A promoter I work with rang me a fortnight ago, properly furious. He’d done a 1,200-cap show in Sydney that sold out in nine minutes. By the time doors opened, around 180 tickets had been resold on third-party platforms at three to five times face. Standard stuff in 2026, you’d think — except this promoter had spent serious money on bot mitigation. Captchas, queue systems, identity verification, the lot. The bots got through anyway.

That’s because the bots aren’t really bots anymore. They’re agentic AI scripts paired with image generators, and they’re solving the kind of challenges that used to stop them dead.

The arms race has changed shape

Five years ago, scalping software was basically a fast clicker with proxy rotation. You could spot it because it failed Turing-style challenges, had giveaway timing patterns, or showed up from suspicious IP ranges. Ticketing platforms got good at filtering for that pattern. Bots got cheaper but also more obvious.

What’s happened in the last 18 months: the same off-the-shelf AI models that everyone uses for chatbots can solve image captchas in under a second, generate plausible Australian addresses and phone numbers, and even pass low-grade identity verification by submitting AI-generated images of “ID documents” that look real enough to fool the kind of automated KYC service most ticketing platforms use.

A ticketing engineer I had a beer with in Melbourne reckoned around 35% of the verification failures on his platform now involve AI-generated artifacts. Not bots failing — bots succeeding with synthetic identities.

What promoters are actually trying

A few things doing real work:

Phone-tied accounts with carrier verification. Not SMS — that’s been hammered for years with SIM-swapping and VoIP — but actual handset verification through carrier APIs. Australia’s three big carriers offer this now and it’s roughly 90% effective at stopping volume fraud. Costs around $0.40 per ticket. Promoters running 5,000+ cap shows are eating that cost willingly.

Behavioural biometrics. How you move a mouse, the rhythm of your typing, the way you scroll. Genuinely hard to fake at volume. Several platforms have rolled this out in the background. The catch: it generates a lot of false positives for older punters who buy tickets differently.

Delayed allocation. You don’t get your ticket immediately. You get a placeholder, and the actual barcode gets issued 48 hours before the show. Cuts the resale market dead because nobody can flip what they don’t have yet. Tour managers love it, scalpers hate it, and a small but vocal minority of legitimate buyers hate it too.

On-the-door ID checks. Old-fashioned but increasingly relevant. The name on the ticket has to match the name on the ID. Works for tier-one acts where the demand justifies the door slowness. Doesn’t work for a 9pm doors club show with a 1,400 punter line.

Why off-the-shelf AI defence is harder than it sounds

This is where it gets interesting. A few ticketing platforms have started bolting AI-driven anomaly detection onto their backend — the idea being that an AI model can spot patterns a rules engine can’t. In principle, sound. In practice, you need someone who actually understands the platform’s data shape to build the model properly, and ticketing data has a lot of weird edge cases that fool generic anomaly detection.

I had a long chat with a ticketing CTO who’d brought in an AI consultancy to help work through their fraud signals. His point: the off-the-shelf tools sold by the big cloud providers are okay for a general e-commerce fraud problem but ticketing has bizarre traffic spikes — a 15,000-cap onsale at 10am can look like an attack to a model that doesn’t know what an onsale is. You need someone who’ll sit down with the actual data, build something that knows what normal looks like for your show pattern, and tune it over multiple onsales. That’s specialist work and most teams don’t have the in-house ML capacity for it.

His view, and I think he’s right: this is going to keep splitting the ticketing world into platforms that take fraud seriously and platforms that just absorb it as a cost of doing business.

What the punters experience

The friction punter side is genuinely annoying. I bought tickets to a show in March, had to verify by phone, then verify again by face match, then wait 18 hours for the ticket to land in my account. I’m in the industry. I know why this is happening. I was still annoyed.

For a casual punter who buys two shows a year, this is unacceptably painful. Promoters are going to lose some legitimate sales because of it. The question is whether those losses are smaller than the scalper losses they’re trying to stop. For tier-one acts with insane demand, the math probably works. For mid-tier shows that are touch-and-go on selling out, the friction might actually kill the show.

Where this is heading

A couple of things I think happen in the next 12 months:

The ACCC will say something firm about resale platforms and identity verification. They’ve been circling this for two years and the political pressure from the live music sector keeps building. I don’t think it’ll be the ban the industry wants, but I think we’ll see real resale price caps.

Major touring acts will increasingly demand stricter onsale controls written into their contracts. I’ve seen one offer rider this year that mandated phone-verified accounts and a one-ticket-per-account limit. Bands aren’t stupid — they know the scalping market is eating goodwill that should be theirs.

And the bot economy will keep adapting. There’s no permanent solution here, only a moving frontier. The promoters who do best will be the ones who invest in monitoring and learn the new patterns fast.

I’ll have more on this when the spring onsale season kicks off. Should be interesting.