Picture this: you run a high-traffic eCommerce store, and you’re about to drop a limited edition item that you spent months creating hype for.

You invested thousands into paid advertising and you’re confident that you’ll sell out in minutes. But when the countdown timer hits zero and the sale goes live, all of your inventory is instantly scooped up by a handful of customers who seem to have an unfair advantage. Your loyal customers who waited hours for your sale are left with an empty cart and a wave of disappointment.

“How is this possible?” you ask. Well, if you ask us, sneaker bots, are likely the culprit.

What are Sneaker Bots?

Sneaker bots are computer programs that are designed to automate the process of buying limited-edition items from online retailers. Users often combine sneaker bots with proxies to disguise their bot software as legitimate customers. This allows them to buy large quantities of items without being detected or blocked by the retailer.

Some sneaker bots are so sophisticated that they can even mimic human behavior, making them more difficult to detect. For example, they may add items to their cart and then abandon them, or browse the site for a long time before making a purchase.

Bots can complete transactions much faster than a human can. As a result, they can buy up all of the inventory before regular customers even have a chance to click “add to cart.”

The Bot Controversy

Sneaker bots are wildly popular in 2022, but they are also shrouded by controversy. We believe these bots give an unfair advantage to those who use them because they block regular customers from purchasing the items they want.

Sneakerheads, fashionistas, and resellers love bots because they help them snag limited-edition items that sell out within minutes. But we think this creates an elitist system in which only those with the resources to buy expensive bots can get their hands on the latest trends.

What’s even more concerning is that some bots are designed to commit fraud. For example, they may add items to their cart and then cancel the order before it’s processed. This allows them to scoop up inventory without actually paying for it.

Fraudulent bots can also be used to buy gift cards with stolen credit card information and then use those cards to make purchases. This can result in massive financial losses for retailers.

So, Are Sneaker Bots Illegal?

No, sneaker bots do not break the law. However, if you use a sneaker bot, it may violate the terms and conditions of the site you are purchasing from.

For example, Yeezy’s terms and conditions state that:

“You agree that you will not use any robot, spider, scraper, or other automated means to access the website for any purpose without our express written permission.”

Many other retailers have similar terms and conditions that prohibit the use of bots. So, if you’re thinking about using a sneaker bot, make sure you read the fine print first.

Unfortunately, terms and conditions often do not do much to stop bots from taking advantage of retailers. In fact, one Twitter user claimed they used an automated software called Trickle Bot to purchase 1,132 pairs of Yeezys on Yeezy Day in 2021.

While it’s impossible to know for sure if this user is telling the truth, their story highlights how difficult it is for retailers to stop bot users.

How Sneaker Bots Have Evolved Over Time

As retailers get better at detecting and blocking bots, bot developers find new ways to disguise their software. Sneaker bots became more sophisticated as time went on.

They began to mimic human behavior, making them harder for retailers to detect. Today, there are even AI-powered bots that can learn and adapt to different situations.

Then and Now

In the first sneaker bot attacks, scrapers and bots were separate tools. The scraper collected the information, and the bot completed the necessary actions.

Companies were unaware of the sneaker bot problem at the time, so attackers could make tons of requests from the same IP address without getting flagged or blocked. This was the golden age for sneaker botters.

However, companies eventually realized they were losing out on sales because of bots, and they began to take action. They started rate-limiting the number of requests that could be made from a single IP address.

Attackers responded by making their bots more intelligent. They began using proxy servers to make requests from multiple IP addresses. They also became better at solving CAPTCHA challenges.

In response, companies like Adidas began using bot detection software to identify and block suspicious activity. They also began monitoring the behavior of users on their site and blocking those who were behaving in a way that looked like they were using a bot.

Despite these efforts, bots have continued to evolve and become more sophisticated. The most recent generation of bots is powered by artificial intelligence (AI) and can mimic human behavior more effectively than ever before.

Sneaker Bots Aren’t Just for Shoes, Either.

While the term “sneaker bot” might bring to mind images of people waiting in line for the latest release, these bots can be used for more than just buying shoes.

People can use bots to buy tickets to concerts, sporting events, and even festivals like Burning Man. They can also be used to buy limited edition products from brands like Supreme.

The use of bots is not limited to illegal or unethical activities. Although the use of sneaker bots is controversial (and unethical in our opinion), many companies use good bots to automate tasks like customer service, marketing, and sales.

Bots can be used for good or bad—it all depends on the intention of the operator.

