Choose a language:

Everything you need to know about ticket bots

Published:
Updated: 12 Apr 2024
pink ticket bot with tickets

What are ticket bots? How do they work? Are they illegal? How do we beat them? Get the answers to these questions & learn everything you need to know about ticket scalping bots in this comprehensive blog post.

1,000+ concert tickets bought by one bot in one minute. 15,000+ tickets bought by two bots in a day. Up to 7,000% markups for tickets on secondary markets. These are just a few of the damning ticket bot data points highlighted by the New York Attorney General.

Ticket bots take money out of the pockets of genuine fans and make online ticket sales unfair.

That’s why everyone from politicians to musicians to fan alliances are fighting to stop bots from buying tickets and restore fairness to ticketing. That’s why online ticketing organizations are on the front lines of a battle against ticket bots.

But what are ticket bots, how do they work, and how can they be stopped? Read on to discover everything you need to know about ticket bots—and how you can beat them.

Table of contents

What are ticket bots?

A ticket bot, also known as a “scalper bot”, is software that’s designed to help purchase tickets by performing automated tasks like scraping pricing details, checking inventory for newly released seats, or purchasing and reselling tickets.

Ticket bots typically imitate the behavior of human users, only faster and in larger volumes. This means these scalper bots can unfairly find and purchase tickets in ways human customers can’t.

The scale of the bots problem in the ticketing world is hard to overstate. Bots make up almost 40% of all ticketing website traffic.

In a recent high-profile concert ticket sale Queue-it worked with, 96% of traffic came from bots and uninvited visitors.

Just 138,000 (4%) of the 3.3 million requests to enter the onsale came from legitimate, trusted visitors.

Chart showing 3.2 million bots & 138 thousand genuine users entering an onsale

One scalper used bots to open their presale link for the event 31,325 times, but with Queue-it’s bot mitigation tools in place, got just one spot in queue.

Malicious activity like this is one of the main reasons it's so hard to get tickets to see your favorite artists, sporting teams, or live events.

RELATED: Block Ticket Bots & Deliver Fairness with Queue-it's Suite of Bot Mitigation Tools

How do ticket bots work?

Ticket bots use software to execute automated tasks based on the instructions bot makers provide. Bots buy concert tickets in bulk by using speed to purchase tickets faster than regular people, and volume to get around ticket purchase limits.

What all ticket bots have in common is that they provide the person using the bot with an unfair advantage. If shoppers were athletes, using ticket bot software would be the equivalent of doping.

Ticket bots have many vectors of attack. The strategies used by bots are best understood based on where in the ticket purchase process they’re used. Consider the following timeline:

How do ticket bots work infographic

While some scalper bots will specifically target the account creation process, others target the moments before the onsale, or the checkout process. When people talk about ticket bots, they’re usually talking about bots designed to complete one or more of the malicious functions below.

Discover how you can beat bad bots & deliver fairer onsales now

ticket bots guide

 

Prior to the ticket onsale

Prior to the sale of tickets online, bad bots are used to create fake accounts or take over existing legitimate ones.

For example, one ticket broker apparently used 9,047 separate accounts on Ticketmaster to make 315,528 ticket orders to “Hamilton” and other popular events over a 2 year period.

 

account creation shopping bot Account creation bots

Fraudsters abuse the account signup process by using bots to create accounts in bulk. These accounts are then misused to get around ticketing purchasing limits (most ticketing companies limit to 4 or 6 tickets per customer).

account takeover shopping bot Account takeover bots

Ticketing touts also try to get control over existing legitimate accounts. They either use bots to guess common usernames and passwords (called credential cracking) or to perform mass login attempts for stolen username/password pairs (called credential stuffing).

 

During the ticket onsale

During the onsale itself, scalpers use ticket bots’ speed and volume advantages to beat loyal fans to the tickets and scoop up as much inventory as they can.

Bot operators use this lightning speed across several browsers to circumvent per-customer ticket limits.

By combining superhuman speed with sheer volume, bot operators effortlessly reserve hundreds of tickets as soon as the onsale starts.

Ticket buying bot example

A ticket buying bot reserving and purchasing multiple sets of tickets.

Ticket scalpers use one or several of these ticket bots to reserve and purchase tickets:

footprinting shopping bot Expediting bots

Scripted expediting bots use their speed advantage to blow by human users. An expediting bot can easily reach the checkout page in the time that it could take a fan to type his or her email address. And a single bot can open 100 windows and simultaneously proceed to the checkout page in all of them, coming away with a huge volume of tickets.

scraping shopping bot Scraping bots

Scraping bots scan the web and monitor for specific types of tickets. When they find available tickets, they use expediting bots to quickly reserve and scalping bots to purchase them.

denial of inventory shopping bot Denial of inventory / Spinning bots

Ever wonder how concert tickets are available on resale sites like StubHub or Viagogo even before the tickets go on sale? Next-generation denial of inventory bots are to blame.

