How the ‘Grinch bots’ are stealing Christmas

When my brother-in-law tried to buy a Barbie gymnast as a Christmas present for my daughter last week, the doll kept disappearing from every online store he visited. Each time he went to add it to his shopping cart, the toy would suddenly vanish from the virtual shelves.

“I feel like I’ve been living online the scenes from 1990s and 2000s movies, where parents fight in toy stores,” he tells me. But instead of just tussles between parents, the battle is now also against bots, which are capable of filling online carts and auto-filling payment details at superhuman speeds.

The Barbie doll is one of countless toys and other popular items that scalpers appear to have set their software upon this Christmas, aiming to buy them up in order to sell them on at inflated prices.

These malicious tools, known as Grinch bots, monitor online inventories in order to identify sought-after products. They are then able to operate in vast numbers to deplete stock on a web-wide scale. They have been around for several years, usually appearing around Black Friday, with internet monitor Cloudflare identifying more than 300 billion shopping bots capable of purchasing goods online.

“Bots are 10 steps ahead – selecting ‘add to cart’ automatically,” Cloudflare’s Ben Solomon wrote in a report on the phenomenon. “Many bots have payment details ready (perhaps even stolen from your account!). The Grinch bots will buy 500 pairs of Lululemon joggers before you even get one. And it’ll do so in seconds.”

The issue reached such high levels during the pandemic that the US attempted to outlaw it.

The Stopping Grinch Bots Act, which came into force on 1 December 2021, made it unlawful to use automated tools to “intentionally bypass a website’s security measures in order to purchase and resell its products or services”.

However, this has done little to stop the trend, with criminals able to operate the bots anonymously to pick off the relatively easy rewards on offer. And the problem has accelerated in 2024 due to the rise in AI tools that help enable the Grinch bots.

A recent report from security firm Imperva found that two-fifths of online shoppers have been thwarted by cyber scalpers, with the figure likely to rise as AI becomes more powerful. Tim Ayling from Imperva told me that AI is making Grinch bots “faster, more targeted and more effective”, leaving parents frustrated and children disappointed.

In response, most consumers surveyed in Imperva’s report said that they were either buying more expensive alternatives or purchasing gifts that are less meaningful. The practice is also having a negative impact on the reputations of retailers, with customers forced to shop elsewhere.

open image in gallery

Imperva, Cloudflare and other cyber security firms are urging retailers to take action against the Grinch bots, which could well involve fighting AI with AI. As criminals figure out new ways to use artificial intelligence to profit from people’s misery, so too do those defending against them.

It may be too late for many shoppers this Christmas, but security researchers are developing methods to identify AI-powered bots and other suspicious behaviour, as well as tools to block them from online stores.

“By identifying high-risk areas and analysing buying behaviour, retailers can limit the amount of bot traffic on their site,” Ayling says. “This will be vital moving forwards, as AI bots will only get better at scalping as they mature, and companies that don’t have measures in place now will lose customers to rivals.”

As for the Barbie gymnast, it looks like it’ll make it under the Christmas tree – but it had to be shipped in from another country.