Learning about threat actors from sneaker bots (or consumer bots) 👟​

#security #infosec #cybersecurity #bots #sneakers #sneakerbots #productsecurity

What is a sneaker bot? Nike, Adidas, and other fashion brands have been doing limited release editions of their products for decades. It goes back to the early days of people waiting in line with a raffle ticket and hoping their number got called. Nowadays though, that process is all done online with apps and websites controlling the raffle. The same process has been in use for years with concert tickets (cough Taylor Swift kerfuffle cough) and more recently with Playstation 5s and high-end graphics cards.

Due to the economic strategies of these products there will never be enough created to meet the demand of the public. If Nike says that there will only be 100 pairs of this pair of Jordans, that just means they are even more exclusive than ever and thus will be worth more. To someone looking to make a profit, it is in their best interest to acquire as many of those pairs as possible so they can resell them on the secondary market for many times the original price to people who want the thing and will pay any price for it.

Consider the Jordan x fragment collection, and its star shoe the Jordan 1 Retro High Fragment or “frags”, released in December 2014. It retailed for a modest $185. Using data from Stockx, one of the most popular sneaker secondary markets, we can get some data points about what it’s price is right now 8 years later.
(See attached image - https://stockx.com/jordan-1-retro-fragment )

Notably, you’ll see two figures that are important: a 2078% price premium and an average sale price of $4093. For a pair of shoes that sold for $185. The return on investment here is absurd. You would be hard pressed to find many investments that yield that level of return.

If you’re a consumer who missed out on that limited edition $185 opportunity, your only option now is to either a) get extremely lucky at a thrift shop or b) pay 4 grand (technically there is a 3rd option of paying for counterfeits, but that's outside of the scope of this discussion). The only reason they are worth that much is because of the limited quantity. Nike could make the shoes until nobody bought any more pairs, but they would no longer be “exclusive” and thus be far less marketable. Nike is no longer a shoe company - it’s a lifestyle company where shoes just happen to be part of that brand. They’re selling the image and idea of exclusivity, sometimes backed up with materials science and technology on their actual athletic wear, so that they can charge a premium price. A basketball jersey may only cost $20 to make and $20 to sell across the world, but if it has NFC with your phone that lets you look up the player's stats in real time, they can charge $150 for it.

So now that we've established that there is a significant profit motive behind purchasing limited release of shoes and flipping them on the secondary market, and the prestige motive of owning the most in-demand sneakers, we can start talking about bots.

The next post will cover what bots are, the basics of what they do, and why they have been so effective historically.

Post 1 of ??, more to follow later.