An Amazon fulfillment center in Swansea, United Kingdom.

How the Grinch Bots Stole Your Sneakers

Phil Nichols, 45, of the Dallas-Fort Worth area, has been very good this year. In a concession to the pandemic, he’s managed his information technology job for the Internal Revenue Service from home and forgone weekly game nights, as well as restaurant and movie outings. To break up the monotony and also distract from his chronic pain, the disabled veteran plays video games. “You get to get out of your bubble, so to speak, and see a whole new world,” he said. So, when Sony released the new PlayStation 5 game console in mid-November, he decided to reward himself with an early Christmas present.

But when we spoke, Nichols had been trying for more than a week to buy the console online without success. He blames bots, automated computer programs that people use to buy up in-demand items that they then resell for a profit. They function like ticket scalpers who have expanded into sneakers, toys, and electronics. While the nefarious software plagues e-commerce sites all year long, so-called “Grinch Bots” are especially active over the holidays, snatching up the season’s hottest gifts.

When the PlayStation 5 consoles first dropped on Nov. 12, the traffic crashed Walmart’s website. Nichols is sure that bots were beating him to the punch because every time Walmart and other retailers released more consoles, the products were gone in less than five seconds. That’s not enough time to enter payment information and check out, he said: “Clearly a bot can do that, but a human can’t.” (Walmart, along with Amazon and Target, whose customers also experienced problems trying to purchase the console on launch day, had no comment about bot traffic on their websites.)

MATTERS OF FACT: Exploring the intersection of science & society.

Nichols did see evidence that bot operators had snatched lots of the new PlayStations for resale. He could find plenty of the consoles, which retail for $400 or $500 depending on the features, on Amazon, eBay, and social media sites, marked up to as much as $1,800. “It’s a frustrating experience, trying over and over to buy something and getting subverted by bots,” he said. “It feels like I’m just banging my head on the wall.”

Holiday shoppers like Nichols will likely be competing against an unprecedented number of bots this year, said Edward Roberts, application security strategist for the cybersecurity firm Imperva. Based on an analysis of data from more than 6,000 clients worldwide, a recent Imperva report found that the cybersecurity threat to retailers already exceeds last year’s seasonal peak — even before Black Friday and Cyber Monday. “We think it’s going to get worse and that the traffic — one, of extra humans, and two, of extra bots — is only going to grow,” Roberts said.

In particular, Roberts said that he’s seen rising activity from these bots in the last three or four years as their use has spread from buying concert and event tickets to snatching up limited-edition fashion items, collectibles, and electronics. Because bot operators function outside traditional commerce, it’s hard to get a handle on how big the industry really is. “We haven’t seen a report on the size of the resale or scalping market because we suspect there are too many items, listings, and global markets to track,” he said.

Some retailers and manufacturers may secretly be rooting for Team Grinch, said Bruce Schneier, a fellow at the Berkman Klein Center for Internet and Society at Harvard University and chief of security architecture for Inrupt, a technology company focused on giving internet users more control over personal data. “They’ll publicly say it’s awful that people are buying this and reselling it, but they like the publicity, they like the scarcity, they like the fact that a product has such cachet,” he said.

Legislation to make using a Grinch Bot illegal could reduce, if not eliminate, the threat. But first we as a society need to decide this is a form of commerce we don’t want, said Schneier. He’s not optimistic we’ll get there. “We’re terrible at those sorts of conversations,” he said. “We can’t even agree that Facebook destroying American democracy is bad, let alone this.”

Bots are ubiquitous on the internet. On average, about one out of four requests to a retail website is a bot, according to Imperva’s data.

“Some bots are helpful, good bots, such as search engine bots that use machine learning to index content, or customer service bots that help users with questions,” said Kim DeCarlis, chief marketing officer and so-called “security evangelist” with PerimeterX, a company that sells software and services to defend against bots. “Others are sinister bad bots, such as those behind automated attacks on websites and web applications.” Bad bots crash websites, for example, as well as steal people’s personal information, credit card numbers, gift card balances, and reward points.

Online scalping falls into something of a gray area. Online ticket scalping is illegal thanks to the federal Better Online Ticket Sales (BOTS) Act of 2016. But other types of scalping bots are legal-ish, said Imperva’s Roberts. While they may technically violate a website’s terms of service, in practice those rules are seldom enforced. In fact, an entire industry devoted to selling and running bots operates in the open. The most pervasive scalping bots are Sneaker Bots such as CyberAIO, Nike Shoe Bot, and AIO Bot, which can help you snap up designer kicks such as Adidas YEEZYs and Nike Air Jordans for yourself or to sell to others.

Any time there are low-supply, high-demand items, bots are sure to follow, explained DeCarlis. “During a flash sale, as much as 90 percent of website traffic may be generated by bots waiting for the new products,” she said. “Two-thirds of the purchases can be made by malicious bots.” It’s a lucrative business. For sneakers and streetwear alone, the North American resale market is worth more than $2 billion annually, according to the financial services company Cowen.

