How Grinch bots are trying to steal Christmas

The Grinch is coming to rob holiday cheer, just not through the chimney. Grinch bots are here to steal Christmas deals online. These virtual scalpers are scanning the internet, buying up all the goodies consumers want for the holidays. They then resell the products on sites like eBay at much higher prices.

‘It’s absolutely legal’

“It’s absolutely legal,” said Jason Kent, a hacker-in-residence for Cequence Security. Kent’s job is to stop bots from buying out retailers.

“They’re usually tech-savvy people that started doing this with Supreme, or sneakers, or something like that. They realize they can just do this anywhere,” he said.

After honing their skills year-round, Kent said these Grinch bots are hitting the holidays hard. Based on his perceptions, activity starts to really pick up in October and sustains until January.

With an already limited supply of hot-ticket items like PS5s, it’s harder than ever to compete against computers.

“What they do, instead of creating an account for themselves, is they go buy accounts, and they’ll have somebody farm out 300 accounts,” Kent explained. “So they’ll be logged in 300 times, there’ll be 300 people against you.”

And there’s perfectly legal software to do this. Take Australia-based KodaiAIO, which claims on its website to be “locked and loaded to destroy releases on nearly all major retailers.”

On social media, the company brags about so-called cookouts, where bots score dozens of gaming consoles or sneakers. The software even shows the suggested resale value on the score. Sophisticated software like this makes it hard to track people down.

“It looks like they’re coming from everywhere instead of just wherever they’re sitting in their basement,” Kent said.

Efforts to outlaw

Some lawmakers are trying to outlaw this practice, recently re-introducing the ‘Stopping Grinch Bots Act.’

“Our Grinch Bots Act works to level the playing field and prevent scalpers from sucking hardworking parents dry this holiday season,” Rep. Paul Tonko (D-NY) said.

But cybersecurity experts like Kent are doubtful simply making the practice illegal will stop people from doing it, especially when their online identity is so well hidden and when the software comes from outside the U.S.

“I don’t think this legislation is going to work,” Kent said. “What I think they need to do with this legislation is just simply turn it around to the retailers, ‘You must put something in place to stop this activity.’”

For now, if you can’t beat the bots, bypass them. A Grinch bot can’t walk into a store to buy that coveted gaming console on the shelf.