- Over half of the traffic online is now just bots according to Imperva’s Bad Bot 2025 report.
- Of concern is the fact that 37 percent of all traffic online is now bad bots conducting malicious attacks.
- Cybercriminals are also using popular AI tools to help in their attacks.
When I was a young nerd, one of the most astounding things you’d hear about was how much of the traffic online was just folks pirating content. In the early 2010s, roughly a quarter of the bandwidth being used online was for piracy, but today, bad bots dwarf that figure.
Cybersecurity firm Imperva has released its Bad Bot Report 2025, and that report suggests that there are now more bots trawling the hallways of the internet than there are humans.
“For the first time in a decade, automated traffic surpassed human activity, accounting for 51% of all web traffic in 2024. This was largely driven by the rapid adoption of AI and large language models (LLMs), which have made bot creation more accessible and scalable,” writes Imperva.
Unfortunately, this increase has also led to an increase in the number of bad bots (software that performs malicious actions autonomously) online, with 37 percent of bot traffic being attributed to so-called bad bots. These are malicious pieces of kit that tend to target APIs being used or run by large corporations. Attacking these APIs can, if successful, give cybercriminals a view into a target or a foot in its door.
This is made more worrying by the fact that attackers are targeting financial services, telecommunications, healthcare and retail sectors with API attacks looking to either glean sensitive information or disrupt operations.
Generally, attackers are using bots to scrape data, conduct payment fraud, take over accounts and, most surprisingly, engage in scalping. Imperva reports that attackers use bots to purchase high-demand items or services, artificially inflating the price for regular consumers.
“In addition to these primary techniques, our report also highlights other methods such as Gift-Card Fraud (~4), Remote Code Execution (~4%), and Session Hijacking (~2%). The common denominator across all these tactics is the exploitation of inherent API vulnerabilities, ranging from misconfigurations and insufficient rate limiting to weak authentication protocols,” reads the Imperva report.
The AI wars are here
There has been much debate among experts about whether cybercriminals are using artificial intelligence and if they are, how they are using it. To be clear, cybercriminals have used AI in the past for deepfakery, to craft more convincing scam emails and more, but utilising the compute power of AI to execute attacks has been a rarity given the costs associated with AI training.
That tide has changed according to Imperva. AI tools including ChatGPT, ByteSpider Bot, ClaudeBot, Google Gemini, Perplexity AI, Cohere AI, and Apple Bot have all been used in some capacity over the last year to execute cyber attacks.
“AI is enabling attackers to execute a wide range of cyber threats, including DDoS attacks, custom rules exploitation, and API violations. While API violations can involve automated bot activity, they also include broader abuse scenarios, such as unauthorized access attempts and exploitation of misconfigurations. However, bot-driven attacks, in particular, are becoming more sophisticated and harder to detect. In 2024, bad bots accounted for over 16% of all AI-enabled attacks,” writes Imperva.
Attackers are also keenly aware of the measures in place and so are taking steps to evade detection.
Imperva notes that every company is different and, as such, the risks they face will be as unique as the business. There are measures business owners can put in place to mitigate the risk of bad bots upending their company, but that requires action. The number of bots, and with it the number of bad bots, online is only going to grow until eventually the internet is just a surge of AI bots conversing with each other and scraping copyright-protected material for the latest IP infringement tool.
We highly recommend business owners and decision makers put the Imperva Bad Bot Report 2025 on their reading list for the week. It may prove more useful than you realise. You can find the free report here.