“It’s a frustrating experience, trying over and over to buy something and getting subverted by bots,” Nichols said. “It feels like I’m just banging my head on the wall.”

As Nichols discovered, human shoppers are no match for the bots. The automated programs zip through purchases in milliseconds, said DeCarlis. To circumvent product limits, bots often mask their internet protocol (IP) address, the unique string of digits linked to a device, and use a network of proxy IP addresses so they appear to the site as different shoppers. Operators can further increase their advantage by hacking a retailer’s website to get the URL, or web address, for a product before it’s revealed to the public.

What about Captchas, those I’m-not-a-robot puzzles visitors to a website are forced to complete before accessing certain pages? It turns out that bots have been able to read wavy words and identify streetlights in photographs for a while now. In a 2016 study, researchers at Columbia University demonstrated that readily available artificial intelligence tools for image recognition could solve over 70 percent of the challenges from a widely used Captcha system.

Captchas are one of the techniques used to filter out bots, but more sophisticated attacks require additional defenses, said Roberts. For example, behind the scenes the website may command your web browser to return an image or complete a calculation to prove that a bot isn’t faking its identity. And software may track how you navigate the site — evaluating how fast you move through the site or even how you move your mouse — to make sure you’re human. Advanced bot protection software also includes machine learning algorithms capable of detecting the behaviors of the most sophisticated bots.

Of course, bots are constantly getting better at mimicking humans. “It’s an arms race,” said Roberts. “If we do something that changes something and that improves our detection methods, the bot operators are sitting there with their teams trying to get around those detection methods.”

Several members of Congress would like to shut down the arms race over scalper bots with new laws. In 2019, a bicameral group introduced the Stopping Grinch Bots Act, which would make it illegal both to circumvent website security measures to buy products or services and to try to sell them. Democratic Representative Paul Tonko of New York, who spearheaded the effort, said that he intended to reintroduce the bill next year and expects it to have a better chance of passing under a Biden administration.

Grinch Bots are aptly named according to Tonko because they are “devious and unfair.” It’s especially disheartening to him to see them so active this year when millions of Americans are avoiding shopping in person to reduce the risk of catching Covid-19. “Our Grinch Bots bill will make it possible for smaller retailers to have a fair shot at stocking these items for their loyal customers and will restore fairness for consumers so that they’re not paying inflated prices because a few unscrupulous people took advantage online,” he said.

Everyone I interviewed thought that while a federal law would dissuade some of the big players, especially those operating in the open, it wouldn’t kill off Grinch Bots. After all, four years after passage of the BOTs Act, ticket scalping continues. Because bot operators are clever at avoiding detection and many are outside the U.S., the law is unlikely to have much impact according to a 2018 report on event ticket sales from the Government Accountability Office. While state attorneys general in New York and Washington have reached financial settlements with ticket brokers accused of violating scalping laws in recent years, the Federal Trade Commission has taken no enforcement actions.

Retailers are going to have to be more proactive, said DeCarlis. “While legislation may keep legitimate operators from circumventing rules, it is really the retailers that need to adopt intelligent bot mitigation technology that uses machine learning and behavior analytics to accurately differentiate between malicious bots and humans.”

The “tricks” websites use to deter Grinch Bots work marginally well, said Schneier, who calls himself a public-interest technologist. “But, yeah, it’s a problem.” Because ultimately you are not fighting bots, but human nature. Outwitting the system to buy and sell to your advantage is a time-honored tradition. “It’s largely not a computer problem, it’s an economic problem,” Schneier said.

Manufacturers and retailers could make products less attractive to bot operators by not creating artificial scarcity, for example, or by not hyping a release. If you didn’t announce the exact date and time of a release, said Nelson, “you might be able to defeat some bots.”

But, of course, hype is part of the game.

Nichols had his heart set on playing the action-adventure game “Marvel’s Spiderman: Miles Morales” on the PlayStation 5. “I want the ‘prettier’ version that looks better and is faster,” he said. But he’ll wait until he can buy it legitimately. “I’m not giving those scalpers any money,” he said. “I’m not encouraging their behavior.”

Does he think a law would help? Possibly, said Nichols, if it was written properly: “But it really is difficult to navigate.”

Manufacturers and retailers also need to work on the problem, said Nichols. “They’ve got some pretty smart folks that can solve it,” he added.

He agreed to talk to me, he said, because he wants companies to know that Grinch Bots really do hurt their customers. Even so, Nichols hasn’t given up. He and his girlfriend will be quarantined away from family and friends over the holidays so he’d love to have a new toy for entertainment. “I am hoping,” he said, “to get lucky before Christmas.”

UPDATE: In a previous version of the piece, Edward Roberts was incorrectly referred to as “Edwards” on second reference. His name has been corrected.

Teresa Carr is a Colorado-based investigative journalist and the author of Undark's Matters of Fact column.