It is difficult to ignore the monumental monetary impact bot attacks can have, particularly when such attacks are aimed directly at financial services markets and organizations.
In our 2021 State of Bot Mitigation report, we revealed that 83 percent of businesses surveyed experienced at least one bot attack within the past year, resulting in increased operational expenses and a loss of revenue.
Of the 83 percent of companies that had experienced a bot attack, 77 percent of them lost six percent of their revenue or more, with 39 percent reporting a revenue loss greater than 10 percent. And this financial impact was for companies that had already purchased a dedicated anti-bot solution – imagine how much larger it would be for those who haven’t!
Bot attacks have plagued traditional financial services for years, including banks, brokerages, and insurance. With the rise of decentralized finance, it was inevitable that bots would have an impact on cryptocurrencies, public blockchains, NFTs, and other tokenized assets.
Recently, we have noticed that hackers are using malicious bots to manipulate blockchain-based digital assets, including non-fungible tokens (NFTs) and cryptocurrencies. Below, we will look into the use of NFT bots and how we can stop them.
What are scalper bots?
Scalper bots, also known as scalping bots, have traditionally utilized automated methods to purchase in-demand products, such as games consoles, graphics cards, luxury apparel, or event tickets, in bulk, and can complete the checkout process in a fraction of the time that a legitimate user can.
Scalper bots will use automated software so they can get to the front of the queue and buy thousands of products from the moment they go on sale. This is something a lot of people have come to know and expect when buying tickets or sneakers online. However, we have now seen this extend to other areas, such as NFT drops for limited edition digital collectibles.
What is an NFT and why are these trades ideal for using bots?
Before we delve deeper into NFT bots, it is important to understand what an NFT is and why these trades are ideal for bot operators.
NFT stands for a non-fungible token, with “non-fungible” meaning that it is unique and cannot be replaced with something else. For instance, “fungible” can be used to describe Bitcoin, as you can trade one Bitcoin for another, and you will end up with the same thing. However, a one-of-a-kind trading card is not fungible. If you trade it for another card, you will end up with something completely different.
How do NFTs work?
At a very high level, most NFTs are part of the Ethereum blockchain. Similar to Dogecoin or Bitcoin, Ethereum is a cryptocurrency. However, it is also a blockchain and it supports these NFTs, which store additional information through programmable “smart contracts” so they work in a different manner to, say, the purchase and sale of an ETH coin itself.
It is also worth pointing out that different blockchains can implement their own versions of NFTs, and some have already done so. Other blockchains present new opportunities to improve upon transaction speed, scale, and fees (gas or otherwise).
Why NFTs are a target for bots
An NFT’s value is determined by what someone else is willing to pay for it. The NFT market value has grown quickly throughout 2021 as the current market capitalization for NFTs exceeds $14 billion.
NFTs tend to be minted and then sold via auction on marketplaces like Rarible and Open Sea, and there are even some of the more conventional auctioneers that hold NFT auctions today, such as Christies and Sotheby’s.
Bots are regularly used during online auctions, especially sniper bots, which will place a winning bid at the latest possible moment of the auction to increase the chances of winning an item at the lowest price.
However, there are some other ways that NFT bots are being used to manipulate NFT auctions, such as an NFT drop before an NFT is auctioned, as we will discuss in more depth.
Types of NFTs bots used to manipulate markets
- We are certain you will know about the scalper bots that were utilized to grab all of the PS5s for resale, and also those that are used whenever a new pair of hype sneakers comes onto the market. Well, NFT bots work in an identical manner. Scalper bots are also commonly referred to as “sneaker bots” or “grinch bots” – they are pretty much the same thing.
- A spinner bot adds an item to their shopping basket simply to make the item unavailable to other customers. This causes denial of inventory, which prevents customers from buying the item from the website, forcing them to look into the secondary market instead.]
- The spinner bot operator will simultaneously advertise the product on the secondary market, only completing the initial purchase once the item has already been sold to another customer.
