July 6, 2026
Updated: July 6, 2026
A source-backed 2026 guide to bot attack statistics covering bad bot traffic, credential stuffing, account takeover, scraping, API abuse, ecommerce fraud, DDoS botnets, AI crawlers, and automated abuse trends.
Mohammed Khalil

Bot attack statistics in 2026 show that automated abuse has moved beyond simple crawler traffic. The current risk is concentrated around bad bot traffic, credential stuffing, account takeover, scraping, API abuse, fake account creation, checkout manipulation, and DDoS botnets. This guide separates bot-specific figures from fraud-wide, DDoS-wide, API-wide, and cross-industry statistics so security, fraud, product, and executive teams can use the numbers without overstating their scope.
Use this summary as a fast editorial overview. Each figure should still be checked against the original source before publication, especially when the source is based on vendor telemetry rather than a universal internet dataset.
| Signal | What It Shows | Source | Scope | Publishing Caveat |
|---|---|---|---|---|
| Bad bot traffic | Bots account for a majority of measured traffic in recent bad-bot telemetry, with bad bots forming a large share of requests. | Thales Bad Bot Report | Vendor telemetry | Do not treat one vendor dataset as the whole internet. |
| API abuse | API endpoints are repeatedly identified as a major target for automated abuse, scraping, authorization misuse, and business-logic attacks. | Akamai / Imperva | API and application telemetry | Separate API-wide attacks from bot-specific API abuse. |
| Credential stuffing | Login abuse and account takeover remain core ways bots monetize exposed credentials and weak authentication workflows. | Imperva / F5 / FBI | Bot, auth, and public complaint data | ATO loss data is not always bot-only. |
| Scraping | Scraping affects ecommerce, travel, media, marketplaces, and API-heavy services through product, content, pricing, and data extraction. | OWASP / Imperva / F5 | Automated threat and vendor telemetry | Distinguish legitimate crawlers from abusive scraping. |
| DDoS botnets | Botnets remain a major infrastructure-availability risk, but DDoS counts measure attacks, not bot traffic share. | Cloudflare / NETSCOUT | DDoS telemetry | Label DDoS-wide data separately. |
| AI crawlers and LLM scrapers | AI-related crawler traffic is now visible in multiple bot datasets, but not all AI crawlers are malicious. | HUMAN / DataDome / Cloudflare | Bot and crawler telemetry | Avoid framing all AI crawling as hostile. |
| Category | Statistic | Source | Year | Scope | Why It Matters |
|---|---|---|---|---|---|
| Overall bot traffic | Bots made up 53% of internet traffic; bad bots made up 40% | Thales Bad Bot Report 2026 | 2026 report using 2025 activity | Global Thales telemetry | Confirms automation is now the dominant traffic class in this dataset |
| Overall bot traffic | Automated traffic accounted for 51% of web traffic in 2024; bad bots were 37% and good bots 14% | Imperva Bad Bot Report 2025 | 2025 report using 2024 activity | Global Imperva telemetry | Useful baseline for the year before the 2026 Thales update |
| Business logic abuse | 21% of bot attacks targeted business logic | Thales Bad Bot Report 2026 | 2026 | Global Thales telemetry | Shows bot risk is tied to workflows, not just volumetric noise |
| API bot attacks | 27% of bot attacks targeted APIs | Thales Bad Bot Report 2026 | 2026 | Global Thales telemetry | Supports API-first buyer intent and AppSec prioritization |
| API attack mix | 44% of advanced bot traffic targeted APIs; 31% of mitigated attacks were OWASP automated threats | Imperva Bad Bot Report 2025 | 2025 | Global Imperva telemetry | Connects API bot abuse to OWASP-style automated misuse |
| Credential stuffing and ATO | ATO attacks rose 40% year over year in 2024 | Imperva Bad Bot Report 2025 | 2025 | Akamai customer telemetry | Indicates rising pressure on login, recovery, and session flows |
| API security | Average daily API attacks rose 113% YoY; 61% of API attacks involved unauthorized workflows and abnormal activity | Akamai Apps, APIs, and DDoS 2026 preview | 2026 | Akamai customer telemetry | Highlights why API abuse is not reducible to classic exploit traffic |
| DDoS scale | Cloudflare mitigated 47.1 million DDoS attacks in 2025, up 121%, averaging 5,376 per hour | Cloudflare 2025 Q4 DDoS report | 2026 report using 2025 activity | Cloudflare network telemetry | Separate from bot-traffic share, but essential for infrastructure risk planning |
| DDoS botnets | NETSCOUT recorded more than 8 million DDoS attacks in 2H 2025 across 203 countries and territories | NETSCOUT DDoS Threat Intelligence Report, Issue 16 | 2026 | Global ATLAS telemetry | Strong cross-check that DDoS volume remained elevated across providers |
