How Bad Bots Are Hijacking the Arts: The Hidden Cyber Threat Facing Theatres and Museums

From virtual box office fraud to skewed demand metrics, bad bots are rewriting the script for the theatre and wider performing arts industry.

Just a few months ago Thales released the 2025 Bad Bot Report, highlighting the growing threat that bots pose to both businesses and consumers alike. While we usually talk about the impact of bots on industries like banking, retail, or aviation, the arts sector is not immune. From ticketing abuse to fraud operations, bots are now targeting theatres, museums and live event platforms with alarming sophistication.  

While it might not be talked about as frequently, in the arts, this problem is quieter but just as corrosive. Bots don’t just exploit global supply chains or customer loyalty programs, they’re also undermining culture, creativity, and community.  

These invisible digital actors can steal the spotlight from genuine audiences – and it’s time we paid attention.  

Ticketing Turmoil: Bots and the New Scalping Game

Arts institutions, just like major retailers or airlines, are facing a surge in automated attacks on their digital platforms. Last year, bots accounted for 31% of all traffic to entertainment platforms, with malicious actors using them to hoard tickets, hijack accounts, or test stolen credit cards.  

A key threat is scalping bots – automated scripts that buy up tickets the moment they go on sale, only to resell them at inflated prices. Remember how hard it was to get Broadway tickets to Hamilton? The ticket scalping problem made headlines at the time, but ten years later it’s commonplace on a much wider scale. We’ve also seen the rise of carding bots, which use stolen credit card data to make transactions on ticketing sites.  

One public museum experienced exactly this kind of low-and-slow attack. By stealthily validating stolen card data, bots managed to process fraudulent purchases, disrupt system performance, and generate a damaging wave of financial losses – all before the threat was identified and mitigated. Low-and-slow bot attacks mimic human behaviour to evade detection, quietly targeting sensitive endpoints like login and checkout. As these subtle threats slip past traditional defences, arts organisations must turn to real-time behavioural analysis and advanced bot management to protect access and trust.  

Distorted Metrics, Distorted Strategies

Bots don’t just buy tickets; they distort visibility and data. When automated traffic floods websites and ticketing platforms, it inflates look-to-book ratios and online engagement stats. This makes it difficult for arts marketers to measure genuine campaign success.  

The Bad Bot Report shared a stark example: a global talent agency found that 83% of its website traffic was bot-driven – effectively crippling its ability to assess return on investment on digital campaigns. Imagine this scenario for theatres promoting limited runs or fringe productions. False engagement could lead to misguided ad spend and strategic decisions.  

AI-Powered Threats: Lower Barriers, Higher Risks

The use of AI in bot creation is accelerating. In 2024, automated traffic overtook human traffic for the first time, with 37% of all internet activity now driven by malicious bots, a trend largely attributed to AI tools lowering the technical barrier to launching automated attacks.  

For the arts, this means even small productions and regional venues are vulnerable. A bot doesn’t discriminate by budget – it targets vulnerabilities. Whether scraping seat prices or targeting promotional offers, the threat is both scalable and indiscriminate.  

Why Cultural Institutions Must Think Like Tech Companies

Last year, automation on ticketing sites surged to 86.5%, with bad bots making up a third of that total. Theatres, concert halls, and museums are now digital-first operations, making them a digital-first target.  

Bots exploit gaps in business logic, abuse APIS, and target critical transaction workflows. That’s why the sector needs to adopt some of the same strategies used in other enterprise sectors:  

• Protect checkout and login endpoints with behavioural analytics and rate-limiting
• Monitor for unusual traffic spikes and failed transaction patterns
• Use advanced bot protection solutions to stop scalping, carding, and account takeover attempts
• Regularly audit application logic for vulnerabilities that bots can exploit silently  

Cyber Resilience as a Creative Enabler

Cybersecurity in the arts isn’t just about protection – it’s about enabling fair access, preserving trust, and ensuring that human creativity remains at the heart of cultural experiences. As bots become more sophisticated, so too must our defences.