Thales has announced the release of the 2025 Imperva Bad Bot Report, a global analysis of automated bot traffic across the internet. This year’s report, the 12th annual research study, reveals that generative artificial intelligence (AI) is revolutionising the development of bots, allowing less sophisticated actors to launch a higher volume of bot attacks with increased frequency. Today’s attackers are also leveraging AI to scrutinise their unsuccessful attempts and refine techniques to evade security measures with heightened efficiency, amidst a growing Bots-As-A-Service (BaaS) ecosystem of commercialised bot services.
Automated bot traffic surpassed human-generated traffic for the first time in a decade, constituting 51% of all web traffic in 2024. This shift is largely attributed to the rise of AI and Large Language Models (LLMs), which have simplified the creation and scaling of bots for malicious purposes. As AI tools become more accessible, cyber criminals are increasingly leveraging these technologies to create and deploy malicious bots which now account for 37% of all internet traffic – a significant increase from 32% in 2023. This is the sixth consecutive year of growth in bad bot activity, posing security challenges for organisations striving to safeguard their digital assets.
Both the Travel and the Retail sectors face an advanced bot problem, with bad bots making up 41% and 59% of their traffic respectively. In 2024, the travel industry became the most attacked sector, accounting for 27% of all bot attacks, up from 21% in 2023. The most notable shift in 2024 is the decline in advanced bot attacks targeting the travel industry (41%, down from 61% in 2023) and the sharp increase in simple bot attacks (52%, up from 34%). This shift indicates that AI-powered automation tools have lowered the barriers to entry for attackers, allowing less sophisticated actors to initiate more basic bot attacks. Rather than relying exclusively on sophisticated techniques, cybercriminals are increasingly utilising high volumes of simpler bots to inundate travel sites, resulting in more frequent and widespread attacks.
The Rise of AI-Driven Bots: A New Era of Cybersecurity Challenges
The emergence of advanced AI tools, including ChatGPT, ByteSpider Bot, ClaudeBot, Google Gemini, Perplexity AI, and Cohere AI, are transforming not just user interactions but also the methods by which attackers execute cyber threats. According to the Imperva Threat Research team, widely used AI tools are being leveraged for cyberattacks, with ByteSpider Bot alone responsible for 54% of all AI-enabled attacks. Other significant contributors include AppleBot at 26%, ClaudeBot at 13%, and ChatGPT User Bot at 6%.
“The surge in AI-driven bot creation has serious implications for businesses worldwide,” said Tim Chang, General Manager of Application Security at Thales. “As automated traffic accounts for more than half of all web activity, organisations face heightened risks from bad bots, which are becoming more prolific every day.”
As attackers become more adept at utilising AI, they can execute a variety of cyber threats—ranging from DDoS attacks to custom rules exploitation and API violations. While bot-driven attacks have become increasingly sophisticated, they pose significant challenges for detection efforts.
“This year’s report sheds light on the evolving tactics and techniques utilised by bot attackers. What were once deemed advanced evasion methods have now become standard practice for many malicious bots,” Chang said. “In this rapidly changing environment, businesses must evolve their strategies. It’s crucial to adopt an adaptive and proactive approach, leveraging sophisticated bot detection tools and comprehensive cybersecurity management solutions to build a resilient defense against the ever-shifting landscape of bot-related threats.”
Bad Bots Targeting API Business Logic Pose Increased Threat to Modern Enterprises
Recent findings from the Imperva Threat Research team reveal a significant surge in API-directed attacks, with 44% of advanced bot traffic targeting APIs. These attacks aren’t just limited to overwhelming API endpoints; rather, they target the intricate business logic that defines how APIs operate. Attackers deploy bots specifically designed to exploit vulnerabilities in API workflows, engaging in automated payment fraud, account hijacking, and data exfiltration.
Analysis in the report reveals a deliberate strategy by cyber attackers to exploit API endpoints that manage sensitive and high-value data. Implications of this trend are especially impactful for industries that rely on APIs for their critical operations and transactions. Financial services, healthcare, and e-commerce sectors are bearing the brunt of these sophisticated bot attacks, making them prime targets for malicious actors seeking to breach sensitive information.
APIs serve as the backbone of modern applications, enabling connectivity across services, streamlining operations, and delivering personalised customer experiences at scale. They underpin essential functions such as payment processing, supply chain management, and AI-driven analytics, making them indispensable for enhancing efficiency, accelerating product development, and unlocking new revenue streams.
“The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities that malicious actors are eager to exploit,” Chang said. “As organisations embrace cloud-based services and microservices architectures, it’s vital to understand that the very features that make APIs essential can also leave them susceptible to risk of fraud and data breaches.”
Financial Services, Healthcare, and E-commerce Industries Face Heightened Risk
The 2025 Imperva Bad Bot Report provides an in-depth analysis highlighting the industries most at risk. Financial services, healthcare, and e-commerce are the most affected sectors, industries that rely on APIs for critical operations and sensitive transactions, making them attractive targets for sophisticated bot attacks.
The financial services sector was the most targeted industry for account takeover (ATO) attacks, accounting for 22% of all incidents, followed by Telecoms and ISPs with 18%, and Computing & IT with 17%. Financial Services has long been a prime target for ATO attacks due to the high value of accounts and the sensitive nature of the data at stake. Banks, credit card companies, and fintech platforms possess vast amounts of Personally Identifiable Information (PII), including credit card and bank account details, which can be profitably sold on the dark web. Additionally, the growing proliferation of APIs within the industry has broadened the attack surface, allowing cyber criminals to exploit vulnerabilities such as weak authentication and authorisation methods, thereby facilitating account takeovers and data theft.
- TA
