When tens of thousands of fans rushed to buy tickets for the Ye Live Concert shows on 6 and 8 June 2026 at the Gelredome in the Netherlands, they weren't the only ones trying to get in. Behind every major ticket sale today, there's an invisible battle being fought: one that most fans never see, but absolutely feel.

Here is the technical breakdown of how Weeztix went from being "battered" by bots (due to its open-API architecture) to becoming an industry leader at beating them and preventing ticket scalping. All whilst keeping its UX as pleasant as clients have come to expect.

The economics behind scalping

Before getting into the technical details, it is worth understanding why events of this scale attract bots in the first place. Ticket scalping is a high-margin business. Buy 50 tickets at €180 each, list them on unregulated secondary markets for €600 apiece, and the return on a single session ranges from 100% to 200%. For a rare event like this, the incentive is significant enough to justify a serious investment in the tooling.

The strategy behind the bots

The dominant instrument for this kind of operation is the sneaker bot, originally built for limited-edition trainer drops by brands like Nike and Adidas. By 2025, a clear migration had taken place. Scalpers realised that concert tickets also offered tall margins with less competition, and they brought tools like Stellar AIO and Adonis with them. Platforms that had never needed to defend against this class of attack suddenly found themselves in the crosshairs.

The bot strategy is as follows: Deploy 10,000 bots to flood the queue. All those bots are spread through the queue, and once they're in, they attempt to reserve as many cheap tickets as possible. Even a 1% success rate can net them 100 tickets and a massive profit. Bots typically won’t purchase all the tickets they reserve; they'll only purchase what they need. This means that certain ticket types, such as early birds, may become available to other buyers again after appearing sold out, making the sale incredibly messy and frustrating for fans.

The bots we faced

The bots we faced during the peak sale of the Ye Live Concerts in the Netherlands fell into three distinct categories, each requiring a different response.

1. Consumer-grade sneaker bots

Now widely available as subscription services, these tools require no technical background to operate. Pre-configured interfaces allow users to target ticketing queues with minimal setup, automating the steps a human fan would take through the platform's front end.

2. Professional scalper bots

A more serious threat. These tools are purpose-built to scalp tickets and are likely operated by (semi-)professional operators. These bots are active at large international events and concerts and are much more powerful than consumer-grade sneaker bots (meaning they make many more requests per second).

3. Invalid order bots

The most disruptive category we encountered was the one that caused the most damage during the first sale. These bots submit floods of malformed requests with no intention of completing a purchase. Their purpose is unknown. The result, however, is lots of additional database noise, forcing expensive validation logic to run repeatedly.

Regular safety measures

We host thousands of peak sales every year, and rarely have any issues. Before we dive into what went wrong during the Ye peak sale we want to run you through the standard measures that we have in place to ensure your peak sales go smoothly:

1. Queue-it

Every Weeztix shop is protected by Queue-it, a virtual waiting room that sits in front of the sale and controls how many users enter the shop at any one time. When demand exceeds a set threshold, visitors are held in an orderly queue and admitted at a managed rate. This protects the platform from being overwhelmed at the moment of launch and ensures that access is distributed fairly, on a first-come, first-served basis.

2. Rate limiting in the stack

Within the application itself, rate limiting restricts how many requests any single user or IP address can make within a given time window. This creates a baseline level of protection against automated tools that attempt to flood the system with rapid, repeated requests. Any traffic that exceeds normal human behaviour is slowed or blocked before it can cause any harm.

3. Real-time monitoring

During every high-demand sale, our team monitors platform behaviour in real time. Traffic patterns, error rates, database load and response times are all tracked continuously, giving us the visibility to identify anomalies as they emerge rather than after the fact. When something unusual appears, we can respond immediately rather than waiting for the damage to compound.

4. Moving shops to Weeztix-hosted pages

For major sales, embedded and floating shops on organiser websites are moved to Weeztix-hosted pages. When a shop runs on a third-party website, traffic management is split between the organiser's infrastructure and ours, which limits what we can control. By hosting the shop in our own environment, all traffic flows through our systems, giving us full visibility and the ability to apply our protections without interference from external infrastructure.

5. Sealed Tickets

Sealed Tickets make fraudulent activities such as ticket scalping or counterfeiting on unregulated secondary markets much harder. When a ticket is sealed, it means that the ticket cannot be downloaded until a specific date and time, which is usually very close to the start of the event. Sealed Tickets can be sold on regulated secondary platforms such as TicketSwap and Tixel without issue, even while the tickets remain sealed.

The February 12 sale: what went wrong

When the pre-sale for the first show went live on February 12, we were hit with 15,000 HTTP requests per second. That’s 900,000 requests per minute, roughly a hundred times our normal peak traffic load.

On our end, three specific failures compounded the problem:

• Our rate limiters were too deep in the stack
• The volume of requests overloaded our logger
• Bots had found ways to automate the acquisition of Queue-it tokens.

The invalid order bots exploited this particularly aggressively. By submitting orders without completing seat selection, they forced the system to run heavy validation logic on every request, returning 406 errors each time.

For a show of this magnitude, we expected high traffic, but we couldn’t have anticipated the sheer volume of requests. We’ve previously never had these issues with our peak sales, and suddenly we had to deal with the perfect storm.

What we changed for the second show

For the second sale, we moved our protection even further upstream, closer to the source of the traffic, and on top of all our regular safety measures.

1. Edge-level rate limiting via Cloudflare

The most consequential change was relocating rate limiting to the network edge using Cloudflare, to assess and block traffic at the point of entry. Bots that previously reached the application layer and consumed server resources were now stopped well before that point.

2. Infrastructure to introduce new elements and puzzles

We made an infrastructure change that allowed us to introduce and rotate puzzles in the UI. A small, unexpected action that buyers must complete once they’ve reached the front of the queue before they’re allowed to enter the shop. By rotating puzzles before and during a show, it is much more difficult to pre-program consumer-grade bots to deal with.

3. Shop segmentation by geography

We restructured the sale into three distinct environments, each with its own access controls and payment methods. For example, for this event, we created three different shops for:

• Netherlands and Belgium
• Germany
• Rest of the world: open to all regions, with significantly stricter CAPTCHA enforcement

IP addresses outside the expected geographic regions (e.g., the Netherlands and Belgium for the local shop) are dropped immediately for safety purposes. This meant that a bot network operating in one region could not affect the availability or performance for fans in another.

4. Database offloading

We temporarily disabled Late Personalisation during the peak window. Late Personalisation allows ticket buyers to enter the majority of their details after making their purchase, making the checkout process quicker. The catch is that this is more demanding on our database. For the second sale, we disabled it, freeing up substantial database capacity to handle transaction volume.

The result

The results of the second sale reflected the changes directly: database-related errors fell by 98 percent compared to the first sale. Bot traffic was still present, but it was effectively absorbed at the edge before it could affect the platform's performance, meaning that real fans could load complete their purchases.

The edge protection did what the application-layer defences could not: it reduced the volume of traffic reaching the system to something the platform could handle cleanly.

What this actually proves

We're not claiming to have permanently solved the bot problem. The people behind these tools are persistent: they adapt and perfect their scripts to match our moves, making it a continuous game of cat and mouse, especially for professional ticket scalpers.

However, we are several steps ahead, and the results reflect that. Since the changes we made for the second Ye sale, we have gone on to sell out major events and handle peak sales cleanly, protecting the experience for the fans of clients including Audio Obscura, Thuishaven, Verknipt and ADE. We will continue to monitor developments and adjust where necessary. For large-scale sales today, that means having the tools and capability to hold bots at bay and give real fans a fair shot. It is a capability we have earned the hard way, and one we intend to keep.

A note for organisers and partners

If you are planning a high-demand sale and want to understand how these dynamics might affect your event, we are happy to talk through the specifics. The details above are shared in that spirit: the more openly we discuss what actually happens during major sales, the better placed everyone is to protect their fans and keep the experience fair.

Interested in how Weeztix approaches high-demand peak sales? Feel free to reach out to us via the chat or email to info@weeztix.com.