| AI traffic | AI-driven traffic grew 187% across 2025; agentic AI traffic grew 7,851% YoY | HUMAN State of AI Traffic & Cyberthreat Benchmark Report overview | 2026 | HUMAN telemetry | Important for web, ecommerce, and content-owner policy decisions |
| LLM crawlers | LLM crawlers were 10.1% of verified bot traffic in August 2025, up 3.9x from January | DataDome Global Bot Security Report 2025 | 2025 | DataDome website testing dataset | Shows AI crawler traffic became material even outside classic search engines |
| Defensive readiness | Only 2.8% of nearly 17,000 tested sites were fully protected against the bot vectors DataDome tested | DataDome Global Bot Security Report 2025 | 2025 | Website testing across 22 industries | Not an attack-share metric, but a useful exposure benchmark |
| Statistic Type | What It Means | How to Use It Safely |
|---|---|---|
| Bot-specific | Directly measures bot traffic, bad bots, automated abuse, or bot-driven workflows. | Use as the primary benchmark for this article. |
| Fraud-wide | Measures broader fraud, identity, ATO, payment fraud, or digital risk. | Use for business impact, but do not imply every event was bot-driven. |
| DDoS-wide | Measures DDoS attacks, attack volume, or botnet-driven availability events. | Use for infrastructure risk, not for general bot traffic share. |
| API-wide | Measures API attacks, API abuse, endpoint targeting, or application behavior. | Use for API risk, but label whether the source is bot-specific or API-wide. |
| Vendor telemetry | Comes from a vendor customer base, mitigation dataset, CDN, WAF, or fraud network. | Useful and current, but not universal market truth. |
| Cross-industry | Applies across industries rather than one sector or website type. | Useful for benchmarking; add caveats by industry and region. |
Bot attack statistics show that the main risk is not “bots” in the abstract. It is abusive automation concentrated around login flows, credential stuffing, account takeover, scraping, API abuse, fake account creation, checkout manipulation, inventory hoarding, and DDoS botnets. The strongest 2025–2026 datasets also show that proxy networks, residential IP abuse, and AI-driven crawlers complicate the boundary between benign and malicious automation. For security, fraud, and product leaders, the practical implication is clear: traffic classification alone is insufficient. High-value workflows, APIs, authentication paths, and abuse cases need direct validation, monitoring, and safely scoped testing.
Bot attack statistics matter because automated abuse is not measured the same way as malware, ransomware, or generic breach counts. OWASP’s Automated Threats project explicitly frames these events as abuse of inherent application functionality through automated actions, including credential stuffing, account creation, scraping, spamming, scalping, and denial of inventory. That is a different risk model from classic vulnerability exploitation, even when both occur in the same environment.
They also matter because the operational blast radius reaches several teams at once. Login abuse hits security and fraud. Scraping hits product, data, content, and revenue teams. Inventory denial and scalping hit ecommerce and customer experience. API abuse hits AppSec and engineering. DDoS botnets hit infrastructure and availability. Thales, Imperva, Akamai, and Cloudflare all show that the most abused surfaces are the ones closest to authentication, business logic, financial transactions, and APIs.
Bot attack statistics also force a distinction between good bots and bad bots. Search crawlers, monitoring tools, and other approved automation are part of normal internet traffic. Thales and Imperva both publish separate human, good bot, and bad bot shares because collapsing them into one “bot traffic” bucket hides the actual security problem.
Finally, statistics only become useful when tied to control decisions. Data that says bots are a majority of traffic is interesting. Data that shows API-directed abuse, login abuse, identity attacks, payment abuse, and botnet-driven DDoS converging on the same critical paths is actionable. That is the level security buyers need for prioritization.
This article prioritizes original reports, official threat intelligence publications, standards projects, and public-sector alerts over third-party statistic roundups. Public-sector and standards sources such as the FBI and OWASP are used for definitions, fraud context, and classification. Vendor telemetry from Thales/Imperva, Cloudflare, Akamai, NETSCOUT, F5, HUMAN, DataDome, LexisNexis Risk Solutions, Sift, and Pixalate is used where those vendors clearly describe what they measured and over what period.
