The Real Reason You Can't Get Tickets to Anything

There's a specific kind of frustration that comes with watching a concert sell out in 47 seconds. You were there at the right time, on the right device, with the right credit card saved, and it still didn't matter. The tickets were already gone, sitting in the inventories of brokers who will list them on StubHub within the hour at three to ten times face value. This is not bad luck. It's the predictable output of a system that has never actually solved its core problem, which is that the tools designed to keep bots out of ticket sales don't work particularly well against the bots trying to get in.

Ticketmaster reports blocking five billion bot attempts every month. (Queue-it) That number is supposed to be reassuring. What it actually illustrates is the scale of the attack surface and the persistence of the economic incentive driving it. The resale market has ballooned to over $15 billion, which means scalpers have enormous financial motivation to keep investing in tools that circumvent whatever defenses get deployed. The BOTS Act, passed in 2016 to make this illegal, has been used to prosecute offenders exactly once in nearly a decade. (Arkose Labs) In March 2025, President Trump signed an executive order directing the FTC to actually enforce it, which is a signal of how little enforcement had happened before. (National Law Review)

How Bots Actually Work in Ticketing

The popular image of a ticket bot is a simple automated script that refreshes a page and clicks "buy" faster than a human can. That was accurate in roughly 2008. Modern ticket bot operations are considerably more sophisticated, and understanding what they actually do makes it easier to see why CAPTCHA and IP blocking fail to stop them.

The attack on a major sale typically happens in phases. Before the on-sale, bots create or acquire fake accounts in bulk, each with unique credentials, phone numbers, and payment methods, specifically to circumvent per-customer purchase limits. One documented case involved a broker using 9,047 separate accounts on Ticketmaster to place 315,528 ticket orders for Hamilton and other high-demand events over two years. (Queue-it) The accounts weren't created at the moment of purchase. They were built and "aged" over time, with minor purchase histories and behavioral patterns designed to look like real users.

When the sale opens, the bots don't wait in the same queue you're in. They use residential proxies that route traffic through real household IP addresses, making them indistinguishable from legitimate users at the network level. They simulate realistic mouse movements, fill forms at human-like speeds, and navigate checkout pages without the hesitation patterns that behavioral analysis tools look for. Advanced bots also target presale codes directly, either by purchasing leaked codes from grey-market services or exploiting vulnerabilities in how ticketing platforms handle access authentication. A security researcher documented a case where adding thousands of forward slashes to a Ticketmaster URL bypassed security protections entirely and exposed discount IDs meant for VIP and credit card presales. (Roundproxies) The exploit was eventually patched, but it illustrates something important: the attack surface is massive, and creative attackers find seams that conventional defenses weren't built to cover.

The entire commercial infrastructure around this is openly advertised. There are services that sell Ticketmaster "Verified Fan" codes, bulk-create phone-verified accounts for brokers, and offer automated registration bots for presale sign-up forms. These are not dark web operations. They exist in plain sight, serving a market of brokers willing to pay for the tools that let them beat legitimate fans to inventory.

Why Verified Fan Doesn't Solve It

Ticketmaster's Verified Fan program is the most serious attempt the industry has made to address the problem at the identity layer rather than the transaction layer. The premise is sound: instead of trying to catch a bot in the act of buying a ticket, build a pre-registration system that filters bots before the sale begins. Fans register in advance, Ticketmaster evaluates accounts using behavioral and account history signals, and selected fans receive unique codes distributed by text message before the presale opens.

It's a genuine improvement over nothing, and Ticketmaster has claimed that less than 1% of tickets purchased through the Verified Fan program end up on secondary markets, compared to double-digit percentages from general sales. (A Journal of Musical Things) But the program has well-documented limitations, and the scalper market has adapted to work around them.

The fundamental issue is that Verified Fan still rests on account-based signals rather than confirmed human identity. Scalpers have built operations specifically designed to generate accounts that pass the program's screening criteria: aged Ticketmaster accounts with purchase history, phone numbers that receive two-factor authentication codes in real time, and behavioral patterns consistent with a real fan who has used the platform over time. Services openly selling Verified Fan codes and pre-screened accounts have existed for years. (presalecodes.com) The program raises the cost of entry, which shakes out the most unsophisticated operations, but it doesn't eliminate the well-resourced ones.

There's also the structural problem of what happens at the moment of sale. Even when Verified Fan filters out a significant share of bot registrations, the fans who do receive codes are competing against accounts that made it through screening, some of which belong to brokers who successfully gamed the process. The Taylor Swift Eras Tour Verified Fan sale in 2022 became a case study in how badly the system can fail under pressure: millions of fan registrations, a server infrastructure that buckled under demand, and enough code-holding scalpers in the queue that secondary market prices hit four figures within hours of the sale opening.

The Real Cost of Bot-Dominated Sales

When scalpers capture a significant share of ticket inventory, none of the money from those inflated resale prices goes to the artist, the crew, or the venue. The excess value gets extracted by anonymous intermediaries, and fans who spend their entire budget on a secondary market ticket arrive at the show with nothing left for merchandise or food. Revenue leakage at that scale is meaningful for the economics of touring, particularly for mid-tier artists who don't have the margin to absorb it the way stadium headliners do. (GeeTest)

The regulatory pressure building around this is real but moving slowly. In September 2025, reports emerged that the FTC was investigating whether Ticketmaster itself was doing enough to comply with the BOTS Act, with questions about whether the platform had a financial incentive to allow resellers to use secondary market infrastructure it also profits from. (Peakhour) That's a question the industry has avoided answering directly for years.

What Actually Works

The approaches that have produced measurable results share a common feature: they address identity before the transaction rather than trying to detect suspicious behavior during it.

France's ticketing model, where tickets are tied to government-issued credentials and resale above face value is prohibited through authorized platforms, has dramatically reduced the secondary market incentive structure. The constraint isn't technical, it's structural: if you can't profit from resale, bot-driven scalping loses its economic logic. That approach works in a regulatory environment built to support it, but it requires coordination across platforms, artists, venues, and lawmakers that the U.S. market hasn't achieved.

Ticketmaster's own head of music articulated the principle clearly years ago: "Bots are about speed and if you make the distribution about speed, you're fighting a very hard battle. If you make it about identity, it's much different." (A Journal of Musical Things) That framing is right, and it's where the industry is slowly moving, but the implementations so far remain account-based rather than human-verified. An account with a long purchase history and a verified phone number is a proxy for human identity, not confirmation of it. Scalpers have learned to manufacture that proxy at scale.

The missing piece is a verification layer that confirms a real, unique human is behind the account, established before the pre-registration window opens and durable enough to travel across sales and platforms. Not a CAPTCHA. Not a behavioral score. Not an account history that a well-funded broker can build by paying people to warm up fake profiles for six months. An actual confirmation that a person is a person, the kind that can't be automated away because the underlying credential is tied to something that can't be generated in bulk.

Ticket bots are a solvable problem. The industry knows what the solution looks like. The gap between knowing and implementing is where the scalpers have lived for the last twenty years, and it's the gap that fan access will continue to fall through until the verification infrastructure catches up to the size of the attack.