How to Stop Ticket Scalping: The 2026 Anti-Bot Playbook

If you run a ticketing platform, you already know the pattern. A high-demand drop opens. Within seconds the queue fills with what look like real fans. Inventory empties in minutes. By the time legitimate customers refresh, the entire allocation is on a resale site at four times face value. That's ticket scalping at work, and stopping it requires more than one defence layer.

This guide walks through how to stop ticket scalping in 2026 — what scalper bots look like, why most defences fail, and the layered approach that actually breaks the scalping business model. If you want to know how scalpers got the tickets in the first place, see why ticket scalping is so hard to stop. If you want the artist-side perspective, see what artists do to prevent ticket scalping.

Why "just stop the bots" doesn't work

Scalper bots are not what they were five years ago. The simple User-Agent: ScalperBot/1.0 headers and burst-traffic-from-one-IP signatures are gone. Today's scalping operations look like:

• Residential proxy networks routing every request through a different real consumer IP, so the traffic looks like it's coming from a thousand individual fans on home broadband.
• Real-device farms running actual mobile handsets at scale, so canvas fingerprints, GPU rendering, sensor data and touch events all pass authenticity checks.
• Bulk-created accounts seeded with throwaway emails from Gmail, iCloud and Yahoo (one mailbox impersonating dozens of accounts), aged for weeks before the drop.
• Queue-solver machine learning that learns the timing patterns of your queueing software and outpaces human refresh rates.
• Distributed checkout automation that hits your add-to-cart endpoint thousands of times per second from those residential IPs.

A single CAPTCHA on the ticket page can't see most of this. A simple rate limit on the API doesn't help when the requests come from a thousand different IPs. An account-signup filter doesn't help if the accounts were created two months ago and look identical to real fans until the drop.

The reason ticket scalping is hard to stop is that scalpers attack across multiple layers simultaneously. To stop scalping you have to defend across all of them.

The five places scalpers can be stopped

Scalper bots have to do five things to extract value from a ticket drop. Break any one of them and the operation slows. Break all five and it stops being profitable.

1. Bulk account creation — stop scalpers before the drop

Most scalping operations create accounts weeks before a high-demand drop. The accounts use throwaway addresses from major providers (a single Gmail mailbox can pose as dozens of distinct signups via address variants), come in from disposable-email domains, or originate from VPN, proxy or datacenter networks.

Block these at the signup form and the scalper has no accounts to use on drop day. Specifically:

• Reject signups from networks heavily associated with abuse — VPN, proxy, Tor, datacenter, and ASNs with strong abuse signals.
• Normalise throwaway Gmail, iCloud and Yahoo address variants so one rule catches every variant of the same mailbox.
• Detect disposable-email domains, including newly-registered domains pointing at known throwaway backends.

This is what Prosopo's Spam Filter does on signup forms. It runs before any further processing happens — the scalper's account-seeding pipeline never completes.

2. Pre-queue verification — stop scalper bots before they take a queue slot

When the drop opens and traffic spikes, the queue itself is the next bottleneck for the scalper. Every queue slot taken by a bot is a slot a real fan can't have.

Pre-queue verification on entry uses behavioural and device signals to score every request for trust before it enters the queue:

• Real users have mouse paths, scroll cadence, typing rhythm and tap pressure that vary individually. Real-device farms running orchestration scripts don't.
• JA4 TLS fingerprints reveal the client stack — when a thousand requests share the same fingerprint, that's automation regardless of which residential IP they came from.
• Network-wide behavioural modelling: patterns learned across the entire protected network mean a new scalper toolkit gets recognised the moment it appears anywhere, not after it has already drained your inventory.

Invisible CAPTCHA handles this on the queue page. Real fans pass without ever seeing a challenge. Scalper bots see escalating proof-of-work and image challenges, fail them at speed, and lose their queue slots.

