Hacked - Shopbots and Sneakerheads

Episode Date: May 26, 2020

Jordan Bloemen & Scott Francis Winder discuss the shockingly lucrative world of robots that wait in lineups. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love.

Transcript
Starting point is 00:00:00 What put the story on your radar? Because you found this one. You know, sometimes a guy just needs new kicks. Is that what it was? You were shopping for sneakers, and there was some you knew you weren't going to get? Yeah, of course. There's so many things now.
Starting point is 00:00:17 You know, drop culture's become such a big part of society that there's so many things that if you want them, you literally had to pay your resale an aftermarket price for, which is, you know, ludicrous often. So, you know, a person with skills looks at other ways to acquire those things. Did you end up buying one of these things?
Starting point is 00:00:38 One of these pieces of software that we're going to spend some time talking about? No. I didn't get in the pool. So this all starts about a decade ago on a street corner in Canada. There's a lineup of people wrapped around the block and standing in that line is this young guy named Paul.
Starting point is 00:01:00 Paul was big into basketball. And through basketball, he started getting into this other thing. This whole other hobby he was sort of walking alongside, but a little too close to and slipped it. It was always what I would do with my dad, or I would go with friends, and I would go line up. It's the hobby that found him on this street corner, waiting in this lineup.
Starting point is 00:01:26 And it was a lot of fun. Talking about sneakers. What drew me to sneakers was actually basketball. I played basketball when I was in grade seven, and then one of my good friends loved the retro Jordans. On September 15th, Nike created a revolutionary new basketball shoe. 1985, black and red. On October 18th, the NBA threw them out of the game.
Starting point is 00:01:56 There's a famous story about these sneakers. Jordan got fined $5,000 every day, every single game he wore them because they weren't regulation. Fortunately, the NBA can't stop you from wearing them. And Nike paid that fine every single game of the year because they understand marketing. Air Jordans from Nike. Anyway, Paul gets into sneakers. In basketball, the sneakers was the one thing that you had the ability to choose
Starting point is 00:02:24 and you could kind of like go with your own style with the sneakers. So I was always pretty big into having like the flashy sneakers even like as far back as when I was in the seventh grade. Which back then meant standing in lineups. So then beyond that, I was open to the culture, and then I would go with my dad even to line up at the mall for the sneaker releases and stuff like that. Used to be, people like Paul would rush out to buy the sneaker at the store
Starting point is 00:02:50 the day it came out. As more and more consumers start shopping online, it becomes a rush to complete the transaction the second the sneaker goes up for sale. And here is where the bots show up. On the day these shoes go up for sale, the minute, the second they go on sale, there's this window of time, very brief, in which thousands of humans frantically compete to complete a cart checkout. They fight to buy the sneakers fastest. Bots, tiny programs that complete basic tasks, are good at fast.
Starting point is 00:03:31 So some people have created bots that race to buy sneakers for them, robots that complete checkouts faster than any human could ever hope to. The people who make the sneakers hate this. In recent memory, there's a couple European skate shops that posted like digital pictures of the shoe and then put it at a very similar retail price and made it like abundantly clear to a manual user that they're digital photos and there were no refunds for the digital photos,
Starting point is 00:04:06 but obviously if you're a bot and you're running the keywords like Eric Koston or whatever, it's going to check out, and it won't read that this is a digital product, no refunds. So they kind of got everyone screwed over like that. In June of last year, one sneaker company put up a trap and tricked a robot and its owner into buying the wrong pair of $10,000 sneakers, $10,000 being a life-changing amount of money and it being bad press for a sneaker company to ruin a person financially, they gave the money back. The resale market for sneakers, now this is just reselling, is worth $2 billion. And it is a massive ecosystem of individual buyers, websites, companies, and platforms, all making money off of what seems at first glance like a basic issue of supply and demand.
Starting point is 00:04:59 That kind of a system, with that kind of money flowing through it, sooner or later, people are going to hack it. Maybe not in a phishing scheme Trojan horse DDoS attack kind of hack, but a hack nonetheless. And the people buying the sneakers probably aren't the only ones. My name is Jordan Bloemen. And I'm Scott Winder. And this is Shopbots and Sneakerheads here on Hacked. If you had to guess, how much would you say your collection is worth? A lot.
