Retailers and shoppers need to watch out, because the Grinch bots are about!
Worldwide eCommerce sales reached $5.7 trillion in 2022, up 9.7% from last year. This growth rate is slower than previous years due to macro-economic factors like inflation, but the trend towards greater online consumer spending remains clear.
And as a consequence, inventory-scalping bots, aka “Grinch bots”, are continuing to cause frustrations for holiday season shoppers around the globe.
Over the past few weeks, customers haven’t just been competing amongst themselves to snap up the best deals. They’ve also had to contend with malicious bots that fill out online forms and buy up high-demand gifts in bulk as soon as they become available.
According to estimates by cybersecurity firm Radware, up to 97% of all online traffic to retailer login pages on key dates like Black Friday and Cyber Monday comes from bots.
So what actually are Grinch bots? Who operates them? And what can be done to stop them? We’ll answer all those questions and more in this post.
What Are Grinch Bots?
Grinch bots are automated programs that track trending retail items and purchase online inventory in bulk. When they detect that in-demand goods have appeared on a particular website, they purchase all available stock just seconds after it goes on sale, leaving legitimate human shoppers empty-handed and frustrated.
Bot operators then sell the “sold-out” items for double, triple, or even quadruple the original retail price to generate profit. This has been happening continually with the available stock of PlayStation 5 consoles ever since the console’s release in November 2020. As soon as more become available, they are snapped up by bots and resold with an extortionate markup.
This nefarious “inventory-scalping” activity goes on all year round. But it’s dubbed “Grinch bot” activity during the gift-buying holiday season, which starts on Black Friday and continues through to the January Sales.
The bots use algorithms to identify the best discounts on the market to maximise resale profit margins. And the most commonly targeted items are typically those that are exclusive or limited edition. Over the years Grinch bots have become more sophisticated and can sometimes detect stock before it’s even appeared on the market by checking the social feeds and product pages of popular retailers.
Bypassing CAPTCHAs & Avoiding Detection
The latest Grinch bots can appear human, even defeating image-based CAPTCHAs by sending them to a human to solve (usually very low-paid outsourced workers in developing countries). Like other bots, they also mimic human user activity by adding random mouse movements and other “humanlike” browsing behaviours. They also spread their activity across a variety of devices and IP addresses to make suspicious activity harder to detect.
Who Operates Grinch Bots?
Occasionally, Grinch bot operations are run by organised criminal gangs. But reselling items at higher costs isn’t as lucrative as other forms of online fraud which are entirely digitally-based, making them much more scalable.
Because of this, most Grinch bot operators tend to be independent opportunists who see it as a relatively easy way of making some extra cash with little to no risk. For example, in an NBC News article about Grinch bots, an anonymous 20-year-old computer science student outlined the motives and methods behind his own operation:
“A lot of it is bot vs bot. If you’re 50 milliseconds faster, then you can get all the stuff. I’m gearing up my bots to try to purchase limited edition all-black Yeezy sneakers. They retail for $220, but I’ll sell them on for $400 or more elsewhere”
The student claimed he planned to use the money to help pay for school. As Grinch bots are relatively simple to build, anyone with sufficient programming skills is capable of carrying out an attack. But it’s a winner-take-all market. Those with the most sophisticated bots tend to make the lion’s share of profits.
How Common Are Grinch Bots?
Last year, the web performance and security company Cloudflare detected and prevented more than 300 billion bots attempting to “add to cart.”
They arrived at this number by running their bot detection engines on every endpoint that contained the word “cart.” But these 300 billion were just the most successful ones. Most bots were stopped before they were even able to view product details on-page.
So that means last year Cloudflare intercepted trillions of inventory-hoarding bots scouring the web attempting to “steal” high-demand items. But even that’s still not a complete picture of the true scale of the problem. It’s simply what Cloudflare could observe through their systems.
It’s hard to put an exact figure on the number of Grinch bots out there. But one thing is for certain – they’re becoming more prevalent every year as shoppers spend more money online.
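As an added illustration (not code from this post or from Cloudflare), the sketch below applies the same “path contains cart” filter to a constructed log and shows why counting per IP address misses a bot that spreads its requests across many addresses, while counting per delivery address catches it. The log format, the hashed `addr` field, the 5-second window and the 2-unit limit are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not real traffic). Assumed fields: timestamp, client IP,
# method, path, hashed delivery address, quantity. Stock goes live at 09:00:00.
STOCK_LIVE = datetime.fromisoformat("2022-11-25T09:00:00")
LOG = """\
2022-11-25T09:00:00.400 198.51.100.7 POST /cart/add addr=a1f3 qty=1
2022-11-25T09:00:00.450 203.0.113.20 POST /cart/add addr=a1f3 qty=1
2022-11-25T09:00:00.600 192.0.2.33 POST /api/cart/items addr=a1f3 qty=1
2022-11-25T09:00:00.900 198.51.100.88 POST /cart/add addr=a1f3 qty=1
2022-11-25T09:00:03.000 192.0.2.61 GET /product/console addr=- qty=0
2022-11-25T09:00:41.000 203.0.113.5 POST /cart/add addr=77c2 qty=1
2022-11-25T09:01:35.000 192.0.2.61 POST /cart/add addr=9be0 qty=2
"""

def parse(line):
    """Split one log line into a dict; returns None for malformed or blank lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, ip, _method, path, addr, qty = parts
    return {"t": datetime.fromisoformat(ts), "ip": ip, "path": path,
            "addr": addr.split("=", 1)[1], "qty": int(qty.split("=", 1)[1])}

def early_cart_units(log, key, window_s=5.0):
    """Units added to cart per `key` within window_s seconds of the stock drop."""
    units = Counter()
    for rec in filter(None, map(parse, log.splitlines())):
        delay = (rec["t"] - STOCK_LIVE).total_seconds()
        # Only endpoints whose path contains "cart", and only the first seconds.
        if "cart" in rec["path"] and 0 <= delay <= window_s:
            units[rec[key]] += rec["qty"]
    return units

def flagged(log, key, max_units=2, window_s=5.0):
    """Keys whose early add-to-cart volume exceeds the assumed per-customer limit."""
    return sorted(k for k, n in early_cart_units(log, key, window_s).items()
                  if n > max_units)

if __name__ == "__main__":
    print("per-IP:", flagged(LOG, "ip"))         # each IP stays under the limit
    print("per-address:", flagged(LOG, "addr"))  # one buyer behind four IPs
```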
And let’s not forget there are other forms of bots performing other kinds of malicious activity too, from stealing card details to defrauding advertisers. According to a 2021 report from Statista, 42% of all internet traffic comes from bots. Not all of this activity is malicious. But a significant proportion of it is, as shown in the graph below.
Are Grinch Bots Illegal?
For years, Grinch / inventory scalping bots existed in a legal grey area. In the US, only ticket scalping bots were specifically illegal, under the terms of the 2016 Federal BOTS Act.
While other types of automated purchases may have violated a website’s terms of service, bot operators faced zero risk of prosecution in a court of law. But that changed last year.
In 2021, a group of US lawmakers introduced the Stopping Grinch Bots Act – new legislation enacted to stop holiday hoarders on the internet. The bill allows the Federal Trade Commission (FTC) to treat inventory scalping as illegal and take action against operators.
It also makes it illegal to work around security measures, access control systems, or other control measures that services use to maintain the integrity of purchasing rules. The bill prohibits the selling of items obtained this way too.
Legal vs Technological Solutions
While the introduction of this bill highlights just how problematic Grinch bots have become in recent years, it won’t do much to address the problem. Technology always moves much faster than the legal system. And operators still face very little risk of prosecution.
It’s clear the FTC hasn’t been eager to enforce the BOTS Act to protect ticket sales. In the six years since it was signed into law, they’ve only ever filed one lawsuit under the act. And the Grinch bot legislation is unlikely to be any different. So operators don’t have much to fear.
The real solution to the Grinch bot problem will be a technological one. Not a legal one. If all large retailers put in place more robust bot detection and prevention systems (such as those provided by Cloudflare), it would become much more difficult for independent bot operators to profit. But currently not enough is being done.
Advertise to Humans, Not Bots
While Grinch bots primarily hurt consumers, other types of bots cause havoc for retailers.
Bots, fake accounts, and invalid ad interactions are a huge barrier to eCommerce marketing efficiency. They waste budgets by generating clicks and traffic that will never convert.
The fake engagements then skew analytics, causing inaccurate audience data to be fed into automated ad campaigns. As a result the algorithms can end up chasing more of the same junk conversions, leading to more wasted budget.
Our 2021 Global Click Fraud Report revealed that up to 25% of retailer PPC budgets are routinely wasted on fake ad engagements. And the problem is typically even worse during the holiday season. So we built Lunio to eliminate the problem at the source.
Lunio analyses every click on your paid ads across all networks (including Google, Meta, LinkedIn, TikTok and more) to generate dynamic cross-platform exclusion audiences to protect your campaigns from fake clicks, zero-value traffic, and spam leads – instantly boosting overall ad spend efficiency.
We help leading retailers across the globe including Hugo Boss, eBay and M&S save hundreds of thousands every year – which otherwise would have been wasted on invalid traffic. Want to save up to 25% of your ad spend while simultaneously driving greater performance marketing efficiency? Get a demo and trial to test our solution on your own campaigns with zero risk.