Recency matters, but freshness alone is not enough. A 2026 report based on 2025 telemetry is generally better than a 2024 report, but older data is still useful when it provides historical comparison or when the latest source does not publish an equivalent metric. That is why this guide uses the 2026 Thales findings alongside the 2025 Imperva report and selected 2025–2026 API, DDoS, fraud, and AI traffic datasets.
Definitions are treated carefully. “Bot traffic,” “bad bots,” “OWASP automated threats,” “ATO,” “API attacks,” “DDoS,” “invalid traffic,” and “fraud” are not interchangeable categories. For example, Pixalate’s invalid-traffic work is useful in ad-fraud sections, but even Pixalate notes that IVT is a measurement category that can include non-human traffic and other non-legitimate impressions rather than a pure count of malicious bots.
Vendor caveats are surfaced rather than hidden. F5’s report focuses on traffic seen after bot mitigation is already deployed, so its login percentages are not global internet baselines; they are useful for understanding persistent malicious automation against protected environments. DataDome’s report is a testing study of nearly 17,000 websites, so its “2.8% fully protected” figure is an exposure benchmark, not a market share estimate of successful bot attacks.
| Criterion | Requirement | Why It Matters |
|---|---|---|
| Source credibility | Use original reports, standards bodies, or official public-sector alerts first | Reduces error propagation from copied statistic roundups |
| Publication year | Prefer 2025–2026 unless older data adds trend context | Bot and AI traffic change quickly |
| Bot-specificity | Label whether a figure is bot-specific, bot-adjacent, or fraud-wide | Prevents inflated or misleading conclusions |
| Good bot vs bad bot definition | Use sources that separate benign from malicious automation when possible | Not all bots are attacks |
| Measurement definition | State whether the metric is traffic share, attacks blocked, attack rate, logins, impressions, or incidents | Different metrics answer different buyer questions |
| Traffic scope | Note whether the source covers web, mobile APIs, programmatic ads, DNS, or network traffic | Control decisions vary by surface |
| Attack type clarity | Keep credential stuffing, scraping, fake accounts, DDoS, payment abuse, and ATO distinct | Blended reporting obscures priorities |
| Industry or site type | Specify if data is travel, retail, telecom, finance, SaaS, or mixed | Bot pressure is highly sector-specific |
| Regional relevance | Note region only where the source actually publishes it | Avoids invented geography narratives |
| Vendor telemetry caveat | State that vendor telemetry is not a universal census of the internet | Prevents overgeneralization |
| Cross-industry caveat | Separate bot-specific numbers from broader fraud or breach data | Maintains analytical discipline |
| Reproducibility | Prefer reports that disclose sample, period, and measurement method | Makes stats more defensible in board or buyer contexts |
| Practical security relevance | Favor figures that map to real controls such as auth, rate limits, API security, or DDoS readiness | Helps readers act on the data |
| Fraud and business impact relevance | Include statistics that explain revenue, trust, support cost, or operational strain | Bot abuse is not only a technical issue |
The current threat landscape is defined by convergence. Bot abuse no longer sits in a single bucket called “bad bot traffic.” The same organizations now face credential stuffing on web and mobile login flows, scraping on public-facing content and pricing endpoints, API abuse on transactional services, fake account creation on registration paths, carding and payment abuse on checkout flows, and DDoS pressure on the infrastructure that keeps these services reachable. OWASP’s automated-threat taxonomy maps this convergence directly to account creation, credential stuffing, scraping, spamming, scalping, denial of inventory, and denial of service.
AI changed the economics rather than the categories. Thales says AI-enabled bot attacks increased 12.5x year over year, HUMAN says AI-driven traffic grew 187% in 2025, and Akamai notes that agentic AI amplifies API risk instead of creating an entirely separate attack domain. The practical effect is more automation, better mimicry, and more noise around intent.
Residential proxies, browser impersonation, headless automation, and mitigation bypass remain central. Imperva found 21% of ISP-based bot attacks used residential proxies, while Thales says 41% of bot attacks used Chrome to appear legitimate. Kasada and F5 both show attackers retooling around defenses rather than giving up, especially around high-value login and commerce flows.