- Should no purchaser be found, the shopping carts that hold the unsold products are abandoned, making it a no-lose situation for the spinner bot operator.
- Bid spoofing bots are very similar to spinner and scalper bots in the sense that they are programmed to place a huge number of bids across the NFT marketplace, typically at a rate below the asking price for every token.
- Once the bid has been accepted, it cancels the bot, which causes the NFT value to be driven down once it is relisted. This is the perfect chance for the bot operator to jump in and bid at an amount less than the initial asking price for the NFT.
- It is difficult to know just how much money can be accumulated via this approach. Nevertheless, because it costs money to cancel the bed, the ned outfit is sufficient enough to make sure the investment is worth the money and time put in.
Time Magazine’s NFT launch fell apart due to scalper bots
To see how NFT bots are manipulating markets, we only need to look at the NFT launch at Time Magazine. This was scheduled for September 2021, and the event fell apart, as scalper bots snatched up the collectibles, causing Ethereum “gas” fees to increase for the full network.
Called TimePieces, the 4,676 NFTs were each tied to a unique digital art piece and came with a subscription for the Time Magazine website. Each TimePiece would be sold at approximately $310 in ETH, working on a first-come, first-serve basis, yet you could only purchase 10 NFTs at the most. This limit was established to try and prevent mass buying from scalping bots.
However, this attempt failed miserably, all of the NFTs were bought in a matter of minutes, and unlucky prospective purchasers went to Twitter to complain about scalper bots. After the full supply had been snapped up, it only took a few hours for the prices on the secondary market to skyrocket. In fact, the lowest available price was $9,500, representing a massive 30 times markup in comparison to the initial price.
As the ethereum blockchain enables bidders to pay extra fees to get to the front of the line, virtually all of the successful purchasers in the minute-long sale period paid massive fees, typically well in excess of the original $310 price. In fact, there was one high-roller who purchased ten TimePieces for approximately $3,000, yet paid more than $60,000 in line-cutting and transaction fees.
The huge sale also had a massive impact on the entire ethereum network, with gas fees increasing by as much as six times their price on the morning of the sale. Fees were heightened for around an hour, and then they fell while the bottleneck cleared.
The President of Time, Keith Grossman, stated that the incident was a massive lesson for everyone. We would certainly agree, and it shows that there is a lot to learn when it comes to NFTs and bot mitigation.
You need to keep bots at bay during NFT launches
As is the case with virtually all items with a high resale value, such as limited release products, tickets, and sneakers, new NFT drops are prone to be targeted by bots.
Bots can cause a whole host of trouble during product releases, as the Time example above demonstrates. From orchestrating brute force attacks to taking NFTs out of real customers’ hands, bots can end up causing huge frustration and bring down your website.
If bots are allowed to snatch your products, your real customers will grow tired and frustrated. Plus, there is the risk that your product release is going to be ruined by crashing your customers’ point of access. Plus, the cost necessary to scale and serve requests to fake traffic has an impact on operating profits. Many people greatly underestimate the true financial impact of bad bot traffic.
Therefore, investing in bot mitigation measures to ensure that your site is fast and reliable while investing in the least amount of infrastructure to scale for peak, is a crucial aspect of planning during any NFT product launch.
How can manipulation by bots be prevented?
Unfortunately, there is no magic formula when it comes to preventing manipulation bots. It is challenging for marketplaces to identify this activity if there is not a pattern of bad reputation from the buyer. This is only made worse because bots are getting increasingly better at disguising themselves as humans, ensuring they fly under the radar of detection.
This is why it is important to use a modern bot detection and mitigation solution that doesn’t rely on antiquated methods that rely on assigning risk scores while searching for bad behavior. Bots use techniques like hiding behind residential proxies, CAPTCHA bypass, and script recorders that emulate human behaviors to avoid being blocked or caught out. For instance, their bots operate “low and slow” by using many IP addresses at low request rates to prevent detection, as thousands of requests from the same source would be easy to identify as a bot attack.
