SecurityMay 30, 202610 min read

Bot Traffic on Ecommerce Stores: Inventory Hoarding, Carding, and the Hidden Tax

Up to 40% of ecommerce traffic is bot traffic, and not the good kind. Inventory hoarding bots, carding attacks, scraping, and fake account creation cost real revenue and skew every metric you measure.

StoreVitals Team

The conversation about bot traffic on ecommerce sites usually shows up as a security topic — DDoS, carding, credential stuffing. The conversation that doesn't happen often enough is about how bot traffic distorts everything else: Core Web Vitals (bots load pages without normal cache states), conversion rates (bots add to cart at high rates and never purchase), inventory availability (sneaker bots hoard SKUs the moment they restock), and analytics (the funnel data is contaminated).

Recent ecommerce bot reports estimate 30–47% of total ecommerce traffic is bot traffic, with about 60% of that classified as "bad bots" (scrapers, account fraud, inventory hoarders, attack tools). The rate is much higher for sneaker/streetwear stores, ticket sellers, and any limited-drop merchandise. Even for ordinary apparel and DTC stores, bot traffic is 10–20% of every metric in the analytics dashboard.

This is a practitioner's guide to what bot traffic looks like on ecommerce, what it costs, and what's actually effective at blocking it without breaking the customer experience.

Categories of Bot Traffic and What They Cost

1. Inventory Hoarding (Sneaker Bots, Hype Bots)

How it works: at the moment of a product drop or restock, bots load the product page, add the SKU to cart in milliseconds, and either complete checkout (if they're sophisticated) or hold the inventory in cart (if they're crude) until they can solve the captcha or hand off to a human "cooker." Examples: Cybersole, Wrath, AIO Bot, Kodai, Nike NSB bots, Polaris.

Cost: real customers see "Sold Out" within seconds of a drop. The inventory sells, but to resellers, not to the customers building a relationship with your brand. Long-term, customer trust degrades because every drop feels rigged. Some brands now intentionally allow this for the short-term revenue; others fight it because the customer experience cost is too high.

2. Carding (Payment Testing)

How it works: attackers obtain stolen credit card numbers in bulk, then need to test which ones are still valid. They use your checkout as the test bed. A bot adds a low-cost item ($1–5) to cart, attempts checkout with a stolen card, and observes whether the charge succeeds. The actual goal isn't to buy your product — it's to validate the card for resale or for higher-value fraud elsewhere.

Cost: Stripe, Adyen, PayPal, and other processors charge fees on every authorization attempt, including declines. A carding attack can run 1,000+ authorization attempts per minute. Visa and Mastercard impose card-testing penalties on merchants whose decline rates exceed thresholds — fines starting at $500 per month and rising. Some merchants get account terminated entirely.

3. Price Scraping and Inventory Scraping

How it works: competitors (or competitor intelligence services like Prisync, Price2Spy, WisePricer) crawl your product catalog daily or hourly, extracting prices and stock levels. The data feeds their own pricing decisions.

Cost: this is the most "morally gray" bot category. Competitive intelligence is normal in commerce; doing it via heavy scraping rather than partner APIs is just cheaper for the competitor. Direct cost: bandwidth and infrastructure load. Indirect cost: your prices and stock levels are visible to anyone willing to scrape, which limits your pricing flexibility.

4. SEO Spam and Scraper Sites

How it works: bots clone your product catalog onto cheap doorway sites with the goal of either ranking for your products and inserting affiliate links, or simply hosting the duplicate content as ad-supported inventory.

Cost: occasional outranking on your own product names. Brand confusion. Often the scraped sites are obviously low-quality so Google penalizes them, but the long-tail variants ("[product name] review," "[product name] price") sometimes rank surprisingly well.

5. Account Creation Fraud

How it works: bots create accounts on your store using temporary email services (Mailinator, 10minutemail, Guerrilla Mail). The goal is to claim sign-up rewards (10% off, free shipping codes, loyalty points) or to stockpile accounts for later use in coupon stacking, loyalty point exploitation, or review manipulation.

Cost: discount code abuse. If your "10% off your first order" code can be re-claimed by creating a new account, bots automate this at scale. Stores that thought their first-order discount cost them 10% margin on real new customers may actually be subsidizing repeat purchases from existing customers via throwaway accounts.

6. Review and Loyalty Fraud

How it works: bots create accounts and post fake reviews (positive on your products, negative on competitors), or game loyalty points programs by completing low-effort earning actions thousands of times.

Cost: customer trust in reviews degrades, your own metrics on review velocity become unreliable.

How Bot Traffic Skews Your Analytics

This is the under-appreciated cost. Even when bots don't directly cost money via card fees or inventory loss, they make every metric harder to interpret:

  • Conversion rate: bot sessions usually don't convert. If 20% of your sessions are bots, your reported conversion rate is depressed by 20% from reality. The marketing team optimizes against a rate that's polluted.
  • Bounce rate: scrapers hit one URL and leave. They register as 100% bounce sessions. Your bounce rate is inflated.
  • Core Web Vitals (field data via CrUX or Vercel/Cloudflare RUM): bots don't trigger RUM measurement (RUM is JavaScript-based; most bots either don't execute JS or are filtered from RUM). This one bias is actually in your favor — RUM data is mostly bot-free. But synthetic monitoring tools can be confused by bot-triggered rate-limiting on your origin.
  • Funnel drop-off: bots add to cart and don't check out, inflating cart abandonment metrics. The marketing team launches more abandoned-cart emails to address what's actually a bot problem.
  • Inventory turnover metrics: sneaker drops sell out in 8 seconds. The reported sell-through time is meaningless because it reflects bot velocity, not customer demand.