Starting point is 00:05:52 More than I would like to admit. It's a substantial investment, though. I never really saw them as an investment, to be honest with you. I always just saw them because I would like them and I would collect them. And obviously, it's similar to a car. Once you drive it off the lot, it decreases in value. So I wear a lot of my shoes, and they have just decreased in value for that reason. It's never been an asset or something like that to me.
Starting point is 00:06:20 I wanted to understand how this all went from lining up outside of a store with your dad to shopbots. Because for Paul, every sneaker may not be its own asset, but they are certainly assets. We said earlier and we will say it again, the sneaker resale market alone is worth $2 billion. So how does that happen? You eventually hit a point where the shoes that you want don't release at the local Foot Locker anymore. And then you have to start looking at these boutique shops and stuff like that where they release the specific collaboration or the specific shoe that you're looking for your collection. So that's probably the start of that.
Starting point is 00:07:07 As you dive deeper in the collection and you want to find different pairs of kicks like that, you have to look other places. where it started for me. And then you realize how incredibly difficult it is to get these pairs of shoes. And even probably 10 years ago, probably even like five years ago, none of this bot stuff existed. And even if it did, it didn't exist very well. But as you continue or as I continued through that, you start to realize that these programs are a thing. No matter how much you complain about them, they're never going to go away. No matter how much you complain about resellers,
Starting point is 00:07:47 they're never going to go away. And it's just like a part of the culture as sad as it is in a sense. Like I've done my fair share of complaining and all that. So I eventually was like this is getting me nowhere. Maybe I should figure it out. So let's figure it out. Say I want to make just like a ton of money reselling sneakers. Two billion bucks.
Starting point is 00:08:14 I want a piece of that pie. Generally, the retail price of most all-in-one sneaker bots are between $250 to $400. That is Botter Boy Nova. He's like a sneaker YouTuber, does a lot of work with bots. In another video of his, we get to see how this $250 to $400 software works. So, Nova, the young guy, Nova is trying to pick up some gear, cop a drop from the brand Supreme. The first release I'm going to go for is in about 20 minutes. This is a website I haven't gone for yet, but after that I'm going to speak a little bit more on my predictions on how I think I'm going to perform today.
Starting point is 00:08:55 It might not be the usual cookout that I'm expecting for high stock releases. So let's go for this release for now and let's see how I do. We can actually see what software Nova is running. So while he is selling two different bots through like affiliate programs, links in the text description below the video. The one that he's using is called TSB, the shitbot. The shitbot, Nike shoe bot, any of these, they all work in generally the same way.
Starting point is 00:09:28 Yeah, as I said earlier, I'm not the best on the technical side exactly on how they work like inside and out, but basically the summary of what it is is it's an auto-checkout program which greatly expedites the speed of a checkout. Picture an Excel spreadsheet: rows and columns.
Starting point is 00:09:46 So you put in your info and you make profiles, which include your billing, shipping address, your credit card information, and then you create tasks. In the context of a bot, each row is a task, a goal for the bot. So tasks would basically be analogous to a person trying to check out. In the columns of that task, the user sets the website they're buying from, keywords, which is where you put the shoe name, a parameter for size, color, proxy addresses in case the seller is tracking to see where orders are coming from, and then this big, fat,
Starting point is 00:10:22 green start task button. So then you take a task, and once you start a task, it works very quickly depending on your setup and your proxies and your server, which all are important in increasing your speed and reliability of your bot. And then as your tasks go through, they can ideally check out. Fills in the task, hits the start button, and this little robot gets to chugging. Coppin' sneakers. Oh.
Starting point is 00:10:51 Why didn't I check these beforehand? Okay, the keywords I used was GS, but they had it spelled out grade school. Dude, I should have checked this section before running. Damn it, ETR was a cook. I fucked up. Punched in the wrong keywords. See, the bot only does exactly what you tell it to do.
Starting point is 00:11:19 It's interesting. As these tasks are running, you can actually see the web page on his screen just crushing through these transactions at like bot peak speed. Some of the sites have CAPTCHAs and he's just sitting there telling Google, there's a fire hydrant, there's a fire hydrant, as fast as he can to prove that there's a human behind these transactions, which there isn't really. Nova does fine. Turns out some of the sites he's using started taking this new payment processor.
