AI-Powered Bots Overtake Human Web Traffic: A 2025 Cybersecurity Wake-Up Call
April 15, 2025
In a landmark shift, automated bot traffic has surpassed human-generated traffic for the first time in a decade, now accounting for 51% of all web activity. This concerning trend highlights the escalating sophistication and proliferation of malicious bots, fueled by the increasing accessibility of artificial intelligence (AI) tools.
According to the 2025 Imperva Bad Bot Report, this surge is largely attributed to the rise of AI and Large Language Models (LLMs), which have drastically lowered the barrier to entry for cybercriminals looking to create and deploy malicious bots at scale. The report, released today by Thales, a global technology and security leader, paints a stark picture of the evolving threat landscape.
These developments signal a meaningful escalation in the cybersecurity arms race, with profound implications for businesses and consumers alike. The ease with which malicious actors can now leverage AI to automate and amplify their attacks demands a proactive and adaptive approach to security.
“The surge in AI-driven bot creation has serious implications for businesses worldwide,” said Tim Chang, General Manager of Request Security at Thales.
As automated traffic accounts for more than half of all web activity, organizations face heightened risks from bad bots, which are becoming more prolific every day.
The AI-Powered Bot Revolution: A Double-Edged Sword
The rise of readily available AI tools, such as ChatGPT, Google Gemini, and others, has created a double-edged sword. While these technologies offer amazing potential for innovation and efficiency, they also empower malicious actors with unprecedented capabilities.
The Imperva Threat Research team found that tools like ByteSpider Bot are being actively used in cyberattacks, with ByteSpider Bot alone responsible for 54% of all AI-enabled attacks. Other significant contributors include AppleBot at 26%, ClaudeBot at 13%, and ChatGPT User Bot at 6%. This democratization of AI-powered attack vectors necessitates a fundamental shift in how organizations approach cybersecurity.
For example, a small business owner in Iowa might now face sophisticated bot attacks that were previously only within the reach of well-funded criminal enterprises. This requires a vigilant approach to cybersecurity, including robust bot detection and mitigation strategies.
APIs Under Siege: The New Battleground for Bot Attacks
The 2025 report highlights a concerning trend: a surge in API-directed attacks. A staggering 44% of advanced bot traffic now targets APIs, exploiting vulnerabilities in their business logic to perpetrate automated payment fraud, account hijacking, and data exfiltration.
APIs (Application Programming Interfaces) are the backbone of modern applications, enabling seamless connectivity and data exchange between different services. However, their inherent complexity and critical role in business operations make them a prime target for malicious actors.
Chang emphasizes the inherent risk:
The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities that malicious actors are eager to exploit. As organizations embrace cloud-based services and microservices architectures, it’s vital to understand that the very features that make APIs essential can also leave them susceptible to risk of fraud and data breaches.
Consider a scenario involving a popular ride-sharing app like Uber or Lyft. Attackers could target the API responsible for processing payments, manipulating the system to steal funds or gain unauthorized access to user accounts. Similarly, in the healthcare sector, compromised APIs could lead to the theft of sensitive patient data, with potentially devastating consequences.
Industry | Impacted API Function | Potential Attack Scenario |
---|---|---|
Financial Services | Payment Processing | Automated Fraudulent Transactions, Account Takeover |
Healthcare | Patient Data Access | Theft of Sensitive Medical Records, Identity Theft |
E-commerce | Order Management | Inventory Manipulation, Price Scraping, Fake Reviews |
Financial Services, Healthcare, and E-commerce: The Prime Targets
The 2025 Imperva Bad Bot Report identifies financial services, healthcare, and e-commerce as the industries most vulnerable to these sophisticated bot attacks. These sectors rely heavily on APIs for critical operations and sensitive transactions, making them attractive targets for cybercriminals.
The financial services sector, in particular, faces a heightened risk of account takeover (ATO) attacks. According to the report, financial services accounted for 22% of all ATO incidents, followed by telecoms and ISPs (18%) and Computing & IT (17%). The high value of financial accounts and the sensitive nature of the data they contain make them a lucrative target for malicious actors.
