Every Taylor Swift drop, every Yeezy release, every PS6 restock turns into the same scene: thousands of items gone in 90 seconds, immediately listed on StockX or eBay at 4×. The buyers are not your fans. They're 12 GPUs in a Romanian data center renting residential proxies and antidetect browsers.

If you sell anything that's both scarce and resold for profit — concert tickets, limited sneakers, console restocks, designer drops, NFT mints, presale slots — you have a bot problem. And if your defense is "we have reCAPTCHA on the cart page," you don't have a defense.

How modern ticketing & drop bots actually work

The "drop bot" software market is professional. Tools like AIO Bot, Cybersole, Wrath, Stellar AIO, and Soleslayer cost $200–$1,200/year and ship with active Discord support. They're optimized for exactly two things: speed of checkout, and evading exactly the kind of defenses you've been told to install.

A typical drop run looks like this:

  1. Pre-positioned tasks — the operator queues 200–2,000 "tasks" pointing at your specific product URL. Each task is a separate session with a unique fingerprint.
  2. Residential proxy assignment — each task pulls a fresh US residential IP from BrightData, Smartproxy, IPRoyal, or NetNut. From your access logs, every request looks like a different home Comcast user.
  3. Antidetect browser session — Kameleo or GoLogin gives each task a unique canvas hash, WebGL renderer, audio fingerprint, timezone, and screen resolution. Browser-fingerprint matching gives you nothing.
  4. Captcha solver pre-warmed — 2Captcha and CapSolver hold a queue of solved tokens. The bot does not "solve" your captcha; it pastes one in 0.4 seconds.
  5. Coordinated burst at T-0 — at the second the drop opens, all 2,000 tasks attempt checkout simultaneously. From your servers' point of view, you got a flash flood of legitimate-looking US residential users.

The brutal math. If you list 1,000 units and a single operator has 2,000 tasks running, that operator's expected take is 30–60% of your inventory. Add five other operators competing and your real fans get nothing. They go on Twitter and blame you.

Why traditional defenses don't work here

reCAPTCHA / hCaptcha

Cost to solve a reCAPTCHA v2 in 2026: $0.0006 in 9 seconds via 2Captcha. For a $400 ticket marked up to $1,200, an operator can spend $0.06 on captcha solving per attempt and still net 999.94 dollars. CAPTCHAs are a tax on real users at this point. (Long version: bot detection without CAPTCHA.)

IP rate-limiting

Every single request comes from a different residential IP. A blanket per-IP limit blocks zero bots and blocks plenty of real users behind shared NAT (university campuses, mobile carriers, corporate VPNs). Negative signal-to-noise.

Account-age requirements

Bot operators farm aged accounts months in advance. There's a whole subculture on the BlackHatWorld and Nulled forums dedicated to it. A drop bot's account pool is older than yours.

Browser fingerprinting (canvas / WebGL / audio)

This was the answer in 2020. In 2026, antidetect browsers rotate every fingerprint surface per session. The Kameleo "profile" you're trying to identify is gone after one purchase.

What actually works in 2026

Stopping drop bots requires signals that survive residential-proxy rotation and per-session fingerprint rotation. Three categories:

1. Behavioral signature of automation

No human can fill a 6-field checkout form in 280ms. No human moves the cursor in a perfectly straight line from product card to "Add to Cart". No human's scroll velocity has zero jitter. Drop bots overwhelmingly do all three. Behavioral analysis costs nothing for real users (it's passive) and is extremely expensive for bots to fake convincingly.
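
The three behavioral checks above, as an added example that is not Sentinel's code. The event field names and the thresholds in LIMITS are assumptions, and both sessions are constructed sample data.

```javascript
// Added example. Thresholds and event field names are assumptions.
const LIMITS = { minFormMs: 1500, maxStraightness: 0.999, minScrollVariance: 1e-6 };

// Ratio of straight-line distance to travelled distance (1.0 = perfectly straight).
function straightness(points) {
  let travelled = 0;
  for (let i = 1; i < points.length; i++) {
    travelled += Math.hypot(points[i].x - points[i - 1].x, points[i].y - points[i - 1].y);
  }
  const first = points[0], last = points[points.length - 1];
  const direct = Math.hypot(last.x - first.x, last.y - first.y);
  return travelled === 0 ? 1 : direct / travelled;
}

// Population variance; zero means every sample is identical (no jitter).
function variance(samples) {
  const mean = samples.reduce((a, b) => a + b, 0) / samples.length;
  return samples.reduce((a, b) => a + (b - mean) ** 2, 0) / samples.length;
}

// Returns the list of automation signals present in one checkout session.
function automationSignals(session, limits = LIMITS) {
  const signals = [];
  if (session.formSubmitAt - session.formFirstInputAt < limits.minFormMs) {
    signals.push('form_fill_too_fast');
  }
  // Need at least three samples before a path or velocity series says anything.
  if (session.cursor.length >= 3 && straightness(session.cursor) > limits.maxStraightness) {
    signals.push('cursor_path_straight');
  }
  if (session.scrollVelocity.length >= 3 &&
      variance(session.scrollVelocity) < limits.minScrollVariance) {
    signals.push('scroll_no_jitter');
  }
  return signals;
}

// Constructed sessions (timestamps in ms, cursor in px, scroll velocity in px/ms).
const scripted = {
  formFirstInputAt: 1000, formSubmitAt: 1280,
  cursor: [{ x: 0, y: 0 }, { x: 50, y: 25 }, { x: 100, y: 50 }, { x: 150, y: 75 }],
  scrollVelocity: [1.2, 1.2, 1.2, 1.2],
};
const human = {
  formFirstInputAt: 1000, formSubmitAt: 19400,
  cursor: [{ x: 0, y: 0 }, { x: 40, y: 35 }, { x: 95, y: 42 }, { x: 150, y: 75 }],
  scrollVelocity: [0.8, 1.9, 0.3, 1.1],
};
console.log(automationSignals(scripted), automationSignals(human));
```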

2. Network reputation beyond IP

Even when residential proxies hide the data-center origin of a request, the proxy provider is identifiable. The exit IP belongs to a known BrightData range, or shows up in 47 different account signups in the last hour, or has a TLS JA3 fingerprint inconsistent with the User-Agent it's claiming. Per-IP reputation fails. Per-network-pattern reputation works.
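
A sketch of those three network-pattern checks, added here as an example and not taken from Sentinel. The proxy range, JA3 labels, request fields and the five-accounts-per-hour limit are constructed placeholders and assumptions, and the range check is IPv4 only.

```javascript
// Constructed reference data: placeholders, not real provider ranges or JA3 hashes.
const PROXY_RANGES = ['203.0.113.0/24'];
const JA3_FAMILY = {
  'ja3-constructed-chrome': 'Chrome',
  'ja3-constructed-gohttp': 'Go-http-client',
};

function ipToInt(ip) {
  return ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);
}

// IPv4 CIDR membership using plain arithmetic (avoids signed 32-bit bit operations).
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const size = 2 ** (32 - Number(bits));
  const start = Math.floor(ipToInt(base) / size) * size;
  const value = ipToInt(ip);
  return value >= start && value < start + size;
}

function uaFamily(userAgent) {
  if (/Chrome\//.test(userAgent)) return 'Chrome';
  if (/Firefox\//.test(userAgent)) return 'Firefox';
  return 'other';
}

// signups: [{ t, ip, account }] from your own signup log; limits are assumptions.
function networkSignals(req, signups, nowMs, limits = { windowMs: 3600000, maxAccountsPerIp: 5 }) {
  const signals = [];
  if (PROXY_RANGES.some((cidr) => inCidr(req.ip, cidr))) signals.push('known_proxy_range');
  const accounts = new Set(
    signups.filter((s) => s.ip === req.ip && nowMs - s.t <= limits.windowMs).map((s) => s.account)
  );
  if (accounts.size > limits.maxAccountsPerIp) signals.push('ip_shared_by_many_signups');
  // Only compare when the TLS fingerprint is one we can attribute to a client family.
  const tlsFamily = JA3_FAMILY[req.ja3];
  if (tlsFamily && tlsFamily !== uaFamily(req.userAgent)) signals.push('ja3_ua_mismatch');
  return signals;
}

// Constructed signup log: `count` distinct accounts from one exit IP, one per minute.
function constructedSignups(count, ip, nowMs) {
  return Array.from({ length: count }, (_, i) => ({ t: nowMs - i * 60000, ip, account: `acct-${i}` }));
}
```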

3. Persistent visitor identity

The single most useful signal is: "is this the same browser session that already attempted checkout 14 times in the last 60 seconds, despite each attempt coming from a different IP?" A persistent visitor ID survives incognito mode, IP changes, and most fingerprint rotation. With it, you stop counting requests and start counting sessions. The bot operator's 2,000 tasks become 2,000 visitor IDs, and you can rate-limit those.
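
Counting by visitor ID instead of by IP, as an added example that is not Sentinel's code. The VelocityTracker class, the request fields and the visitor IDs are assumptions, and the request log is constructed to match the "14 attempts in 60 seconds from different IPs" case above.

```javascript
// Sliding-window attempt counter. The key can be an IP or a visitor ID.
class VelocityTracker {
  constructor(windowMs) {
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) still inside the window
  }

  // Record one attempt and return the key's attempt count inside the window.
  record(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const kept = (this.hits.get(key) || []).filter((t) => t > cutoff);
    kept.push(nowMs);
    this.hits.set(key, kept);
    return kept.length;
  }
}

// Constructed log: one visitor makes 14 checkout attempts in under 60 s,
// each from a different IP, next to one ordinary buyer.
function constructedRequests() {
  const requests = [];
  for (let i = 0; i < 14; i++) {
    requests.push({ t: i * 4000, ip: `203.0.113.${i + 1}`, visitorId: 'v-constructed-1' });
  }
  requests.push({ t: 30000, ip: '198.51.100.7', visitorId: 'v-constructed-2' });
  return requests;
}

// Replays the log through both counters and reports the peak count each one saw.
function peakVelocity(requests, windowMs = 60000) {
  const byIp = new VelocityTracker(windowMs);
  const byVisitor = new VelocityTracker(windowMs);
  const peak = { perIp: 0, perVisitor: {} };
  for (const r of [...requests].sort((a, b) => a.t - b.t)) {
    peak.perIp = Math.max(peak.perIp, byIp.record(r.ip, r.t));
    const n = byVisitor.record(r.visitorId, r.t);
    peak.perVisitor[r.visitorId] = Math.max(peak.perVisitor[r.visitorId] || 0, n);
  }
  return peak;
}

console.log(peakVelocity(constructedRequests()));
```

The per-IP counter never rises above one attempt, while the per-visitor counter reaches 14 for the rotating session.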

How Sentinel handles ticketing & drops

Sentinel is built for exactly this case. On every request you get back:

  • Bot / automation flag — Puppeteer, Playwright, Selenium, headless Chrome, plus the dedicated drop-bot signatures.
  • Antidetect browser flag — Kameleo, GoLogin, AdsPower, Multilogin, Dolphin, Octo. The "real Chrome with fake fingerprint" tier.
  • Residential proxy flag — separately from datacenter VPNs. Identifies traffic from BrightData, Smartproxy, NetNut, IPRoyal, ShadowNode pools.
  • Persistent visitor ID — single stable identifier across IP rotation and incognito windows.
  • Session velocity — count of attempts by the same visitor ID across your last N seconds.

The full evaluation runs in under 40ms. You can call it from your edge worker before the cart endpoint even fires.

Integration: a checkout-protected drop

Add the SDK script to your drop landing page. It runs asynchronously on load, so the token is always ready by the time the user clicks "Buy":

<script async src="https://fp.sntlhq.com/agent"></script>

On your backend, in front of POST /api/cart/checkout:

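// Inside the Express-style handler for POST /api/cart/checkout (req and res in scope).
// Node 18+ provides a global fetch. Keep the secret key out of source control.
const response = await fetch('https://sntlhq.com/v1/evaluate', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer sk_live_YOUR_KEY',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ token: req.body.sentinelToken })
});
const verdict = response.ok ? await response.json() : null;

// Fail closed: a failed evaluation call or a verdict without details
// must never fall through to inventory reservation.
const d = verdict && verdict.details;
const block =
  !d ||
  d.isBot ||
  d.isAntidetectBrowser ||
  d.tamperingScore > 0.7 ||
  (d.isResidentialProxy && d.sessionAttempts > 2) ||
  d.sessionAttempts > 8;

if (block) {
  // Don't reserve inventory. Don't even call your DB.
  return res.status(429).json({ error: 'high_traffic_try_again' });
}

// Your own reservation call; its arguments are elided in the original.
await reserveInventory(...);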

Note the layered policy. A residential proxy alone doesn't trigger a block — plenty of real fans use NordVPN. Residential proxy plus third checkout attempt does. Tampering score above 0.7 alone does.

What changes after deployment

Sites that put this in front of their drops typically see:

  • Drop-bot share of inventory falls from 30–60% to 2–5% within the first event.
  • Real-user complaints drop sharply — fans actually get items. Twitter sentiment improves measurably.
  • Resale-market floor prices normalize, since the artificial scarcity created by mass-bot purchases collapses.
  • Server load at T-0 drops, because the worst spike is the one Sentinel turns away at the edge before it ever hits your inventory tables.

Get started

Free key at sntlhq.com/signup. 1,000 requests/hour on the free tier — enough to test against a real drop. Higher tiers scale to seven-figure event peaks. The Node SDK is @sentinelsup/sdk.