Published: 24/09/2021

Sneaker Bot

A sneaker bot is a software application that automatically buys items on a retail website. The bots are capable of buying many items at the same time, which allows them to obtain all the desired products before anyone else can.

The term “sneaker bot” is used by sneaker collectors to refer to bots used to buy shoes by brands like Nike and adidas to later resell them for higher prices. This practice results in fewer pairs being available for customers not using sneaker bots.

How sneaker bots work

The bot scrapes the website for items that are about to be put on sale. It is programmed in such a way that it knows when an item will be available, what the price of the item is, how many units are for sale, etc.

As soon as an item appears on the website’s list, the bot starts buying it. It buys all items ahead of other buyers very quickly (it can buy hundreds within minutes).

Sneaker bot architecture

A sneaker bot has a variety of elements, including:

  • The bot itself
  • A proxy server
  • Proxy clients that provide IP addresses

Different types of sneaker bot

Sneaker bots usually comprise several distinct bots that carry out different functions as part of their attack:

Scraping bots

These bots monitor web pages for information such as pricing and inventory data, and when sneakers are available. They work 24/7, unlike humans.

Fake account creation bots

Bot operators use these to generate bulk accounts on retail sites, meaning more purchases can be made whilst bypassing “per customer” buying restrictions.

Account takeover bots

These bots attempt multiple logins with stolen credentials, either by stuffing usernames and passwords or cracking passwords to obtain more accounts or steal access codes for sales.

Scalping bots

Also known as resale bots, these bots fill shopping carts and check out with the desired items in quick succession.

Denial of inventory bots

These bots add sneakers to shopping carts without buying them, meaning others cannot get the sneakers, causing them to pay higher resale prices.

Cashing out bots

Used to validate stolen credit card information and purchase products secured by scalping or denial of inventory bots.

What sneaker bots are used for

Sneaker bots exist due to the high demand for limited products like Nike shoes. When only a small number of pairs become available, they can be resold at prices much higher than their market value because people would do anything to get them even if it means paying a lot of money.

How sneaker bots impact customers and online businesses

Here are several ways in which sneaker bots negatively impact customer experience as well as the bottom line of businesses:

  • Damaged brand reputation - Bots can hoard stock and prevent customers from getting it, so customers may get frustrated with the brand, ruining the brand image.
  • Loss of revenue - If customers are unable to buy stock, they may no longer shop with you, causing a loss of revenue in the future.
  • Loss of brand loyalty - Even if you make a profit from bots when they purchase your sneakers, bots won’t spread the news about your brand amongst friends and family. Therefore, your customer loyalty may be lost.
  • Slow website speed - Bot traffic can slow down site speed, frustrating customers and losing potential conversions.

Signs of a sneaker bot on your site

One of the most common signs of sneaker bot activity is an abnormal number of sales for a single item in a short time frame. A bot will make many purchases at once and it will be very noticeable if only one user is selling his whole stock within days (hours or even minutes).

This can also adversely affect site performance for your users, as the server may be overwhelmed with artificial traffic, causing it to slow down or even go offline.
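The first sign described above, an abnormal number of sales of one item in a short time frame, can be checked with a sliding window over the order log. This is an added example, not code from the original page; the order records, the one-minute window and the threshold of five are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample order log: (ISO timestamp, item id, account id).
ORDERS = [(f"2021-09-24T10:00:{i * 5:02d}", "SKU-A", f"acct{i}") for i in range(6)] + [
    ("2021-09-24T10:00:00", "SKU-B", "acct9"),
    ("2021-09-24T11:30:00", "SKU-B", "acct10"),
    ("2021-09-24T14:00:00", "SKU-B", "acct11"),
]

def sales_bursts(orders, window=timedelta(minutes=1), threshold=5):
    """Return {item: (peak orders in any window, distinct accounts in that window)}
    for items whose order count inside a sliding window reaches the threshold."""
    recent = defaultdict(deque)   # item -> (time, account) pairs still inside the window
    peaks = {}
    for ts, item, account in sorted(orders):
        now = datetime.fromisoformat(ts)
        queue = recent[item]
        queue.append((now, account))
        while now - queue[0][0] >= window:   # drop orders older than the window
            queue.popleft()
        if len(queue) >= threshold and len(queue) > peaks.get(item, (0, 0))[0]:
            peaks[item] = (len(queue), len({acct for _, acct in queue}))
    return peaks

if __name__ == "__main__":
    print(sales_bursts(ORDERS))
```

A high peak spread across many distinct accounts is worth reviewing alongside account age, since bulk-created accounts are one of the bot types listed earlier.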

How to get rid of sneaker bots on your retail website

There are different ways to get rid of them:

  • Use CAPTCHAs. Every time someone makes an account and logs in, they will need to solve a CAPTCHA. However, CAPTCHAs are annoying for people who want to buy things via your website.
  • Limit the number of items a single person can buy. This means that if someone is buying 10 pairs at once, only 2-3 pairs will be allowed to enter their shopping cart / win the bidding process. Once they have won those 2-3 pairs, they can no longer buy more until one of the previous orders is processed. However, this can be bypassed by bots creating multiple accounts, or using methods such as jigging and driver interception to manipulate delivery addresses.
  • Introduce a time delay between purchases. For example, if someone buys 1 item from your store within 20 seconds, this person shouldn’t be able to bid on another product before 8 minutes have passed.
  • Use software designed specifically for fighting bots. Bot management solutions are very advanced pieces of software that constantly keep track of what’s happening on your website. Bots are not allowed to buy anything because they’re constantly blocked by the software, so humans can safely use your website without being afraid of losing any items to bots.
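The purchase limit and the time delay from the list above can be enforced together. The following is an added example, not code from the original page: it keys both rules on a normalised delivery address rather than on the account, so several accounts shipping to one address share a single allowance. The `PurchaseGuard` class, its method names and the simple normalisation are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

MAX_PAIRS = 3                     # upper end of the "2-3 pairs" cap in the text
COOLDOWN = timedelta(minutes=8)   # delay between purchases from the text

def address_key(address):
    """Lower-case and strip punctuation/spacing so small spelling variations of
    one delivery address share a key (a simple normalisation assumed here)."""
    return re.sub(r"[^a-z0-9]", "", address.lower())

class PurchaseGuard:
    def __init__(self):
        self.open_pairs = {}   # address key -> pairs in orders not yet processed
        self.last_buy = {}     # address key -> time of last accepted purchase

    def request(self, address, qty, now):
        """Return how many of the requested pairs may enter the cart (0 = refused)."""
        key = address_key(address)
        last = self.last_buy.get(key)
        if last is not None and now - last < COOLDOWN:
            return 0                                   # still cooling down
        granted = min(qty, MAX_PAIRS - self.open_pairs.get(key, 0))
        if granted <= 0:
            return 0                                   # cap reached for this address
        self.open_pairs[key] = self.open_pairs.get(key, 0) + granted
        self.last_buy[key] = now
        return granted

    def order_processed(self, address, qty):
        """Free up allowance once an earlier order has been processed."""
        key = address_key(address)
        self.open_pairs[key] = max(0, self.open_pairs.get(key, 0) - qty)
```

Character-level normalisation only catches simple variations of an address; a production system would typically pair it with an address-verification service and payment-instrument checks.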

The legality of using sneaker bots

Sneaker bots in most cases do not violate any rules or laws because they help people obtain desired items at a competitive price.

However, some eCommerce sites contain terms and conditions which state that automated sales are prohibited. So, if you use sneaker bots frequently, you might get suspended from the website.

Why sneaker bots are dangerous for sites, businesses, and customers alike

Sites that sell high-demand popular products to bots are at risk of being blacklisted by the manufacturers. This can be avoided if you work with them closely so they understand what’s happening on your site and that it’s not due to any negligence or breach of terms.

Customers lose money because they never manage to take advantage of real market prices, which further leads to boycott efforts against the website where bots were found.

How do sneaker bots avoid detection?

Sneaker bots can avoid detection by doing a variety of things such as:

  1. Faking browser fingerprints: Advanced sneaker bots craft custom browser and HTTP fingerprints which allow them to mimic human use on websites.
  2. Emulating human behavior: Effective sneaker bots replicate human shopping behavior, deliberately avoiding detection.
  3. Residential IP addresses: Some sophisticated bots utilize residential proxies to hide their traffic among that of real users. Whilst these are expensive, they have lower abuse rates, making bot detection harder without risking blocking actual customers erroneously.
  4. CAPTCHA bypass: Some bots have CAPTCHA-solving mechanisms, which means that they can solve various challenges such as image classification and numeric puzzles.
  5. Low request volumes per IP address: Rotating IP addresses mean that sneaker bots reduce the number of requests per IP.
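From the defender's side, item 5 means a per-IP rate limit sees nothing unusual, so traffic has to be grouped on something other than the address. This added example (not from the original page) contrasts the two views over constructed checkout requests for one item; the fingerprint labels are hypothetical and assumed to be computed upstream, and the thresholds are illustrative.

```python
from collections import Counter, defaultdict

# Constructed checkout requests for one item: (client IP, fingerprint label).
# IPs are from documentation ranges; fingerprint labels are hypothetical and
# assumed to be computed upstream (for example from HTTP headers).
REQUESTS = [(f"203.0.113.{n}", "fp-a91c") for n in range(10, 15)] + [
    ("198.51.100.7", "fp-77e0"), ("198.51.100.7", "fp-77e0"),
    ("198.51.100.7", "fp-77e0"), ("198.51.100.23", "fp-c412"),
]

def per_ip_offenders(requests, limit=3):
    """Classic per-IP rate check: IPs sending more than `limit` requests."""
    counts = Counter(ip for ip, _ in requests)
    return sorted(ip for ip, n in counts.items() if n > limit)

def spread_fingerprints(requests, min_ips=4):
    """Return {fingerprint: (distinct IPs, total requests)} for fingerprints
    seen from at least `min_ips` addresses."""
    ips_by_fp = defaultdict(Counter)
    for ip, fp in requests:
        ips_by_fp[fp][ip] += 1
    return {fp: (len(ips), sum(ips.values()))
            for fp, ips in ips_by_fp.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    print("per-IP offenders:", per_ip_offenders(REQUESTS))
    print("spread fingerprints:", spread_fingerprints(REQUESTS))
```

Coarse fingerprints are shared by many real users, so a hit here is a signal for further checks rather than a block rule on its own.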

Frequently asked questions about sneaker bots

Can I hold sneaker bot operators accountable for their actions?

Yes, you can sue them for any money lost due to their use of bots on your site. However, this is very difficult because they usually hide behind multiple aliases / fake accounts so it’s almost impossible to get in touch with them or get their location/address information.

Where do people buy sneaker bots?

They are typically sold through online forums. People are usually hesitant to use them because of the risk they carry, which is why they usually try to find reputable sellers that can offer them some kind of guarantee. Some bots have a remote server feature so you don’t even need your computer on while the bot operates on your behalf.

How is a sneaker bot built?

It’s usually done in a very sophisticated manner. They employ multiple servers in different geographical locations so they can use one when the other fails. Their code is usually updated several times per day because anti-bot software development companies are always upping their game and releasing new protection tools, so sneaker bot makers have to be quick to come up with new solutions.