For U.S. consumers, this means a greater risk of identity theft, financial fraud, and compromised personal information. Financial institutions are urged to implement robust multi-factor authentication, anomaly detection, and real-time threat intelligence to protect their customers and their assets.
What specific steps are you taking to protect your online accounts and data?
AI-Powered Bots Overtake the Web: An Interview with Cybersecurity Expert, Dr. Anya Sharma
April 16, 2025
Introduction
Archyde News recently spoke with Dr. Anya Sharma, Lead Cybersecurity Analyst at Global Cyber Insights, to delve into the alarming findings of the 2025 Imperva Bad Bot Report. The report reveals that automated bot traffic has surpassed human-generated traffic, signaling a significant shift in the cybersecurity landscape. Dr. Sharma offers her expert insights on the implications of this trend and what businesses and consumers need to know.
The Rise of AI-Driven Bots
Archyde: Dr. Sharma, the Imperva report highlights a critical moment – bots now represent over half of web traffic. What’s driving this surge in AI-powered bots?
Dr. Sharma: It’s a perfect storm, really. The accessibility of AI tools, including LLMs, has lowered the barrier to entry for malicious actors. They can now create refined bots at scale with relatively little effort. The democratization of AI is a double-edged sword; while it promotes innovation, it also fuels cybercrime.
Archyde: The report mentions specific bots like ByteSpider. Are these AI-powered bots more risky than their predecessors?
Dr. Sharma: Absolutely. Older bots were often rule-based and easier to detect. AI-powered bots like ByteSpider are intelligent, adaptive, and can mimic human behavior far more effectively, making them incredibly difficult to identify and block. They can also learn and evolve, making them a constantly moving target.
APIs Under Siege: The New Battleground
Archyde: The report also emphasizes the increasing targeting of APIs. Why are APIs such attractive targets for bot attacks?
Dr. Sharma: APIs are the digital glue that connects applications and services. They handle a vast amount of sensitive data and business logic. Attackers know that exploiting API vulnerabilities can lead to significant rewards, including data breaches, financial fraud, and account takeovers.
Archyde: Can you provide a real-world example to contextualize this API vulnerability?
Dr. Sharma: Consider an e-commerce site. A malicious bot could target the “order management API” to manipulate inventory, scrape prices, or even post fake reviews. This could cause significant financial damage and reputational harm to the business.
Industries at Risk
Archyde: The report singles out financial services, healthcare, and e-commerce as particularly vulnerable. What makes these industries prime targets?
Dr. Sharma: These sectors handle vast amounts of sensitive data and financial transactions, making them high-value targets. In financial services, account takeover attacks are a significant threat. Healthcare faces the risk of compromised patient data. E-commerce is susceptible to various attacks affecting both businesses and consumers.
Archyde: What proactive measures should these industries, and consumers, take to protect themselves?
Dr. Sharma: Businesses need to implement robust bot detection and mitigation strategies, including API security, multi-factor authentication, and real-time threat intelligence. Consumers should practice good cyber hygiene: strong, unique passwords, regular software updates, and vigilance against phishing attempts.
The Road Ahead
Archyde: This shift in web traffic from humans to bots has the potential to transform the Internet landscape, and impact your digital life. What long-term implications does this trend have for the future of the Internet and how we interact with it?
Dr. Sharma: The increased prevalence of AI-driven bots will likely lead to an arms race between attackers and defenders. We can expect to see more sophisticated attacks, driving the need for more advanced security technologies. The very structure of the web might change as we find new strategies to separate human traffic from malicious bot traffic. User experience could be affected as businesses implement tougher security measures to protect themselves, and the information we ultimately consume could be targeted by AI manipulation and misinformation. Ultimately, proactive innovation in the cybersecurity sector is key.
Archyde: Dr. Sharma, what’s one key takeaway you hope our readers will remember?
Dr. Sharma: The cybersecurity landscape is constantly evolving, and vigilance is now more critical than ever. Both businesses and individuals must proactively adapt to the threats posed by AI-powered bots.
Reader Engagement
Archyde: Thank you, Dr. Sharma, for your insightful analysis. Now, we’d like to hear from our readers. What specific steps are you taking to protect your online accounts and data? Share your thoughts and experiences in the comments below!