Introduction
The rise of automated traffic, particularly malicious bot activity [1] [2] [9], has become a significant concern for online security. According to the latest Imperva Bad Bot Report, automated traffic now surpasses human online activity [3], with bots accounting for over half of all web traffic. This trend poses serious implications for businesses [6], as the sophistication of generative artificial intelligence (AI) enables the creation of more advanced and numerous bots, increasing the risk of cyberattacks.
Description
Automated traffic has now surpassed human online activity [3], accounting for 51% of all web traffic [2] [3] [5] [6] [7] [8] [9], according to the latest Imperva Bad Bot Report. Malicious bot traffic has risen to 37%, with this increase attributed to the growing sophistication of generative artificial intelligence (AI). This advancement allows less experienced attackers to create a higher volume of low-quality bots, leading to a surge in simple bot attacks. The report is based on data from Imperva’s global network [3] [5] [7], which analyzed 13 trillion bad bot requests across various domains and industries [3] [5] [7] [8].
ByteSpider Bot has emerged as a significant player in this landscape, responsible for 54% of all AI-enabled attacks [1] [3] [4] [6] [7], followed by AppleBot (26%) [4], ClaudeBot (13%) [1] [3] [4], and ChatGPT User Bot (6%) [1] [3] [4] [6]. While ByteSpider is a legitimate web crawler operated by ByteDance [4], AppleBot is associated with Apple [4], and ClaudeBot is used for scraping training data for Anthropic’s generative AI assistant [4], Claude [1] [3] [4]. The rise of AI-driven bot creation poses serious implications for businesses [6], as automated traffic now constitutes more than half of all web activity [6], increasing the risks associated with bad bots.
Bad bots are utilized in various attacks [4], including DDoS attacks and API violations [4]. In 2024, 44% of advanced bot traffic targeted Application Programming Interfaces (APIs) [1], a significant increase from just 10% targeting applications [2] [9], indicating a shift towards API endpoints that handle sensitive data [2] [9]. The financial services [1] [2] [4] [5] [6] [7] [8] [9], healthcare [1] [2] [4] [5] [6] [7] [8] [9], and e-commerce sectors are particularly vulnerable [1] [4] [6] [7] [8], accounting for over 75% of all API attacks [2] [9]. The financial services sector is the most targeted for account takeover (ATO) incidents [1] [5] [6] [7] [8], representing 22% of such attacks [2], followed by Telecoms and ISPs at 18% [5] [8], and Computing & IT at 17% [5] [8]. ATO attacks have surged by 40% [2] [9], highlighting the growing threat to organizations. Tim Chang [3] [4], general manager of application security at Thales [3] [4], emphasized that while APIs are essential [4], their inherent business logic creates unique vulnerabilities that malicious actors seek to exploit [4], especially as organizations increasingly adopt cloud-based services and microservices architectures [4].
The travel and retail sectors are also significantly impacted [5], with bad bots constituting 41% and 59% of their traffic [5] [6] [7] [8], respectively [5] [6] [7] [8]. The travel industry has become the most attacked sector [2] [5] [6] [7] [8] [9], with bot attacks rising from 21% to 27% of all incidents in 2024, and 48% of web traffic to travel sites comprised of bad bots [2] [9]. However, there has been a decline in advanced bot attacks within the travel sector [5] [7] [8], dropping from 61% to 41% [5] [8], while simpler bot attacks have surged from 34% to 52% [5] [8]. This trend indicates that AI tools have enabled attackers to execute more basic bot attacks [5] [8]. As automated traffic exceeds half of all web activity [7], organizations face heightened risks from bad bots [7], which are increasingly adept at mimicking human behavior, complicating the task for security teams to distinguish between bots and legitimate users. Common evasion tactics include the use of residential proxies [2] [9], faking browser identities [2] [9], and AI-assisted scripting [2] [9]. Given the significant business risks posed by bad bots, advanced mitigation strategies are essential to combat fraud, financial losses [1] [2] [5] [6] [7] [8] [9], and security threats [2] [9].
Conclusion
The increasing prevalence of automated and malicious bot traffic presents significant challenges for businesses across various sectors. As AI continues to evolve, the sophistication and volume of bot attacks are likely to grow, necessitating robust security measures. Organizations must prioritize advanced mitigation strategies to protect against fraud, financial losses [1] [2] [5] [6] [7] [8] [9], and security threats [2] [9]. The future of online security will depend on the ability to adapt to these evolving threats and implement effective defenses against the ever-growing risk posed by bad bots.
References
[1] https://www.archyde.com/ai-bots-dominate-internet-traffic-thales-report/
[2] https://www.imperva.com/blog/2025-imperva-bad-bot-report-how-ai-is-supercharging-the-bot-threat/
[3] https://www.itpro.com/security/ai-is-helping-bad-bots-take-over-the-internet
[4] https://www.infosecurity-magazine.com/news/bot-traffic-human-activity-threat/
[5] https://www.thalesgroup.com/en/worldwide/defence-and-security/press_release/artificial-intelligence-fuels-rise-hard-detect-bots
[6] https://securitymea.com/2025/04/15/ai-fuels-rise-of-hard-to-detect-bots/
[7] https://cpl.thalesgroup.com/about-us/newsroom/2025-imperva-bad-bot-report-ai-internet-traffic
[8] https://www.businesswireindia.com/artificial-intelligence-fuels-rise-of-hard-to-detect-bots-that-now-make-up-more-than-half-of-global-internet-traffic-according-to-the-2025-imperva-bad-bot-report-94406.html
[9] https://securityboulevard.com/2025/04/2025-imperva-bad-bot-report-how-ai-is-supercharging-the-bot-threat/
