How Scalper Bots Evaded Detection to Snatch Oasis Tickets

At 8:00 on Saturday, 31^st August 2024, millions of people were poised to be part of pop culture history.

Four days earlier, on 27^th August, seminal Britpop heavyweights Oasis shocked the music world by finally confirming their long-awaited reunion. The reconciliation of brothers Liam and Noel Gallagher sent fans into a frenzy.

For millions worldwide, it was essential to get tickets to one of the 17 announced gigs. The demand was enormous. If the virtual queue to buy a ticket was in the real world, it would have snaked through 40 football stadiums or run the entire length of the UK.

But for others with less honorable intent, this day was something entirely different – A chance to cash in by scalping as many sought-after tickets as possible.

Keeping a Close Eye on Bot Communities

Our Threat Intel Center team has covert access to over 3,000 attacker communities, Discord groups, Telegram channels and illicit marketplaces, which we use to keep our clients ahead of threats targeting them. We have never seen a faster response and development of tools to attack an event than this.

Here’s how bot operators developed the ability to beat the queues and scalp Oasis reunion tour tickets within 36 hours.

How Bot Groups Reacted to the Oasis Announcement

At 8am on 27^th August 2024, official Oasis account posted the following message signaling a reunion tour:

The guns have fallen silent.
The stars have aligned.
The great wait is over.
Come see.
It will not be televised. pic.twitter.com/FaELtNlVMh

— Oasis (@oasis) August 27, 2024

Within three minutes, the first post popped up in an underground community asking how best to scalp tickets. Just 36 hours later, attackers had amassed a virtual armory of ticket scalping tools, primed and ready to launch.

Rapid development of ticketing modules

There are many bots on the market that can automatically buy tickets. Modules enhance these bots, allowing them to target specific sites, bypass defenses, and more. Which modules developers create, update and maintain depends on demand, or what their userbase deems most profitable.

Leading up to the ticket drop, we saw a huge surge in requests within Discord channels asking developers to add modules capable of targeting the sites selling Oasis tickets.

Developers wasted no time in rapidly creating the requested modules. Not only that, but within an incredibly small timeframe they continually refined and updated the modules, testing to make sure they would perform as expected during the ticket sale.

Bot Management and Queue Bypass Tools

Ticketing sites have defenses in place to prevent bots from scalping tickets in bulk, such as bot management tools and virtual queues.

Defense bypass modules are therefore essential for any scalper bot. Developers constantly update these as defenses adapt and evolve, and vice versa.

Bot developers often sell bypasses for popular bot management tools to other developers or users so their attacks can evade detection.

Bot operators also showed huge interest in queue bypass modules. Virtual queues help ticketing sites manage the massive spike in traffic and create a fair “first come, first served” system for purchasing tickets. Bypassing the queue gives bots a huge unfair advantage in securing multiple tickets before they sell out.

Many bot operators either developed their own queue bypass features or collaborated with others to complete their toolset. Chatter amongst users in underground forums and groups indicated that whilst bots did have queue bypasses, they did not appear to be widely sold by specialists as, if too many bots had them, this would reduce the overall effectiveness of the bypasses.

Fake Account Creation

To further enhance their chances of securing tickets, attackers used tools to create large numbers of fake accounts ahead of the drop. These fake accounts flooded the queues, increasing the likelihood of securing tickets before others through sheer volume.

There was also a pre-sale ballot entry process for the Oasis drop. Attackers quickly developed and deployed scripts specifically designed to automate the creation of ballot entries.

The combination of bypassing queues and using an unlimited number of fake accounts gave the attackers the best chance at securing a substantial number of tickets.

Did Bots Succeed in Obtaining Oasis Tickets?

We can’t exactly quantify how many tickets scalper bots snatched, but we do have some indicators that bots enjoyed widespread success.

Countless groups were involved, including those that don’t typically specialize in event tickets, but examining just one group revealed alarming results.