| Threat Area | Key Statistic | Source | Scope | Security Takeaway |
|---|---|---|---|---|
| Bad bot traffic | Bad bots were 40% of internet traffic in 2025 | Thales 2026 | Global Thales telemetry | Bad bots are large enough to distort normal traffic assumptions |
| Credential stuffing | F5 found malicious login attempts averaged 10.6% of web and 5.2% of mobile API authentication traffic even with mitigation | F5 Labs 2025 | Protected environments across industries | Login abuse persists even after controls are deployed |
| Account takeover | Imperva reported ATO up 40% YoY in 2024; Thales says 46% of ATO attacks targeted financial services in 2025 | Imperva 2025; Thales 2026 | Vendor telemetry | ATO remains one of the clearest monetization paths |
| Fake account creation | Fake account creation represented 46% of all fraudulent activity in Arkose’s Q4 2025 release | Arkose Labs release on quarterly threat patterns | Vendor telemetry across nine industries | Registration flows are still weak points with downstream fraud value |
| Scraping | Imperva attributed roughly 31% of API attacks to scraping | Imperva 2025 | API bot attacks | Scraping is an API and business-logic problem, not only a content issue |
| API abuse | Akamai says daily API attacks rose 113% YoY; 61% involved unauthorized workflows and abnormal activity | Akamai 2026 preview | Akamai customer telemetry | Detection needs behavior and workflow awareness |
| Ecommerce abuse | Checkout endpoints saw about 32% of API attacks in Imperva’s analysis | Imperva 2025 | API endpoint mix | Checkout, payments, and promotions deserve priority controls |
| Payment fraud | Payment fraud represented about 26% of API attacks in Imperva’s dataset | Imperva 2025 | API bot attacks | Fraud prevention and AppSec share the same attack surface |
| Ad fraud and click fraud | Pixalate found global IVT rates of 19% on web and 29% on mobile app programmatic traffic in Q2 2025 | Pixalate Q2 2025 benchmarks | Programmatic advertising, 120B impressions | Useful for ad-fraud exposure, but IVT is not a pure bot metric |
| Spam and form abuse | OWASP keeps spamming and account creation in its automated-threat taxonomy | OWASP Automated Threats | Standards classification | Form abuse belongs in bot strategy, not only anti-spam tooling |
| DDoS botnets | Cloudflare mitigated 47.1M DDoS attacks in 2025; NETSCOUT saw 8.1M in 2H25 | Cloudflare; NETSCOUT | Infrastructure telemetry | Treat DDoS as adjacent to, not interchangeable with, bad bot traffic |
| Proxy networks | Imperva found 21% of ISP-based bot attacks used residential proxies | Imperva 2025 | Vendor telemetry | IP reputation alone is not enough |
| AI crawlers and LLM scrapers | DataDome found LLM crawlers were 10.1% of verified bot traffic by Aug. 2025 | DataDome 2025 | Website testing dataset | AI crawler governance now belongs in traffic policy discussions |
The strongest current public bot-traffic baseline is Thales’ 2026 report, which says bots accounted for 53% of internet traffic in 2025 and bad bots for 40%. The prior Imperva report, covering 2024, found 51% automated traffic, 37% bad bots, and 14% good bots. That direction of travel is more important than any single absolute value: automation is large, persistent, and increasingly shaped by AI-assisted tooling.
Sophistication is mixed, not uniformly advanced. Thales says simple bot attacks were 42% of bot attacks in 2025, and Imperva’s 2025 report found simple bots were 45% of all bot attacks in 2024 while moderate and advanced attacks together were 55%. That suggests two simultaneous problems: advanced evasion for high-value abuse, and cheaper large-scale automation enabled by easier tools.
Bad bot traffic should not be presented as “all bots are malicious.” Good bots remain material. But neither should security leaders dismiss this as crawler noise. Imperva says 31% of all attacks it recorded and mitigated were OWASP automated threats, which means automation is already showing up in attack telemetry, not only in web analytics.
Credential stuffing remains one of the clearest examples of bot-enabled abuse because the attack itself is defined as mass login attempts using exposed username-password pairs. OWASP lists credential stuffing as OAT-008, and Akamai defines it as automated use of stolen credentials to commit account takeover.
Imperva reported ATO attacks increased 40% from 2023 to 2024 and 54% since 2022. F5 adds useful operational context: even with bot mitigation in place, malicious login attempts still averaged 10.6% of web authentication traffic and 5.2% of mobile API authentication traffic, with Technology reaching 33.5% of web authentication traffic and Entertainment and eCommerce mobile APIs both exceeding 23%.
Kasada’s 2025 report offers a concentrated threat-intelligence view rather than an internet-wide one. It reported a 250% increase in ATO attacks in 2024, 6.2 million compromised accounts, and 1,027 large organizations targeted by the 22 credential-stuffing groups it infiltrated; 85% of compromised companies already had some form of bot detection. That does not mean all organizations face the same rate, but it does show that “defended” login flows are still monetizable.
