CyberSecurity SEE

Bot Traffic Surpasses Human Activity as Threat Actors Utilize AI

Automated traffic now dominates the online landscape, with the majority of activity on the web being attributed to bots rather than human users. According to the latest report from Thales, the prevalence of bad bot traffic saw a significant increase from 32% to 37% last year.

Thales, a French defense giant, released its 12th annual 2025 Imperva Bad Bot Report, which is based on data collected by Imperva’s global network. The report revealed that a staggering 13 trillion bad bot requests were blocked across various domains and industries in the past year alone.

In a surprising turn of events, bot traffic accounted for 51% of total web activity last year, surpassing human interaction for the first time in a decade. Thales attributed this shift to the rise in malicious activity, especially the use of AI and large language models (LLMs) to streamline the creation of bad bots at scale.

The report identified ByteSpider Bot as the leading culprit behind AI-enabled attacks, responsible for 54% of such incidents. This was followed by Applebot at 26%, ClaudeBot at 13%, and ChatGPT User Bot at 6%.

While ByteSpider Bot is a legitimate web crawler operated by ByteDance, the parent company of TikTok, Applebot is the US tech giant’s equivalent. ClaudeBot, on the other hand, is involved in scraping training data for Anthropic’s generative AI assistant Claude.

The report highlighted that certain industries, such as travel and retail, are particularly vulnerable to bad bot traffic. The travel sector experienced a significant increase in bot attacks, becoming the most targeted industry in 2024 with a share of 27% of all bot attacks. However, the share of advanced bot attacks decreased from 61% to 41%, while simple bot attacks surged from 34% to 52%.

Thales suggested that the rise in AI-powered bots is enabling less skilled threat actors to launch higher volumes of simpler attacks. These attacks range from DDoS to custom rules exploitation and API violations. In fact, 44% of advanced bot traffic targeted APIs last year to exploit vulnerabilities in API workflows, carry out automated payment fraud, hijack accounts, and exfiltrate data.

The report also highlighted that financial services, healthcare, and e-commerce providers are particularly susceptible to advanced API attacks due to the sensitive nature of the data they handle. Tim Chang, general manager of application security at Thales, emphasized the importance of understanding the vulnerabilities associated with APIs, especially as organizations adopt cloud-based services and microservices architectures.

“As organizations embrace cloud-based services and microservices architectures, it’s vital to understand that the very features that make APIs essential can also leave them susceptible to risk of fraud and data breaches,” said Tim Chang.

In conclusion, the prevalence of bad bots and their sophisticated tactics continue to pose a serious threat to online security. As technology evolves, it is crucial for organizations to stay vigilant and implement robust security measures to protect against malicious bot activities.
