How DataDome Stopped Millions of Ticket Scalping Bots Targeting a Global Sports Organization
Between January 8–13, 2026, a global sports organization was targeted by a scalping attack. Over six days, attackers launched more than 16 million malicious requests from 3.9 million unique IP addresses—all targeting the checkout flows in an aggressive attempt to scalp tickets.
DataDome’s Galileo Threat Research team successfully disrupted this attack, deploying real-time protections that blocked all 16 million malicious requests while maintaining seamless access for legitimate customers. The result? Zero disruption to genuine fans and zero tickets lost to scalpers.
Key metrics of the scalping attack
16+ million malicious requests
3.9 million unique IPs involved
133.63 requests per second at peak
attack duration
Checkout flows targeted
Overview of the attack
The graph below (Figure 1) illustrates the malicious bot traffic detected and blocked during the attack by DataDome’s detection engine. At its peak, the attack reached a max velocity of 133.63 requests per second.
The attackers targeted the checkout flows, where tickets are temporarily reserved, attempting to monopolize inventory before genuine fans could complete checkout. The sheer volume of unique IPs involved—nearly 4 million—signals a professionally organized fraud operation with access to substantial infrastructure resources.
Left unchecked, this attack would have resulted in damaged brand image, loss of customer trust, and potentially regulatory scrutiny for ticket distribution practices.
Figure 1: Number of malicious bot requests blocked per 2-hour window
Distribution and characteristics of the attack
Top countries of origin
Traffic originated from five primary countries:
United States: 56%
Canada: 19%
United Kingdom: 18%
Germany: 4%
Spain: 3%
This distribution suggests threat actors strategically positioned their infrastructure in major markets to blend with legitimate user traffic patterns. Mimicking expected geographic distribution is standard tradecraft for advanced scalping operations.
Figure 2: Geographic distribution of request origin
Infrastructure profile
Analysis of Autonomous System Numbers (ASNs) revealed that the attackers relied heavily on major network providers. The top five ASNs included:
AS7922: 39%
AS7018: 21%
AS701: 14%
AS5089: 13%
AS2856: 13%
They are all associated with datacenter and network infrastructure services.
This infrastructure diversity serves two purposes: it distributes attack traffic across multiple networks to avoid triggering rate limits, and it provides fallback options if any single network gets blocked. Leveraging infrastructure across multiple major providers indicates that attackers prioritized both operational resilience and evasion capability.
Technical fingerprint
The most common user-agent in the attack traffic was Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36. This mimics a legitimate Chrome browser on Windows 10, one of the most common user configurations globally.
The attackers also deployed evasion attempts designed to blend with legitimate user traffic patterns, including the use of CAPTCHA-solving services to bypass traditional bot detection mechanisms.
How was the attack detected & blocked?
DataDome’s Galileo Threat Research team rapidly analyzed the attack patterns and deployed enhanced detection mechanisms specifically calibrated for this threat profile. Our AI-powered detection engine identified and adapted to the evolving attack in real time, analyzing request patterns, behavioral anomalies, and infrastructure usage to distinguish malicious bots from legitimate users with high precision.
The detection improvements deployed for this attack focused on four key areas:
Request pattern analysis: Legitimate users browse event details, compare seating options, and hesitate before purchasing. The bot traffic skipped these steps entirely, moving directly to cart operations with machine-precision timing intervals.
Behavioral inconsistency detection: Real users generate expected client-side signals—mouse movements, scroll events, JavaScript execution. The scalper bots lacked these signals, flagging their automated behavior as inconsistent with human interaction.
Infrastructure correlation: By cross-referencing IP addresses with known datacenter ranges and proxy service providers, DataDome identified infrastructure commonly associated with bot operations. This context, combined with behavioral signals, enabled high-confidence blocking decisions.
Real-time adaptive protection: As the attack evolved over five days, our AI models continuously updated detection logic. When attackers shifted tactics or introduced new IP ranges, DataDome adapted quickly, maintaining consistent protection without manual intervention.
The result: zero impact on legitimate ticket sales. Fans accessed tickets without friction, while 16 million malicious requests were stopped before reaching the checkout system.
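The request pattern and infrastructure correlation checks described above, as an added Python example run over a constructed log; it is not DataDome's detection code. The path prefixes, thresholds, session ids, address ranges and the two-signal blocking rule are assumptions made for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumed path prefixes and thresholds; tune them to the real site and traffic.
BROWSE_PREFIXES = ("/events/", "/seats/")
CART_PREFIXES = ("/cart/", "/checkout/")
MAX_TIMING_CV = 0.05  # gaps with stdev/mean below this count as machine-regular
DATACENTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed range

# Constructed sample log: (session id, client IP, time in seconds, path)
SAMPLE_LOG = [
    ("fan-1", "192.0.2.10", 0.0, "/events/final"),
    ("fan-1", "192.0.2.10", 14.2, "/seats/final/block-c"),
    ("fan-1", "192.0.2.10", 58.3, "/cart/add"),
    ("bot-1", "198.51.100.7", 0.0, "/cart/add"),
    ("bot-1", "198.51.100.7", 0.5, "/cart/add"),
    ("bot-1", "198.51.100.7", 1.0, "/cart/add"),
    ("bot-1", "198.51.100.7", 1.5, "/checkout/pay"),
]

def session_signals(events):
    """Return the set of signal names raised by one session's events."""
    events = sorted(events, key=lambda e: e[2])
    paths = [e[3] for e in events]
    signals = set()
    # Signal 1: cart/checkout reached with no event or seating page before it.
    first_cart = next((i for i, p in enumerate(paths) if p.startswith(CART_PREFIXES)), None)
    browsed = any(p.startswith(BROWSE_PREFIXES) for p in paths[:first_cart or 0])
    if first_cart is not None and not browsed:
        signals.add("skipped_browsing")
    # Signal 2: near-constant gaps between requests (needs at least 3 gaps).
    gaps = [b[2] - a[2] for a, b in zip(events, events[1:])]
    if len(gaps) >= 3 and statistics.pstdev(gaps) < MAX_TIMING_CV * statistics.mean(gaps):
        signals.add("machine_timing")
    # Signal 3: source address inside a listed datacenter/proxy range.
    if any(ipaddress.ip_address(events[0][1]) in net for net in DATACENTER_NETS):
        signals.add("datacenter_ip")
    return signals

def classify(log, min_signals=2):  # -> {session id: (signals, should_block)}
    sessions = defaultdict(list)
    for event in log:
        sessions[event[0]].append(event)
    found = {sid: session_signals(ev) for sid, ev in sessions.items()}
    return {sid: (sig, len(sig) >= min_signals) for sid, sig in found.items()}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Requiring two independent signals before blocking keeps a single weak indicator, such as a returning fan who deep-links straight to the cart, from being treated as a bot on its own.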
Protect your website from scalping attacks with DataDome
Ticket scalping attacks impact more than your bottom line. When bots monopolize inventory, customers lose trust, regulatory attention increases, and control over product access and pricing shifts to secondary markets.
This attack demonstrates the sophistication of modern scalping operations: 3.9 million IPs, distributed datacenter infrastructure, and CAPTCHA-solving capabilities—all designed to bypass traditional defenses. These operations are organized, well-funded, and constantly evolving.
DataDome’s AI-powered detection engine analyzes intent in real time, identifying automated behavior across hundreds of signals, not static rules that attackers easily bypass. This approach delivers protection that matches today’s scalping sophistication, while keeping legitimate transactions frictionless.
Book a demo to see how DataDome stops scalper bots in under 2 milliseconds.
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by Jérôme Segura. Read the original post at: https://datadome.co/threat-research/how-datadome-blocked-a-ticket-scalping-bot-attack/
