Most people think sneaker botting is about speed.
They think it's about having the fastest servers, the best proxies, the most accounts.
They're wrong.
Sometimes it's about finding the door nobody thought to lock.
18 months ago, @botwht and I discovered something that shouldn't have been possible: a way to buy sneakers from Solebox days before they officially released. No camping. No raffles. Just add to cart and checkout while everyone else was still waiting for the drop.
Here's how we pulled it off.
The accidental discovery
It started with a simple bypass for our monitoring tool.
Solebox uses PerimeterX (PX3) to block bots — it's like a bouncer at a club, checking IDs and turning away anyone who looks suspicious. Our original bypass was beautifully simple: we added %3F.ico to the end of URLs.
Why did this work?
PX3 saw .ico at the end and thought we were requesting an icon file (which are usually unprotected). Meanwhile, Solebox's server decoded %3F as ? and processed our request normally.
It was like wearing a delivery uniform to walk past security.
But then Solebox patched it. One day our monitors went dark. Game over, right?
Wrong. That's when things got interesting.
The plot twist nobody saw coming
When hunting for a new bypass, I tried hitting admin routes instead. Something like:
https://www.solebox.com/admin/index.php%3F.icoThe monitor started working again, but something was... off.
Suddenly, I was getting bombarded with "IN STOCK" notifications for sneakers that weren't dropping for another three days. My first thought? The monitor's broken. I'm seeing ghost inventory.
But I decided to test it anyway. I tried adding a pair to my cart.
It worked.
I tried checking out.
It. Fucking. Worked.
We weren't just monitoring — we were shopping
Here's what happened: By hitting the admin route with our bypass, we inherited partial admin privileges. Not enough to mess with the backend, but enough to do one very specific thing:
Buy products that hadn't been released yet.
Think about that for a second. While everyone else was setting alarms for Saturday's drop, we were checking out on Wednesday.
We quickly built a bot that could:
- Generate session cookies (SIDs) with these special privileges
- Add unreleased items to cart
- Complete checkout before anyone knew the shoes were even loaded
It was like having a key to the warehouse.
The logistics nightmare
Of course, having early access created its own problems.
Solebox's warehouse team works fast. Too fast. If we shipped to addresses outside Germany, they'd notice something was wrong and cancel orders. UK addresses? Instant red flag. Everything got marked "return to sender."
Our solution? We shipped everything to German pack stations — basically Amazon lockers for packages. Priority shipping only. Different names, different stations, but all in Germany where the warehouse was located.
Was it paranoid? Maybe. But it worked.
The threat that never materialized
The best part? After Solebox finally patched the exploit, some "apparent" staff member started threatening to sue us. Multiple times. They had screenshots, they had evidence, they were going to take us down.
You know what happened next?
Absolutely nothing.
(Shocking, right?)
Turns out threatening legal action on Discord doesn't actually constitute a lawsuit. Who knew?
What this really means
This isn't just a story about buying sneakers early. It's about how even major retailers with sophisticated security can have blind spots.
Solebox spent thousands on bot protection. They had PerimeterX. They had monitoring. They had all the tools.
But they didn't think about what would happen when someone found a way to inherit admin privileges through a URL trick.
The lesson?
Security isn't just about the front door. It's about every window, every backdoor, every possible entry point. One overlooked route can compromise everything.
For 18 months, we had a golden ticket. Not because we were the best hackers or had the most sophisticated tools. But because we looked where nobody else was looking.
Sometimes the best exploits aren't the most complex ones. They're the ones hiding in plain sight.
And before you ask — yes, the bypass is patched now. This isn't a how-to guide. It's a reminder that in the sneaker game, creativity beats brute force every time.
The real question is: What other "impossible" things are possible right now, just waiting for someone curious enough to find them?
