Beyond Stopping You from Buying Air Jordans, Sneaker Bots are Tying Up the World


We’ve all heard about ultra-premium sneakers like Adidas’s Yeezy and Nike’s Air Jordans that sell out within minutes of a drop. But what you probably haven’t thought about is the havoc sneaker bots are wreaking not only on sneaker companies, but on the entire eCommerce industry.

Sneaker bots (aka scalper bots) are infamous for purchasing extremely limited items by using automation for speed and volume. These bots clear out digital inventory and expedite the online checkout process the millisecond a sneaker or other highly demanded product drops. Automation enables collectors, resellers, and DIYers to scoop up inventory of limited-edition products faster and in larger quantities than is humanly possible.

Sneakers have become an asset class similar to stocks and cryptocurrency, and trade on a variety of reseller platforms where investors can make lucrative profits. A Piper Sandler spotlight on StockX estimates the sneaker resale market is worth $10 billion in 2021 in the U.S. alone.

However, sneaker bots are also being used to scoop up other in-demand merchandise and services, such as gaming systems, concert tickets, consumer electronics, luxury apparel, hotel rooms, and even vaccines. Last year, bots accounted for at least 20% of traffic to eCommerce sites, but that percentage soars to 99% in some cases when it comes to new sneaker drops. Sneaker bots are also known to hoard inventory in online shopping carts without checking out. This is usually done so that retailers appear to be sold out of an item, forcing consumers to go to a reseller to find what they’re looking for and pay 2-5x the retail price.

Sneaker Bots’ War on eCommerce

There are several ways that sneaker bots negatively affect the customer experience, which, in turn, has detrimental consequences for a business’s bottom line:

  • Damaged brand reputation: When bots scoop up all your inventory (or even just make it look that way through inventory hoarding), it hurts your customer experience.
  • Loss of revenue: Due to inventory abuse, you don’t get to create new customers (and possibly evangelists) or service customers with whom you already have a relationship, impacting their loyalty to your site and your ability to establish consumer preference.
  • Increased infrastructure costs: If you’re dealing with automated traffic to your site, you’re paying for bandwidth and infrastructure (and the human resources to support them) that you would not need without the bots. In some cases, the cost of processing bad bot traffic can exceed the profit margin of the item being sold.

While sneaker botting may seem unfair, it’s completely legal. At the same time, it creates frustrated shoppers and retailers alike. As a result, bots are often in violation of eCommerce providers’ terms of service. To combat sneaker bots, retailers resort to lotteries and waiting rooms, where shoppers have to take a number to complete a purchase or registration. But even waiting rooms and ticket numbers can be exploited at scale. What appear to be multiple legitimate customers signing up all at once are, more often than not, really more sophisticated bots.

Who are the Sneaker Bot Players?

There are generally three types of sneaker bot players:

  • Collectors who simply want to beat the competition and win their coveted pair of kicks for themselves at any cost.
  • Resellers who want to snag as much quantity as possible and jack up the resale prices for a quick profit with built-in demand. They may be reselling on auction sites or through their own online shop.
  • DIYers who are attracted to the potential to make money through the use of cheap bots and plugins. They join online communities and cook groups for advice and purchase bots-as-a-service to grab inventory.

Three Types of Sneaker Bots

All-in-One (AIO) Bots:

To target more than one site, operators deploy all-in-one bots, which automate the entire purchase. For example, AIO bots can seek out new inventory, add it to the cart, and check out, all in less than 0.2 seconds. Real shoppers simply cannot compete.

Not only can they make automated buys, but they can also keep up with updates to shopping cart procedures in order to work around bot detection and mitigation solutions. These bots work around the clock, shopping all over the world to score kicks and other in-demand merchandise. There are lots of AIO bots to choose from, such as Prism AIO, Torpedo AIO, geographic-specific AIO bots such as EU-focused Burst AIO, and many others.

Monitor Bots:

Specifically built for automatically scanning and scraping information, monitor bots seek out new releases, pricing, and stock availability. Once these are identified, the bots send an alert with the relevant information to their operators, as well as to other bots such as AIO bots. A subset of this type of bot is known as a footprinting bot, which probes for online inventory that might not be public yet, scoring stock a human being could never find before its release.

Specialized Bots:

Some sneaker bots are optimized for a single brand, the most popular being Nike, Supreme, and Adidas bots. Like AIO bots, these specialized bots continuously update their approach to work around detection. There are also bots designed to work with specific eCommerce platforms such as Demandware or Shopify, which host dozens of sneaker websites, as well as Footsites bots that target four popular sneaker websites (Footlocker, EastBay, ChampsSports, and Footaction).

Beating Bots at their Own Game

To fight sneaker bots, eCommerce companies need a modern anti-bot solution that stops bots from even getting into companies’ infrastructure in the first place and makes it financially unviable for them to operate. But how?

For starters, put faith in an architectural approach that relies on zero trust and assumes all requests are guilty until proven innocent. This no-rules method can stop bots without having to inspect behavior or device and network attributes, including those never seen before.

Second, removing the economic incentive at the heart of the sneaker bot model does wonders to stop them cold. This can be accomplished through an asymmetric cryptographic proof-of-work challenge that exhausts the compute resources of automated attacks, wrecking their ROI and making it too costly to continue.
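The cost asymmetry behind a proof-of-work challenge, as an added example (not code from this article or from any vendor's product): the client must brute-force roughly 2^bits SHA-256 hashes, while the server checks the answer with one HMAC and one hash. The hashcash-style puzzle, the function names, the key and the TTL are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # assumption: per-deployment secret, never sent to clients
TTL_SECONDS = 30              # assumption: how long a challenge stays valid

def _tag(client_id, nonce, bits, expires):
    msg = f"{client_id}|{nonce}|{bits}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(client_id, bits, now=None):
    """Server: hand out a signed puzzle; nothing is stored until it is redeemed."""
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    nonce = os.urandom(16).hex()
    return {"client": client_id, "nonce": nonce, "bits": bits,
            "expires": expires, "tag": _tag(client_id, nonce, bits, expires)}

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: brute-force a counter; expected cost is about 2**bits hashes."""
    prefix = f"{challenge['nonce']}:".encode()
    counter = 0
    while True:
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if _leading_zero_bits(digest) >= challenge["bits"]:
            return counter
        counter += 1

def verify(challenge, counter, seen_nonces, now=None):
    """Server: one HMAC and one hash, however long the client had to work."""
    now = now if now is not None else time.time()
    expected = _tag(challenge["client"], challenge["nonce"],
                    challenge["bits"], challenge["expires"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return "bad-tag"          # difficulty, client or expiry was altered
    if now > challenge["expires"]:
        return "expired"
    if challenge["nonce"] in seen_nonces:
        return "replayed"         # one solution buys exactly one request
    digest = hashlib.sha256(f"{challenge['nonce']}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < challenge["bits"]:
        return "wrong-solution"
    seen_nonces.add(challenge["nonce"])
    return "ok"
```

Each extra difficulty bit doubles the solver's expected work and leaves the verifier's cost unchanged, which is the lever a defender has over the economics of a high-volume bot run.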

Last, because bots are constantly updated, another way to strike back is to make it difficult for bot operators to retool and reverse-engineer defenses or even to build new bots that can bypass detection. This can be done through resilient obfuscation rather than open-source tools, for example by using techniques that change dynamically, which frustrates bot operators.

The bottom line is that when it comes to automated technology like sneaker bots, the best way to fight them is also through automated technology, and these three approaches together help beat bots at their own game.

Sam Crowther: Sam Crowther, founder and CEO of Kasada, is an entrepreneur with a passion for cybersecurity. He got his start in the industry as a high school student when he joined the cybersecurity team of the Australian Signals Directorate (ASD). From there, he moved to a red team role at a global investment bank, an experience that inspired him to start his own company. With funding from leading U.S. and Australian investors, Crowther launched Kasada in 2015 to provide innovative web traffic integrity solutions to companies around the world. Based in New York and Sydney, Crowther loves creating simple technical solutions to complex problems and is motivated by challenging preconceived ideas and beliefs in order to have a positive impact on the world.