Starting point is 00:11:47 We had, you know, mixed bag results. That release was super duper annoying, mostly because foot sites were absolutely destroyed and down for quite some time. Nobody really knows what's going on. There's a lot of payments being ghosted. There's a lot of charges, not too many emails. So therefore, I can't really make, like, your standard checkout recap. Because I really don't know myself how much I actually got.
Starting point is 00:12:17 It's gotten to a point where I can justify the reselling a little bit because I pay resale for most of my collection. So it's kind of like I have to resell to pay resale if you get what I'm saying. That seems to be a lot of what the culture is. I don't think there's anyone that purely collects, collects, collects, and has never resold a pair of shoes anymore. Because the fact is you're going to have to pay resell down the line. So you want to offset that cost a little bit. There are people in sneakers definitely that are only in sneakers for the money and that's a little different. I would put them in a different bracket than some other people that would resell and
Starting point is 00:12:57 engage in reselling in order to down the line purchase a pair of shoes that they wanted. People who are only in it for the money, people who are in it for the love of sneakers. We're going to talk about the people behind these bots right after the break.
Starting point is 00:14:49 Bots are everywhere. Bots are everything now. Like, there's bots in game chats and Twitch chat rooms. There's bots that answer questions. There's bots that talk to you. There's bots that look things up for you. There's bots that take over your computer. You know, there's a variety of different kinds of bots. These are shopbots. I think bot, in my memory,
Starting point is 00:15:24 originated in video games. So anything that was essentially a non-player character, an NPC, was a bot, essentially an AI participating with you in the game. So we got two different types of people using these bots. We've got people who are reselling shoes at a profit to offset buying resold shoes at a loss. We've got people who are reselling as a business, buying shoes they'd never wear to resell
Starting point is 00:15:53 them again at a profit. It's easy to say, okay, Paul seems kind of like the former, maybe Nova, and truthfully heaps of people on YouTube are the latter. But my sense is that most people in this world are floating somewhere in the middle, reselling when it makes sense, buying the shoes you love. And at 200, 300, 400 bucks, buying a bot kind of makes a lot of sense for both groups. It's really useful if you can afford it if you're trying to grab a pair for yourself, and it makes complete sense if you're treating this like a business.
Starting point is 00:16:32 Can you kind of take me through the bots you've used over the years? Yeah, so what I used to run, is I used to run before I kind of left for a while was called dashy, dashy. dash e.io and that bot was the first one I ever got and it did amazing. Like it was awesome.
Starting point is 00:16:53 And that was probably my biggest one. So then they start putting in I don't exactly know the technical side behind the anti-bot measures. I'll have to probably ask Shopify how that one works. But it would just
Starting point is 00:17:07 decline a lot of payments and throttle proxy IPs and whatnot. So if it was suspicious, it would kick you to the back of the queue and make your ping speed a lot slower, at least to my knowledge. I mean, I'm not very knowledgeable in this anti-bot stuff.
Starting point is 00:17:27 I just know that it existed, and it made me pretty angry. What bot are you using right now? What's your current go-to? Well, I've had this one Kodi AIO for almost a year now. So I got it right before I kind of died down on my commitment to botting. And it's been fantastic.
Starting point is 00:17:49 I also run, what I'll start run? Sorry, I'm just trying to look them up now. So Kodi, what bot I also run? Splashforce, sometimes, even though I've never got anything with that. I still ran Dashie for a while and just sold it recently. Resold. Yeah, and that's pretty much the ones that I use on the daily basis. You resold the reselling software.
Starting point is 00:18:17 I did. I just have been trying to consolidate the bots that I don't use as much into, I guess, ones that I'll use more. So I'm selling off the ones that I don't find work as well for me anymore and getting ones that I think do. Botting is pretty interesting in the sense that there are very good bots and bots that are widely regarded as the best bot, but most of it actually has to do with the user's understanding of the bot,
Starting point is 00:18:51 because some people may have, like, Cybersole. Cybersole resells for about $4,000 US dollars at the moment, but some people may have this bot and not check out anything, just because they don't understand it and they haven't practiced with it. And then there's other bots that are more, in air quotes, entry level, which are regarded to be something like Dashy. And Dashy would have, what is, it's about $100 right now. But it has a higher monthly renewal.
