Scalper bots are automated programs that buy high-demand products online faster than any human can click, often completing the entire checkout process in under a few seconds. They monitor inventory, add items to a cart, fill in payment details, and finish the purchase before most shoppers even see the product page load. Here’s a closer look at each stage of how they operate, the ecosystem that supports them, and what retailers and lawmakers are doing about it.
How Bots Find Products Before You Do
The process starts well before a product goes on sale. Bot operators use several types of automated scripts to gain an information advantage over regular shoppers.
Scraping bots continuously reload product pages, sometimes hundreds of times per minute, watching for restocks or new listings. The moment inventory appears, the scraper either alerts the operator or triggers a separate purchasing bot automatically. This is why limited drops sell out in seconds: bots were already watching the page while human shoppers were still typing in the URL.
Footprinting bots take a different approach. If a retailer plans to release a product on a new page that hasn’t been linked publicly yet, footprinting bots test thousands of possible URLs to find the unpublished listing ahead of time. Once they locate the page, they can queue up a purchase before anyone else knows the page exists.
Account creation bots round out the preparation phase. Operators buy lists of fake email addresses in bulk and use bots to generate hundreds or thousands of accounts on a retailer’s site. Each account can place its own order, which lets a single operator bypass per-customer purchase limits.
The Automated Checkout Sequence
Once a target item is in stock, the purchasing bot takes over. It logs into a pre-made account, adds the item to the cart, enters a saved shipping address and credit card number, and completes checkout. The entire sequence can happen in less than two or three seconds, far faster than a person navigating the same screens manually.
Some bots run dozens of these checkout sequences simultaneously across different accounts, each using a different payment method and shipping address to avoid looking like duplicates. The result is that a single operator can scoop up a large share of available inventory in the first moments of a release.
Denial of Inventory: Holding Without Buying
Not every scalper bot completes a purchase right away. A tactic called “denial of inventory” works by having bots add products to shopping carts and hold them there without checking out. Most e-commerce platforms temporarily reserve carted items, which means those units show as out of stock to everyone else.
The operator then lists those items on a resale platform at a markup. Only when a resale buyer commits does the bot finalize the original purchase. If no one bites, the bot releases the cart and the operator loses nothing. It’s a risk-free way to control supply without spending a dollar upfront.
How Bots Avoid Detection
Retailers deploy security systems to catch automated traffic, so bot developers put significant effort into looking human.
Residential proxies route bot traffic through real household internet connections instead of data centers. To a retailer’s server, each request appears to come from a different home address, making it much harder to spot a pattern. More advanced setups use encrypted tunnels (sometimes called Shadowsocks or Trojan proxies) that disguise proxy traffic so thoroughly it passes through firewalls and deep packet inspection undetected.
Browser automation tools like Playwright and Selenium, paired with stealth plugins, mask the telltale signs of a headless browser. They simulate small mouse movements, gentle scrolling, and random pauses between clicks, mimicking the imperfect timing of a real person. Detection scripts that look for automation fingerprints are tricked into treating the session as genuine.
CAPTCHA-solving services handle the puzzles retailers use to verify human visitors. When a bot encounters a CAPTCHA, it sends the image or token to a service like 2Captcha or Anti-CAPTCHA through an API. A real person on the other end solves the puzzle and sends back the answer, often within seconds. The bot plugs in the solution and continues checkout without ever pausing long enough to raise a flag.
Cook Groups and the Botting Ecosystem
Scalper bots don’t exist in isolation. They’re supported by an organized community, most of it running on Discord and Telegram in private, invite-only servers known as “cook groups.” The name comes from sneaker culture, where successfully buying a limited release is called “cooking.”
Cook groups charge monthly subscriptions, typically between $10 and $50, depending on what they offer. For that fee, members get access to real-time alerts about upcoming product releases, detailed guides on which bot software to use, proxy recommendations, and sometimes direct consultations with experienced staff. The stronger groups maintain release calendars and step-by-step tutorials so even newcomers can set up a bot operation quickly.
The bot software itself is a separate cost. Popular sneaker bots, for example, can sell for hundreds of dollars upfront or carry their own monthly subscription fees. Some are so in demand that they resell on secondary markets for more than their retail price. Combined with the cost of proxies and CAPTCHA-solving credits, a serious bot operation might run several hundred dollars a month before a single product is purchased.
What the Law Says
Federal law directly addresses bot scalping in one area: event tickets. The Better Online Ticket Sales (BOTS) Act of 2016 makes it illegal to use automated software to bypass a ticket seller’s security measures or purchase limits. It also prohibits buying tickets under fake identities and reselling tickets that were acquired through those methods. The law covers any public event at a venue with a capacity of more than 200 people, including concerts, sporting events, and theatrical performances.
The FTC enforces the BOTS Act and can seek civil penalties for violations. In 2021, the agency brought cases against three ticket brokers that had used automated purchasing software, IP-masking tools, and hundreds of fictitious Ticketmaster accounts to circumvent ticket limits. Those companies agreed to pay $3.7 million in combined penalties. State attorneys general can also bring their own enforcement actions on behalf of affected residents.
For physical products like sneakers, gaming consoles, and electronics, there is no equivalent federal law. Some states have introduced their own legislation targeting retail bots, but enforcement remains limited. Retailers largely rely on their own terms of service, which universally prohibit automated purchasing, and on technical countermeasures to fight the problem.
How Retailers Fight Back
The arms race between bots and retailers has pushed e-commerce security well beyond simple CAPTCHAs.
Behavioral analysis powered by machine learning tracks how visitors interact with a site: click speed, mouse movement patterns, navigation paths, and time spent on each page. Legitimate shoppers, even fast ones, behave differently from scripts that execute actions in milliseconds. When the system spots inhuman speed or thousands of requests from a single source, it can block the session or present additional challenges automatically.
Modern CAPTCHAs increasingly work invisibly in the background, analyzing user behavior before deciding whether to show a visible challenge at all. This reduces friction for real shoppers while still creating a hurdle for bots. Retailers also layer on two-factor authentication, requiring a code sent to a phone number before a purchase can go through, which makes bulk fake accounts harder to operate.
Raffle-style launches have become one of the most effective structural defenses. Instead of a first-come-first-served drop where speed is everything, brands accept entries over a longer window, then verify those entries behind the scenes before randomly selecting winners. Bot operators who are flagged during verification simply never get selected, and they receive no notification that they were caught. This removes the speed advantage that makes bots effective in the first place.
Virtual waiting rooms serve a similar purpose by throttling traffic onto a site gradually, giving verification systems time to run before visitors reach the product page. Some retailers also randomize product page URLs before a launch, making it much harder for footprinting bots to locate the listing in advance.
Despite all of these measures, bot developers continuously adapt. New evasion techniques emerge within days of a retailer deploying a new defense, which is why high-demand releases still regularly sell out to automated buyers before most human shoppers get a chance.