Discover more from tactical_retreat’s stuff
Part 2: Running a bot ring
Unfortunately the name Crab Cartel was already taken
This is part 2 of a 5 part series; the index with links to other sections is here.
If you read Part 1, you should understand why you can’t blame CHD for ruining the game. I personally don’t think you can blame loot bots in general for ruining the game either. But I am responsible for the loot bot CHD used, I used it myself, and I rented it out to a bunch of other people. Here’s the story behind that.
The pure Bulk era
A friend had 10 pure bulk teams in Jan 2022 back when TUS was skyrocketing. He was sleeping through the whole night and missing a whole cycle of mining, which was a travesty. All that money lost! I asked him if he’d be willing to pay a percentage of the money reclaimed if I built a bot for him, and he agreed.
So I built a really shitty bot that I was confident that he could operate. It was web-based; you entered your private key into a form and it would store it locally, encrypted and obfuscated.
It started and ended mines, designed to work with pure Bulk teams. No auto reinforcing.
It turned out to be really tough to test this without actually having crabs. I tried forking the mainnet and testing there, but I couldn’t get the marketplace to sell me crabs. I could have overcome this with some effort, but thinking that I might as well get on the gravy train, I bought 3 pure Bulks and started mining with them.
It immediately became obvious how annoying it was to have to play this game every 4 hours, wake up in the middle of the night, etc. I was very motivated to finish this bot.
Unfortunately, a few days after buying in, the factional changes were announced. Not only was my gravy train ending, but TUS started devaluing.
PvP loot botting
I hadn’t recouped my investment yet, and I was looking at a substantial hit to income. Pure Bulks aren’t the best miners with their tiny Miners Revenge percent.
Rather than take this lying down, I decided to ape into 6 pure Gems, combine them with my 3 Bulks, and form 3 GGB teams. I figured that all the other BBB teams would instantly become lootable by my team, with shitty MR%, making looting feasible.
Of course, I prepared a bot to handle this for me. Looting would only be reasonable by a human for a few days as people adjusted. I wanted a technical edge.
At first things went pretty smoothly, but as the days progressed, competition increased. At the worst point, it could take up to .3 AVAX in failed attempts before securing a loot.
It was obvious that I was competing against people with validator gossip access; they were actually submitting attacks in blocks before the mine actually opened.
I never got this iteration of the bot competitive enough for me to try and compete on gas with other looters, but my attempts would typically land 1-3 blocks away from the mine start.
The difficulty of acquiring a loot caused low efficiency, and the gas required for all the failed attempts ate into profits. It was still considerably more profitable than mining though, particularly since my crabs would have been terrible at it.
At this point I had created a server just for the webhooks and organization around botting, and I had invited a few friends from CHD who had crabs and were interested in getting started. Through word of mouth a few other people got invited to the server. Not too many people used the bot at this stage; it was hard to set up, hard to run, and still pretty early in development.
I believe I was charging something like ‘20% of the extra TUS you think the bot made you’ which was vague and unhelpful to people, and done on the honor system. Later on I switched it to a flat 3%. I wasn’t that happy with the performance of looting and the value added by auto mining didn’t seem worth that much to me.
Apparently I whiffed on this because other botters seem to be charging quite a bit more for inferior products, and people are still willing to pay. One guy is even reselling a copy paste of an open source bot for several thousand dollars.
The Anti-Bot Update
Eventually the Crabada team released an update that gated loots behind a captcha. For a few days it was super easy to manually loot, but eventually it got harder and harder.
Rather than take this lying down, I built a mechanism to simplify acquiring the loots. The bot itself still picked the mine to attack, but it broadcast the details to a webpage you would leave open, which would poll until the mine was ready to be attacked, and then display the captcha. You would solve the captcha, and then it would do the rest of the work.
By eliminating the mine/team selection aspects, locating the server in Singapore, and a few other optimizations, it became extremely easy to acquire loots (1-2 tries per loot).
For a while we had a ‘Solver as a Service’ thing going on where people would get paid to open loots while the team owners were sleeping.
I charged 15% of looted TUS for this service.
This worked, but it wasn’t very scalable or efficient. I looked into various services to automate the captcha solving, but they all used humans and were too slow.
But at some point, someone in the Crabada Discord complained about a service called ‘looting.win’ that claimed to open loots on your behalf. By the time I got there the site no longer worked (due to one of Crabada’s early patches to anti-bot). But interestingly you could submit invalid parameters to the page and get debug output.
By carefully adjusting the inputs I fed to the page I eventually managed to track down the backend service they were using to automatically solve captchas.
Actually signing up and paying for that service was a completely separate nightmare that I will spare you. Paying people in other countries that don’t take crypto makes me realize how useful crypto is for P2P payments.
I charged 25% of looted TUS for this service.
Looting Takes Off
Now that I had a fully automatic looting bot, a lot of people were interested in using it. Using the bot would 3x-4x your income over mining. I onboarded a lot of new users, and the existing users of the bot just kept compounding their gains into more teams. It was pretty crazy watching the total number of loots increase from day to day.
Along with other data I was collecting, I was able to produce reports on who the most prolific looters were. Three of the top 10 were users of my bot, and quite a few of the top 100. We probably would have had more top 10 users if I hadn’t recommended people keep it to 10-15 teams per account.
Here are the stats for the day before the ‘loot point’ change went into effect:
At our peak we accounted for about 15% of all mines looted per day. I didn’t put a lot of effort into tracking most stats, but peak earnings were about 450K TUS, so users of my bots earned about 1.8M TUS that day.
Eventually Crabada changed things so that we were required to mine 1x per 4x loots. The whole time I had recommended that people always acquire teams that they would be happy mining with since looting could break at any time (more on that next) so I and other users generally were able to configure teams to be 231MP. Between the high MR of most of our teams, and the extra time per day from reduced mine times, income only dropped about 35% with this change.
It certainly didn’t hurt that by the time this came, I had made enough improvements to the bot that users were getting numbers like these:
Example post-loot point stats for the CHD bots below. I could not find a screenshot with the really big numbers prior to that but just imagine these numbers doubled:
Anti-Bot Work by Crabada
It probably wasn’t noticeable by the average user, but the Crabada team was actually really proactive about patching issues with the anti-bot patch, and just in general making my life more difficult.
I actually only started compounding my gains into more teams several weeks into having an auto loot bot because I was so worried about the possibility that they would permanently break us.
They tended to change things in the middle of the night (for me) meaning I would compulsively wake up every couple of hours to check Discord for pings. It ruined my sleep for weeks. I eventually even set up a pager app and gave some people access to page me. At the peak, for every hour that looting was down, about a thousand dollars of my money caught on fire.
Here are a couple of short stories from this time. If I remembered all the details, I could probably write a novel about it.
In the first iteration of anti-bot, it was actually possible to solve the captcha in advance, save the results, and apply it to any mine you wanted to loot. I used this feature to my advantage in the first version of the 'assisted looting’ bot.
They patched that within the first couple of days, but it was super smooth sailing until they did.
At one point they broke us for a few days, and I couldn’t figure out what they had done differently. The bot would just run, and fail to loot. I had set up a channel where everyone’s bot would dump their loot announcements. When that channel went quiet, we immediately knew something was wrong.
On the verge of giving up, suddenly someone’s bot started securing loots. After questioning, apparently the only thing they had done was attempt to loot manually. VirtualQuery wrote a script that just randomly clicked on things in the Crabada UI and that was enough to unblock looting. I eventually refined this down and incorporated a ‘captcha spammer’ into the bot.
Auto looting failure and betrayal
At some point Crabada inserted themselves into the captcha flow by having the GeeTest code use its servers as a proxy. This was relatively easy to defeat by using my own server as a proxy.
But once again a few days later, they managed to break auto looting and I couldn’t figure out why. I had wracked my brains, checked everything repeatedly.
Out of desperation, I tried reaching out to other people that had been identified as loot botters. Most of them were dead ends, but one person seemed to have an idea about what he was doing, although he didn’t actually have auto looting working. I shared some of the details of my setup, including how I was using the back-end captcha solving service.
Surprisingly, he managed to figure it out, and shared the fix with me, which was really embarrassing (the solver service was too efficient, needed to artificially add latency). We were back in business, and since that point I don’t think things were ever broken for more than a few hours at a time.
Sadly I soon found out that he had betrayed me, taken the details he had learned from me and brought them to the Crabada devs. As far as I know nothing ever came from that.
The perfect opportunity
I doubt I’ll ever find something like this again. There were just too many specific factors that lined up to make this profitable.
A highly profitable activity that was susceptible to automation abuse.
A medium barrier to entry (owning crabs) but no high barrier to entry (no validator required).
An ever-increasing technical barrier (the Crabada dev team efforts) that locked out inferior devs (reducing competition) while still being within my technical capabilities.
Required experience included writing bots, reverse engineering, HTTP and Web3 APIs, writing custom web proxies, monitoring and debugging just to get the basics working.
Scaling up to serving a lot of users required a lot of other skills, particularly since everything had to be accessible to non technical people.
A friend (VirtualQuery) who knew a lot of people, was willing to put his reputation on the line vouching for me, and basically handled the BizDev aspect.
A surprising number of people willing to basically blindly trust me with their assets. Even though technically they were running the bots on their own vms, realistically none of them knew what they were running.
Up Next: Part 3: Bot technical details