Types of Sneaker Bots

Like shoes themselves, sneaker bots come in many different forms. Here’s a closer look at the main types of sneaker bots you may encounter online:

Monitor Bots

Monitor bots are simple scripts that run in the background of your computer. They’re designed to monitor a website for new releases and then send you a notification as soon as the shoes go on sale. These bots can communicate with other software, such as AIO sneaker bots. Most monitor bots are free to use, but they can be unreliable and often miss important releases.

Chrome Extensions

Yes, these are like the Google Chrome extensions you already use, except they are sneaker bots. These are not as sophisticated as other bots, but they are like the “gateway” into other forms of sneaker bots. They are easy to install and even easier to use.

Specialized Bots

Specialized bots are much more powerful than monitor bots and chrome extensions. They’re designed to automate the entire checkout process, from adding shoes to your cart to entering your shipping information. They actively update their code so they can bypass any new security measures put in place by retailers. Many of these bots are available for purchase, but they can be very expensive—some cost over $1,000.

AIO Bots

All-in-one bots, or AIO Bots, are the most powerful sneaker bots on the market. As the name suggests, they’re designed to automate the entire sneaker-buying process, from finding shoes to purchasing them. AIO bots are also expensive, but they’re the most likely to help you get your hands on the shoes you want. Your CAPTCHA is not stopping an AIO bot.

Open Source

Open source bots are sneaker bots that anyone can download and use for free. While these bots can be a great way to save money, they’re often not as effective as paid bots.

Bots as a Service (BaaS)

Bots as a service, or BaaS, is a new type of sneaker bot that’s becoming increasingly popular. With BaaS, you don’t need to download or install anything—you simply pay a monthly fee and use the bot in your web browser. This type of bot is often more reliable than free bots, but it’s also more expensive.

How Sneaker Bots Work

Want to know how those pesky sneaker bots always seem to get their hands on the latest shoes? It’s all thanks to automation.

Sneaker bots are designed to automate the entire sneaker-buying process, from finding shoes to purchasing them. By automating this process, they’re able to buy shoes much faster than humans can.

Let’s take a look at some of the most common methods sneaker bots use to purchase items at lightning speed and profit off them:

Scraping

Scraping is the process of extracting data from a website. Sneaker bots use scraping to gather information about upcoming releases, such as the date and time of the release, the product’s SKU number, and the retail price. Using this information, they can add the shoes to their cart as soon as they’re available.

Scalping

Scalping is the practice of buying products and then reselling them at a higher price. Sneaker bots are often used to buy shoes in bulk, which are then sold to other people at a markup. This can be a profitable business, but it’s also illegal in many places.

Checkout Automation

Once a bot has found the shoes it wants to purchase, it will automate the checkout process. This means that it will enter your shipping information and payment details for you. Sophisticated bots can complete checkout actions at a large scale on multiple different websites.

Denial of Inventory

One of the most common ways sneaker bots are used is to deny inventory from other shoppers. The bot adds a large number of products to its cart and then never completes the purchase. This leaves the items in the bot’s cart, which prevents other shoppers from buying them. Sneakerheads will then go to resale sites and pay more for the coveted item just because they couldn’t purchase it on the original retailer’s site.

Footprinting

Footprinting is a method used by sneaker bots to avoid detection. Essentially, the bot will create a “footprint” on the website that looks like a real person’s. To do this, it will use things like a fake IP address and browser fingerprinting. By creating a footprint that looks like a real person, the bot can avoid being detected and banned by retailers.

Mass Account Creation

Some sneaker bots are designed to create mass accounts. This means that they’ll create hundreds or even thousands of fake accounts on a website. They’ll then use these accounts to purchase shoes as soon as they’re released. This method is often used in conjunction with other methods, such as checkout automation and footprinting.

Brute Force

One of the most popular methods for buying shoes is the “brute force” method. With this method, bots simply bombard a website with requests until they’re able to successfully purchase a pair of shoes.

This method is effective, but it’s also very aggressive and often results in websites crashing. As you can imagine, retailers are not fans of this method.

Proxy Servers

Proxy servers act as a middleman between the bot and the website. By using a proxy server, bots can make multiple requests from different IP addresses, making it harder for retailers to block them. Proxies help sneaker bots score the coveted shoes.

CAPTCHA Solving

CAPTCHA solving is a method used by bots to bypass security features on a website. CAPTCHAs are those annoying little puzzles you have to solve before you can continue.