Public-sector loss data should be used carefully here. The FBI said IC3 received more than 5,100 ATO-related complaints and more than $262 million in reported losses since January 2025, but those losses include phishing and impersonation-driven account takeover, not only bot-driven credential stuffing. That makes the figure useful for business impact, not for sizing automated login traffic alone.
LexisNexis adds a broader digital-fraud signal: it reported an 8% global attack-rate increase, a 59% rise in bot attacks, login attacks up 89%, and password-reset attack rates reaching 6.6% in its latest cybercrime report. Those are not universal internet statistics, but they reinforce that authentication abuse extends beyond the visible /login page into recovery and reset paths.
Scraping remains one of the most consistently bot-specific categories in public reports, but the term still needs discipline. OWASP’s automated-threat list includes scraping as OAT-011, while emphasizing that many automation risks are abuse of functionality rather than classic vulnerabilities. Legitimate crawling, licensed data access, partner integrations, and abusive extraction should not be conflated.
Imperva’s 2025 report attributes roughly 31% of API attacks to scraping, and about 37% of API attacks to data-access endpoints. That matters because scraping is now often easier through structured APIs than through rendered pages. In practice, this turns “content abuse” into an AppSec, rate-limiting, authorization, and business-logic problem.
F5’s 2025 bot research shows the same pattern from another angle. It found hospitality web applications absorbed more than 44% bot traffic, driven largely by scraping of hotel room and rate flows. That is a better model for leadership teams than the old “scraping equals page copying” frame. In many sectors, scraping is really market intelligence extraction, pricing exploitation, and inventory discovery at machine speed.
APIs are no longer a side channel. Akamai’s 2026 preview says the average number of daily API attacks rose 113% year over year and that 61% of API attacks in 2025 involved unauthorized workflows and abnormal activity, up from 30% in 2024. That is a direct signal that the attack problem is moving toward behavior, misuse, and business-flow abuse rather than only textbook payloads.
Imperva’s API-focused analysis is even more useful for buyers mapping controls to endpoints. It found 44% of advanced bot traffic targeted APIs. Within API attacks, data scraping made up about 31%, payment fraud 26%, ATO 12%, and scalping 11%. Endpoint-wise, data-access endpoints saw about 37% of API attacks, checkout 32%, and authentication 16%.
OWASP’s API Security Top 10 explains why these numbers recur. Broken authentication, broken object-level authorization, unrestricted resource consumption, unrestricted access to sensitive business flows, and improper inventory management all map naturally to automated abuse. OWASP explicitly notes that APIs expose sensitive data and application logic and that unrestricted business flows can harm the business when used excessively in an automated manner, even without a conventional implementation bug.
In financial services, the concentration is sharper. Akamai says banking absorbed 60% of total web attacks and 83% of API-endpoint attacks in 2025 in its financial-services threat summary. That is sector-specific telemetry, not a universal count, but it is strong evidence that financial APIs remain one of the highest-value bot and abuse targets.
OWASP’s automated-threat model includes denial of inventory, scalping, cashing out, carding, and account creation because modern commerce abuse is often workflow abuse first and code exploitation second. That framing fits the ecommerce data much better than generic “fraud statistics.”
Imperva found the travel industry became the most attacked sector in 2024, accounting for 27% of all bot attacks, up from 21% in 2023, with a 280% rise in bot attacks targeting the travel industry from January 2022 to December 2024. Retail was the second most attacked industry in the same report. It also notes that travel and retail both face high bad-bot shares and that these attacks often connect directly to loyalty fraud, scraping, seat spinning, and ticket and fare manipulation.
Kasada’s campaign-level telemetry reinforces the commerce angle. In the credential-stuffing campaigns it tracked, 20% of the NRF Top 100 retailers were compromised, while 40% of the top 10 U.S. hotel brands suffered account takeover attacks. Its report ties the monetization directly to stored payment details, gift cards, loyalty points, promotions, and seasonal booking spikes.
Sift’s industry benchmarks show why travel and ticketing keep appearing in these reports. It reported an average 2025 ATO rate of 0.82% for travel and ticketing and the highest average payment-fraud attack rate of any listed sector at 4.85%, ahead of food and delivery, internet and software, finance and fintech, and digital commerce. Those are network-level platform rates, not bot-only numbers, but they explain why these journeys are repeatedly abused.
