Bots That Snag The Hottest Fashion While Breaking Social Trust In Commerce

Scarcity on the Internet is the siren song of bot writers. Maybe you’ve lost an eBay bid in the last milliseconds, or missed out on a hacker con when tickets sold out in under a minute — your corporeal self has been outperformed by a bot. But maybe you didn’t know bots are in a buying frenzy in the hyped-up world of fashion. From limited-run sneakers to anything with the word Supreme printed on it, people who will accept no substitute for the rarest and most sought-after items are turning to resellers who use bots to snag unobtainium goods and profit on the secondary market.

At DEF CON 27 [FinalPhoenix] took the stage to share her adventures in writing bots and uncovering a world that buys and sells purchasing automation, forming groups much like cryptocurrency mining pools to generate leads on when the latest fashion is about to drop. This is no small market either. If your bots are leet enough, you can make a ton of cash. Let’s take a look at what it takes to write a bot, and at the bots-for-sale economy that has grown up around these concepts.

The internet is built with bots in mind, and we have Google to thank for this. Their major innovation was moving us off of a curated internet to one that is machine crawled. Everyone wants good Google juice, and that means building a site that is friendly to the Google bots that crawl and index the internet: predictable URLs, structured markup, and an XML sitemap listing every page. This makes automation for your own purposes quite a bit easier, namely the monitor-bots used to detect when a retailer has the latest in stock. [FinalPhoenix] demonstrated a simple script that grabs the XML sitemap, compares it against the last poll, and flags newly listed or updated product pages. But here’s the killer — if your monitor bot is a good one, you can pipe its alerts into a Discord channel and sell subscriptions to others playing the reseller game, to the tune of $15-30 a month per subscriber.
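The sitemap-diffing monitor described above, as an added example that is not [FinalPhoenix]’s script or any retailer’s real data: the shop host, URLs and lastmod dates are constructed for illustration, and the `/products/` path filter is an assumption about how product pages are laid out.

```python
"""Added example: a minimal sitemap monitor that flags new or restocked product
URLs. Retailer host, paths and dates below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sitemap as it looked on the previous poll.
SNAPSHOT_YESTERDAY = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example/products/box-logo-hoodie</loc><lastmod>2019-08-01</lastmod></url>
  <url><loc>https://shop.example/pages/about</loc><lastmod>2019-06-30</lastmod></url>
</urlset>"""

# Constructed sitemap on the current poll: the hoodie page was touched again
# (a restock), a new product appeared, and a new non-product page is noise.
SNAPSHOT_NOW = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example/products/box-logo-hoodie</loc><lastmod>2019-08-08</lastmod></url>
  <url><loc>https://shop.example/products/new-sneaker-drop</loc><lastmod>2019-08-08</lastmod></url>
  <url><loc>https://shop.example/pages/about</loc><lastmod>2019-06-30</lastmod></url>
  <url><loc>https://shop.example/pages/shipping</loc></url>
</urlset>"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_sitemap(xml_text: str) -> dict:
    """Return {loc: lastmod-or-None} for every <url> entry, namespaced or not.

    xml.etree does not defend against entity-expansion bombs; a poller that
    parses XML served by a host you do not control should use defusedxml.
    """
    root = ET.fromstring(xml_text)
    entries = {}
    for url in root.iter():
        if _local(url.tag) != "url":
            continue
        loc = lastmod = None
        for child in url:
            name = _local(child.tag)
            if name == "loc":
                loc = (child.text or "").strip()
            elif name == "lastmod":
                lastmod = (child.text or "").strip()
        if loc:
            entries[loc] = lastmod
    return entries


def diff_snapshots(previous: dict, current: dict) -> list:
    """Flag URLs that appeared since the last poll or whose lastmod changed."""
    flagged = []
    for loc, lastmod in current.items():
        if loc not in previous:
            flagged.append(("new", loc))
        elif lastmod and lastmod != previous[loc]:
            flagged.append(("updated", loc))
    return flagged


def detect_drops(previous_xml: str, current_xml: str, product_path: str = "/products/") -> list:
    """Parse both snapshots and keep only product URLs worth alerting on.

    product_path is an assumed URL convention; adjust it per retailer.
    """
    changes = diff_snapshots(parse_sitemap(previous_xml), parse_sitemap(current_xml))
    return [(kind, loc) for kind, loc in changes if product_path in loc]


if __name__ == "__main__":
    for kind, loc in detect_drops(SNAPSHOT_YESTERDAY, SNAPSHOT_NOW):
        print(f"{kind:8s} {loc}")
```

A real poller would fetch the sitemap on a timer, persist the previous snapshot to disk, and push each flagged tuple to its alert channel; the diff is the whole trick, and it works precisely because the sitemap exists to be machine-read.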

Example slide of code used in a web-based buy-bot

Once your bot reports stock, the race is on to buy it before anyone else can. For this you could call the site’s APIs directly, but reverse-engineering them takes time and a bare API client is far easier for retailers to detect and block. For this part of her toolkit [FinalPhoenix] prefers web-based bots that drive a real browser engine like Chromium and allow obfuscation techniques like scrolling, clicking other items, random pauses, and other simple-minded actions that make the bot look merely human. In the examples for this talk, the Puppeteer framework was used for this purpose. In the end, the main role of this part of the bot is to use a verified account to complete the purchase as fast as robotically possible, which is why they’re called buy-bots. Retailers do have some tricks to combat these web-based attacks, like embedding secret keys in the DOM that must be sent back with the next POST, but a bot that renders the page sees exactly what a browser sees, so these are easy to discover and incorporate into the scripts.
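What “discover and incorporate” looks like in practice, as an added example that is not the talk’s Puppeteer code: harvest every hidden field the checkout form carries and fold it into the POST body. The page markup, form ids, field names and token values are constructed for illustration.

```python
"""Added example: collect the hidden form fields a retailer's checkout page
embeds and merge them into the POST a buy-bot would send. The markup, form
ids, field names and token values are constructed for illustration."""
from html.parser import HTMLParser

# Constructed checkout page: the checkout form carries server-issued hidden
# fields; the unrelated search form also has a hidden field that must be ignored.
CHECKOUT_PAGE = """
<html><body>
<form id="search" action="/search" method="get">
  <input type="hidden" name="collection" value="all">
  <input type="text" name="q">
</form>
<form id="checkout" action="/checkout/submit" method="post">
  <input type="hidden" name="checkout_token" value="tok_8f3a21c9">
  <input type="hidden" name="_anti_bot" value="e5c0d4b7-2a1f">
  <input type="hidden" name="page_rendered_at" value="1565280000">
  <input type="text" name="quantity" value="1">
  <button type="submit">Buy</button>
</form>
</body></html>
"""


class HiddenFieldCollector(HTMLParser):
    """Collect <input type="hidden"> name/value pairs inside one form, by id."""

    def __init__(self, form_id: str):
        super().__init__()
        self.form_id = form_id
        self.in_form = False
        self.action = None
        self.method = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            if a.get("id") == self.form_id:
                self.in_form = True
                self.action = a.get("action")
                self.method = (a.get("method") or "get").lower()
            return
        if self.in_form and tag == "input" and (a.get("type") or "text").lower() == "hidden":
            name = a.get("name")
            if name:
                self.fields[name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def build_checkout_post(page_html: str, form_id: str, user_fields: dict) -> tuple:
    """Return (action, method, payload): server-issued tokens plus the bot's own fields."""
    collector = HiddenFieldCollector(form_id)
    collector.feed(page_html)
    collector.close()
    if collector.action is None:
        raise ValueError(f"form {form_id!r} not found in page")
    payload = dict(collector.fields)
    payload.update(user_fields)  # bot-supplied values override page defaults
    return collector.action, collector.method, payload


if __name__ == "__main__":
    action, method, payload = build_checkout_post(
        CHECKOUT_PAGE, "checkout", {"variant_id": "12345", "quantity": "1"})
    print(method.upper(), action, payload)
```

The defensive lesson is the mirror image: a hidden token the server hands to every client and merely checks for presence proves only that the page was fetched. It costs a bot nothing unless it is bound to a session, expires quickly, or is replaced by a challenge the client must actually solve.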

This raises another interesting part of the scheme: the verified accounts. For the best chance at profit you need multiple accounts, each used just one time so the retailer cannot tie a string of purchases back to your buy-bot. For this, [FinalPhoenix] turns to services that sell accounts in packages of 500-10,000 for around just $5-10 per batch.

But wait, here’s where it gets really wild as recursion takes hold. Yes, these buy-bots are for sale (from sites like AIO Bot and usually around $300-1500), but they’re sold in limited quantities so that it’s harder for retailers to notice and take countermeasures. Just like how the clothing was limited release and incentivized bot-wielding resellers to enter the market, there is a secondary market for the bots themselves. [FinalPhoenix] reports that reselling one of these bots can yield $1000-1500 in profit. The same principles apply, and so what we’ve ended up with is bots buying bots to buy clothes. Who knows how many levels of bot-bot transactions there are, but it certainly feels like turtles all the way down.

Bot-based high-speed trading is the real way to make major bank on the securities market. Your average hacker is shut out of that “legitimate” business, but any enterprising programmer has the option of automating whichever reseller market they find most interesting. This breaks the public trust in commerce — buying quality products from a seller connected to their production for a reasonable price. It frustrates the manufacturer and alienates the consumer, but there appears to be little in place preventing it.

17 thoughts on “Bots That Snag The Hottest Fashion While Breaking Social Trust In Commerce”

    1. The prices are already extremely high for what the products are and everybody knows it. The brands are making money hand over fist. Jacking the prices higher would alienate the fanbase which the company needs to generate hype.

    2. Sometimes because other market forces place limits on what the original seller can get away with. E.g. for festival or concert tickets – if the list price is too high, there’ll be a backlash against the band & promoter, and regulators or governments may step in. In practice, people may have to pay more to buy from a tout, but then everyone blames the touts and the band don’t get hate for it.
      Some events the prices are kept low from a genuine desire to not make it exclusive – and often there’s a lottery style thing to get tickets. Of course, for people who couldn’t afford £500 tickets, the chance to buy ‘affordable’ tickets at £50 and resell at £500 to pay for groceries is very tempting, can’t blame them.

      But for clothing, I can’t see why. There’s plenty of Uber-expensive fashion brands.

  1. Why not add recaptcha to the purchasing channel? Or mandate a linked fb or google account to go through with a purchase?

    These companies like supreme essentially created instant buyers for whatever stock they create, and all the worth is fictitious since scarcity is artificial.

    This is some restructured debt level of shenanigans. Hypebots are the new derivatives. Truly turtles all the way down.

    1. Recaptcha is a good idea (but I suppose there are ways bots could get around it) but as for a mandatory FaceBook or Google account, forget it, I don’t have either and wouldn’t purchase from anyone who forced me to get one to buy their crap.

  2. What is this “social trust in commerce,” of which you write?
    Intentionally limiting production to significantly less than demand doesn’t sound very trustworthy to start with. So other people are playing the same game the retailers are playing (but evidently playing it better, since the goods were evidently underpriced to start with).
    Interesting, but the producers broke trust first.

    1. I’d go a step further and say that the bots are actually punishing the shady retailers by making sure their hype machine doesn’t work, which seems great to me. Artificial scarcity is lame.

      1. How do bots make sure the hype machine doesn’t work if the general public isn’t aware of the existence and purpose of the bots. To the public, it looks like the quickly sold out product is just THAT MUCH MORE DESIRABLE, making them that much more willing to buy from the resellers, markup be damned.

        I too question the notion of social trust in commerce. It seems to me that this type of thing is an obvious extension of pure capitalism. Now I’m not arguing that it’s not ultimately destructive, but destruction seems also a preordained outcome of pure capitalism – driven only by the profit motive, things concentrate down to fewer and fewer people extracting more and more from the resource until the whole structure collapses.

        And no, I’m not a socialist or communist or any other *ist. I just think people need to understand that few systems are truly self-regulating, or self-regulating without including massive bubbles and collapses. Once you know the game, you can more safely play or NOT PLAY to help regulate it.