Denial of inventory involves using bots to add tickets to the cart, making them unavailable for fans to buy. Scalpers know some fans will see the “no tickets available” messaging and will want to go to the event so badly they’ll pay whatever just to get their hands on a ticket. So, the scalpers list the tickets on the resale sites.

When the fans buy at the outrageously inflated resale prices, only then will the scalpers have their bots buy the tickets, pocketing a huge profit in the process.

homer simpson buys ticket from scalper


RELATED: 
Tickets Sold Out? Debunking the Instant Sellout Onsale Myth

During the ticket purchase

Scalpers nearly always use bots to exceed the ticket limit, thus breaking ticketing companies’ terms of service. While some scalpers will pay for these tickets with legitimate credit cards, the worst scalpers do this all with stolen or hacked card information, increasing their scalping profit.

cashing out shopping bot Cashing out bots

Cashing out refers to the general online credit card fraud that occurs when fraudsters use stolen card info to buy the tickets. In advance or during the ticket buying itself, fraudsters use bots to verify the validity of stolen cards (known as carding) or identify missing expiry dates or security codes for the stolen cards (known as card cracking).

Fraudsters, touts, and scalpers use bots for unfair advantage and fraud in every step of the ticket scalping journey.

Who uses ticket bots?

When you think of the people behind ticket bots, you probably conjure up images of a hacker or criminal type, camped out in a basement. But the reality is different. For example, hospitality agencies use ticketing bots to snag premium seats to include in their package deals.

“If we talk about the ticketing in North America, there’s probably 40 organizations, at least, that are snapping tickets out of the primary market,” Queue-it Co-founder Niels Henrik Sodemann told Forbes.

There are five main types of ticket bot operators, each with their own objectives.

Who uses bots

Bot objectives

Ticket brokers

  • Scrape ticket details
  • Continuously scanning seat map inventory for newly released seats
  • Instantly purchase any available tickets for resale

Individual scalpers

Hospitality agencies

  • Scrape ticket details
  • Continuously scanning seat map inventory for premium seats
  • Instantly purchase best-available tickets for resale

Corporations

Criminals

  • Take over accounts to steal tickets or transfer to another account
  • Conduct credit card fraud and loyalty program fraud (e.g. sports team season ticket holders)

 

Are ticket bots illegal?

Using a bot to purchase tickets is illegal in most Western countries. Scalping—the practice of purchasing tickets with the intention to resell for a profit—is also outlawed in much of the world.

While online ticketing bots have been around for at least 20 years, it’s only in the last 5 that governments have begun targeting bots with legislation. But these laws forbidding ticket bots and scalping are rarely enforced—meaning ticket botting and reselling remains alive and well.

Here’s a breakdown on the legality of ticket bots in the U.S., E.U., U.K., Canada, and Australia.

Are ticket bots illegal in the United States?

Ticket bots became illegal in the U.S. in 2016 when Congress passed the Better Online Ticket Sales (BOTS) Act. The BOTS Act makes it illegal to buy tickets to events by evading security measures and breaking purchasing rules set up by the ticket issuer. It also banned the resale of such illegally bought tickets.

RELATED: How the BOTS Act Impacts the Ticketing Industry [Webinar]

Are ticket bots illegal in the European Union?

Under E.U. law, the use of ticket bots became illegal in all E.U. member states in 2022. This legislation makes it illegal “to bypass any other technical means put in place by the primary seller to ensure accessibility of tickets for all individuals.” It also requires professional resellers to identify themselves on online marketplaces.

The legislation marks the first E.U.-wide legislation on the topic, and also leaves the door open for member states to pass additional laws regarding ticket resale (several already have such laws). The Council of the E.U. adopted the legislation in November 2019, and the laws came into effect for E.U. member states in May 2022.

Are ticket bots illegal in the United Kingdom?

In 2017, the U.K. passed a law that outlaws ticket bots used to exceed ticket purchase limits and requires secondary sellers to provide a unique ticket number with details of seats or standing location.

Are ticket bots illegal in Australia?

There is no nationwide legislation in Australia outlawing ticket bots. However, several states have outlawed bots and put caps on the resale prices of tickets.

In 2017, the Australian state of New South Wales passed anti-bot legislation, which also included a resale cap at no more than 10% over the face value of the ticket. The following year, the state of South Australia ratified the Fair Trading (Ticket Scalping) Amendment Bill to crack down on ticketing bots. Western Australia introduced the similar legislation in 2021, including a ban of the use of bot software.