This group boasted up to 1,500 Oasis tickets successfully bought by bypassing queues and automating the checkout process. Assuming they paid the average ticket price of £221.25, and resell for an average of £600 each, they stand to make £568,125 in profit. This example represents just one of the many groups active during this event, suggesting that the financial impact across all the bot groups will be significantly higher.

Even individuals working alone saw success. One lone adversary using an “off the shelf” scalper bot claimed that he secured 230 tickets, which could net him a profit of over £87,000.

Where are Scalped Oasis Tickets for Sale?

Ahead of the sale, Oasis themselves stated that they would cancel tickets bought above face value from sites like Viagogo, SeatGeek, and StubHub, in an attempt to discourage touts.

This only drove scalpers to less official marketplaces. One such example where we found Oasis tickets for sale was SneekMarket, which advertises itself as a private platform for buying and selling tickets. As ticket resale platforms crack down on unauthorised ticket sales, resellers are adapting their tactics. Rather than physically transferring tickets to buyers, some resellers provide buyers with the account login details instead. This allows the buyers to directly access and obtain the tickets themselves, bypassing the need for the reseller to handle the tickets.

Impact on and Backlash from Oasis Fans

Ultimately, there were always going to be far more people wanting to buy tickets than were physically available to. Disappointment was inevitable for most fans.

This fact has not stopped people airing their frustrations on social media and in news reports.

Site availability and glitches

In addition to the bot identification problems, social media posts also highlighted site availability issues during the drop. Customers reported complaints about the ticketing sites crashing or being inaccessible, allegedly preventing them from successfully completing purchases. The presence of bots will have only made these issues worse.

False positives – Humans mistaken for bots

The website told many people, who had spent hours patiently waiting in online queues, that they looked like a bot before throwing them to the back of the line.

This is what we call a false positive and it shows how difficult blocking bots accurately can be. It’s especially frustrating when we know that bots were bypassing such defenses undetected.

We can speculate that many of the telltale bot signals, such as multiple connections from one IP address (if your whole household is on the site trying to get tickets) or rapid connection attempts (hammering the F5 button to refresh the queue), which are not typical human behavior on websites, became so during this specific period. Meanwhile bots knew exactly what to do to look human or simply fly completely under the radar.

Could Ticket Sites Prevent Scalping?

Bots may have won this battle, but we believe we can beat them in the overall war.

Take a holistic, multi-faceted approach

Firstly, you should not leave stopping scalper bots to one line of defense or a single strategy—you need to anticipate what’s coming, block bots before they hit your platform, and assess the data after the drop.

Start with intelligence ahead of the drop

At Netacea, our Threat Intel Center provides vital intel to our customers to mitigate attacks before they even happen.

We investigate who the attackers are, what they’re planning, the tools they’re developing and their overall intentions. We pass this information to our data science team to tune our defenses or to our analysts to understand what will be hit and when.

Real time server-side mitigation

This intel feeds into our Bot Protection platform. We then collect every single request – sometimes hundreds of thousands a second – made to the web platform across all devices and analyze these in real time with our bot detection algorithms.

We instantly flag and block previously seen bad actors, and distinguish novel attackers based on their intent at the server level. This prevents bots from bypassing us using the usual tricks they deploy against client-side bot detection.

Post attack analysis

Additionally, we can pass server logs through our bot detection engine retroactively after all tickets have been sold (even if we weren’t protecting the site at the time of the drop) to determine whether any bots slipped through the net. By matching session IDs to accounts, we can identify which sales bots made, allowing vendors to confidently cancel those tickets and release them back to real people.

What’s Next for Scalper Bots?

As long as attackers can make a profit, they will continue to develop bots. Undoubtedly, scalper bots will continue to evolve, as will the solutions built to stop them – until we beat them so consistently that it doesn’t help them pay their mortgages anymore.

Read up on the fascinating history of scalper bots in our series “The Evolution of Scalper Bots”.

You can also hear our thoughts on the Oasis ticket drop, featuring Netacea co-founder Andy Still, CISO Andrew Ash, and VP Threat Services Matthew Gracey-McMinn, on the Cybersecurity Sessions podcast: