Philippe Vallée | EVP Digital Identity & Security
More About This Author >
Philippe Vallée | EVP Digital Identity & Security
More About This Author >
The curtain goes up at 8 PM sharp. The theatre is sold out, every seat accounted for, every ticket purchased. Yet as the lights dim, rows of empty seats stare back at the performers. The missing audience members aren't running late. They were never coming at all.
Those tickets were bought by bots.
As someone who's spent decades in cybersecurity and many evenings on the theatre stage myself, I never expected these two worlds to collide. But they have: Bad bots have become a solid threat to the wider arts industry. From ticketing abuse to fraud operations, bots are now targeting theatres, museums, live events, and their audiences with alarming sophistication.
Earlier this year, we released the 2025 Bad Bot Report. While automated attacks are often associated with sectors like banking, retail, or aviation, our latest findings show a troubling expansion. Bots no longer limit themselves to supply chains or loyalty programs, they are now a growing threat to culture, creativity, and community.
These invisible digital actors are quietly stealing the spotlight from genuine audiences. And it's time we paid attention
Ticketing turmoil: The silent attacks and the new scalping game
Arts institutions are now prime targets for automated attacks. In 2024, bots made up 31% of traffic to entertainment platforms, used by attackers to snatch up tickets, take over accounts, and test stolen credit cards before anyone notices. The threat is growing fast and it’s getting harder to stop.
A major threat comes from scalping bots; automated scripts that grab tickets the second they go on sale, then resell them at inflated prices. Around ten years ago, a ticket scalping issue made headlines when it became nearly impossible to get seats to Broadway’s Hamilton. Today, these incidents are no longer news, it’s a widespread, everyday problem – and a silent but major threat to the cultural sector.
Meanwhile, carding bots continue to rise, using stolen credit card data to exploit ticketing systems and carry out fraudulent transactions.
One public museum fell victim to a low-and-slow bot attack. By quietly validating stolen card data, bots processed fraudulent purchases, disrupted systems, and caused significant financial losses before the threat was even detected. These bots mimic human behavior to avoid detection, targeting login and checkout points. As these threats slip past traditional defences, arts organisations must turn to real-time behavioral analysis and advanced bot management to protect access and trust, and in turn, protect the cultural sector at large.
The hidden cost of fake traffic
Bots aren’t just used for purchasing tickets; they also interfere with reliable data tracking. High volumes of automated traffic can artificially boost website metrics, making it challenging for arts marketers to understand real audience behaviour or measure the effectiveness of their campaigns.
The Bad Bot Report revealed a case like this exactly: a global talent agency discovered that 83% of its website traffic came from bots, making it nearly impossible to evaluate the return on digital campaigns. For theatres promoting limited runs or fringe shows, this kind of false engagement could easily lead to wasted ad spend and poor strategic choices.
AI lowers the barrier to entry
In 2024, automated traffic surpassed human traffic online, with 37% driven by malicious bots. Much of this shift is fueled by AI tools that make bot creation faster, cheaper, and harder to trace. The technical barrier to launching complex attacks has never been lower.
For the arts sector, this means no venue is too small to be targeted. Bots don’t care about size or budget, they exploit weaknesses wherever they find them. Whether scraping seat prices or exploiting promotional offers, these attacks are scalable and increasingly indiscriminate.
My cybersecurity advice to a sector I love: Why cultural institutions must think like tech companies
Last year, automation on ticketing platforms soared to 86.5%, with a third of that traffic coming from malicious bots. Theatres, museums, and concert halls may be rooted in tradition, but they now operate in digital-first environments. That makes them digital-first targets.
To keep up, arts institutions must begin thinking like technology companies. That includes:
Protecting login and checkout endpoints with behavioural analytics and rate-limiting
Monitoring for traffic anomalies and repeated failed transactions
Using advanced bot mitigation tools to prevent scalping, carding, and account takeovers
Auditing application logic regularly to patch silent vulnerabilities
Cybersecurity may seem far removed from the mission of cultural institutions, but today, it is central to preserving it. Digital trust and fair access are critical to the long-term sustainability of the arts.
Because when the curtain rises, those seats should be filled by the people the performance was meant for.