They are meant to be difficult for bots to solve, but many sneaker bots are equipped with algorithms or the ability to farm out the task of solving them to a CAPTCHA farm allowing them to solve CAPTCHAS quickly and efficiently.

CAPTCHAs are ineffective at stopping bots, and they also kill conversion rates by annoying real users.

Cashing Out

Once a bot has successfully purchased a pair of shoes, it will “cash out.” This means that it will sell the shoes to another person at a higher price. This is how bot managers make a profit off of their sneaker bots.

There are a few different ways to cash out, but the most common is to use a resale website. Resale websites are designed for people to buy and sell products, making them the perfect place to sell sneakers.

Bots purchase items on the original retailer’s site and then list them on the resale sites at a much higher price. For the operator, this is a nearly effortless way to earn some cash because they can sit back and let the bot do all the work.

Common resale websites include StockX, GOAT, and Stadium Goods.

Why Sneaker Bots are Difficult to Detect and Stop

Now that you know how sneaker bots work, you’re probably wondering why they’re so difficult to detect and stop. Here are a few reasons:

Constant Updates

As we mentioned, sneaker bots evolve so they can stay one step ahead of the latest security technology. They’re always being updated with new features and capabilities, making them difficult to detect.

Too Many Bots

There are millions of sneaker bots in operation today. It’s impossible for retailers to keep track of all of them and block them all. There are simply too many of them.

Proxy Servers

As we mentioned, proxy servers act as a middleman between the bot and the website. This makes it difficult for retailers to identify the source of the requests and block them.

Impact to Online Businesses

While sneaker bot operators might argue that their software is harmless, the truth is it can be detrimental to eCommerce companies. These bots are on a mission to purchase as many shoes as possible, and they often do so at the expense of human shoppers.

Here’s a closer look at the grave effects of sneaker bots on online businesses:

Lost Revenue

When bots purchase items in large quantities, it can deprive regular customers of the chance to buy those items.

You might be wondering why the company should care whether a bot or an actual human is making the purchase. After all, they’re still making a sale, right?

Yes, but a bot is a piece of software that does not have an ongoing relationship with the brand. Therefore, a bot will not be a repeat customer, whereas the fan who didn’t get a chance to buy the shoes may get discouraged and decide not to purchase from the company again. In other words, bots can cost companies repeat business.

It’s also important to remember that most people who buy from bots do so with the intention of reselling the items at a higher price. So not only does the company lose out on a potential repeat customer, but they also miss out on the full purchase price of the item.

This lost revenue can add up quickly, especially for companies that sell high-end items that are popular among bot operators.

Unhappy Customers

When bots purchase items in large quantities, it can deprive regular customers of the chance to buy those items. This can lead to frustration and even anger among customers who feel like they’ve been cheated out of an opportunity to buy a product they really wanted.

This frustration can damage the relationship between the customer and the company. In some cases, it may even lead the customer to take their business elsewhere.

Reputational Damage

Bots are a problem. There are no two ways about it. And when companies are unable to stop them from operating on their site, it can damage their reputation.

Customers may lose faith in the company’s ability to protect their personal information and transaction data. They may also question the company’s commitment to providing a level playing field for all shoppers.

When a company’s bot problem hits the press, that type of negative publicity can be difficult to recover from.

Website Crashes

When bots make a large number of requests to a website all at once, it can overwhelm the site and cause it to crash. This is problematic for companies that rely heavily on online sales. A website crash can result in lost sales, frustrated customers, and utter chaos—especially if the downtime occurs during a big launch.

Sneaker Bots Use Case

Curious to know how these bots operate? Let’s take a look inside an AIO sneaker bot attack.

Here’s a scenario:

In the days leading up to the launch of the hottest new sneaker, attackers plan their roadmap. They communicate with one another via online forums and chatrooms, sharing information about the release and discussing their plans.

You know the saying, “Two heads are better than one?” Well, imagine thousands of sneaky attackers coming together to share strategies, insights, and observations into the structure of the target site.

Then, the testing begins. The attackers send a small amount of bot traffic to the target site to test its defenses. This testing phase is crucial because it helps attackers figure out how to bypass the security system the site operator has in place. Unfortunately, it is difficult to detect and block bot traffic during the testing phase. It’s nearly impossible to prevent attackers from testing their bots prior to a launch.

Fast forward to launch day. The attacker is using an AIO bot to purchase a pair of shoes. The bot starts by making a request to the website. Then, it uses a web crawler to gather information about the shoes it wants to purchase.