Are ticket bots illegal in Canada?

Although there isn’t yet a nationwide ticket bot law in Canada, several provinces have passed or are considering legislation.

In 2017, Ontario province passed the Ticket Sales Act, which bans tickets from being resold at more than 50% above the face value and makes it illegal to knowingly resell tickets that were purchased by bots.

In 2018, Alberta province implemented their own ban, and British Columbia followed suit in 2019 with their own Ticket Sales Act, which also bans speculative ticket resale where the reseller doesn’t have the ticket in his or her possession.

 

Why hasn't ticket scalping legislation been effective?

Enforceability isn't easy

Enforceability is an ever-present issue with ticketing legislation. Just because a law is on the books doesn’t mean it’s followed. Strong enforcement is necessary to curb illegal behavior.

When the Ontario ban on ticket bots passed, attorney general Yasir Niqvi acknowledged the difficulty of enforcing the bot ban, as many bot operators are located outside of the province. He cited the 50% resale cap as an easier enforcement tool. Two years later, in 2019, Ontario’s government rolled back the 50% resale cap, saying it wasn’t enforceable.

Similarly, in the U.S. the BOTS Act’s bark has been worse than its bite. In 2018, two year's after the BOTS Act's passage, the Federal Trade Commission—the agency tasked with enforcing the law—couldn’t comment on any instances of enforcement.

Even when the law was passed, the Congressional Budget Office judged it unlikely that substantial enforcement would take place.

“CBO estimates that [revenues from civil penalties] would be insignificant because of the small number of cases that the agency would probably pursue.”

The first (and so far only) BOTS Act enforcement action took place in 2021, when 3 New York-based ticket resellers were fined $31 million for buying more than 150,000 tickets, circumnavigating Ticketmaster's purchase limits and reselling for millions of dollars.

The financial incentives are too large

Using bots to scalp tickets is a perfect example of rent-seeking behavior (economist talk for leeching) that adds no benefit to society. But as long as there’s a secondary market to sell tickets at markups of over 1,000%, bad actors will fill the void to take advantage.

Indeed, the ticket resale market has ballooned to over $15 billion. Ticketmaster reported that it blocks 5 billion bot attempts every month. The financial incentive is simply too strong and the threat of legal action too weak to stop malicious bot operators.

Legislation can’t keep up with the technology

In such a rapidly evolving space, legislation becomes outdated as soon as it’s passed.

The U.S. BOTS Act, for example, doesn’t appear to apply to people who purchase tickets where they’ve only used bots to reserve the tickets (as Denial of Inventory bots do). The newest iteration of bots will continue to outpace and outmaneuver the legal roadblocks.

It’s clear that the ticketing industry cannot rely on legislation to solve the ticketing bot problem. The onus remains on venues, ticketing organizations, and online platforms to defend against malicious bots during online ticket sales. And companies that aren’t perceived as doing enough to battle bots are playing with fire. Public outrage can quickly turn on such organizations, and potential legal actions can follow in its footsteps.

RELATED: The Battle Between Bad Bots and Ticketing [Webinar]

 

How to beat ticket bots

Ticketing was the first industry to suffer the plague of bots. And given the fortune that successful bot operators can make, ticketing bots aren’t going away anytime soon.

We’ve seen limited impact from ticket bot legislation thus far, which makes ticketing organizations the only ones who can put a stop to bots.

A full-fledged plan to deal with ticket bots must span several levels, from concrete technical tactics to comprehensive bot mitigation solutions to larger ticketing strategies.

1. Detailed monitoring

Monitoring is key because behavior is what helps you tell real fans from bad bots. 

For example, the majority of stolen credentials fail during a credential stuffing attack. So, if you have monitoring that reports a sudden spike of traffic to the login page combined with a higher than normal failed login rate, it indicates account takeover attempts by bots.

Another example is if there is a high concentration of visitors using the same IP address. At Queue-it, we’ve found over 50% of the bots blocked by our virtual waiting room’s abuse and bot protection emanate from the same IP address. The bots are trying to simulate real users on a massive scale but getting unique IP addresses is an additional step that not all bot operators take.

RELATED: Behind-The-Scenes of a Concert Ticket Onsale: How Queue-it Blocked 8.3 Million Ticket Bots

2. Ticket bot mitigation solutions

Bots have changed the economics of the ticketing business, so ticketing organizations need to change the economics of bot attacks. That means targeting each bot attack vector and increasing the costs bot operators incur in order to overcome the protections.

On account creation, for example, bot mitigation tools validate biometric data like mouse movements, mobile swipe, and accelerometer data to distinguish bots from real users, and then feed that data into machine learning algorithms. You can also block or enforce Google’s reCAPTCHA on traffic from known bot hosting providers and outdated browsers typically used to run ticket bots.

