
These bot shoppers are every sneakerhead's nightmare

Security researchers have to contend with millions of bot attacks every day. The most persistent irritant? Shoes.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The next time you're at your computer waiting for the newest pair of exclusive Yeezy sneakers to drop, keep in mind that you're surrounded by bots that are faster and more effective at hitting the buy button on those limited-edition shoes.

One bot, called CyberAIO, has gained notoriety as a surefire way to nab the most coveted collectibles in the $42 billion sneakerhead business. You think iPhones are hard to get on launch day? Expect fans to tussle over the chance to buy a pair of Kanye West's Yeezy Wave Runners, which retail for $300 but have sold for as much as $2,000 in the secondary market. CyberAIO will go to work when a new pair comes out on Saturday.

The bot is so effective at buying exclusive sneakers online that the people tasked with supporting it don't even want a salary. They just want to use the bot to nab the latest pair of sneakers themselves.

CyberAIO's speed and its ability to stay one step ahead of companies' defenses give fans a leg up on the competition. But using it isn't cheap. Lucas, the bot's creator, charges people £200 (about $256) up front for the right to use the bot, with another £50 subscription fee charged every six months. (Think of it as a sort of Netflix, but purely for buying shoes.) Lucas, however, grants no more than 100 licenses a month, which keeps them a hot commodity.

On one Slack channel for sneakerheads, a user offered to pay $2,750 for a CyberAIO license.

Cyber AIO represents just one way bots are invading our lives, in this case competing against us online for that latest pair of Nike Air Maxes. It's not just shoes -- the same happens with streetwear and even Funko Pop figurines. Bots represent a hot trend in the tech world, touted by the likes of Google and Facebook. They're already widespread across the internet, offering useful features like helping you fall asleep. Others have more nefarious purposes, like scooping up all those Kendrick Lamar concert tickets in seconds, before you even have a chance.

Since bots can move at a pace no human can match, scalpers online are taking advantage of their skills to make massive profits. In May 2017, the New York attorney general's office went after six companies that used bots to resell hundreds of thousands of concert tickets after hiking up the prices.

One company bought 1,012 tickets to a U2 concert at Madison Square Garden in a minute -- nearly 17 tickets a second.

In 2016, Congress passed the Better Online Ticket Sales Act (BOTS Act -- ha ha, get it?), but the legislation only outlawed bots for buying tickets. Everything else is still fair game. And it means that when you try shopping for rare items online, you've got some serious competition.  

"When these very big sales are going on," said Moshe Zioni, a director of threat research at security company Akamai, "close to 100 percent of the traffic is bots alone."


Bot imitating life

Given people's obsession with sneakers, it's no surprise a bot that focuses on footwear inspires such awe.

"Sneaker bots have a really big community. They're probably one of the more popular bot communities out there," said Ali Mesdaq, director of digital risk engineering at cybersecurity company Proofpoint. "There's storefronts; there's markets online; there's so many places."

On a WTB (want to buy) Slack channel from Shoeplex, a user offers to buy Cyber AIO for $2,750. (Alfred Ng/CNET)

For months, one unnamed bot identified by Akamai had been gearing up to fool security software designed to make sure only real people were buying sneakers off a major shoe company's website.

The programmers knew what Akamai's detection program looked for, and spent hundreds of hours recording thousands of "human" interactions on the same website. Think mouse movements, clicks and typing patterns that reflect how you and I use a computer -- not the immediate and automatic way a machine would.

When it came time to buy sneakers, this bot could slip by, insert prerecorded actions from a real human, dart to checkout and clear the shelves. Akamai's software couldn't tell the difference because the bot was so sophisticated, said Josh Shaul, vice president of web security at Akamai.

The attacker clearly had inside information, he said. The bot's creators knew that Akamai's detection remembered data for only 30 minutes at a time, so even if a bot was blocked, it could return in 30 minutes and appear to be a completely new visitor. The attacker also knew what the detection program looked for and how to work around it perfectly.

After months amassing all that human interaction data, the bot struck in July, successfully faking out Akamai's software. All this for multiple pairs of sneakers.

"They waited and waited until there was an actual moment with a sale to happen, and they used all the tools in their tool kit," Shaul said. "We have not seen that level of investment and time and energy and building for exploits or bypasses in other markets."
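Two weaknesses stand out in the account above: detection state that expires after 30 minutes, so a blocked client can simply come back as a "new" visitor, and behavioral checks that can be satisfied by replaying a recording of a real person. The following Python model is an added example, not code from Akamai, CNET or the bot's author; it assumes a toy block list keyed by client id and a deliberately simple exact-match replay check (the 3-session threshold and the sample telemetry are constructed) to show why a longer memory window and cross-session reuse checks change the outcome.

```python
import hashlib
import json
from collections import defaultdict


class BotDefense:
    """Toy model (assumption, not Akamai's product) of two defensive controls:
    a block list with a configurable memory window, and a replay check that
    flags a behavioral trace reused verbatim across distinct sessions."""

    def __init__(self, block_ttl_seconds, replay_threshold=3):
        self.block_ttl = block_ttl_seconds
        self.replay_threshold = replay_threshold
        self.blocked_until = {}                # client_id -> expiry time (seconds)
        self.trace_clients = defaultdict(set)  # trace fingerprint -> client ids that sent it

    @staticmethod
    def fingerprint(trace):
        # Canonical JSON then SHA-256, so byte-identical recordings collide
        # regardless of key order; small jitter would defeat this exact match.
        return hashlib.sha256(json.dumps(trace, sort_keys=True).encode()).hexdigest()

    def block(self, client_id, now):
        self.blocked_until[client_id] = now + self.block_ttl

    def is_blocked(self, client_id, now):
        return self.blocked_until.get(client_id, 0) > now

    def evaluate(self, client_id, trace, now):
        """Return 'blocked', 'replay' or 'allow' for one page interaction."""
        if self.is_blocked(client_id, now):
            return "blocked"
        seen_by = self.trace_clients[self.fingerprint(trace)]
        seen_by.add(client_id)
        if len(seen_by) >= self.replay_threshold:
            self.block(client_id, now)
            return "replay"
        return "allow"


# Constructed sample telemetry: (milliseconds since page load, event, x, y).
HUMAN_TRACE = [
    (120, "move", 410, 220), (340, "move", 455, 268), (610, "move", 502, 301),
    (900, "click", 505, 303), (1850, "key", 0, 0), (2400, "click", 640, 480),
]
OTHER_TRACE = [(95, "move", 120, 80), (700, "move", 300, 260), (1200, "click", 302, 262)]


def demo_block_memory():
    """Blocked client probing back 31 minutes later under 30-minute vs 24-hour memory."""
    results = {}
    for label, ttl in (("30min", 30 * 60), ("24h", 24 * 3600)):
        d = BotDefense(block_ttl_seconds=ttl)
        d.block("bot-1", now=0)
        results[label] = (d.is_blocked("bot-1", now=60), d.is_blocked("bot-1", now=31 * 60))
    return results  # {'30min': (True, False), '24h': (True, True)}


def demo_replay():
    """One recorded human trace replayed from four fresh sessions, then a genuine one."""
    d = BotDefense(block_ttl_seconds=24 * 3600, replay_threshold=3)
    verdicts = [d.evaluate(f"session-{i}", HUMAN_TRACE, now=i) for i in range(4)]
    verdicts.append(d.evaluate("session-real", OTHER_TRACE, now=10))
    return verdicts  # ['allow', 'allow', 'replay', 'replay', 'allow']


if __name__ == "__main__":
    print(demo_block_memory())
    print(demo_replay())
```

The replay check only pays off once a recording is reused; an attacker who captured thousands of distinct sessions, as the article describes, can spend each one once, so in practice it is paired with the longer memory window and with tolerant similarity scoring rather than an exact hash.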

March madness

There was a major sale almost every day in March. And -- surprise -- during the same month, the people at Akamai saw one of the year's highest rates of bot activity.

Sole Collector's sneaker release calendar listed an Adidas collaboration with musician Pharrell Williams, Nike's collaboration with NBA star LeBron James and several Air Jordan releases.

Nike was also celebrating its "Air Max Day" campaign, in honor of a pair of sneakers released on March 26, 1987. With that came a series of rare releases, including a pair of Sean Wotherspoon Air Max 1/97s, which Complex ranked as the best sneaker of 2018.

They sold for $160. Resellers put them on the market for as high as $600.

Akamai provided CNET with data on bot traffic versus human traffic on one of the key release dates (though because of client confidentiality, it didn't offer details). The chart shows bot traffic completely eclipsing the efforts of humans to buy sneakers throughout the day.

Traffic from a sneaker release in March, showing bot traffic eclipsing human traffic. (Akamai)

One prolific unnamed botnet sent more than 473 million requests to visit the website. Two other bots that weren't as popular still managed to hit the website with 18 million and 9.4 million requests.

Because the sneakers are so valuable to resellers and collectors, the bots designed to snag them are also in high demand.

"In the past, these bots would be in the hands of specific hackers that know their stuff," Zioni said. "But now it's a prolific business to release it or sell it for others to use."

Proofpoint's Mesdaq said that CyberAIO is constantly popping up as a highly recommended bot on social media. For a bot to work, it has to be in limited supply -- if everyone had the bot, no one would really have an advantage. That's why CyberAIO keeps the number of new licenses each month steady at 100. However, the 16-year-old from England faces a daunting, if perhaps unsurprising, challenge.

"We have to try to stop these bots trying to get our bots, which is quite ironic," Lucas said.

Shop till you bot

Despite how lucrative CyberAIO is, Lucas looks at the sneaker bot as a part-time job -- he's still a student. He said his parents know about his side hustle and are perfectly fine with what he's doing.

Lucas doesn't see any issues with the bots either, though he's seen people complain to companies, saying it isn't fair they can't buy these shoes without paying for an expensive bot. If anything, he noted, the hype around sneakers selling out only helps the companies. He's just helping them get there faster, he said. 

"If a pair of Yeezys were released tomorrow and they didn't sell out, the hype around Yeezys would die down," he said.

He officially launched the bot last June, and it now has about 1,700 subscribers. Lucas attributes his success to speed. As in Olympic racing, being able to shave off seconds is crucial for sneaker bots.

"If you want a bot to succeed, it needs to be the best -- faster and more reliable," he said. "It'll check out in 3 or 4 seconds compared to 11 seconds. It drastically improves your chances of getting what you want."

CyberAIO's features, listed on its website. (CyberAIO)

He first created his own bot in February of 2017, to get a pair of Yeezys. Lucas saw his friends reselling clothes for three times their value, and he wanted in. He then started selling the bot to his friends and improving its features.

When he started, CyberAIO supported only one store. Now customers can use it to buy immediately from 130 different shops.

Nike and Adidas didn't respond to a request for comment. Foot Locker, which also owns the Footaction site, didn't respond to a request for comment. Lacoste, which is also listed on Cyber AIO's page, didn't respond either.

Lucas' staff of two developers and six customer service representatives are paid to keep ahead of security researchers trying to protect sneaker sales from bots. Cyber AIO updates itself every three days with new workarounds and fixes for paying customers.  

"They catch up to you and it's a cat-and-mouse game where you're trying to improve your product," Lucas said. "If you find the right opening, you should be able to get the edge."

First published Oct. 25, 5 a.m. PT
Corrections, 6:15 a.m.: This story initially misidentified the source of a quote. The quote about the size of the sneaker bot community is from Ali Mesdaq. 8:45 a.m.: The price of CyberAIO is £200.