This is the section where scope discipline matters most. Public ad-fraud reporting often uses “invalid traffic” rather than “bots,” and invalid traffic can include non-human traffic plus other forms of non-legitimate advertising measurement. Pixalate’s Q2 2025 benchmarks found global IVT of 19% on desktop and mobile web, 29% on mobile app traffic, and 18% on CTV across more than 120 billion programmatic impressions. Pixalate also explicitly warns that IVT and “fraud” are measurement terms, not legal findings, and that IVT is not a synonym for pure malicious-bot traffic.
For registration abuse, the cleaner signal comes from account-creation research. Arkose Labs said fake account creation remained the number one attack type in its Q4 2025 threat-intelligence release, accounting for 46% of all fraudulent activity across the nine industries it analyzed. That is vendor telemetry and should be treated that way, but it lines up with the persistent weakness of sign-up flows in consumer-facing platforms.
OWASP’s automated-threat taxonomy supports the same interpretation. Account creation and spamming both sit inside the automated-threat model because bots are often used to farm accounts, distort referral programs, abuse promos, spam forms, and create downstream fraud inventory for later use.
DDoS botnets are related to bot attacks, but they are measured differently and should stay analytically separate from web bot-traffic share. Cloudflare says it mitigated 47.1 million DDoS attacks in 2025, a 121% increase year over year, averaging 5,376 attacks per hour. It also disclosed a 31.4 Tbps attack and described the Aisuru-Kimwolf botnet as an estimated 1–4 million infected hosts, primarily Android TVs.
NETSCOUT’s 2H 2025 report independently recorded more than 8 million DDoS attacks across 203 countries and territories. It reported attacks up to 30 Tbps and 4 Gpps, more than 45,000 NTP-related attack alerts, and regional concentration led by EMEA at 3.3 million attacks, followed by APAC at 1.9 million, North America at 1.27 million, and Latin America at 1.01 million. Those are infrastructure telemetry figures, not user-session or page-request shares.
Akamai’s 2026 preview adds application-layer context. It says Layer 7 DDoS attacks surged 104% between 2023 and 2025. In financial services specifically, Akamai reports a 738% increase in Layer 3 and Layer 4 DDoS attack duration since 2024 and a 236% increase in maximum volumetric DDoS threat scale between 2024 and 2025.
Proxy infrastructure remains relevant outside pure DDoS. Imperva found 21% of bot attacks using ISP networks were conducted through residential proxies. That matters because these same proxy networks help attackers rotate IPs, mimic consumer origin patterns, and support credential abuse, scraping, and checkout manipulation.
The AI traffic story is real, but it does not justify panic or lazy classification. HUMAN says AI-driven traffic grew 187% between January and December 2025, agentic AI traffic grew 7,851% year over year, and more than 95% of this traffic centered on retail and ecommerce, streaming and media, and travel and hospitality. It also found that OpenAI-operated bots represented about 69% of observed AI-driven traffic in its dataset.
DataDome’s 2025 testing study found LLM crawlers made up 10.1% of verified bot traffic in August 2025, up 3.9x from January. It also found that only 2.8% of nearly 17,000 tested sites were fully protected against the bot vectors it examined, suggesting that many organizations have policy opinions about AI crawlers without corresponding enforcement depth.
Cloudflare’s 2025 Year in Review adds nuance. It reported that AI bots were 4.2% of all requests for HTML pages on average in 2025, compared with Googlebot at 4.5%, and that AI user-action crawling increased by more than 21x over the course of the year. That means AI crawlers are meaningful but still coexist with established search crawlers and a much larger body of ordinary web and non-AI automated traffic.
The right interpretation is operational. Organizations need to distinguish between AI crawlers they want to allow, AI crawler traffic they want to meter or govern, and AI-driven abuse that overlaps with scraping, agentic checkout, account actions, or unauthorized automation. Treating every AI bot as malicious is as inaccurate as treating every AI bot as benign.
Industry-specific patterns are clearer than regional bot-share patterns in public reporting. Thales and Imperva repeatedly show travel, retail, financial services, education, and API-heavy digital businesses as high-risk sectors, while F5 highlights hospitality on the web and entertainment on mobile APIs. Sift’s consumer-platform and industry benchmarks separately show elevated ATO and payment-fraud exposure in internet software, digital commerce, and travel and ticketing.
