A sneaker bot is a software application that automates the process of purchasing limited-edition sneakers from online retailers.
These bots are programmed to:
Sneaker bots offer a competitive advantage because they complete this process faster than a human could manually. This enables buyers to secure desirable shoes and resell them at inflated prices on secondary markets.
One estimate predicts that the worldwide sneaker resale market will be worth $51.2 billion by 2032 with a CAGR of 16.4%.
To start, users input their details (such as bank account information and address) into the bot, which then targets specific websites or products with certain URLs or keywords.
The bot also scrapes information about the sneakers from the internet, such as their price, stock keeping unit (SKU) number and the date and time of their release.
Once active, sneaker bots can refresh the product page continuously, detect when shoes become available and make rapid-fire purchases. Other bots will add multiple pairs of sneakers to their carts to reduce inventory and prevent other users from buying them.
Proxies mask the bot’s true IP address and route traffic through different locations to make it appear as if it comes from unique users.
More sophisticated proxies can also mimic human behaviour. For instance, they may browse the sneaker website for a long time before making a purchase or add items to a cart and then abandon them.
Since each “user” has a different IP address and behaves like a human, the sneaker bot can avoid detection and circumvent any anti-bot measures the retailer has in place.
Bots also create hundreds or even thousands of user accounts with distinct email addresses, payment details and addresses to bypass site purchase limits.
This technique – which is sometimes referred to as multithreading – allows the bot to simulate numerous individual customers without triggering the retailer’s detection system.
Some shoe bots target specific brands like Nike, Adidas or Shopify and are designed to work across multiple sites.
The most capable bots can secure a pair of shoes in under a second, which substantially increases the bot operator’s chances of obtaining a pair before they sell out.
Some examples of sneaker bots include:
Sneaker bots vary based on their purpose, with each type impacting both consumers and businesses differently.
Let’s take a look at five of the most common.
Scraping bots, as we mentioned earlier, scrape the internet to collect data on a sneaker’s price and release date. Bots can also automatically alert resellers as soon as inventory levels of a particular sneaker are replenished.
The sole purpose of these is to bypass account-based purchase restrictions. To do this, users instruct the bot to create new accounts in bulk based on a list of email addresses.
Raffle bots target the raffle-based sales models that retailers adopt to avoid bot purchases. In short, bots enter competitions numerous times under different aliases and, as a result, skew the odds of winning in their favour.
Otherwise known as checkout bots, FCFS bots can complete a purchase within milliseconds of sneaker drops.
Since these bots are often in competition with other bots, they make as many purchase attempts as possible to secure the sneakers.
After a pair of sneakers has been purchased, cashing out bots automatically list them on resale platforms.
These reseller bots create attractive product ads that appeal to sneaker fans who missed out on the initial launch. To maximise profit, bots also have the capacity to adjust prices based on market demand and monitor competitor prices.
While bots create short-term sales spikes for sneaker companies, the long-term impact on revenue and customer retention is more substantial.
But why should a company care whether its sneakers are purchased by a bot or a customer? The most obvious reason is that a bot cannot form a relationship with a brand.
Buyers who are consistently outbid by bots become disheartened and take their business elsewhere. The fact that sneakers are often resold at exorbitant premiums may further erode the relationship a customer has with a brand.
Businesses also suffer a decrease in revenue because they cannot capitalise on the full purchase price (or value) of the sneakers.
The heavy traffic load generated by bots can overwhelm servers and cause slow load times or even site crashes.
In a case study of a sneaker launch in 2023, it was reported that bot traffic peaked at 2,163 times the level of human traffic and was responsible for 8 million transactions per hour.
The impact of sneaker bots on website performance in the above example resembled that which occurs in a distributed denial-of-service (DDoS) attack.
Protection from sneaker bots requires continuous investment in advanced security measures such as bot detection software, CAPTCHA and multi-factor authentication (MFA).
What’s more, businesses must also factor in the cost of server maintenance and infrastructure improvements to handle sudden traffic spikes.
For many, this becomes an expensive and ongoing arms race to stay ahead of bot developers who are motivated to constantly refine their tools and evade detection.
To address the financial and reputational risks of sneaker bot attacks, businesses have adopted several measures.
Advanced anti-bot software employs AI and machine learning (ML) to analyse traffic patterns.
These tools detect unusual behaviour (such as rapid page requests or identical browsing patterns) to identify potential bot activity and block suspicious traffic in real-time. Others analyse lists of IP addresses previously used by sneaker bots to prevent account creation.
Brands and retailers that drop sneakers can also add their own custom rules and detection logic. For instance, they can block accounts from certain countries and force JavaScript execution to differentiate between bots and the browsers of legitimate users.
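A minimal sketch of the two behavioural signals named above, rapid page requests and identical browsing patterns, run over a constructed request log. This is an added example, not code from any anti-bot product; the event format, client IDs, thresholds and function names are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, client_id, path). Not real traffic.
def build_sample():
    events = []
    # One client polling the product page every 0.2 s (rapid page requests)
    events += [(100 + i * 0.2, "c-fast", "/product/sku-1") for i in range(20)]
    # Five clients replaying the same path sequence (identical browsing pattern)
    for n in range(5):
        for j, p in enumerate(["/", "/product/sku-1", "/cart", "/checkout"]):
            events.append((200 + n + j * 3, f"c-clone{n}", p))
    # Two ordinary shoppers with different journeys
    events += [(300, "c-anna", "/"), (320, "c-anna", "/sale"), (350, "c-anna", "/product/sku-9")]
    events += [(305, "c-ben", "/search"), (340, "c-ben", "/product/sku-1"), (400, "c-ben", "/cart")]
    return sorted(events)

def rapid_requesters(events, max_hits=10, window=5.0):
    """Clients with more than max_hits requests inside any window-second span.
    Thresholds are illustrative assumptions, to be tuned against real traffic."""
    recent, flagged = defaultdict(deque), set()
    for ts, client, _ in events:
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            flagged.add(client)
    return flagged

def identical_patterns(events, min_clients=3, min_len=3):
    """Groups of clients whose ordered path sequence is exactly the same."""
    paths = defaultdict(list)
    for _, client, path in events:
        paths[client].append(path)
    groups = defaultdict(set)
    for client, seq in paths.items():
        if len(seq) >= min_len:     # ignore journeys too short to compare
            groups[tuple(seq)].add(client)
    return {seq: cl for seq, cl in groups.items() if len(cl) >= min_clients}

if __name__ == "__main__":
    sample = build_sample()
    print("rapid:", sorted(rapid_requesters(sample)))
    for seq, clients in identical_patterns(sample).items():
        print("shared pattern:", " > ".join(seq), sorted(clients))
```

Keying on a client identifier rather than an IP address matters here, because the proxies described earlier give each request a different source address.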
Other tools use zero-trust protocols, which means they use strict verification processes for all users.
The success of the zero-trust approach (and the various technologies that support it) rests on the assumptions that:
Brands like Nike and Adidas have experimented with exclusive, invite-only releases or in-app reservations to limit the influence of sneaker bots.
This approach offers a controlled environment where retailers can manually verify participants to some extent, reducing bot penetration and improving customer satisfaction.
Nike drops sneakers on its exclusive SNKRS app where users need to satisfy a number of verification steps. While bot access has been made more difficult, the company says that bot accounts nonetheless comprise up to 50% of all users and that 12 billion bots are banned each month.
In Australia and indeed many other countries, sneaker bots operate in a legal grey area. Currently, there aren’t specific laws prohibiting the use of sneaker bots for online retail.
However, sneaker bots often breach the terms of service set by eCommerce platforms and major brands.
Retailers may also have obligations that relate to:
Summary: