Instacart shoppers besieged by bots that snatch lucrative orders
Lisa Marsh’s job shopping and delivering groceries for Instacart during the past three years has been unforgiving. Company tipping policies cut into earnings while boycotts and other labor strife created confusion, she said.
Then the global pandemic hit, transforming once mundane trips to Los Angeles grocery stores where she lives into a palpable health risk.
In recent weeks, another problem has emerged: bots that snatch the largest, most lucrative orders out of the hands of other shoppers.
Here’s how it works. Instacart pays contract workers to shop for groceries and deliver them to customers. Normally, the shoppers open the Instacart shopping app and, as orders flash by, click on the ones they want to fulfill. But in order to gain an edge, some shoppers are paying software developers who have created bots — in the form of third-party apps — that run alongside the legitimate Instacart app and claim the best orders for clients.
In this way, the app tilts competition between shoppers but is invisible to customers and doesn’t take business away from Instacart either. The cost of the third-party apps ranges from $250 to $600 in cryptocurrency or bank deposits, according to the dark-web research firm DarkOwl.
When Marsh opens her Instacart shopping app, she sees promising orders disappear before she can act. “No human can click that fast,” she said. “Instacart needs to fix this. These bots are literally taking the food off my kids’ table.”
While bots aren’t a new problem for Instacart, the recent deluge is different because it comes at a time of white-knuckled expansion for the San Francisco-based startup. The company said customer demand for grocery delivery has surged more than 500% during the pandemic, notching growth its investors didn’t expect until 2025. This makes the platform, which hasn’t expanded its team as fast as its revenue, an attractive target for hustlers.
A spokeswoman for Instacart said the bots affect just a sliver of its more than 500,000 shoppers and that the company has already taken measures to address the issue.
“We take the integrity of the Instacart platform very seriously and have a trust and security team dedicated to monitoring the unauthorized use of the platform which includes all efforts to prevent illicit and fraudulent third-party apps from violating our terms of service,” said Natalia Montalvo, Instacart’s director of shopper engagement and communications.
Instacart said it’s combating bots by cranking up pressure against app makers and banning violators when it finds them. The company said it deactivated 150 shoppers found to be misusing the platform and shut down half a dozen sites claiming to sell batches to Instacart shoppers, including Instashopper.app, Sushopper, Ninja Hours and Acrobatshopper.
Instacart also recently introduced new procedures such as prompting shoppers to verify their identity with a selfie and not permitting shoppers to switch devices in the middle of an order. Shoppers using the updated app can also choose to review a single order for 30 seconds before claiming it or passing it to another shopper.
“As a result of these measures, we’ve seen a dramatic reduction in the use of unauthorized third-party apps because of the hard work and dedication by our security and legal teams to protect the shopper experience,” Montalvo said. Instacart also last month enlisted the help of security platform HackerOne to battle bots by offering a bounty program, she said.
But as security experts at Amazon.com and other sites have discovered, battling rogue apps is a lot like playing whack-a-mole. As soon as a company thwarts one bot program, a new version of it emerges, usually with a new name.
“If Instacart cared — if it was losing money — they could devote resources to make the jobs of these automatic snipers much harder,” said Bruce Schneier, a cybersecurity expert, author and lecturer at Harvard University, adding that there are ways for companies to detect such bots. “This is a problem that any company that makes money from automation is likely being forced to deal with. Some handle it well. Others don’t.”
In recent months, different Instacart shopper-related apps have come and gone, sometimes using slightly varied titles, such as Ninja Hours, Ninja Shoppers and Ninja Shopper. DarkOwl discovered nearly a dozen active platforms in mid-May advertising openly on YouTube and social media platforms, including Reddit.
First reported @ bloomberg.com