Regional data is stronger for DDoS than for bad-bot traffic share. NETSCOUT recorded the highest second-half 2025 DDoS counts in EMEA, then APAC, North America, and Latin America. Cloudflare’s Q4 2025 report showed significant movement in the most-attacked locations, including Hong Kong and the United Kingdom, but that remains DDoS telemetry rather than a general bot-traffic census.
| Industry | Main Bot Risk | Relevant Statistics | Security Implication |
|---|---|---|---|
| Travel | Fare scraping, loyalty abuse, ticket and seat manipulation, ATO | Travel was 27% of bot attacks in Imperva’s 2024 data; Sift gave Travel & Ticketing a 0.82% ATO rate and 4.85% payment-fraud attack rate. | Protect search, loyalty, authentication, booking, and checkout together |
| Retail and ecommerce | Scraping, inventory abuse, promo abuse, checkout fraud, ATO | Kasada says 20% of the NRF Top 100 retailers were hit in the campaign it tracked; Sift and F5 both show continued pressure on ecommerce credentials and payments. | Rate limits alone are insufficient for commerce workflows |
| Financial services | ATO, API abuse, payment abuse, bot-driven reconnaissance | Thales says 24% of bot attacks targeted financial-services sites and 46% of ATO attacks targeted financial services; Akamai says banking absorbed 83% of API endpoint attacks in its 2025 sector dataset. | Prioritize auth, API behavior monitoring, and transaction anomaly controls |
| Hospitality | Rooms and rate scraping, ATO, rewards abuse | F5 found more than 44% of hospitality web transactions were bot traffic in the protected environments it studied. | Search, pricing, loyalty, and login need integrated controls |
| Media and publishing | Content scraping, AI crawler pressure, ad abuse | HUMAN says AI-driven traffic clustered heavily in media; DataDome found LLM crawlers rising rapidly in verified bot traffic. | Bot governance needs both abuse prevention and access-policy decisions |
| Telecom and API-heavy SaaS | Mobile API abuse, auth abuse, DDoS | F5 found telecom mobile APIs had the highest share of advanced credential-stuffing bots; Akamai says APIs are the dominant attack surface. | Protect mobile APIs and partner APIs as first-class attack surfaces |
These statistics support five priorities.
First, treat authentication as a workflow, not a page. Login, registration, password reset, account recovery, MFA enrollment, session refresh, and loyalty redemption belong in the same abuse model. F5, LexisNexis, Imperva, and the FBI all show that attackers monetize the full account lifecycle, not only a visible login form.
Second, move API security closer to fraud and abuse operations. Akamai, OWASP, and Imperva all show that unauthorized workflows, sensitive business flows, checkout endpoints, authentication endpoints, and data-access endpoints are where abuse concentrates. That makes rate limits, auth, authorization, and business-logic testing central to both AppSec and fraud reduction.
Third, separate alerting by intent. DDoS, AI crawlers, scraping, ATO, carding, fake accounts, and inventory abuse are not interchangeable. Controls, owners, and escalation paths differ. Board reporting should reflect that reality.
Fourth, validate rather than assume. DataDome’s exposure study and Kasada’s ATO findings both suggest many organizations deploy controls that attackers still route around. For high-risk organizations, that justifies safely scoped validation through penetration testing, API penetration testing, web application penetration testing, abuse-case review, and red-team-style assessment on critical flows.
Fifth, keep testing safe and authorized. Bot, API, and DDoS-related validation must be rate-limited, approved, scoped to avoid production disruption, and designed to test exposure rather than recreate uncontrolled abuse. DeepStrike is relevant here as a validation partner for penetration testing, API penetration testing, web application penetration testing, cloud penetration testing, and red team assessments, but those services complement rather than replace dedicated bot-management or fraud-prevention platforms.
