
The 2026 US sneaker bot landscape — and what it means for which exit class still works

An operator's look at the US sneaker/retail anti-bot stacks as they look in early 2026: SNKRS, Adidas Confirmed, Shopify Plus, Footlocker. Which exit class still holds, where the BOTS Act line actually sits, and what we won't sell for.

Nadine Kowalski · 5 min read

Every year around March — ahead of the spring drop calendar — we write a short operator-view piece about where the US sneaker and hype-retail market actually stands. This is the 2026 version. It's shaped by three things: what our own customers are reporting on drop-day performance, what we see on our gateway logs at the class-of-exit level, and what the major anti-bot vendors have rolled out since mid-2025.

Short version: the arc of 2023–2025 hardened the US sneaker stack meaningfully, and a workflow that worked on SNKRS in 2023 does not work on SNKRS in 2026. What still works is narrower, more carrier-specific, and more expensive. But it works.

What actually changed, 2024 to 2026

Three things shipped across the anti-bot stack in the last 18 months:

  1. Kasada's client-side attestation got meaner. The v4 runtime that deployed to SNKRS web and to most Kasada-fronted Shopify Plus merchants in mid-2025 added both a WASM-based device attest and a live-pinned TLS fingerprint check. The old "just randomise your Chromium build" approach started getting caught in Q3 2025.
  2. Shopify Plus started selling Kasada bundled to merchants. The commercial impact: anti-bot posture on hype Shopify stores is drifting from "varied by merchant" to "uniformly Kasada." If you have a solution for Kasada, it works on more stores. If you don't, you lose more of the calendar.
  3. SNKRS iOS added a device attestation layer. Apple's DeviceCheck and App Attest, shipped as SNKRS-side checks, add a signal the server uses to score the authenticity of the client device. The practical upshot: a perfect iOS-shaped HTTP request with a plausible mobile IP that can't produce a valid App Attest token gets silently deprioritized.
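
Seen from the server side, the three changes above amount to a consistency test between what a client claims to be and what the edge observes. The sketch below is an added illustration, not code from this post and not any vendor's actual logic; the profile table, the placeholder JA4 strings, the SETTINGS tuples and all field names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed reference profiles (assumption): what a genuine client of each
# family presents. JA4 strings are placeholders, not real fingerprints.
KNOWN_PROFILES = {
    "chrome-desktop": {"ja4": {"JA4-PLACEHOLDER-CHROME"}, "h2": (1, 2, 4, 6)},
    "ios-app": {"ja4": {"JA4-PLACEHOLDER-IOS"}, "h2": (2, 3, 4)},
}

@dataclass
class Request:
    platform: str                 # "web" or "ios"
    claimed_client: str           # client family parsed from the User-Agent
    ja4: str                      # TLS fingerprint observed at the edge
    h2: Tuple[int, ...]           # HTTP/2 SETTINGS ids in the order received
    asn_class: str                # "datacenter", "residential", "isp", "mobile"
    attest_valid: Optional[bool] = None  # App Attest verdict; None = absent

def evaluate(req: Request):
    """Return (tier, reasons); tier is 'block', 'deprioritize' or 'normal'."""
    if req.asn_class == "datacenter":
        return "block", ["datacenter ASN"]
    reasons = []
    profile = KNOWN_PROFILES.get(req.claimed_client)
    if profile is None:
        reasons.append("unknown client family")
    else:
        if req.ja4 not in profile["ja4"]:
            reasons.append("JA4 does not match claimed client")
        if req.h2 != profile["h2"]:
            reasons.append("HTTP/2 SETTINGS do not match claimed client")
    # The page's iOS case: a well-formed request without a valid attestation
    # is not rejected, only scored down.
    if req.platform == "ios" and req.attest_valid is not True:
        reasons.append("no valid App Attest assertion")
    return ("deprioritize" if reasons else "normal"), reasons

# Constructed sample traffic.
SAMPLES = [
    Request("web", "chrome-desktop", "JA4-PLACEHOLDER-CHROME", (1, 2, 4, 6), "isp"),
    Request("web", "chrome-desktop", "JA4-PLACEHOLDER-OTHER", (1, 3, 4), "residential"),
    Request("ios", "ios-app", "JA4-PLACEHOLDER-IOS", (2, 3, 4), "mobile", None),
    Request("ios", "ios-app", "JA4-PLACEHOLDER-IOS", (2, 3, 4), "mobile", True),
    Request("web", "chrome-desktop", "JA4-PLACEHOLDER-CHROME", (1, 2, 4, 6), "datacenter"),
]

def triage(samples=SAMPLES):
    return [evaluate(r)[0] for r in samples]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.platform, r.asn_class, *evaluate(r))
```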

Which exit class still holds, April 2026

SNKRS web

  • Still works: US ISP on Comcast or Spectrum in the expected region, paired with careful TLS fingerprint matching (JA4 + HTTP/2 SETTINGS frame).
  • Still works, with effort: US 4G on T-Mobile/Verizon, if the session is fresh and the queue entry is outside peak contention windows.
  • Doesn't work reliably anymore: plain US residential (rotating). The session persistence isn't enough for Kasada's runtime check.
  • Doesn't work at all: anything announced from a datacenter ASN.

SNKRS iOS

  • Still works: US 4G on a real carrier SIM with a device that can produce valid App Attest tokens. That last part is the gatekeeping layer now, not the proxy.
  • Doesn't work: anything without App Attest, regardless of proxy choice.

Adidas Confirmed

  • Still works: US residential sticky or 4G, same as 2024. Adidas Confirmed's stack didn't get the Kasada upgrade SNKRS got.
  • New: Adidas started pushing opt-in biometric verification on some drops in late 2025. If you're in a biometric-verified drop, proxies aren't the bottleneck — the human-in-loop is.

Shopify Plus (hype tier)

  • Still works (when Kasada is tuned conservatively): US 4G, US sticky residential, US ISP.
  • Harder (when Kasada v4 is at default tuning): only US ISP + careful client fingerprinting, or US 4G on a fresh session.
  • Varies by merchant: Kith, Aime Leon Dore, Supreme and Palace all tune differently. Ask, then test, before assuming.

Footlocker / JD Sports US

  • Still works: US 4G on T-Mobile or Verizon. Carrier mobile has been the strongest exit class for Footlocker for three years running and that hasn't changed.
  • Doesn't work reliably: US residential, US ISP. The challenge-response fingerprint vendor they use is explicitly downweighting non-cellular exits.

Nordstrom, END., DSM

  • Soft-target range. Residential works fine. ISP works fine. Mobile works fine. The anti-bot posture hasn't meaningfully changed here.

The BOTS Act line — what 2026 enforcement looks like

The Better Online Ticket Sales Act has been US law since 2016. Its enforcement posture shifted materially in 2024 when the FTC announced a civil penalty framework and the DOJ took over criminal enforcement. The 2025 enforcement actions — the two we know about, anyway — both involved proxy operators who were selling tooling explicitly for primary-ticketing bypass.

The line, as it now sits:

  • Primary ticketing (Ticketmaster, See Tickets, AXS, DICE). Hard no from us. We filter these domains at the gateway level and we refuse to sell to customers whose stated workflow intersects primary ticketing.
  • Ticket resale (StubHub, SeatGeek, Vivid Seats, the secondary market). Legally different but operationally adjacent. We don't sell for scraping-to-resell-price-arb here either.
  • Sneaker retail. Not a BOTS Act domain, but the FTC has been sending Section 5 inquiry letters to the largest US retailers on their own anti-bot posture, which has the indirect effect of making those retailers more aggressive about challenging automated traffic. Expect this to get harder, not easier.
  • BOPIS and single-store inventory games. Legal gray area we stay out of.

What Proxaro does NOT sell for, explicitly

For April 2026 the list is:

  1. Any primary ticketing platform (BOTS Act).
  2. Any workflow whose stated purpose is "create accounts at scale on SNKRS / Confirmed / Shopify Plus stores for resale purposes" where the account creation itself crosses a clear TOS line we can't indemnify.
  3. "Drop aggregator" services that resell our gateway to thousands of downstream operators — we sell to operators, not to operators' hosting middlemen.

If you're building something that's on the edge of one of these, talk to us first. We say no more often than we say yes, but the conversation is worth having.

The tactical takeaway

Drop-day in 2026 is a three-proxy problem, not a one-proxy problem. Warmup on residential. Gate-crossing on carrier 4G. Queue-hold on ISP. None of the three alone carries the drop; the stack does. The operators who still catch drops consistently are the ones who budgeted for the whole stack and accepted that the cheap middle of the market isn't the way in anymore.