During the onsale itself, you can target the speed and volume advantages that bots enjoy. A tool like a virtual waiting room can help neutralize both.

Ticketmaster, for instance, has blocked over 13 billion bots across more than 17,000 events using Queue-it’s virtual waiting room.

Ticketmaster smart queue phases

With a virtual waiting room, bots that arrive before the onsale starts are placed in a pre-queue together with legitimate users. When the sale launches, everyone in the pre-queue is randomized. This eliminates any advantage in arriving early or hitting the web page milliseconds after the start of the sale.

Ticketing organizations can also require visitors to enter known data, such as a membership number, to enter the waiting room. Combining known data like this makes impersonating real users exceptionally expensive and complex, and is thus a powerful way of combating bots’ volume advantage.

Finally, you can implement bot mitigation tactics on the ticket payment step similar to how you would on account creation to flag brute-force attacks like carding or card cracking. Stopping fraudulent account creation also helps prevent online card fraud.

RELATED: Prevent Website Crashes & Block Bots During Online Ticket Sales

3. Exclusive access for verified fans

Ticketmaster’s Verified Fan program is one example of how ticketing companies are getting inventive to provide fair presale access to the people who deserve it most. It does this by vetting fans who register, and giving them exclusive access, so only the people they choose can enter the onsale.

This program has been highly successful, with Ticketmaster reporting around 95% of tickets bought by verified fans are not resold.

The advantage of this exclusive strategy is that you choose who gets access to your onsale. Bots can’t abuse your sales because they’re not invited to them.

Plus, you can use exclusive access to incentivize genuine customers to share their details and sign-up for your loyalty program or membership scheme.

To run large, exclusive drops, Queue-it customers use the invite-only waiting room. They simply choose the customers to whom they want to grant access, send out invitations, then verify customer identities with two-factor-authentication.



The invite-only waiting room lets you confidently keep bots out while rewarding loyal customers, protecting your site, and delivering fairness.

Across 50 onsales, a top global ticketing company used the invite-only waiting room to:

  • Deny access to over eight million bots & uninvited users
  • Give a fairer experience to over a million verified fans
  • Dramatically reduce queue wait times
  • More than half the load on their infrastructure

RELATED: Block Ticket Bots & Reward Loyal Customers with The Invite-only Waiting Room

4. New (and old) ticketing strategies

Shifts in ticketing strategies can play an equally vital role in battling bots. We’ve already seen several examples where ticket bot regulations also include caps on ticket resale prices to remove some of scalpers’ financial incentive.

With the expanded adoption of smartphones, mobile ticketing is a promising strategy to curb scalping. The paper ticket is “this paper entity that can be spoofed and subject to fraud,” says Kristin Darrow, senior vice president at Tessitura Network. Mobile ticketing puts more control measures in place, such as tracking the transfer of tickets and limiting sales by geographic area.

In 2019, Spanish festival Primavera Sound became the first major music festival to go completely mobile with their ticketing, and has features like a QR code that only appears two hours before the concert to keep tickets from being sold on secondary markets.

What’s old is also new again. Paperless ticketing—where the purchaser uses his or her credit card and a form of ID to enter the event instead of a ticket—"has been around for over 25 years,” says ticketing insider Ian English.

The paperless strategy certainly has tradeoffs, in that it is rigid and can be difficult to transfer tickets or purchase on behalf of someone else. But it has documented effectiveness in battling scalpers and reducing tickets on the secondary market. High-demand shows like Hamilton continue to experiment with the approach.

Stopping scalper bots & restoring fairness to online ticketing

The ultimate goal for ticketing organizations, fans, and politicians should be to restore fairness to online ticketing. Here’s how Edward Roberts, Director of Product Marketing at Distil Networks (now part of Imperva), describes what fairness means to the different players in the ticketing industry:

  • For a fan, a fair experience is getting the same chance as any other fan to purchase available tickets at face value.
  • For an artist, it is getting tickets into the hands of enthusiastic fans into their shows.
  • For a ticketing company, it’s providing access to real humans to purchase the available tickets and eliminating any automation from abusing the system and ruining the ticketing buying experience for real fans.

With public outcry and artists’ frustration over ticketing bots at a boiling point, organizations that don’t take the problem seriously do so at their own peril.

But if you’re a ticketing organization and are committed to stopping ticket bots, there are tools and strategies at your disposal. Combined, you can tailor them to the unique angles of attack during each stage of the ticket-buying process to give you the best chance of achieving successful, bot-free onsales.

(This blog has been updated since it was originally written in 2019).

Expose the worst next-gen bots & get 8 concrete steps you can take to block malicious bots

Queue-it bad bot guide