AI-driven bots make up half of web traffic: Report

Automated bot traffic surpassed the human-generated type for the first time in a decade, constituting 51 percent of all web traffic in 2024, according to a recent report.

This shift is attributed to the rise of artificial intelligence and Large Language Models, which have made it easier to create and scale bots for malicious purposes, the report said.

The 2025 Imperva Bad Bot Report, released in late April by cybersecurity firm Imperva, drew from data collected in 2024, including the blocking of 13 trillion bad bot requests across thousands of domains and industries.

It compared bot traffic between 2023 and 2024, and found bad bots to be most prevalent in the gambling, gaming, automotive and travel sectors.

Of the total bot traffic, 37 percent were found to be malicious activities, including data scraping, payment fraud, account takeovers, theft of credentials and distributed denial-of-service, or DDoS. DDoS attackers make websites unavailable to legitimate users by flooding the sites with queries.

With the help of AI, bad bots can mimic human behavior — including mouse movements and clicks — making them difficult to detect and block, said the report.

"The surge in AI-driven bot creation has serious implications for businesses worldwide," said Tim Chang, general manager of application security at Thales, a global cybersecurity company.

The emergence of advanced AI tools — including ChatGPT, Byte-Spider Bot, ClaudeBot, Google Gemini, Perplexity AI and Cohere — has transformed the methods by which attackers execute cyber threats.

For instance, bad bots automatically crack outdated mobile applications that do not enforce mandatory updates, write codes to increase attack volumes and collect large quantities of sensitive data.

In 2024, Imperva blocked an average of 2 million AI-powered cyberattacks daily.

Such traffic typically comes in the form of social media post hijacking, where bots produce inflammatory or empathetic messages to rouse viewers to engage with the content, said Jan Sysmans, Appdome's mobile app security evangelist based in Singapore.

"The people behind these bots are trying to propagate their own agenda and create tension to spark a flame," he added.

"There isn't a standard way these bots approach (hijacking). It just encourages users to engage in the content, which influences their algorithm. Subsequently, users will get fed more of such inflammatory or empathetic content, creating an echo chamber effect."

Globally, the travel sector is the most targeted, accounting for over a quarter of all bot attacks. It is trailed by the retail, education and financial services sector, according to the Imperva study.

Notably, travel websites face an increase in simple bot attacks, possibly launched by less sophisticated criminals using AI tools.

Disrupting travel

These attacks include "seat spinning", where bots simulate the booking process of flight tickets up to the payment step, without completing the purchase. This hogs tickets and denies potential customers access to them, disrupting airline businesses and jeopardizing their reputation.

AI tools flooding travel websites with traffic may also inflate the demand and costs of tickets.

Online retailers faced threats, including scalping, credential stuffing, gift card fraud and DDoS — all year round in 2024 as opposed to just during festive seasons in 2023.

Scalping involves buying many of the same items such as limited edition goods or concert tickets at the usual price and reselling them at higher prices.

Credential stuffing involves taking over someone's online account using stolen usernames and passwords.

Financial services, telecom, healthcare and retail are the most targeted industries for bot attacks on application programming interfaces, or APIs.

These sectors depend on APIs for critical operations and sensitive transactions, making them prime targets for such sophisticated bot attacks.

APIs act like a bridge between applications, allowing them to share data. For instance, an e-commerce platform that accepts credit card payments or bank transfers is linked via APIs to the payment service firm or the bank.

Bots typically steal customer information or competitive intelligence, abuse promotional mechanisms and exploit vulnerabilities in checkout systems for fraud, according to the study.

"Businesses need to take steps to protect themselves from bots and online fraud," Imperva said, urging businesses to implement multifactor authentication measures and real-time bot detection to protect customers.

On how internet users should protect themselves from falling prey to the effects of bad bots, Sysmans said: "It is going to be very hard, with how advanced AI and technology is now. But one must always be vigilant and ask, 'Is this too good to be true?'"

THE STRAITS TIMES, SINGAPORE