What Actually Works to Block Bots

Tier 1: Free / Low Effort

  • Cloudflare Bot Fight Mode (free tier): blocks the most obvious bots based on browser fingerprinting and behavioral analysis. Catches maybe 30–50% of bad bot traffic without any false positives on real customers.
  • Cloudflare Super Bot Fight Mode (Pro plan, $20/mo): catches more sophisticated bots, including those that use real browsers. Catches maybe 70% of bad bot traffic.
  • reCAPTCHA v3 on signup and checkout: doesn't show a challenge; runs invisible scoring. Free to use up to 1M assessments/month. Catches account-creation bots and carding bots effectively.
  • Rate limiting at the CDN edge: Cloudflare and Vercel both offer rate limiting rules. A common config: max 10 add-to-cart actions per IP per minute. Catches inventory hoarding bots that hit at hundreds of requests per second.

Tier 2: Paid / Effective

  • HUMAN (formerly PerimeterX), DataDome, Kasada, Akamai Bot Manager: dedicated bot management platforms. Pricing typically $1,000–$10,000+ per month depending on traffic. Catch 95–99% of bad bots. Used by major sneaker brands, ticket sellers, and high-value DTC.
  • Cloudflare Turnstile: Cloudflare's CAPTCHA alternative, free, less intrusive than reCAPTCHA. Effective on signup, checkout, and high-risk pages.

Tier 3: Structural / Customer Experience Tradeoffs

  • Account-required purchase for drops: require an account created at least 30 days before drop date. Eliminates throwaway-account bot purchases at the cost of one-time customers.
  • Queue systems for high-demand drops: Shopify Plus's "checkpoint" feature, Queue-it, or NoFraud's Queue. Customers wait in a line; bots can wait too, but the playing field is leveled.
  • Card-not-present 3DS enforcement: requires the issuing bank's authentication for every transaction. Drops carding success rate to near-zero because bots can't complete the 3DS challenge. Tradeoff: 5–10% checkout abandonment from real customers who don't complete 3DS.

What Doesn't Work

  • User-Agent blocking: trivial for bots to override. Don't waste time on this.
  • Honeypot fields: only catches the most naïve bots. Sophisticated bots inspect the form and skip honeypots.
  • IP blocking individual addresses: bots use residential proxy networks with millions of IPs. Blocking one address blocks the bot for 30 seconds.
  • Increasing the difficulty of an interactive CAPTCHA: bots use human-solving services (2Captcha, Anti-Captcha) at $1–3 per 1,000 CAPTCHAs. Increasing difficulty just pushes real customers away.

The Carbon Cost

Less-discussed angle: bot traffic costs energy. Every bot request consumes server CPU, network bandwidth, and (for stores using cloud-rendered pages) edge compute. Industry estimates suggest 20–30% of total data center energy is consumed serving bot traffic. For sustainability-conscious DTC brands, blocking bad bots is a measurable Scope 3 emissions reduction.

What to Audit Now

  1. Compare your server logs to your Google Analytics sessions. Server log requests typically 2–5x analytics sessions. The gap is mostly bots that don't load the JS analytics tag.
  2. Check your Stripe (or other processor) dashboard for the authorization decline rate. If it's above 10%, you may have an active carding problem.
  3. In your Shopify/WooCommerce admin, look at sign-up activity. If you have a daily pattern of signups from generic email domains (mailinator, etc.), you have account creation fraud.
  4. Check Cloudflare's analytics (or your CDN's equivalent) for "threats" or "bot" tagged requests. If it's a large absolute number, you're already being attacked — just verify the protection is on.
  5. Review your top-traffic URLs for unusual concentration. If 60% of your bot traffic hits the same 5 SKUs, those are the targets — usually high-resale-value or scarcity items.

The Underlying Truth

Bot traffic on ecommerce is a problem that compounds quietly. The marketing team works with metrics distorted by bots; the security team blocks the most visible attacks; the operations team handles inventory and customer complaints downstream of all of it. Nobody owns "the full bot problem" at most stores, which is why it doesn't get fixed. Stores that take it seriously (a quarterly review of decline rates, bot-traffic percentages, and inventory drop analytics) typically find low-hanging fruit worth tens of thousands of dollars annually in either direct loss avoidance or improved analytics signal-to-noise.

Run a StoreVitals scan. We won't classify bots for you (that requires real traffic data) — but we will check whether your store has the foundational protections in place: Cloudflare or equivalent bot management active, CAPTCHA on signup, rate limiting on cart/checkout endpoints, and the security headers (CSP, X-Frame-Options) that make bot frameworks slightly harder to deploy against you.

bot trafficsecurityfraudanalytics

See these issues on your store?

Run a free scan and find out in seconds.

Run Free Scan