3. Ticket page — stop scalpers at the moment of inventory access

Once a session reaches the actual ticket page, the rules get tighter. This is the moment of value, so defences should be aggressive. Per-request risk scoring on the ticket page does three things:

• Combines all the signals from earlier (IP reputation, device, behaviour, account history, queue time) into a single 0-1 risk score.
• Returns the score to your application so you decide what to do — silent block, force re-verification, slow the response, divert to a holding page.
• Doesn't require any visible challenge for users with a low risk score, so the experience for real fans is unchanged.

This is what Risk Scoring is for. The scoring decision is sub-40ms and the integration is a single API call on cart-add, checkout-start or account-access.

4. The drop API — stop scalper bots at the endpoint they actually target

Many scalpers skip the front-end entirely and go straight for the add-to-cart or release-ticket API endpoints. These often have weaker defences than the ticket page itself — and the scalper's automation can hit them hundreds of times per second from rotating residential IPs.

To stop scalping at the API layer:

• Put the same bot-detection layer in front of your drop endpoints as on the ticket page.
• Deploy at Lambda@Edge, Cloudflare Workers, Fastly or directly inside your backend — wherever your traffic terminates.
• Use Access Control rules to write per-endpoint policy: block specific ASNs, country combinations, TLS fingerprints, or risk-score thresholds for the drop API specifically.

The sub-40ms decision means the API stays responsive for legitimate clients while the scalper's bursts get cut at the edge.

5. Post-purchase — make scalping uneconomic even when individual bots get through

Even with strong front-line defence, some automated purchases will succeed during a high-demand drop. The post-purchase layer reduces their value:

• Identity verification at checkout — link tickets to a real customer identity so resale becomes harder.
• Mobile transfer locks — release ticket entry only via the buying account's mobile app, breaking the resale-to-stranger flow.
• Refund-and-redistribute — flag suspicious purchases (high risk score at checkout, e.g. multiple tickets to a single residential IP over many accounts) and re-release them.

This is policy, not technology — but the underlying signals (risk scores, account fingerprints, network linkage) come from the bot-protection layer above.

How to know if your anti-scalping defence is actually working

A few measurable signals to track:

• Time to inventory depletion — if your full drop empties in under 60 seconds, automation is winning. Real-fan drops typically take many minutes even for the hottest events.
• Buyer/account ratio per IP — multiple successful purchases from accounts with no purchase history, all routing through residential IPs in the same geography, is a scalping signature.
• Resale market price ratio — track the ratio of resale-market list prices to face value for your events. A persistently high ratio after a drop is a sign that automation got through.
• Front-line block rate — how many bot requests your protection layer is rejecting per second during the drop. If your provider can't tell you this number in real time, that's a problem.

Prosopo's bot-protection dashboard reports all of these alongside per-event drilldowns, so you can see what's getting through and adjust before the next drop.

What "stopping scalping" actually looks like

Stopping scalpers one at a time — banning IPs, blocking accounts — is a losing game. The IP is on a residential proxy network with a fresh address tomorrow. The account is one of a thousand pre-seeded ones.

Stopping scalping structurally means making the automation that scalpers depend on uneconomic. Every layer above attacks the automation rather than the individual scalper. Residential proxies stop working if device fingerprints betray the orchestrator. Real-device farms stop working if behavioural signals expose the script. Bulk accounts stop working if signup-time filtering catches them. Queue solvers stop working if pre-queue verification catches them. API automation stops working if the API has the same defence as the page.

Each layer alone can be defeated. Layered, they make the cost of stealing a ticket exceed the resale value — which is the only durable answer to ticket scalping.

If you want to see how this works in practice for ticketing platforms specifically, see the ticket scalping use case or the Forrester Wave 2026 comparison for how Prosopo's approach is rated against other vendors.

Related reading

• Why ticket scalping is so hard to stop — the structural and economic forces behind scalping.
• How do scalpers get tickets before selling them? — the bot stack scalpers use.
• What do artists do to prevent ticket scalping? — artist-side measures.
• Preventing ticketing bots — earlier deep-dive on the bot detection layer.
• Oklahoma moves to stop ticketing bots and protect fans — the regulatory side.