
The Evolution & Ecosystem of Sneaker Bots in 2021

Sneaker bots are easier to build, buy, and deploy. What does their evolution mean for eCommerce businesses?

If you’re an eCommerce company or online provider, chances are you’re battling an enemy known as sneaker bots — which includes an army of people behind them. Automation enables collectors, resellers, and DIYers to scoop up inventory of limited edition footwear faster and in larger quantities than is humanly possible to fuel a sizzling resale market.


Sneakers have become an asset class similar to stocks and cryptocurrency, as they can be quite lucrative, and they trade on a variety of reseller platforms. A Piper Sandler spotlight on StockX estimates the sneaker resale market is worth $10 billion in 2021 in the U.S. alone.

But bots aren’t just for scoring sneakers for resale. When paired with proxies and user agents to make them appear as authentic consumers, sneaker bots can be used to scoop up other in-demand merchandise and services, such as gaming systems, concert tickets, consumer electronics, luxury apparel, hotel rooms, and even vaccines. Any time where demand exceeds supply — and where there’s a profit to be made — you will find bots behind the scenes, as we witnessed with the PS5 and hand sanitizer online sales over the past year.

Sneaker bots are also known to hoard inventory in online shopping carts without checking out, which is an OWASP automated threat known as denial of inventory. This is usually conducted so retailers appear to be sold out of an item, forcing consumers to go to a reseller to find what they’re looking for and pay 2-5x the retail price. Due to the mature ecosystem, sneaker bots are a growing problem for online organizations. Last year, bots accounted for at least 20% of traffic to eCommerce sites, but when it comes to new sneaker drops, that percentage soars to 99% in some cases.

While sneaker botting may be unfair, it’s completely legal. At the same time, it can be considered to be an automated attack that creates frustrated shoppers and retailers alike. As a result, bots are often in violation of eCommerce providers’ terms of service. To combat sneaker bots, retailers are resorting to lotteries and waiting rooms, where shoppers have to take a number in order to complete a purchase or registration. But even waiting rooms and ticket numbers can be exploited at scale. What appears to be multiple legitimate customers signing up all at once are really bots, more often than not.

Sneaker Bot Slang

  • Kicks: Sneakers
  • Sneakerheads: Sneaker aficionados
  • Cop: Purchase kicks
  • Drop: New limited edition release
  • Cook Group: Online community for sneakerheads looking to cop limited edition items

Who Uses Sneaker Bots?

We typically see three types of end-users in this mature ecosystem:

  • Collectors simply want to beat the competition and win their coveted pair of kicks for themselves at any cost.
  • Resellers want to snag as much quantity as possible and jack up the resale prices for a quick profit with built-in demand. They may be reselling on auction sites or through their own online shop.
  • DIYers are attracted to the potential to make money through the use of cheap bots and plugins. They join online communities and Cook groups for advice and purchase bots-as-a-service to grab inventory.

Lots of Bots to Choose From

There is a lucrative market for sneaker bots. In fact, bots and bots-as-a-service are marketed just like other SaaS software, with sites promoting different pricing tiers and levels of service. Today, sneaker bots can be accessed for free or purchased for as little as $10, yet some of the most sophisticated sneaker bots can be as much as tens of thousands of dollars.

We’ve highlighted some of the most popular types of sneaker bots in the infographic below:

[Infographic: Democratization of Sneaker Bots]

Let’s take a look at the various types of sneaker bots:

All-in-One (AIO) Bots: To target more than one site, operators deploy all-in-one bots, which pretty much automate the entire purchase. For example, AIO bots can seek out new inventory, add it to the cart, and check out, all in less than 0.2 seconds. Real shoppers simply cannot compete.

Not only can they make automated buys, but they can also keep up with updates to shopping cart procedures in order to work around bot detection and mitigation solutions. These bots work around the clock, shopping all over the world to score kicks and other in-demand merchandise. There are lots of AIO bots to choose from, such as Prism AIO, Torpedo AIO, geographic-specific AIO bots such as EU-focused Burst AIO, as well as many, many others.

Monitor Bots: Built specifically to scan and scrape sites for new releases, pricing, and stock availability, then send an alert with the relevant information to their operators and to other bots, such as AIO bots. A subset of this type is known as a Footprinting bot, which probes for online inventory that is not public yet, scoring stock a human being could never find before its release.

Specialized Bots: Some sneaker bots are optimized for a single brand, the most popular being Nike, Supreme, and Adidas Bots (for that elusive Yeezy edition). Like AIO bots, these specialized bots continuously update their approach to work around detection. There are also bots designed to work with specific eCommerce platforms such as Demandware or Shopify, which host dozens of sneaker websites, as well as Footsites bots that target four popular sneaker websites (Footlocker, EastBay, ChampsSports, and Footaction).

Regardless of which kind of bot operators choose, they’re all relatively easy to use. Typically operators enter their name, mailing address, and credit card information in the bot UI and then tell the bot what to purchase, either by directing it to a specific URL or by providing product details. This kind of sneaker-related retail information is shared in Cook groups, making it easy for newbies to navigate and use the services very quickly.

Not Just Different Types of Bots, But An Entire Ecosystem

What started out as fairly simple tools has now become an entire supply chain of automated services. For example, bots can easily solve CAPTCHAs using inexpensive farming services like 2CAPTCHA — and because of that, CAPTCHAs are not effective at stopping bots. Bots can also pose as real consumers through the use of proxy services that use residential IP addresses.

Where Do Operators Get Their Bots?

Open Source for DIYers: With active online communities (Cook Groups) and other support groups and tools (think GitHub repositories, scripts, stealth plugins, and proxy networks), the web offers everything anyone needs to get started. For example, browser automation frameworks such as Puppeteer and Playwright, built for testing websites, have proven their effectiveness for sophisticated botting when in the wrong hands.

Browser Extensions: By purchasing a bot and installing a Chrome extension, it’s relatively straightforward to start botting. While this approach isn’t as comprehensive in terms of coverage, it poses a very low barrier to entry and serves as a gateway for pretty much anyone to get into botting.

Bots-as-a-Service: For operators who aren’t DIYers, there’s always the ability to rent sophisticated bots as a service — to get the same benefits as purchasing a bot without needing a great deal of technical knowledge.

Bot Marketplaces: For operators who want a wide supply of bots to choose from, marketplaces such as Bot Mart and BotBroker (among others), have emerged to meet demand.

Developer Websites and Social Media Pages: There are many bots-for-sale websites, but developers deliberately limit the availability of stock to help boost prices (like diamonds!). And bots are so popular that they often run out of stock.

Resellers: Ironically there is a healthy resale market for the bots themselves, which can sell for hundreds — or in some cases thousands of dollars.

By using a residential proxy service, bot operators look like they come from unique IP addresses and look like multiple customers (and are therefore less likely to be blacklisted). But there are many other tricks bot operators are playing to make their requests look as legitimate as possible.

The following are various types of services for sale:

  • Aged Gmail accounts – unused email accounts for sale with a history of activity used to create accounts with retail sites, bypass CAPTCHAs, and conduct business in general.
  • Virtual credit cards – so bot operators don’t get timed out or canceled by using the same card for multiple purchases.
  • Credit card jigging – to make one shipping address look like multiple addresses, so the retail sites believe that the “consumer” is legitimate and has not received more than a single pair.
  • Script recording – to fool bot detection engines with what looks like human gestures such as clicking and page scrolling.

The end result? Not only do the IP requests look like real customers, but they also act like real customers. In addition, successful operators typically use servers to speed up their botting. Cook groups take advantage of community forums to keep up with bot updates.

All of these elements work together to comprise the bot ecosystem that makes sneaker botting so effective.

A Growing Problem with Big Impacts for Customers and Online Businesses

So what’s the impact of sneaker bots on eCommerce, retailers, and online providers?

There are several ways that sneaker bots negatively affect the customer experience, which in turn has detrimental consequences for businesses’ bottom line:

  • Damaged brand reputation. Bots scooping up all your inventory (or even just making it look that way through inventory hoarding) hurts your customer experience. Bots shut them out of sneaker drops and other high-demand items, causing frustration and influencing their perception of your site as unable to meet their needs. That means that not only will they look elsewhere for their immediate wants, but also in the future, keen to avoid another disappointment.
  • Loss of revenue. Because bots scoop up your inventory, you don’t get to create new customers (and possibly evangelists) or service customers with whom you already have a relationship, impacting their loyalty to your site and your ability to establish consumer preference. That impact unfortunately has long-term consequences of potentially siphoning off revenue in the future. Even though you’ve made money by selling your sneaker supply to bot operators, they have no brand loyalty to your site and won’t be coming back to make add-on purchases or browsing for additional merchandise. They won’t be recommending your online store to their friends or socializing their new kicks they purchased from your store, as real consumers would. That means you have to work harder to attract authentic consumers and likely have to spend more money doing so.
  • Increased infrastructure costs. If you’re dealing with automated traffic to your site, you’re likely paying for bandwidth and infrastructure costs (and the human resources to support them) that aren’t necessary. Scanner and monitoring bots create enormous traffic spikes, often 10-100x of normal operations, unnecessarily costing you money.
  • Slow site speed. Bad bot traffic slows down your site, introducing latency, which drives consumers crazy, causing them to abandon your site and decreasing authentic conversions.
  • Skewed web metrics. Fake bot traffic skews analytics, making it hard to understand how real consumers are behaving on the site, so you’re unable to accurately optimize for conversions.
  • Poor conversion rates. If you’re not keeping bots out of the login or checkout process, you end up introducing friction to the shopping experience for legitimate consumers, which significantly reduces conversion rates.

Beating the Bots at their Own Game

While sneaker bots are relatively easy to use, they are becoming much more advanced, and therefore, increasingly difficult to catch and stop. Traditional approaches to bot mitigation fall short, as they rely on rules, heuristics, or risk scoring which aren’t able to detect bots before they do their damage. That’s because these approaches let bots in so they can identify them; however, bots are able to look and act like they are authentic people, and therefore they can evade detection. It’s like a wolf dressing in sheep’s clothing to infiltrate the herd sneakily but successfully.

What’s needed to fight sneaker bots is a modern anti-bot solution that stops bots from even getting into an eCommerce company’s infrastructure in the first place and makes it financially unviable for them to operate. But how?

  • For starters, we believe the best approach is an architectural one that relies on zero trust. This no-rules approach can stop bots without having to inspect behavior or device and network attributes, including those never seen before.
  • Second, removing the economic incentive at the heart of the sneaker bot model does wonders to stop them cold. This can be accomplished through an asymmetric cryptographic proof-of-work challenge that exhausts the compute resources of automated attacks, wrecking their ROI and making it too costly to continue.
  • Lastly, because bots are constantly updated, another way to strike back is to make it difficult for bot operators to retool and reverse-engineer defenses or even to build new bots that can bypass detection. This can be done through proprietary obfuscation as opposed to open-source tools, such as using polymorphic techniques that change dynamically, frustrating operators.
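The second approach above hinges on cost asymmetry: solving the challenge must be expensive for the client while checking it stays cheap for the server. The following hashcash-style sketch is an added illustration written for this post, not Kasada’s own challenge mechanism; the key, message layout and difficulty values are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Hypothetical server-side key; in practice it comes from a secrets manager.
SERVER_KEY = os.urandom(32)


def issue_challenge(difficulty_bits: int, ttl_s: int = 60) -> dict:
    """Mint a challenge; the HMAC tag stops clients from lowering the difficulty."""
    nonce = secrets.token_hex(16)
    expires = int(time.time()) + ttl_s
    msg = f"{nonce}:{difficulty_bits}:{expires}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "difficulty": difficulty_bits, "expires": expires, "tag": tag}


def _leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve_challenge(ch: dict) -> int:
    """Client-side cost: brute-force a counter; expected work is about 2**difficulty hashes."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= ch["difficulty"]:
            return counter
        counter += 1


def verify_solution(ch: dict, counter: int, now: Optional[float] = None) -> bool:
    """Server-side cost: one HMAC and one hash, whatever the difficulty."""
    now = time.time() if now is None else now
    msg = f"{ch['nonce']}:{ch['difficulty']}:{ch['expires']}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ch["tag"]):
        return False  # challenge fields were tampered with
    if now > ch["expires"]:
        return False  # stale solution being replayed
    digest = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
    return _leading_zero_bits(digest) >= ch["difficulty"]
```

Raising the difficulty by one bit doubles the solver's expected work but leaves verification cost unchanged, which is what lets a site price automation out of a drop without penalising a single human checkout.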

The bottom line is that when it comes to automated technology like sneaker bots, the only way to fight them is also through automated technology, and these three approaches together help beat bots at their own game.

How Kasada Can Help Deter Sneaker Bots

To address the evolving sophistication of bots, Kasada recently upgraded its award-winning bot management platform to provide real-time defense against advanced bots not caught by other methods. These improvements include:

  • 1500% increase in the number of client interrogation sensors to detect even the stealthiest automation, without having to let requests into infrastructure
  • New obfuscation techniques that make it frustrating and expensive for attackers to retool
  • An enhanced cryptographic challenge that destroys the ROI of bot operators

Kasada works with global retail providers to help secure billions of dollars of eCommerce transactions every month. In the example below, monitor bots, disguised by using residential proxy networks, scan for inventory availability at a rate of 4 bots for every legitimate shopper. Once coveted inventory is identified, sneaker bots immediately attempt (and fail) to purchase it at a scale of 6x traffic compared to pre-drop levels. Inventory is depleted in approximately 30 minutes, while bots are prevented from giving an unfair advantage to those wishing to make a purchase. Monitor bots then resume their work looking for new in-demand inventory.

[Chart: Sneaker bots customer example, 2021]

With sneaker bots on the rise, eCommerce businesses must defend their operations against malicious automation. To learn more about these various types of bots and what you can do about this increasing problem, join our webinar, “How the Democratization of Sneaker Bots Is Tying Up the Entire eCommerce Industry” with Aite Group.


*** This is a Security Bloggers Network syndicated blog from Kasada authored by Kasada. Read the original post at: https://www.kasada.io/sneaker-bots-evolution-ecosystem/