Inside a Sneaker Bot Business

Ever wonder how sneaker bot businesses work behind the scenes? We see posts on Twitter and Discord that brag about snatching and reselling limited-edition merchandise using bots, but the inner workings of the sneaker bot industry are typically kept secret.

So, what’s the reality? That’s the story we want to tell. 

In this article, we explore the activity of a popular, real-world sneaker bot business that targets more than 30 sneaker retailers worldwide, including some protected by DataDome. We analyzed the business’ web traffic over a two-week period and found the following.

*DISCLAIMER: We did not “hack” the sneaker bot business discussed in this article. They granted us access to their traffic, and we have been careful to protect their anonymity.*

Structure of the Website

The sneaker bot website has a main landing page presenting the primary features of the bot and the sneaker websites the bot can target. Besides this landing page, most of the URLs are protected behind a login. As is often the case in the sneaker bot industry, the bot is in limited edition (like the shoes it aims to acquire), and cannot simply be bought from the website. 

Instead, a visitor can either:

1. Wait for a random drop and hope to be lucky enough to be allowed to buy a license key.
2. Buy the bot from specialized marketplaces (such as CopSupply or BotBroker), or from a private channel on Discord, with all the potential scams that may arise with such transactions.

The sneaker bot business relies on Stripe for payments and uses Zendesk to handle their 24/7 support.

The website is structured professionally, using different subdomains:

• siteBot.com
• api.siteBot.com
• status.siteBot.com: Status page of the website. They use UptimeRobot to ensure their site is up and running.
• socket.siteBot.com: Endpoint to handle websocket connections.
• As well as other subdomains we won’t reveal for anonymity purposes. 

The website has the following main features:

• Login Page
• User Dashboard
• Payment Endpoint to Renew License
• Admin Panel

The site supports integration with Discord, which is no surprise given the popularity of Discord and Discord bots in the sneaker community.

Website Traffic

The graph below shows the number of requests per hour on the website and the associated APIs over time. Besides a few bots conducting vulnerability scans, we didn’t detect any significant volume of malicious traffic. (However, it is still important to understand how to prevent vulnerability scanning where it occurs.)

As for most websites nowadays, the sneaker bot business faces vulnerability scanning bots.

Unsurprisingly, the websocket endpoints represent the majority of the traffic (4M/6M).

Number of Users

We tried to estimate the number of users of the service. To do that, we analyzed sessions that had conducted a human-like activity.

In total, we identified 358 human sessions. It’s likely to be an upper bound of the number of users, since the same user can access their account from different devices and browsers. Thus, an estimate of ~175 users is more accurate (considering most users access the service from a computer and a mobile device).

This number may seem low, given the popularity of bot businesses on social networks (45K+ Twitter followers). That’s partly because following a bot business on social media is one of the only ways a user can get randomly selected to be allowed to buy a bot license. 

The reason bots (like sneakers) are often sold as limited edition is because too many bots would compete against each other. “Limited edition” bots also enable bot vendors to increase their prices, all while having fewer users to support.

~175 users seems consistent with what many sneaker bots advertise online, on social networks, and in Discord channels.

User Location

The graph below shows the main countries of the sneaker bot business’ users, inferred using the geolocation linked to their IP addresses.

Distribution of user base:

We observe that most of the users come from Europe, which is consistent with the sneaker websites targeted by the sneaker bots.

Understanding the Bot Development Process

We tried to identify the admins and the developers of the sneaker bots to understand their modus operandi. In particular, we wanted to better understand the bot development process for bots used against the customers we protect in order to best protect our customers.

To identify the bot developers and admin, we filtered the traffic on /admin/* URLs.

• We noticed that >95% of the requests were coming from five Italian IPs, which is consistent with information we gathered online from different social networks.
• In addition to the five Italian IP addresses, we also observed <5% of requests coming from Korean, Spanish, and Swiss IPs.

This data, combined with other data gathered online, leads us to believe that there are one or two admins.

We then analyzed the traffic of the IP addresses on sneaker websites we protect for customers. Among all the sneaker websites and applications we protect, the sneaker bot business’ IP addresses made requests on three sneaker websites and applications (CF graph below).