Starting point is 00:19:25 So you have to pay about $50 a month of upkeep to keep your license. Did you say that Cybersole resells for $4,000? Yeah, $4,000 US dollars. $4,000 American dollars to repurchase one of these apps. For, I was curious, the shitbot that Nova was using, if we kick over to their website, awash in poop emojis, how much does the shitbot run for? If you go over to the buy section, they currently have a one-year license listed for $9,99. What is going on here? So here's my read on this. The shitbot doesn't actually run for that. They will sell
Starting point is 00:20:15 you a $10,000 license, but seeing as it usually retails for about $300 a year, that price is a fuck-off price. This is artificial scarcity. Once they sell a certain amount, they ratchet up the price to stop sales. Then, there are only so many copies of the app in the wild, at which point the resale market kicks in, with people buying and selling the software to each other at a markup. Sound familiar? Scott, is scarcity in software I feel like I know the answer to this. Is scarcity in software ever a thing? God, no.
Starting point is 00:20:52 The first one costs everything. The second one costs nothing. You can make a million copies of it. I imagine the reason why you'd want to have some scarcity in something like this is because if everybody had it, you essentially are creating your own arms race. And then all of a sudden your bot's, you know, not valuable anymore. So there theoretically could be a conceivable reason
Starting point is 00:21:14 to why you'd want to keep it somewhat scarce. But as far as software in general, absolutely not. Like Microsoft is Microsoft for a reason. Copy paste, make a new... Yeah, print on the DVD. Cut it, cut it, cut it, cut it. You know, the first one costs $2 billion.
Starting point is 00:21:31 The second one costs one cent. Out of curiosity, I looked up, you know, kind of the Rolls Royce of bots in 2020, and Paul's numbers check out. Code I, which is rarely restocked, runs for between $4,500 and $6,000 on the resale market. plus some monthly fee. When these sneakers drop,
Starting point is 00:21:49 is there anybody actually standing in line at this point or is it just robots racing to complete this transaction? I guess in a sense, is it just whoever has the best bot gets the sneakers? Actually, I don't think it's exclusively the bots going up against each other. I think these anti-bot measures have actually done a decent job. These anti-bot measures, Scott, I guess, how do you imagine these bots worked
Starting point is 00:22:15 and how do you imagine people go about keeping them out of the lineup, so to speak? The early bots, I think, would rip apart the HTTP GET and PUT requests, which are coming from your web browser to submit forms. So they could essentially figure out exactly what data was passing from your web browser to the server, and then they could quickly replicate that. So one of the first anti-bot measures was ways to stop that from happening. So if you weren't interacting with the website, then the PUT request from the form wouldn't satisfy the website's requirements or the server's requirements. So I think that's probably the big first anti-bot measure.
Starting point is 00:22:58 It probably worked a lot like RSA keys, like each web page that you loaded up had an embedded number or something in it, that if the submission from the form didn't also include that embedded number, you rejected it. Pretty easy, pretty straightforward. Really easy to get around because all you would do is scrape the page, pull that number out and include it in your submission. You know, they're probably having to get far more complicated now because I'm sure they're into some pretty crazy things where I think the bots now have to essentially replicate human interaction. So they're literally pretending to surf the internet for you
Starting point is 00:23:37 using probably a real web browser or some form of API that manifests itself as a real web browser, because if it doesn't, then the back end of the server probably rejects it. Usually, like probably about a year to two years ago, it would have just been a bot battle, to be honest. But now at least some manual users go by, it's still very bot dominated. And so, like you said, it definitely is kind of a battle between these bots, which have thousands and thousands of users fighting, especially on Shopify for 50 pairs.
Starting point is 00:24:15 Say a company makes a sneaker for $100. They know it'll sell out at $100. But they also know that if someone was to turn around and resell those sneakers for $300 or $400 or $500, no one would blink an eye. Which kind of got us wondering. Are there any sneaker companies reselling their own stuff? We asked Paul that question right after the break.