Kasada provides advanced bot mitigation with invisible client-side interrogation to detect immutable evidence of malicious automation whenever a bot interacts with an application. This means you can adapt to new attacks within a matter of seconds. Actionable insights give you the ability to view, drill down, and assess all elements of your traffic, including bad bots, good bots, and humans. Kasada also gives you the ability to strike back by making bot attacks too CPU intensive to conduct and take away the fundamental driver that motivates bot operators – their ability to make a profit.
Long-term efficacy is critical when finding a bot mitigation solution
In our recent 2021 State of Bot Mitigation Survey, we conducted in-depth research from the perspective of businesses and organizations already using anti-bot solutions. We were able to find that even though some companies are using mitigation solutions in an attempt to protect themselves from the likes of NFT bots, they are not using them effectively.
In fact, 85 percent of organizations have stated that their bot mitigation solution became ineffective within 12 months after initial deployment. This is why it is important to consider long-term efficacy as part of the buying decision.
Bots are getting more sophisticated and it is critical that we have solutions in place that can deal with this. The research has shown that the majority of businesses are not prepared to protect against the bot landscape, which is evolving all of the time. Only 31 percent of business owners surveyed feel confident in their ability to detect new bots, which is worrying.
If you are planning any sort of NFT product launch in the near future or releasing any products in limited supply, you need to make sure you have an effective approach in place to deal with this threat. Otherwise, it could spell disaster for your business.
While organizations recognize the need to defend against these bad bots, most of them are using bot mitigation solutions that are not effective. As the NFT bot attacks mentioned above show, a lot has changed in the bot ecosystem within the past couple of years. This is why you need a proactive approach that adapts constantly alongside attacks. This is something we can help you with here at Kasada.
Final words on NFT bots
So there you have it: a primer on bots and the damage they can cause from the moment an NFT drops on an exchange, to long-term price manipulation. Profit seekers are increasingly using malicious bots for the purpose of skewing the prices of blockchain-based financial assets, such as non-fungible tokens (NFTs) and cryptocurrencies. We need to take this seriously and put advanced bot mitigation methods in place to help further legitimize the industry.
If you would like to know more about our bot mitigation software and how it can help your business in the battle against NFT bots and scalper bots, please do not hesitate to get in touch with our friendly and experienced team today for more information. You can test your website today to see whether or not you’re effectively catching bots. We’ll give you a full analysis of your website. Or, if you have any questions, simply use the contact form on our website or you can send an email to email@example.com and we will get back to you as soon as possible.
FAQs about scalping and NFT bots
We often receive a lot of questions about NFT bots and scalping in general, so we have put together this final section to give you a better understanding:
How can you monitor your site for the presence of an NFT bot or scalper bot?
The most effective way of monitoring your website for an NFT bot or scalper bot is to use bot mitigation software. This will give you a clear and effective picture of who recently visited your website and what actions were taken while on your website, including the time spent on each page. Make sure your anti-bot provider reports human, bad bot and good bot traffic. A summary only showing what has been blocked is insufficient.
Who makes scalper bots?
Scalper bots, including NFT bots, are created by a number of different independent builders who have determined that there is a need in the market for online scalping software, and they have created a program to fill that role. Many of the sneaker bot developers have shifted to NFTs due to the massive markups that exist on exchanges. As scalper bots are currently legal (aside from ticketing), developers can create them without any repercussions or concerns.
How are scalper bots built?
The majority of scalper bots are typically coded in PHP, Python, and other software languages. They run on several different operating systems, which means they can be adapted to work around the application security of different devices, including both desktop computers and mobile devices.
Is there any way to see if my company has been attacked by a bot?
The best way for you to figure out whether a scalper bot has targeted your company is to utilize an architecture that combines both client and server-side bot mitigation software. This will enable you to discover who (human, bad bot, good bot) has recently visited your site, and what they did while they were on your site, as well as the time spent on every page of the website. You can also submit a free test to show you the types of bot threats that your website can detect.