Next, the bot will add the shoes to its virtual shopping cart and proceed to the checkout page. At this point, the bot will fill out the necessary form fields with fake information and use a credit card that has been created for the sole purpose of making these types of purchases.

Once the purchase is complete, the bot will move on to the next target. It will continue to do this until it has successfully purchased as many pairs of shoes as possible.

Think your online store can outsmart an AIO bot? We hope so, but don’t count your blessings just yet. AIO bots update whenever shopping cart processes change so they can stay one step ahead.

How Kasada Detects and Stops Sneaker Bots

There are three key ways Kasada reigns superior to other security solutions in protecting eCommerce businesses from sneaker bots:

The Zero Trust Approach

Traditional bot mitigation methods rely on rules, heuristics, and risk scoring to make decisions. But once bots have accessed a company’s eCommerce infrastructure, it’s already too late.

It’s impossible to stop sneaker bots once they’re already in. That’s why Kasada’s approach to bot detection focuses on zero trust, meaning we use strict verification measures for everyone, regardless of whether they’re a human or a bot.

Kasada’s platform creates an invisible layer between your website and internet traffic. We inspect every request and response to determine whether it’s coming from a human or a bot.

If we detect that a bad bot is trying to access your website, we stop it before it even has a chance to do any damage. Kasada secures billions of dollars in eCommerce transactions each month.

Removing the Economic Incentive for Attackers

We remove the economic incentive for attackers by ensuring that attacks cost more to run than they are worth.

Remember, bot operators are focused on using automation  to maximize their profit. If we can make attacks highly expensive, we’ll wreck the ROI of the bots and deter attackers in the future. We do this by using an asymmetric cryptographic proof-of-work challenge, forcing bots to expend massive computing resources without achieving their goal.

Putting an End to Reverse Engineering

Kasada’s platform also makes it incredibly difficult for bots to analyze your website’s defenses ahead of a big product launch.

This is because our platform uses polymorphic techniques that change and evolve constantly. Think of this as “moving the goalposts.”

We do this by constantly changing the parameters of our challenge, making it impossible for bots to adapt quickly enough. We also make sure that our challenge is different for every user, meaning that bots can’t learn from each other and share information.

Kasada Customer Success Story

Now that you know the ins and outs of sneaker bots, we’d like to share results from a real organization that benefited from using Kasada’s platform.

To protect the privacy of the company, we will not share the name, but we will share key details that help you understand the scope of the work we did for the organization.

Company Profile

The company is a publicly traded global manufacturer and distributor of footwear with sales in 80 countries. Its annual revenue is over $1 billion, and many of those sales come from the company’s eCommerce store.

The company’s senior security executives were constantly battling their bot problem, but the malicious activity peaked during flash sales and events with celebrities.

The security team was already testing several sophisticated methods to stop the bots, including various security solutions and custom coding. However, the results were minimal.

With bot-based spikes in traffic, server crashes, web scraping, and automated gift card number guessing, this company had a lot to deal with.

Then, Kasada came on board. In just a month, the company saw the ROI with Kasada, increasing flash sale traffic and eliminating malicious bots from their site.

The Results Kasada Provided

We worked closely with the company’s team to implement our cloud-based service. We integrated our solution with minimal changes to the infrastructure and no impact on user experience. It was a seamless implementation.

Kasada’s solution effectively managed flash sales with up to a 100x increase in web traffic. We completely eliminated the distributed denial of service (DDoS) issues the company was facing during flash sales.

With the Kasada dashboard, we offered the company valuable visibility into the bot mitigation and detection process as well as the performance of their eCommerce site. We also shared the information we gathered with the company’s fraud prevention team so they could take action against fraud-based attacks, such as attempts to use stolen credit card numbers.

After collecting information for several months, we pulled the data into monitoring tools and produced customized reports for the company.

Request a Demo

Kasada’s platform is constantly evolving to stay ahead of the latest bot trends. We’re always on the lookout for new ways to detect and block bots, so you can rest assured that your eCommerce store is safe from the latest attacks.

If you’re interested in seeing how Kasada can help your organization, request a demo.

Want to learn more?

  • Kasada’s Reflections on the Q3 2024 Forrester Wave™ – Bot Management Evaluation

    Kasada named a Strong Performer. Here are some of our own reflections having taken part in this evaluation.

  • Exposing the Credential Stuffing Ecosystem

    Through our infiltration of the credential stuffing ecosystem, we reveal how various individuals collaborate to execute attacks and expose vulnerabilities for profit.

Beat the bots without bothering your customers — see how.