The simple, joyful act of buying the latest console – a twice-decade dopamine hit like no other – has become a rage-inducing misery in 2020 and 2021.
Why? Because of scalpers who employ fast-buying bots to scoop up hundreds of consoles in the time it takes for your finger to press “order”.
They are using increasingly sophisticated bots to do this and becoming more organised to spot opportunities, often working in large groups. For regular gamers who want to buy a console, this has caused huge frustration and anger towards scalpers who are profiting from reselling consoles at huge markups.
But scalpers I’ve spoken with say their intentions are misunderstood and their negative public image isn’t justified.
“There seems to be A LOT of bad press on this incredibly valuable industry and I do not feel that it is justified, all we are acting as is a middleman for limited quantity items,” said Jordan, who co-founded The Lab, a private group that advises paying users on how to scalp (known as a “cook group”).
Jordan claims to have secured 25 PlayStation 5 units in January and resold them for £700. The most expensive recommended retail price for the PS5 is £450. This, he feels, is no different to how any other business operates.
“Essentially every business resells their products. Tesco, for example, buys milk from farmers for 26p or so per litre and sells it on for upwards of 70p per litre. No one ever seems to complain to the extent as they are currently doing towards ourselves.” The backlash from angry gamers has led to death threats, Jordan claims, which have been reported to police.
I put Jordan’s analogy to some frustrated gamers who have been trying to buy the Sony console for weeks. One, who didn’t want to be named, said: “He is deluded. He doesn’t get he’s another layer of profiteering in his own Tesco analogy. He’s not Robin Hood.”
Bypassing security checks
Jordan’s success has been replicated by other users in The Lab. Jordan’s business partner, Regan, shared images of mass purchases of in-demand Supreme gear using a bot called Velox.
The screenshots show that not only is the bot fast at checking out (the fastest is 2.3 seconds for a Supreme x Smurfs Skateboard), but it also manages to bypass 3D Secure to make the transaction happen.
3D Secure is an additional layer of security which verifies that the buyer is the legitimate card owner. It is a requirement in the UK for all websites processing card payments (if the payment card supports it). This usually redirects buyers to another site, which is owned by the bank, for authentication. But the Velox bot used for these Supreme purchases bypasses the protocol for a faster checkout.
I asked web security and performance consultant Edward Spencer how this bypass works.
“I suspect the 3D Secure payments page is being bypassed by using a card that has not had 3D Secure enabled. Generally, all cards provided by EU banks must have 3D Secure enabled. If you called your bank and requested that 3D Secure was disabled for your card, they’d refuse. So I would guess that they are using cards associated with banks that are from outside of the EU, and are probably pre-paid. The shops could probably thwart these guys by banning all non-3D Secure transactions.”
But there’s more to scalper success than bypassing 3D Secure. Another person I spoke with, who only wanted to be quoted as “Alex”, attempted to build his own bot to buy a PS5. But his was a website scraper that automated purchases, which, as Alex explains, isn’t quick enough.
“There are bots that interact with servers, and there are bots that interact with the web browser – mine interacted with a web browser. So it can only go as fast as a website will let you go. It works faster than a normal human, but there are other bots that, you know, people would be selling for thousands of dollars that will beat my bot every time.”
He continued: “So I know, for Walmart, there was an open API for their stock. Some of these bots could add a PS5 to their shopping cart, and then they could purchase it from there.”
Alex is right that scalpers and cook groups are finding innovative ways to get stock before anyone else. On January 25th cook group Express Notify found a way to buy PlayStation 5 units from UK retailer Argos a full day before the official stock drop, ordering several consoles. Argos eventually shut down the loophole.
Exactly how these bots bypass safeguards, or “interact with servers”, as Alex put it, is a bit of a mystery. Spencer speculates that the creators of these bots have “sniffed” the web traffic between the web browser or mobile app of an online store, and the servers.
“Right now I can open Google Chrome and go to any online store, press F12 and I’ll get the developer tools up. All I’ve got to do is go to the network tab, and then maybe add a product into my cart, and observe how my browser is talking to the server that hosts the website. There will typically be network calls to an API running on the server that reveals information – in a computer and human readable way – about products and stock levels.
“So this API isn’t intended to be used by 3rd party developers, but a 3rd party developer could use it if they worked out how. It’s reverse engineering the online store’s API. This isn’t exactly sophisticated. Sites can mitigate this with tried and tested anti-request forgery techniques but unfortunately many sites just don’t bother.”
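One form the anti-request forgery check Spencer mentions can take, as an added example that is not code from any retailer or from the people quoted here: the server issues a short-lived token bound to the shopper's session when it renders the page, and the cart API refuses calls that lack a valid one. The header name `X-Cart-Token`, the five-minute lifetime and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
TOKEN_TTL = 300                       # assumption: token lifetime in seconds


def _mac(session_id, issued, nonce):
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Token embedded in the rendered page, bound to one session and issue time."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_mac(session_id, issued, nonce)}"


def check_token(session_id, token, now=None):
    """Return "ok", or the reason the request should be refused."""
    if not token:
        return "missing"
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    issued, nonce, mac = parts
    expected = _mac(session_id, issued, nonce)
    # Constant-time comparison; a token minted for another session fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    age = (time.time() if now is None else now) - int(issued)
    if age < 0 or age > TOKEN_TTL:
        return "expired"
    return "ok"


def handle_add_to_cart(session_id, headers, product_id):
    """Hypothetical cart endpoint: calls without a valid page token get a 403."""
    verdict = check_token(session_id, headers.get("X-Cart-Token"))
    if verdict != "ok":
        return 403, verdict
    return 200, f"added {product_id}"
```
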
I contacted several bot makers and cook groups to ask how their tech works, but none were forthcoming apart from those quoted in this story. If you have any information you’re willing to share, then get in contact.
The scalpers I did speak with operate as a business, in some cases with full time staff. Because of the potential money on the table, the scalpers employ a lot of techniques to gain an advantage over regular buyers and other bot users. Jordan explained that because of bot competition, he has to be vigilant of opportunities.
“Our group monitors hundreds of websites waiting to notify members of restocks. The website I was able to get checkouts from was GAME, which the monitors notified us at around 10am GMT that PS5 stock had been loaded onto the backend of the website.
“It is pretty simple to set up as all the top tier bots have in-depth guides or really simple interfaces. All I needed was the product ID, a few unique billing profiles and proxies (proxies allow us to access websites from different locations whether it be country or city specific). We have this all in place ready before any restocks happen to give us the best chances of purchasing. If you are slow, even with a bot, you will miss out on the product.”
GAME issued the following statement in reply to Jordan’s claim.
“PlayStation 5s continue to be in very high demand and that demand far outweighs current supply. We have strong measures in place to help ensure that our “1 per customer” statement is maintained to allow for as many individual customers to successfully purchase as possible.
“All pre-orders are subject to automatic checks and order updates such as cancellations following these checks take place after a customer will have received a valid order confirmation email.”
Jordan didn’t want to name the bot they used to complete the purchases, but they did say that “you will have seen it plastered amongst the media recently due to the PS5 shortage.” In late January, the team behind a bot called Carnage boasted about helping users secure 2000 PS5s. The Carnage bot team could not be reached for comment.
Both Regan and Jordan say that they are, ultimately, helping people by giving them financial opportunities to resell consoles at an inflated price. “I mainly just try and help others now, that’s all that really matters to me. The whole group came about near the start of the first UK lockdown and it makes me so happy that I can help people make some extra money for themselves.
“We do a lot for charity as well. I myself or collectively as a group donate to charity almost monthly at this point. Most notably over the past month we donated a large portion of our membership fees to a foodbank local to me.” I asked for details of the food bank to confirm Regan’s donation but he didn’t provide their information.
Using bots doesn’t guarantee a purchase of any hot ticket item, but it can massively improve your chances. What this means for the consumer is that the already limited pool of available product – which has been exacerbated by supply chain issues related to Covid – shrinks even further. Regan says this means average buyers will always struggle.
“Your average person who just wants one of the consoles to use struggles to get close. A lot of these sites have very minimal or easy to bypass bot protection. They often release stocks at stupid times or without any form of schedule. A retailer I won’t name released stock of the PlayStation 5s in the extremely early hours of the morning. Which shows the lack of care on their part. The only people who will have known about those restocks will have been people with monitors inside of cook groups.”