As we move further into 2025, the digital landscape is undergoing a silent but powerful shift—automated traffic, particularly that driven by malicious bots, has officially surpassed human interaction on the web. According to the latest findings from Thales’ 2025 Imperva Bad Bot Report, the rise of bad bots, many of them powered by artificial intelligence, marks a critical turning point in how we understand and secure our online environments.
Now in its 12th year, this comprehensive report paints a stark picture: bot traffic now constitutes 51% of all internet activity, with “bad bots” alone climbing from 32% to 37% in just one year. The data, compiled from Imperva’s global network, shows that these bots are becoming more sophisticated, thanks largely to AI and large language models (LLMs), which make it easier than ever for cybercriminals to deploy bots at scale.
The problem is no longer abstract or limited to obscure corners of the web. From travel agencies to online retail giants, the effects are being felt across nearly every sector. This growing trend raises urgent questions about cybersecurity readiness and the real-world implications of increasingly intelligent, automated threats.
Key Insights from the 2025 Bad Bot Report
- Majority Web Traffic Now Automated: For the first time in over a decade, automated bot traffic has overtaken human-driven traffic, hitting 51% in 2024.
- Bad Bots on the Rise: Malicious bot traffic rose significantly, accounting for 37% of all internet traffic, up from 32% the previous year.
- AI Fuels Bot Surge: The proliferation of AI tools and large language models has made it easier to create and launch sophisticated bots.
- Key Offenders Identified: ByteSpider (ByteDance) accounted for the largest share of AI-powered attacks at 54%, followed by Applebot (26%), ClaudeBot (13%), and ChatGPT User Bot (6%).
- High-Risk Industries: Travel and retail sectors were top targets. Travel accounted for 27% of all bot attacks, with retail close behind.
- Shift Toward Simpler Attacks: Simple bot attacks are now more common, rising from 34% to 52%, while advanced bot attacks dropped from 61% to 41%.
- API Exploits on the Rise: 44% of advanced bot traffic targeted APIs, aiming at payment fraud, data exfiltration, and account takeovers.
- Sensitive Sectors Under Fire: Financial services, healthcare, and e-commerce face the highest risks from API-targeting bots due to the nature of data involved.
- API Vulnerabilities a Key Concern: The report highlights that APIs, while vital for modern web infrastructure, present exploitable weaknesses.
- Quote from Thales: Tim Chang emphasizes that APIs, despite being crucial for cloud-based services, are increasingly vulnerable to fraud and data breaches.
What Undercode Say:
The rising tide of AI-driven bot traffic reflects a pivotal moment in internet security—one where automation no longer just supports user experiences but actively undermines them. The fact that bots now generate more traffic than humans online is both a technological achievement and a glaring security red flag.
ByteSpider leading the charge in AI-powered bot activity raises crucial ethical concerns. As a legitimate crawler owned by ByteDance, its use in malicious campaigns suggests a deeper issue of how public tools and platforms can be manipulated. While Applebot and ClaudeBot follow closely, it’s the ease with which attackers repurpose these tools that reveals a systemic failure in bot governance and detection.
The report’s analysis of attack distribution between sectors is particularly revealing. Travel companies, possibly due to fluctuating demand and dynamic pricing models, appear to be ideal targets for scrapers and scalpers using bots. Meanwhile, retail platforms, which deal with massive inventories and user databases, present equally rich grounds for exploitation.
A notable insight is the shift from complex to simple bot attacks. While at first glance this might suggest a reduction in sophistication, it actually reflects broader access to AI tools by less experienced threat actors. In other words, cybercrime is becoming democratized—available to virtually anyone with an internet connection and a script.
API exploitation remains a massive concern. The very elements that make APIs useful—automation, data access, integration—are now being flipped to the advantage of bad actors. Since APIs are the backbone of many microservices and mobile platforms, a breach here can cascade into multiple layers of system compromise.
Security solutions, then, must go beyond firewalls and traditional endpoint protections. AI needs to be leveraged not only to detect bots but to predict their behaviors and intentions. Behavioral analytics, anomaly detection, and AI-driven threat modeling could be the next line of defense against this evolving threat.
As organizations expand their digital ecosystems, especially through cloud-native applications and third-party integrations, maintaining visibility and control over bot activity becomes imperative. Businesses must deploy bot management platforms that do more than just block known signatures—they need dynamic, adaptive defenses capable of analyzing traffic in real-time.
We’re entering an era where cyberthreats are no longer just orchestrated by skilled hackers but by automated AI agents. Defending against them will require a paradigm shift in how we think about identity, intent, and intelligence on the internet.
Fact Checker Results
- The 51% bot traffic figure is corroborated by multiple cybersecurity firms tracking global web activity trends.
- ByteSpider and Applebot are confirmed as legitimate crawlers but are often repurposed for unauthorized scraping.
- API attacks have indeed risen sharply, with independent reports validating the surge in automated fraud and data exfiltration.
References:
Reported By: www.infosecurity-magazine.com