
Thales Blog

The AI Bot Epidemic: The Imperva 2025 Bad Bot Report

April 22, 2025

Tim Chang | Vice President, Application Security Products

The ubiquity of accessible AI tools has lowered the barrier to entry for threat actors, helping them create and deploy malicious bots at an unprecedented scale. Moreover, generative AI (GenAI) simplifies bot development, and automated threats are evolving swiftly as a result. GenAI is helping them grow in sophistication and volume while honing their obfuscation techniques so they fly under the security radar.

AI is also being used to amplify and simplify attacks and to analyze failed attempts, helping attackers refine their techniques and evade detection tools with greater precision. These cunning, complex bots put organizations in every sector at significant risk.

Surpassing Human Traffic

As the volumes of automated traffic skyrocket, security teams need to adapt their approach to application security, as they are under pressure to fight not only human actors but automated bots that are seemingly always a step ahead.

According to the 2025 Imperva Bad Bot Report, titled “The Rapid Rise of Bots and The Unseen Risk for Business,” automated traffic overtook human activity for the first time in ten years, making up more than half (51%) of all internet traffic last year. This trend has been driven, for the most part, by the rapid adoption of AI and LLMs.

The surge in AI-driven bot creation has serious implications for businesses worldwide. As automated traffic accounts for more than half of all web activity, organizations face heightened risks from bad bots, which are becoming more prolific every day.

Concurrently, the report revealed that bad bot activity has risen for the sixth year in a row, with malicious bots now accounting for more than a third (37%) of all web traffic, a sharp rise from just over 30% in 2023.

Bot Attack Sophistication Trends

In 2024, “advanced and moderate” bot attacks together made up more than half (55%) of all bot attacks. Bot operators are using sophisticated techniques to mimic human traffic and carry out nefarious activities—which is why this type of attack is more difficult to detect and mitigate.

The report noted, however, a marked change in the complexity of bot attacks. Simple, high-volume attacks have soared, now accounting for 45% of all bot attacks, compared to only 40% in 2023. This increase is due, for the most part, to the free availability of AI-powered automation tools, which allow attackers, even those with limited technical ability, to initiate bot attacks with ease.

The use of AI tools also helps explain why 31% of all attacks recorded and mitigated by Imperva were automated, as defined by the OWASP 21 Automated Threats—a catalogue of automated attacks that use bots and scripts to exploit web application vulnerabilities at scale, slip past security controls, and disrupt organizations in every sector.

Modern APIs Must Fight Bad Bots

Today’s businesses rely on APIs to drive digital transformation, AI automation, and seamless integrations, making them essential for agility, innovation, and competitive advantage. However, this functionality makes them prime targets for bad bots to commit fraud, scrape data, and bypass security controls. In fact, last year, the Imperva research team saw a significant surge in API-directed attacks, with 44% of advanced bot traffic targeting APIs.

“The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities that malicious actors are eager to exploit,” Chang said. “As organizations embrace cloud-based services and microservices architectures, it’s vital to understand that the very features that make APIs essential can also leave them susceptible to risk of fraud and data breaches.”

Residential Proxies Still Hamper Detection

Cybercriminals use residential proxies to disguise malicious bot traffic as legitimate user activity by routing it through residential IP addresses usually associated with home internet connections. This makes it harder for security systems to detect their malicious activities because residential IPs are often viewed as trustworthy. Imperva’s research revealed that 21% of bot attacks use residential proxies provided by ISPs, allowing bad actors to blend in with genuine user traffic and put a spoke in the detection wheel.

ATO and the Power of AI

The number of Account Takeover (ATO) attacks has also surged dramatically, rising by 40% since last year and by 54% in the past three years. This surge could be down to threat actors using AI and ML to automate credential stuffing and phishing, making these attacks progressively more sophisticated and harder to uncover.

The financial services sector was the most targeted industry for account takeover (ATO) attacks, accounting for 22% of all incidents, followed by Telecoms and ISPs with 18%, and Computing and IT with 17%.

A slew of AI tools—ChatGPT, ByteSpider Bot, ClaudeBot, Google Gemini, Perplexity AI, Cohere AI, Apple Bot, and others—are also turning the way users interact with their favorite brands on its head. Students are learning differently, employees are working more efficiently, and content is being created faster than ever. On the flip side, these tools are also being used as a new attack vector by malicious actors, with ByteSpider Bot topping the list, responsible for 54% of GenAI-enabled attacks.

Recommendations and Solutions

The report also offers a wide range of recommendations to help businesses protect themselves. The table below summarizes these recommendations and maps them to Thales solutions.

Recommendation | Thales Solution
Identify bot threats during product launches and in high-risk cases. | Imperva Advanced Bot Protection
Secure APIs, mobile apps and authentication to prevent unauthorized access. | Imperva API Security
Block outdated browsers and restrict user-agent access. Block known proxy services to stop bots masking their activity. | Imperva Advanced Bot Protection
Monitor for unusual patterns signaling bot activity. | Imperva Web Application Firewall
Track login failures and API requests to prevent credential stuffing attacks. | Imperva Account Takeover Protection
Enforce MFA to prevent account takeovers. | Thales Multi-Factor Authentication Solutions
Use AI-driven solutions to adapt to evolving automated threats. | Imperva Advanced Bot Protection
Rotate mitigation strategies to prevent bots from learning your defenses. | Imperva Application Security Solutions
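Two of the recommendations above, tracking login failures to spot credential stuffing and blocking outdated browsers by user-agent, can be illustrated with a small detection script. The following is an added example written for this post; it is not Imperva or Thales product code. The log format, the sample log lines, the thresholds (five failures across at least three distinct usernames from one IP within 60 seconds) and the browser floor (Chrome major version 100, plus any Internet Explorer signature) are all constructed assumptions for the demo, not figures from the report.

```python
"""Credential-stuffing and outdated-browser checks over a constructed login log.

Added example, not vendor code. The log format, thresholds and the
user-agent policy below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <src IP> <user> <OK|FAIL> "<user agent>""
# 203.0.113.7 sprays failures over many usernames (stuffing signature);
# 198.51.100.9 is one user mistyping once, then succeeding;
# 192.0.2.33 / 192.0.2.44 log in with outdated browsers.
SAMPLE_LOG = """\
2025-04-22T10:00:01Z 203.0.113.7 alice FAIL "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:00:02Z 203.0.113.7 bob FAIL "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:00:03Z 203.0.113.7 carol FAIL "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:00:04Z 203.0.113.7 dave FAIL "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:00:05Z 203.0.113.7 erin FAIL "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:00:06Z 203.0.113.7 frank OK "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:00:10Z 198.51.100.9 alice FAIL "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:00:30Z 198.51.100.9 alice OK "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2025-04-22T10:01:00Z 192.0.2.33 grace OK "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
2025-04-22T10:01:05Z 192.0.2.44 heidi OK "Mozilla/5.0 Chrome/70.0 Safari/537.36"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (OK|FAIL) "(.*)"$')
CHROME_RE = re.compile(r"Chrome/(\d+)")
MIN_CHROME_MAJOR = 100  # assumed floor for this demo, not a vendor recommendation


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result, ua = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "ok": result == "OK", "ua": ua,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_failures=5, min_distinct_users=3):
    """Return the set of source IPs whose failures within `window` hit both thresholds.

    Many failures spread over many *different* usernames from one IP is the
    credential-stuffing signature. A single user failing repeatedly is more
    likely a forgotten password and is left to per-account lockout policy.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):  # sliding window over sorted failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            span = fails[start:end + 1]
            if (len(span) >= min_failures
                    and len({e["user"] for e in span}) >= min_distinct_users):
                flagged.add(ip)
                break
    return flagged


def classify_user_agent(ua):
    """Return (allowed, reason) under the constructed outdated-browser policy."""
    if "MSIE" in ua or "Trident/" in ua:
        return False, "legacy Internet Explorer"
    m = CHROME_RE.search(ua)
    if m and int(m.group(1)) < MIN_CHROME_MAJOR:
        return False, f"Chrome major {m.group(1)} below floor {MIN_CHROME_MAJOR}"
    return True, "ok"


def review_log(text):
    """Run both checks over a log and return what a defender would act on."""
    events = parse_log(text)
    outdated = {}
    for e in events:
        allowed, reason = classify_user_agent(e["ua"])
        if not allowed:
            outdated[e["ip"]] = reason
    return {"stuffing_ips": detect_credential_stuffing(events),
            "outdated_ua_ips": outdated}


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The stuffing check keys on distinct usernames rather than raw failure count on purpose: that is what separates a spray across an account list from one legitimate user who forgot a password, and it keeps the rule from locking out real customers. The user-agent floor is a coarse first filter only; the report's own advice pairs it with proxy blocking and behavioural signals, since a bot can send any user-agent string it likes.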

For more information and to read the full research findings, download the full 2025 Bad Bot Report.