‘Bad Bots’ rewriting the rules of internet traffic

• 
  
  AI-generated malicious bots indistinguishable from genuine.
  
  


• 
  
  Organisations’ traffic needs behavioural scanning.
  
  

The

13th annual Bad Bot

report has been released by Thales, highlighting how automation, driven by AI, is reshaping today’s digital infrastructure. Studying 2025 bot activity, the report helps organisations in different industries prepare for the future through data and insight from the Thales Threat Research and Security Analyst Services teams. Security leaders and business stakeholders can therefore see how automation is impacting various facets of global businesses, including application availability, operational costs, and site performance.

Good bots, bad bots: AI-driven automation evolving

According to the Bad Bot report, AI-powered automation has evolved from an emerging trend into an important element of internet infrastructure. Over the last year, bot activity has increased more than tenfold with daily blocked requests increasing from 2 to 25 million. Not only is the sheer scale of this growth noteworthy but the normalisation of automated traffic becoming part and parcel of how the internet operates is significant, becoming “foundational to internet traffic.”

Organisations should accept that automation is permanent and a dominant part of the internet, the report states. Not all bots are bad but they all carry some sort of risk and managing this risk is important to maintain for future security.

The report found that AI agents are emerging as a third category of automated traffic, with more traditional “good” and “bad” bots. These agents are interacting with APIs and applications to collect data and are used in attempts at performing tasks for users. Therefore, behaviours that were once considered as suspicious are now being treated as safe and legitimate, changing how traffic might be managed.

It’s becoming harder to spot the differences between safe and malicious automation as both now function via identical workflows and infrastructure. The result? Intent is more difficult to detect as this only becomes clear over time or through patterns. Automation has become more human-like, according to the report, so distinguishing helpful activity from harmful activity is increasingly complex.

Automation blind spots

Despite AI-driven activity rising in the internet, visibility remains limited. Currently, only traffic that identifies itself or triggers security controls can be detected, leaving a large portion of automation completely unverified. Organisations only get part of the picture, as tracking the true scale of AI-powered risks is almost impossible.

With bots accounting for more than 53% of all web activity in 2025, it’s clear to see the changes to how digital services are being consumed. Unfortunately, this comes with rising malicious activity with bad bots making up 40% of that traffic.

Many bot attacks are happening against APIs, with 27% targeting API endpoints. Here, attackers can access sensitive data and interact directly with important application features. Furthermore, 21% of all attacks align with

OWASP

automated threat categories, showing that automated abuse is widespread and not rare or isolated.

The most common attack types over the last 12 months include general automation, like credential stuffing and brute force attacks, API violations, and business logic abuse (workflows being exploited). Attackers are targeting how applications function rather than their technical vulnerabilities, thus security risk is increasingly centred on protecting how applications are used in real-world workflows. Even if the software is technically secure, attackers can still exploit it through certain means, which is, to say the least, somewhat worrisome.

AI central to the rising sophistication of bot attacks

Approximately 58% of bot attacks are now considered “moderate or advanced,” using techniques like CAPTCHA bypassing and behavioural mimicry. Simpler attacks have also surged over the last year by over 230%, “driven by AI lowering the barrier to entry and letting attackers with limited expertise deploy automation at scale.” This introduces two fresh threats in the form of continuous low-level noise mixed with advanced, adaptive attacks.

The greatest impact is being felt by high-value sectors, particularly the financial services which accounted for 24% of all bot attacks and 46% of account takeover incidents. It comes as no surprise that there is a strong correlation between automation and direct financial gain, something traditional attacks have in common. Retail and travel are other sectors that have been heavily affected, especially by business logic abuse targeting pricing manipulation and inventory. In travel and airline sectors, for instance, bots targeted APIs, affecting availability and bookings.

Account takeover (ATO) continues as one of the most dangerous threats, despite the growing use of protection methods like multi-factor authentication. Bots are able to exploit the reuse of credentials, resulting in financial loss and regulatory penalties for businesses worldwide.

Evolving bots require new detection methods

Modern bots are becoming more effective at blending in with legitimate internet users, learning to mimic real browsers and implement realistic interaction patterns, the report states. As a result, classic detection methods like IP analysis are now less effective. Instead, behavioural analysis and long-term pattern recognition is now important to successful detection.

Whether we like it or not, bots are not one-off threats but are continuously evolving and adapting tactics based on earlier failures, which in turn blends in with existing behaviour patterns.

AI only exacerbates the cycle, helping attackers refine their attacks for improved efficiency. The report suggests organisations must adopt defence strategies that can also adapt to these advanced threats, not relying on more traditional, static protection already in place.

Business logic, another primary attack method on the rise, is where bots are targeting core user flows, like logins and transactions, instead of prioritising code-level vulnerabilities. Using legitimate requests at scale, these attacks are difficult to detect without a detailed picture of standard behaviour.

The Bad Bot report forecasts an internet that is increasingly machine-populated. AI-enabled automation will enhance threats, letting attacks happen more quickly and making them harder to detect. Large language models (LLMs) are birthing a new age of threats and data manipulation.

(Image source: Pixabay, under


.)

Want to experience the full spectrum of enterprise technology innovation?

Join

TechEx

in Amsterdam, California, and London. Covering AI, Big Data, Cyber Security, IoT, Digital Transformation, Intelligent Automation, Edge Computing, and Data Centres, TechEx brings together global leaders to share real-world use cases and in-depth insights. Click

here

for more information.

TechHQ is powered by

TechForge Media

. Explore other upcoming enterprise technology events and webinars

here

.