The digital landscape has reached a critical turning point, with automated bot traffic now eclipsing human activity for the first time in a decade.
A stark warning comes from the 2025 Imperva Bad Bot Report, released by global technology and security provider Thales. The report highlights how the burgeoning accessibility of AI tools is fuelling a surge in sophisticated, hard-to-detect malicious bots, significantly lowering the barrier for cyberattackers.
The study reveals a reduced barrier to entry for cybercriminals due to the proliferation of AI and Large Language Models (LLMs). These technologies have streamlined the development and scaling of automated attacks, leading to an increase in the volume and frequency of bot activity. Malicious bots now account for 37% of all Internet traffic, a rise from 32% in the preceding year, marking the sixth consecutive year of growth in this category.
Hackers are using AI to analyse the outcomes of their attacks because it allows for iterative refinement of techniques, improving the bots’ ability to circumvent security measures. The emergence of a Bots-as-a-Service (BaaS) ecosystem further exacerbates this by providing readily available bot services to a wider range of threat actors.
The impact of automated traffic is evident across various sectors. The travel and retail industries are facing substantial advanced bot problems, with bad bots comprising 41% and 59% of their respective traffic. The travel sector has become the most targeted overall, accounting for 27% of all bot attacks in 2024, up from 21% in 2023.
Attack patterns in the travel industry indicate a tactical shift. Advanced bot attacks have decreased (from 61% to 41%), simpler bot attacks have increased (from 34% to 52%) suggesting that AI-powered automation has lowered the technical expertise required to launch attacks, enabling less sophisticated actors to employ high volumes of basic bots to disrupt travel websites more frequently.
Advanced AI tools are also being leveraged for cyberattacks. ByteSpider Bot is responsible for the majority (54%) of AI-enabled attacks observed in the report. Other contributors include AppleBot (26%), ClaudeBot (13%) and ChatGPT User Bot (6%).
API-directed attacks pose significant enterprise risk
Application Programming Interfaces (APIs) are another target. A substantial 44% of advanced bot traffic is now directed at exploiting API endpoints. The attacks are not solely focused on overwhelming infrastructure but are increasingly targeting the underlying business logic of APIs. Attackers are deploying bots specifically designed to exploit vulnerabilities in API workflows to facilitate automated payment fraud, account takeover and data exfiltration.
APIs are fundamental to modern application architecture, enabling connectivity, streamlining operations and facilitating personalised customer experiences. Their integral role in functions such as payment processing, supply chain management and AI-driven analytics makes them critical infrastructure and consequently, prime targets for malicious actors.
Financial, healthcare and e-commerce sectors at elevated risk
Financial services, healthcare and e-commerce are the sectors facing the highest risk from sophisticated bot attacks because of their reliance on APIs for critical operations and the sensitive nature of the data they handle.
The financial services sector was the primary target for account takeover (ATO) attacks, accounting for 22% of all incidents. Telecoms and ISPs (18%) and Computing & IT (17%) followed.
The financial services industry’s historical attractiveness for ATO attacks is attributed to the high value of accounts and the sensitive personal and financial data held. The increasing prevalence of APIs within the sector has expanded the attack surface, allowing cybercriminals to exploit vulnerabilities in authentication and authorisation mechanisms to facilitate account takeovers and data theft.
“The surge in AI-driven bot creation has serious implications for businesses worldwide,” said Tim Chang, General Manager of Application Security at Thales.
“As automated traffic accounts for more than half of all web activity, organisations face heightened risks from bad bots, which are becoming more prolific every day.”
