In a significant shift in global internet usage patterns, automated bot traffic has surpassed human-generated activity for the first time in a decade, according to the 2025 Imperva Bad Bot Report.

The 12th annual research study reveals that bots now account for 51% of all web traffic, with malicious bots making up 37% of internet traffic - a concerning increase from 32% in 2023. This marks the sixth consecutive year of growth in bad bot activity.

"The surge in AI-driven bot creation has serious implications for businesses worldwide," said Tim Chang, General Manager of Application Security at Thales, which recently acquired Imperva.

"As automated traffic accounts for more than half of all web activity, organizations face heightened risks from bad bots, which are becoming more prolific every day."

AI Lowers Barriers for Cybercriminals

The report attributes this dramatic shift to the rise of generative artificial intelligence and Large Language Models (LLMs), which have significantly reduced the technical barriers for creating sophisticated bots. These accessible AI tools enable less skilled actors to launch more frequent and widespread attacks.

Researchers identified several AI platforms being exploited for malicious purposes, with ByteSpider Bot responsible for 54% of all AI-enabled attacks. Other significant contributors include AppleBot (26%), ClaudeBot (13%), and ChatGPT User Bot (6%).

The travel industry has become the most targeted sector, accounting for 27% of all bot attacks in 2024, up from 21% in 2023 The report notes a shift from sophisticated to simpler attacks in this sector, with advanced bot attacks declining from 61% to 41%, while simple bot attacks increased from 34% to 52%.

API Business Logic Under Attack

One of the most concerning trends highlighted in the report is the surge in API-directed attacks, with 44% of advanced bot traffic now targeting APIs. Rather than simply overwhelming API endpoints, these attacks exploit vulnerabilities in the business logic that defines how APIs operate.

"The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities that malicious actors are eager to exploit," Chang warned. "As organizations embrace cloud-based services and microservices architectures, it's vital to understand that the very features that make APIs essential can also leave them susceptible to risk of fraud and data breaches."

Financial Services Most Vulnerable to Account Takeovers

The financial services sector emerged as the most targeted industry for account takeover (ATO) attacks, accounting for 22% of all incidents, followed by Telecoms and ISPs (18%) and Computing & IT (17%).

The report explains that financial institutions remain prime targets due to the high value of accounts and sensitive data they manage. The proliferation of APIs within the industry has broadened the attack surface, allowing cybercriminals to exploit vulnerabilities such as weak authentication and authorization methods.

A Growing Bots-as-a-Service Ecosystem

The report also notes the emergence of a growing Bots-as-a-Service (BaaS) ecosystem, where commercialized bot services make sophisticated attack capabilities available to less technical actors. This democratization of attack tools, combined with AI's ability to help attackers learn from failed attempts, creates a rapidly evolving threat landscape.

"In this rapidly changing environment, businesses must evolve their strategies," Chang emphasized. "It's crucial to adopt an adaptive and proactive approach, leveraging sophisticated bot detection tools and comprehensive cybersecurity management solutions to build a resilient defense against the ever-shifting landscape of bot-related threats."

The 12th Annual Imperva Bad Bot Report analyzed data collected from across Thales' global network in 2024, including the blocking of 13 trillion bad bot requests across thousands of domains and industries.

Download THE 2025 Bad Bot Report here.