Cybercriminals are increasingly using generative AI (genAI) tools to evaluate and improve their attacks, a security firm has warned as a new analysis finds automated bots now account for over half of all Internet traffic – and that 72 per cent of this traffic comes from malicious bots.
Automated traffic surpassed human generated activity on the internet for the first time in the 12-year history of Thales’s Imperva Bad Bot Report, whose 2025 incarnation found that automated bots now account for 51 per cent of all web traffic – with ‘bad bots’ up sharply from last year.
Such bots are widely used for benign tasks such as collecting data to train AI systems and collecting pricing data for comparison shopping sites – but they are also being used for malicious purposes such as harvesting personal data, manipulating ticketing systems, and running DDoS attacks.
Malicious bots account for 37 per cent of all web traffic – an “alarming” surge from 32 per cent last year tied to genAI platforms like TikTok’s Bytespider Bot (54 per cent of attacks), Apple’s AppleBot (26 per cent), Anthropic’s ClaudeBot (13 per cent), and ChatGPT-User (6 per cent).
Yet not all of this traffic necessarily comes from those platforms, the Imperva Threat Research team said, noting that cybercriminals often disguise malicious bots as benign genAI scrapers to bypass website security controls.
The proportion of high-volume bot attacks surged from 40 per cent in 2023 to 45 per cent last year – an increase that the report attributes to “the increasing accessibility of AI-powered automation tools, which allow attackers with less technical expertise to launch bot attacks easily”.
AI driven bots’ sustained onslaught “has serious implications for businesses worldwide,” said Tim Chang, general manager of application security with Thales Cybersecurity Products, who warned that firms “face heightened risks from bad bots, which are becoming more prolific every day.”
GenAI finding weaknesses in company APIs
Easy access to genAI platforms is problematic because cybercriminals are using the tools to find and exploit vulnerabilities in victims’ application programming interfaces (APIs) – the ‘backbones’ that manage cloud-based access to victims’ “intricate” business logic, services and data.
After a “significant surge” in attacks on APIs, the Thales team reported that last year, 44 per cent of advanced bot traffic targeted APIs as part of a “deliberate strategy by cyber attackers to exploit API endpoints that manage sensitive and high-value data.”
Bad bots are targeting certain industries more than others. Image: Imperva / Supplied
Financial services, e-commerce and healthcare companies were “prime targets” as hackers manipulated their APIs to conduct automated payment fraud, hijack accounts, and steal data – with criminals exploiting weaknesses in the way they authenticate users and protect data.
Fully 25 per cent of observed attacks were “sophisticated bad bots specifically targeting and abusing business logic”, while a “significant” surge saw account takeovers – such as credential stuffing and brute-force attacks – increase by 40 per cent since 2023 and 54 per cent since 2022.
“The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities that malicious actors are eager to exploit,” Chang said, warning that “it’s vital to understand that the very features that make APIs essential can also leave them susceptible to fraud and data breaches.”
The AI wars are upon us
Cybercriminals’ predilection to target financial services companies had made financial centre Hong Kong the most attacked Asia-Pacific country – accounting for 24 per cent of all bot attacks.
Australia placed third, accounting for 18 per cent of bot attacks due to a “strong financial sector, e-commerce market, and critical infrastructure” that Thales said makes Australia a “frequent target” as cybercriminals use bots to launch credential attacks and automated fraud schemes.
Sophisticated breaches have fuelled a surge in identity fraud that, a recent Entrust report noted, has seen 61 per cent of Australian businesses reporting increases in identity theft, account creation fraud, and digital document forgeries – with 51 per cent reporting username/password breaches.