• In total, the traffic going out of the sneaker bot business’ IPs over three weeks was low: ~1,700 requests.
• We detected ~400 bot requests over the 1.7K requests (~23.5%) made by these IPs. 

It makes sense to have a low volume of bot requests. Bot developers rely heavily on residential proxies to hide their own home IPs and avoid being blocked.

The analysis of bot traffic activity makes us think that bot developers were conducting tests to improve their bots, rather than trying to buy limited-edition shoes. Notably, there were no limited-edition releases at the time we detected the bot traffic. Moreover, the shoes targeted had no particular resale value.

How much money does a sneaker bot make?

During the ~two weeks we analyzed, there were 16 yearly license renewals.

That’s ~one renewal per day.

The price of the business’ sneaker bot when purchased from the official source (i.e. not on resell price) is ~200 euro (~$211 USD), with a 30 euro (~$32 USD)/month subscription to continue to use it.

30 euro (monthly subscription) * 12 months * 365 days (1 renewal/day on average) = 131K euro (~$138K USD) per year in subscriptions alone (not including initial bot price)

If we consider a user base of ~175 users, and a minimum bot price of 200 euros (175 users * 200 euros), then the bot developers made at least 35K euros (~$37K USD) in initial bot sales.

Note: Not all users pay 200 euros/bot. Since the bot is in limited edition, many users have to buy it from resell marketplaces. Moreover, it seems to be common for sneaker bot admins to sell part of their license key at retail price (i.e. from their website) and another part at resell price on marketplaces.

Although there is no price history for the resell price of the bot sold by the business we analyzed, we can safely hypothesize that a bot can be resold at 2x the retail price: ~400 euros (~$422 USD). Thus, if we now consider that half the licenses were sold at retail price and the other half at resell price, the business made:

87.5 users * 200 euros + 87.5 users * 400 = 52.5K euros (~$55K USD)

Potential Partnerships

The sneaker bot ecosystem and economy are broader than sneaker bot software. Bot users also need to spend a lot on residential proxies and cook groups to increase their chances of getting limited-edition sneakers.

Residential Proxies: It’s highly possible the sneaker bot business we analyzed has a partnership with the Koch.gg residential proxy service. Indeed, we observed several URLs on the dashboard, as well as referrers pointing to this service. 

Thus, although it is not advertised on the website, we think the sneaker bot business may propose an easier integration with the Koch.gg service. This proxy provider is oriented toward sneaker bots and seems to collaborate with several bots in the field, so the partnership is probably not exclusive.

Cook Groups: We also noticed a significant number of users whose referer was set to cook.goodfellasclub.io, a sneaker bot cook group. However, contrary to the Koch.gg proxies, we didn’t observe any particular integration in the dashboard. Thus, we are unsure if there is a formal relationship between the bot business and the cook group service.

Conclusion

Our investigation of a popular sneaker bot service showed that sneaker bot developers are sophisticated (unlike some bot users, judging by comments on social media). The sneaker bot business we analyzed:

• Runs a well-architectured website.
• Proposes 24/7 support.
• Leverages popular SaaS to ensure the business SLAs are met. 
• Conducts frequent tests on the targeted sneaker websites to ensure the bot is working as intended.

From a business perspective, sneaker bot businesses can make a significant amount of money—we estimated ~183.5K euros (~$193.5K USD) per year for the direct revenue generated by the bot software and the monthly subscription. We also showed it’s highly likely bot operators and businesses have partnerships with other services in the sneaker bot ecosystem, such as proxy providers and cooking groups, which may be another source of revenue. 

Scalper bots in general, and sneaker bots in particular, have become increasingly popular in the last few years. With dedicated marketplaces, such as StockX, and limited-edition sneakers reselling at more than 5x the original price, sneaker bots have never been more lucrative.

You might have heard the old adage, “During a gold rush, sell shovels.” Indeed, our numbers show that bot buyers might sink more money into sneaker bots than shoe lovers will pay for limited edition sneakers.

If you’re interested in seeing which malicious bots are targeting your website, mobile app, and/or APIs, you can try a free traffic assessment and 30-day trial of DataDome.