Starting point is 00:25:42 You know, with manufactured scarcity comes a higher margin of value that you can generate. It totally wouldn't surprise me if, you know, especially small players aren't essentially reselling their own product because I just don't think that there's a reason why you wouldn't. You know, why would you sell something, a sweatshirt that says, you know, something, something social club on it for, you know, $180 and then watch a reseller sell it for $650 when you're an independent artist. Like, why wouldn't you then just sell it for 650? I know, like, you know, Nike probably can't do that. Adidas probably can't do that. But I imagine there's a lot of people that live in the drop culture,
Starting point is 00:26:27 not just in sneakers that are doing that. Yeah, the culture wouldn't like it, but there's no law against it. Not only is there no law against it, it just makes economic sense. I make a sneaker that I sell for 100 bucks. I know that people will buy it for 200 bucks. Are there any rumors of, like, big companies reselling their own product? Yeah, there are. There's a lot of stuff surrounding a lot of backdoors,
Starting point is 00:27:03 which is when they would just directly sell them out the back to a resell service. I know there's some things that go on occasionally with skate shops that do that, and they'll sell their SB dunks out the back door in order to get the revenue for the shop. But I mean, obviously, that's to keep the shop sustaining and get a little bit more revenue, which is okay. I mean, the way that I see stuff like that is there's likely a reason for it.
Starting point is 00:27:33 There's also rumors in the States because I can't remember if Foot Locker has a share in Goat, which is a large resale platform, or the other way around. I think it's Foot Locker has a share in Goat. And there's a lot of rumors about them directly backdooring stock to Goat. Foot Locker did invest $100 million into the reselling app Goat in 2019, but beyond some sneakerhead YouTube channels discussing a rumor,
Starting point is 00:28:01 we could not confirm it. So here's where we end up. What started out as a lineup eventually became this online queue. What started as people reselling product at a markup to cover the cost of buying marked up product swelled into this $2 billion industry. As an aside, if sneaker reselling was a company, it wouldn't quite make it out of the Fortune 500, but it wouldn't be that far off.
Starting point is 00:28:29 And in the middle of all of that money, really kind of driving it, are these young people, like Paul and Nova, engaged in this never-ending fight with these sellers, who may or may not be fixing the fight, probably not. And what has turned into this never-ending arms race of bots and hacks to complete transaction at ever-accelerating rates.
Starting point is 00:28:53 What started out with sneakers has swollen into this. Do you think this ever goes back? It's kind of hard to say. For when they implemented that Shopify bot protection, a lot of people are like, RIP, that's the end of botting. But it's realistically,
Starting point is 00:29:12 the bot companies are incredibly smart and the developers behind that are obviously incredibly smart. So it seems kind of like a boxing match between the site developers and the bot developers, which is kind of interesting. In terms of botting as a whole, I don't think it's going away anytime soon. I think it's really gaining traction, which is what causes the resale on these bots to go so astronomically high. I think there's a lot of people that have really started to kind of catch wind of what's going on here in sneaker culture, and they have a perception that it's very easy to get your foot in the door and make a lot of money doing so. So there's a lot more people, even that I notice surrounding me that are getting involved in this and asking about bots.
Starting point is 00:30:10 Scott, where do you think this, I guess to borrow Paul's term, this whole boxing match, where does where does that boxing match go from here? I think they've created a game and there's always going to be people to play. They've manufactured
Starting point is 00:30:27 scarcity. So they're withholding product that people want to drive up the value of it, which then drives up the value of it in the secondary market, drives up the desire to own it. As long as they do that, there will be a higher demand. They could just make more shoes, but, you know,
Starting point is 00:30:43 they're not doing that because, you know, marketing. But as long as there's the game, there'll be players, you know. Thanks for listening, everybody. A bit of a different episode for you. Hope you enjoyed it. We're going to be back next month with another episode. Since we are producing once a month right now, a big, big thing you can do to help the show out is comment and share.
Starting point is 00:31:08 Both help us out with the sort of mystical podcast app algorithms. If you want to chat with us, you can find us on Twitter at Hacked Podcast. And if you want to really show us some love, we're over on Patreon, patreon.com slash hackedpodcast. Thank you so much for listening. Catch you on the next one.
