The NFT hunt: humans vs. bots

Scalper bots used to buy highly desired items like sneakers and PS5s are now being used to snatch up widely popular non-fungible tokens (NFTs).

An item you were so eagerly looking forward to buying was sold out in mere minutes? There’s a good chance you were competing against bots and simply stood no chance of getting there first.

If you wanted that item badly, you’ve probably tried to look for it on a resale market. Most likely, you succeeded, only it cost you way more.

That’s how scalper bots operate. Scalper bots, also known as sneaker bots or grinch bots, target high-demand or limited supply merchandise and snap it up faster than human users. The items are then sold for higher profit.

Bots that snatch up popular items like sneakers have been available to the public for years, not just to experienced hackers with access to the dark web. Recently, bot developers have set their eyes on a new, quickly rising market of NFTs, which now exceeds $25 billion.

In contrast to the sneaker bots, bots that target NFTs can’t be bought off-the-shelf yet, and actors who want to purchase and later resell popular NFTs for higher profits mainly develop them themselves. But it might be only a matter of months before we see more user-friendly bots on the market, easy to buy for anyone looking to manipulate the NFT market.

Sold out in mere minutes

I’ve been closely following Netacea reports on sneaker bots. In Q3 2021, the company pointed out that scalper bots started snapping NFTs. “Over the course of 2021, we have observed the buying of NFTs early, in the hope they will become as valuable as Bitcoin in the near future. As with all digital, commodifiable trends, scalpers too are getting ahead in bidding on and buying NFTs faster than any human is able. Their aim is to resell the unique,” Netacea said.

There are ample examples to illustrate the statement. In September 2021, Time magazine announced a new collection of NFTs, consisting of 4676 tokens and offering unlimited access to its website through 2023. Tokens, each priced at around $310, were sold in minutes. According to Coindesk, bots snatched up many tokens despite Time’s efforts to deter bots by capping the number of NFTs per address.

“Just like the resell market for sneakers, NFTs are a prime opportunity to buy and resell for a massive profit. Not only are NFT bots buying up and manipulating the NFT market, but they are doing so at an alarming rate that far exceeds that of sneaker drops,” Sam Crowther, Founder and CEO of Kasada, a cybersecurity company focusing on AppSec and anti-bot solutions, told CyberNews.

Kasada researchers have determined bots are utilized 50 times more for NFT drops than sneaker drops. In one case of an ultra-rare NFT drop, they determined that the limited inventory was gone within 90 seconds, and 30% of all the sessions used bots. For comparison, on average, 0.5% of sessions during hype sneaker drops are bots. 66% of the NFTs in the case analyzed were available for resale at a 20x markup within a week for a massive profit.

“If consumers thought that buying special sneakers was difficult and frustrating due to bots, wait until they try scoring a coveted NFT digital collectible. Because of the sheer volume of bots in use at the time of a drop, their chances of success are even smaller,” Crowther said.

Situation is yet to become worse

According to Crowther, people who are using bots to buy NFTs are usually making the bots. At the moment, there's no off-the-shelf bot solution.

"It's inherently a technical space which complicates things because there's a learning curve. And now, the bots need to be built for specific tools and sites that they have never been built before. It is more complex," he said.

Meanwhile, the sneaker bot market is more mature. "Here is a sneaker bot. You choose which shoes you want."

Eventually, Crowther believes, maybe within the next year, there will be NFT bots that are off-the-shelf. "But for now, it's still pretty much people figuring out what works well and how they should be commercializing it," he said.

There's a higher risk involved in snatching up NFTs instead of buying sneakers using bots.


"Whether they know that or not, I'm not quite sure. The behavior we see, they are just in this to make a quick buck. They want to buy a thing and flip it as quickly as possible. If I buy a thousand NFTs from a thousand different projects, I only need ten or twenty of those projects to be very successful, and then I make a lot of money," Crowther said.

He reckons the situation will get worse once commercial off-the-shelf NFT bots are available, "because that's when the masses come in and start adopting these technologies."

"We are starting to see the inklings of it. One or two small groups are starting to publish their success but don't have a publicly released bot yet. I would say that in the next twelve months, we will see quite a lot of NFT bots in the same vein as we do sneaker bots where you go and pay 1000 dollars and get access to it," he said.

What’s the solution?

Crowther highlighted that bot operators looking to obtain NFT digital collectibles are some of the most collaborative and intelligent in the industry.

“It's important to deploy modern anti-bot technology that's agile enough to stop them, as bot operators have figured out how to work their way around the earlier generation of anti-bot defenses,” he said.

He listed three principles of a modern approach:

1. Zero trust philosophy - assumes all requests are guilty until proven innocent; stops attacks never seen before by identifying the traces of automation. This is different from simply looking for suspicious behaviors, as bots nowadays look and act like humans.

2. Strike back - deters retooling and reverse engineering of scripts by changing the playing field and by making automated attacks too expensive to conduct.

3. Invisible defenses - keeps defenses invisible without impacting the customer experience and eliminates the need for CAPTCHAs.
