How to Stop Scalper Bots and Prevent Scalping on Your Website

Are scalper bots illegal?

It’s complicated. Scalper bots fall into a gray area for many legislations. While they’re not illegal on their own, what most operators do with them can fall into illegal territory.

Currently, there is not much legislation in place to protect businesses from scalper bots. In the US, the Better Online Ticket Sales Act (BOTS) of 2016 outlawed the resale of tickets bought with bot technology, and the Stopping Grinch Bots Act bill was introduced in 2021 (but still has yet to pass).

But the legislation (or lack thereof) doesn’t mean you should (or can afford to) let scalper bots ruin your sales for customers. Keep reading to understand how to stop scalpers.

5 Different Types of Scalper Bot

While every scalper bot can be programmed differently, they tend to fall into certain types. Here are some common examples:

1. Monitor Bots: Constantly scan websites for new releases and/or restocks and either alert their operators or feed the information to other scalper bots.
2. Account Bots: Automate the sign-up process and create user accounts, sometimes hundreds or thousands per day. Account bots exist because some websites put restrictions on the number of limited-edition merchandise one user can buy.
3. Semi-Automated Bots: These bots don’t fully automate the process of buying something. For example, some can scan for new releases and put an item in your cart, but won’t automatically pay or check out.
4. Specialized Bots: Including the well-known sneaker bots, specialized scalper bots fully automate the process of scanning and buying items. Sometimes, they immediately advertise the scalped products on the secondary market for quick profits.
5. Bots as a Service (BaaS): Bots as a service are bots that any user can rent (including non-technical attackers). Users rent bots and only pay the BaaS provider when the scalper is successful at bypassing the targeted website’s security measures. The BaaS business model ensures the bot creators are highly incentivized to make their bots as sophisticated as possible.

How do scalper bots work?

Scalpers use automated software to position themselves at the start of the line and snap up coveted items within seconds after they are released for sale. In order to always be first to purchase items before human buyers get to them, scalper bots must manage three different tasks.

1. Monitor Target Websites

Also known as “drop checking” or “spinning”, monitoring means the bot is constantly and automatically checking retailer websites, applications, and even Twitter feeds to identify interesting releases and early links.

On an e-commerce website, this might mean constantly checking product pages to see when they change from “Out of Stock” to “Add to Cart”. It could also mean identifying pages that have not yet been publicly released. Certain bots even guess at new product SKUs to be the first to find new pages when they go online.

Many scalper bot developers license their bots to other people, and they run online communities (known as “cook groups”) on Discord and similar platforms. Users pay a monthly fee to receive tips and information, often getting instant notifications when a popular product becomes available.

Scalper bots’ constant monitoring of your site can generate significant traffic volume, hurting your website’s speed and performance.

2. Add to Cart

This is the crux of the battle—being the first to add the desired item to the shopping cart.

To be able to make multiple purchases without being detected and blocked, scalper bots must often bypass a series of security and access controls, such as inventory limits, CAPTCHAs, and more. They typically rely on proxy networks, so each new request comes from a completely different IP address. The best are using residential IP addresses with perfectly clean reputations.

In the video below, the YouTube user “Snkrbolt” is operating various scalper bots trying to buy Yeezy 500 Utility Black sneakers and PlayStation 5 consoles. The list of proxies can be seen in the column on the right in the dashboard. Later in the video, the user is busy solving CAPTCHAs to bypass security solutions:

The most sophisticated scalper bot operators will shave additional milliseconds off the acquisition process by spreading their servers geographically to exploit the latency of data signals.

3. Autocomplete Checkout

After successfully selecting the items to buy, scalper bots can also automate the purchase by logging into premade accounts. Or they can enter all the required information to use a guest account. Finally, bots complete the order using a credit card that could belong to the bot operator—or it could be stolen specifically for use in fraudulent online transactions (carding).

How to Stop Scalper Bots

Given the many different types of scalper bots and the variability between individual scalper bots, it can be hard to figure out how to prevent or stop scalper bots. Thankfully, there are several anti-scalping techniques that stop bots from scalping websites.

1. Device or Browser Fingerprinting

The first anti-scalping technique is device or browser fingerprinting. Scalper bots need to run at scale to be profitable, and they can’t change the device they run on for every request they make. So scalper bots are sometimes identifiable through the set of browser and device parameters they run on, and can be blocked accordingly.

2. Validate the Browsers of Particular Requests

Similarly, you can validate the browser of a particular request. In particular, you can check for the JavaScript agent of a browser and whether it’s making the right browser calls. Scalper bots often run on modified browsers, so checking for anything out of the ordinary in the browser can reveal a scalper bot, and be instrumental in stopping them.

3. Check IP Reputation

You can also use the IP reputation of a request to determine its genuineness. Some bot scalpers use cheap, low-quality IPs that should have no business on your website. This isn’t a foolproof method, because many scalper bots now rotate through many high-quality, residential IPs. But the IP reputation can be used in combination with other indicators to determine whether a request is human or not.

4. Behavioral Analysis

Behavioral analysis is another technique for identifying scalper bots to stop them from buying your products. Most bots don’t act like humans. They race through your website, going straight for the target. Humans, however, tend to meander a little bit, move their cursor here and there, and act in slower, more natural ways. 

How to really stop scalpers: use a bot detection solution

None of the techniques for detecting scalper bots to prevent scalping are easy to implement. The best bot programmers are extremely skilled, quick to adopt new technologies (including artificial intelligence and machine learning) and reverse engineer your security systems in order to bypass them.

Scalper bots come at their targets from many different IP addresses, often using residential proxies and IoT devices. Therefore, volumetric defenses and rules-based security systems, such as Web Application Firewalls (WAFs), are no longer effective in stopping scalper bots.

And while a traditional CAPTCHA might be enough to stop (or at least slow) the least advanced scalper bots, a CAPTCHA alone is no match for sophisticated bots. Today’s bots can be almost indistinguishable from human users, and impossible to detect without expert knowledge.

The increasing sophistication of bots has sparked the need for tools that can determine the intent of online traffic, rather than simply evaluating traffic volume and known bot signatures. To protect against scalping and other e-commerce bot attacks, a specialized bot protection solution with real-time decision-making capabilities is fundamental.