In a landmark shift for the digital world, automated bots have surpassed humans in dominating global web traffic for the first time, according to the newly released 2025 Imperva Bad Bot Report. Bots now account for 51% of all internet activity, signaling a profound transformation in the way the web operates — and a growing challenge for businesses and cybersecurity experts alike.
The report highlights that not all bots are benign. A significant share — 37% of total web traffic — is now attributed to malicious bots engaged in activities such as credential stuffing, web scraping, payment fraud, and account takeovers. This marks a steep increase from 32% in 2023, driven largely by advances in generative AI, which has made it easier and cheaper to create highly sophisticated bots.
“Bad bots comprised 37% of internet traffic in 2024,” emphasized the Financial Post, underscoring the mounting cybersecurity threat enabled by AI’s rapid evolution.
These bots are not only more numerous but also significantly more capable. Modern malicious bots can bypass CAPTCHA systems, mimic human browsing behavior with uncanny precision, and disguise their origins by routing traffic through residential IPs and VPNs. This makes them exceedingly difficult for traditional detection systems to identify and block.
The problem extends beyond websites. According to SecurityWeek, bot attacks on application programming interfaces (APIs) have surged, accounting for 44% of all advanced bot traffic. Targeted attacks on APIs primarily focused on:
- Data scraping (31%)
- Payment fraud (26%)
- Account takeovers (12%)
- Scalping (11%)
These findings reflect a broader and more deliberate strategy to exploit critical backend systems. APIs, while essential for modern digital infrastructure — including microservices and cloud applications — present a new frontier of vulnerabilities.
“The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities,” said Chang, a cybersecurity expert cited in the report. He warned that as companies deepen their dependence on interconnected services, their exposure to sophisticated bot attacks will continue to grow.
Some industries are feeling the pressure more than others. The financial services, healthcare, and e-commerce sectors have emerged as the top targets for bot-related crimes. Account takeover incidents, in particular, skyrocketed by 40% year-over-year, with more than 330,000 cases reported just in December 2024.
The scale of the problem is staggering: Imperva reported blocking 13 trillion malicious bot requests in 2024 alone. Yet experts caution that these efforts represent a constantly moving target, as attackers innovate faster than defenses can adapt.
Why It Matters
For businesses, the rise of bot traffic is not merely a technical issue — it carries direct consequences for operational security, financial integrity, and customer trust. Left unchecked, bots can distort analytics, siphon sensitive information, erode online services, and even cause regulatory breaches.
As AI continues to evolve, experts predict that bot sophistication will only accelerate, forcing companies to rethink their entire approach to digital security.
What’s Next
Organizations are increasingly investing in advanced bot mitigation technologies, combining machine learning detection, behavioral analysis, and API security solutions. However, experts warn that no silver bullet exists. Vigilance, proactive monitoring, and dynamic defense strategies will be critical as bots become an enduring and escalating threat.
In this new digital era where machines outpace human users, the battle against bad bots has become not just a priority, but a permanent reality.