What is a scalper bot?

A scalper bot is an automated program that performs scalping—purchasing limited-edition goods (such as event tickets) to resell at a higher cost. Because bots can complete the checkout process in a fraction of the time it takes a human user, they can buy thousands of goods the moment they go on sale. Scalped items are usually resold for higher profit because they are not available from the original retailer.

Who should care about stopping scalper bots?

For many e-commerce enterprises, scalper bots are an unfamiliar issue until the first big launch goes wrong. If scalper bots are making your most popular product launches an IT, SecOps, and customer service nightmare, you are not alone!

Any retailer selling limited-edition goods online will be confronted with scalper bots, also known as “grinch bots”, “shopping bots”, or “purchasing bots”. Scooping up the entire inventory, often in just seconds, scalper bots are a serious source of annoyance (and complaints) for ordinary buyers who can never beat them to checkout.

Scalper bot traffic also consumes significant bandwidth, drives up your infrastructure costs, and keeps your IT team busy firefighting instead of creating value. If you’re wondering how to stop scalpers and gain back your time and serenity, read on.

What to Know About Scalper Bots

After scalper bots bulk buy valuable merchandise before customers can get any, the coveted goods are then resold at a profit on eBay or similar sites. The OWASP Automated Threat Handbook for Web Applications defines scalping (OAT-005) as a threat designed to “obtain limited-availability and/or preferred goods/services by unfair methods”.

Ticket scalping has been a well-known problem for many years, but scalper bots are increasingly common in other industries as well. For example, when the PlayStation 5 console first dropped in November 2020, the inventory was gone in seconds from most retailers’ websites. The traffic even crashed Walmart’s website, to regular customers’ great frustration.

Only a few weeks earlier, Nvidia launched its GeForce RTX 3080 graphics card with similar results. Nvidia admitted that their storefront was “overrun with malicious bots and resellers.”

During Black Friday and holiday sales, most e-commerce sites see some level of scalper bot traffic. But increasingly, scalping is a serious problem all year round.

Are scalper bots illegal?

It’s complicated. Scalper bots fall into a gray area for many legislations. While they’re not illegal on their own, what most operators do with them can fall into illegal territory.

Currently, there is not much legislation in place to protect businesses from scalper bots. In the US, the Better Online Ticket Sales Act (BOTS) of 2016 outlawed the resale of tickets bought with bot technology, and the Stopping Grinch Bots Act bill was introduced in 2021 (but has yet to pass).

But the legislation (or lack thereof) doesn’t mean you should (or can afford to) let scalper bots ruin your sales for customers. Keep reading to understand how to stop scalpers.

5 Different Types of Scalper Bots

While every scalper bot can be programmed differently, they tend to fall into certain types. Here are some common examples:

  1. Monitor Bots: Constantly scan websites for new releases and/or restocks and either alert their operators or feed the information to other scalper bots.
  2. Account Bots: Automate the sign-up process and create user accounts, sometimes hundreds or thousands per day. Account bots exist because some websites put restrictions on the number of limited-edition merchandise one user can buy.
  3. Semi-Automated Bots: These bots don’t fully automate the process of buying something. For example, some can scan for new releases and put an item in your cart, but won’t automatically pay or check out.
  4. Specialized Bots: Including the well-known sneaker bots, specialized scalper bots fully automate the process of scanning and buying items. Sometimes, they immediately advertise the scalped products on the secondary market for quick profits.
  5. Bots as a Service (BaaS): Bots as a service are bots that any user can rent (including non-technical attackers). Users rent bots and only pay the BaaS provider when the scalper is successful at bypassing the targeted website’s security measures. The BaaS business model ensures the bot creators are highly incentivized to make their bots as sophisticated as possible.

How do scalper bots work?

Scalpers use automated software to position themselves at the start of the line and snap up coveted items within seconds after they are released for sale. In order to always be first to purchase items before human buyers get to them, scalper bots must manage three different tasks.

1. Monitor Target Websites

Also known as “drop checking” or “spinning”, monitoring means the bot is constantly and automatically checking retailer websites, applications, and even Twitter feeds to identify interesting releases and early links.

On an e-commerce website, this might mean constantly checking product pages to see when they change from “Out of Stock” to “Add to Cart”. It could also mean identifying pages that have not yet been publicly released. Certain bots even guess at new product SKUs to be the first to find new pages when they go online.

Many scalper bot developers license their bots to other people, and they run online communities (known as “cook groups”) on Discord and similar platforms. Users pay a monthly fee to receive tips and information, often getting instant notifications when a popular product becomes available.

Scalper bots’ constant monitoring of your site can generate significant traffic volume, hurting your website’s speed and performance.

2. Add to Cart

This is the crux of the battle—being the first to add the desired item to the shopping cart.

To be able to make multiple purchases without being detected and blocked, scalper bots must often bypass a series of security and access controls, such as inventory limits, CAPTCHAs, and more. They typically rely on proxy networks, so each new request comes from a completely different IP address. The best are using residential IP addresses with perfectly clean reputations.

In a YouTube video, the user “Snkrbolt” operates various scalper bots trying to buy Yeezy 500 Utility Black sneakers and PlayStation 5 consoles. The list of proxies can be seen in the column on the right of the dashboard. Later in the video, the user is busy solving CAPTCHAs to bypass security solutions.

The most sophisticated scalper bot operators shave additional milliseconds off the acquisition process by distributing their servers geographically, so that their requests reach the retailer with the lowest possible network latency.

3. Autocomplete Checkout

After successfully selecting the items to buy, scalper bots can also automate the purchase by logging into premade accounts. Or they can enter all the required information to use a guest account. Finally, bots complete the order using a credit card that could belong to the bot operator—or it could be stolen specifically for use in fraudulent online transactions (carding).

Many scalper bots were provided as professional services in the shape of browser extensions developed specifically for our site. Users could put in their contact details, their credit card number, and the URL of the product they wanted to buy. The moment it went on sale, the bot would complete the purchase in seconds.

Sayed Gaffar, Director of E-commerce, EMEA & International Markets at The Topps

How to Stop Scalper Bots

Given the many different types of scalper bots and the variability between individual scalper bots, it can be hard to figure out how to prevent or stop scalper bots. Thankfully, there are several anti-scalping techniques that stop bots from scalping websites.

1. Device or Browser Fingerprinting

The first anti-scalping technique is device or browser fingerprinting. Scalper bots need to run at scale to be profitable, and they can’t change the device they run on for every request they make. So scalper bots are sometimes identifiable through the set of browser and device parameters they run on, and can be blocked accordingly.

2. Validate the Browsers of Particular Requests

Similarly, you can validate the browser behind a particular request. In particular, you can check whether the client actually executes the JavaScript a real browser would run and whether it makes the browser calls you expect. Scalper bots often run on modified or headless browsers, so anything out of the ordinary in the browser’s behavior can reveal a scalper bot and be instrumental in stopping it.

3. Check IP Reputation

You can also use the IP reputation of a request to judge its genuineness. Some scalper bot operators use cheap, low-reputation IP addresses that have no legitimate business on your website. This isn’t a foolproof method, because many scalper bots now rotate through many high-quality residential IPs. But IP reputation can be used in combination with other indicators to determine whether a request is human or not.

4. Behavioral Analysis

Behavioral analysis is another technique for identifying scalper bots and stopping them from buying your products. Most bots don’t act like humans. They race through your website, going straight for the target. Humans, however, tend to meander a little, move their cursor here and there, and act in slower, more natural ways. None of these four signals is decisive on its own; they are most useful when combined into a single verdict per session.
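The following is an added example, not code from the original article or from DataDome, showing how the four signals above (fingerprint reuse across rotating IPs, browser validation, IP reputation, and checkout behavior) can be scored together over session records. The log format, thresholds, and the low-reputation IP range are constructed for illustration.

```python
"""Score checkout sessions on the four anti-scalping signals from the text."""
import json
from collections import defaultdict

# Constructed sample of per-session records, one JSON object per line.
SAMPLE_LOG = """
{"sid":"s1","ip":"203.0.113.5","fp":"fp-A","js_ok":true,"cursor_events":42,"secs_to_checkout":38.0}
{"sid":"s2","ip":"198.51.100.7","fp":"fp-B","js_ok":false,"cursor_events":0,"secs_to_checkout":0.9}
{"sid":"s3","ip":"198.51.100.8","fp":"fp-B","js_ok":false,"cursor_events":0,"secs_to_checkout":1.1}
{"sid":"s4","ip":"198.51.100.9","fp":"fp-B","js_ok":false,"cursor_events":0,"secs_to_checkout":0.8}
{"sid":"s5","ip":"192.0.2.77","fp":"fp-C","js_ok":true,"cursor_events":5,"secs_to_checkout":1.5}
"""

# Constructed low-reputation range; a real deployment would query a reputation feed.
LOW_REP_PREFIXES = ("198.51.100.",)
FP_IP_LIMIT = 2        # one fingerprint seen from more IPs than this suggests proxy rotation
MIN_HUMAN_SECS = 3.0   # fastest plausible human path from product page to checkout
BLOCK_SCORE = 3        # sessions scoring at least this many signals are flagged


def parse_log(text):
    """Parse the newline-delimited JSON records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def score_sessions(records):
    """Return {sid: score}; each signal adds one point, none is decisive alone."""
    ips_per_fp = defaultdict(set)
    for r in records:
        ips_per_fp[r["fp"]].add(r["ip"])
    scores = {}
    for r in records:
        score = 0
        if len(ips_per_fp[r["fp"]]) > FP_IP_LIMIT:   # 1. same device, many IPs
            score += 1
        if not r["js_ok"]:                           # 2. browser validation failed
            score += 1
        if r["ip"].startswith(LOW_REP_PREFIXES):     # 3. low IP reputation
            score += 1
        if r["secs_to_checkout"] < MIN_HUMAN_SECS or r["cursor_events"] == 0:
            score += 1                               # 4. non-human behavior
        scores[r["sid"]] = score
    return scores


def flagged_sessions(text):
    """Session ids whose combined score reaches the block threshold, sorted."""
    scores = score_sessions(parse_log(text))
    return sorted(sid for sid, s in scores.items() if s >= BLOCK_SCORE)
```

Session s5 checks out fast but passes browser validation and comes from a clean IP, so it scores 1 and is not flagged; the three sessions sharing fingerprint fp-B across rotating low-reputation IPs are.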

How to really stop scalpers: use a bot detection solution

None of the techniques for detecting scalper bots to prevent scalping are easy to implement. The best bot programmers are extremely skilled, quick to adopt new technologies (including artificial intelligence and machine learning) and reverse engineer your security systems in order to bypass them.

Scalper bots come at their targets from many different IP addresses, often using residential proxies and IoT devices. Therefore, volumetric defenses and rules-based security systems, such as Web Application Firewalls (WAFs), are no longer effective in stopping scalper bots.

And while a traditional CAPTCHA might be enough to stop (or at least slow) the least advanced scalper bots, a CAPTCHA alone is no match for sophisticated bots. Today’s bots can be almost indistinguishable from human users, and impossible to detect without expert knowledge.

The increasing sophistication of bots has sparked the need for tools that can determine the intent of online traffic, rather than simply evaluating traffic volume and known bot signatures. To protect against scalping and other e-commerce bot attacks, a specialized bot protection solution with real-time decision-making capabilities is fundamental.

Prevent Scalping With DataDome’s Anti-Scalper Bot Software

So, what does it take to detect and block malicious bots in today’s landscape effectively?

To help CTOs and CISOs protect their websites, mobile apps, and APIs from scalpers and other bad bots, DataDome has developed a powerful bot detection engine that makes extensive use of machine learning and artificial intelligence to detect and block bad bots from the first request.

Delivered as a service, DataDome’s solution can be installed in minutes on any web infrastructure without any changes to the host architecture. In an emergency, the protection can be activated in less than an hour.

The DataDome solution typically runs on autopilot—no action is required on your side. But if a massive scalper bot attack comes your way, our bot SOC team will monitor and manually mitigate the attack as required.

The graph below shows the burst of bad bot requests specifically targeting the PS5 product pages on DataDome’s customer websites. All the malicious requests were blocked in real time, with no intervention needed from the customers’ IT or SecOps teams. As a result, the companies’ real buyers got a fair chance of purchasing a PS5.

For most e-commerce websites, preventing and stopping scalping and other bot attacks with efficient anti-bot software will generate immediate ROI: Not only because it prevents unhappy customers from ranting on social media and ruining your reputation, but also because the business will save significant infrastructure and labor costs.

We were incurring heavy costs. Just the fact that we no longer have to upscale our servers for two-hour spikes of launch activity means that DataDome pays for itself—and that’s without mentioning the time my team is saving.

Sayed Gaffar, Director of E-commerce, EMEA & International Markets at The Topps