| Security Area | What the Statistics Suggest | What Security, Fraud, and Product Teams Should Check |
|---|---|---|
| Login security | Credential abuse remains material even after mitigation | Login telemetry, password-reset abuse, MFA step-up rules, breach-password checks |
| Credential stuffing controls | Web and mobile APIs both matter | Separate controls for browser logins and mobile auth APIs |
| Account takeover detection | Auth abuse is monetized after login | Impossible travel, device shifts, reward redemption anomalies, session takeover signals |
| Registration abuse | Fake account creation remains a durable fraud entry point | Sign-up monitoring, phone/email validation abuse, promo farming patterns |
| Fake account creation | Registration is often weaker than login | Account-age signals, device reuse, referral abuse, downstream trust scoring |
| API security | APIs are a primary bot-abuse surface | Inventory, auth, authorization, rate limits, schema and business-flow coverage |
| Rate limiting | Static limits miss workflow abuse | Endpoint-level, identity-level, and business-action limits |
| Authentication and authorization | Broken auth and sensitive business flows drive abuse | Token handling, BOLA/IDOR, privilege drift, session management |
| Web application security | Bots exploit business logic more than scan signatures alone | Abuse cases for search, cart, checkout, rewards, and booking flows |
| Mobile app API security | Mobile endpoints often attract separate toolchainsMobile endpoints often attract separate toolchains | SDK integrity, device signals, app attestation, auth API parity |
| Scraping controls | Scraping often targets APIs and high-value content | Data-access endpoints, pricing APIs, robots policy, content hot paths |
| Ecommerce checkout abuse | Checkout is a top API target | Promo validation, card testing detection, inventory holds, checkout bot signals |
| Inventory abuse | Scalping and denial of inventory stay high-value | Cart holds, queue fairness, reservation TTLs, anti-hoarding controls |
| Payment fraud | Attackers monetize compromised accounts through stored value | Stored payment methods, chargeback patterns, carding telemetry |
| Loyalty and gift card abuse | Loyalty remains an ATO monetization path | Balance checks, redemption rules, velocity limits, account recovery |
| Ad fraud and click fraud | Measurement terminology can distort bot assumptions | IVT definitions, campaign verification, invalid-click monitoring |
| Spam and form abuse | Spamming belongs in the bot-abuse model | Contact forms, lead forms, review flows, support and abuse workloads |
| DDoS resilience | Application and network pressure both remain elevated | CDN posture, L7 protections, upstream coordination, failover testing |
| Bot detection tuning | Attackers retool around controls | False-positive review, browser impersonation, residential proxy handling |
| Proxy and hosting abuse detection | IP-based trust is weak on its own | Residential proxy detection, ASN monitoring, cloud host intelligence |
| Logging and alerting | Cross-team visibility is often fragmented | Unified auth, API, fraud, and checkout telemetry |
| Incident response | Bot incidents often become fraud incidents | Playbooks for ATO, scraping, promo abuse, and DDoS escalation |
| Fraud investigation workflows | Account and payment abuse are linked | Shared case management between AppSec, fraud, and support |
| Penetration testing cadence | Static annual tests miss quickly changing abuse paths | Periodic web, API, and cloud testing with retesting support |
| Continuous validation | Attack surfaces evolve faster than annual reviews | Safe drift testing for auth, APIs, integrations, and business logic |
| Executive reporting | High-level bot percentages alone are insufficient | Board metrics by flow, intent, and business impact |
The most common analytical mistake is mixing total bot traffic with malicious bot traffic. Thales and Imperva publish separate good-bot and bad-bot shares for a reason.
The second mistake is treating vendor telemetry as universal internet truth. F5’s protected-environment view, DataDome’s website testing, Cloudflare’s network telemetry, and Pixalate’s advertising IVT all measure different things. Those differences are useful, but only when clearly stated.
The third is collapsing fraud-wide statistics into bot-specific claims. FBI ATO losses, Sift payment-fraud rates, and LexisNexis digital-attack rates describe adjacent business risk, but not every underlying event is bot-driven. Use them to frame impact and workflow exposure, not to claim a universal “bot loss” number.
The fourth is ignoring APIs, mobile app flows, registration, checkout, and recovery paths while focusing only on login pages. Current reports consistently show that bots exploit the full customer journey.
What are the most important bot attack statistics?
The most decision-useful numbers are the ones that connect traffic share to attack surface. Today that means bad-bot share, API-directed bot activity, ATO and credential-stuffing pressure, scraping rates, DDoS volume, and AI-crawler growth. The strongest current public signals come from Thales, Imperva, Akamai, Cloudflare, HUMAN, F5, and NETSCOUT.
What percentage of web traffic is bots?
That depends on source and year. Thales says bots made up 53% of internet traffic in 2025, while its prior report put 2024 automated traffic at 51%. Those figures are useful, but they are vendor telemetry, not a universal census of every website. The more important split is between good bots and bad bots.
What is the difference between good bots and bad bots?
Good bots are approved or expected automation such as search crawlers and monitoring tools. Bad bots are automated agents used for abuse such as credential stuffing, scraping, fake account creation, or checkout manipulation. Current leading reports separate these categories explicitly because combining them hides the true risk picture.
Why are bad bots a security risk?
Because they target valid workflows at machine speed. Modern bad bots hit logins, account recovery, pricing APIs, checkout flows, rewards balances, and content endpoints. OWASP frames many of these as abuse of application functionality, not only exploitation of conventional software flaws.
How do bots support credential stuffing and account takeover?
Credential stuffing is inherently automated. Attackers test stolen username-password pairs at scale, then monetize successful logins through stored payment methods, loyalty balances, or data theft. Public ATO loss figures also include phishing and impersonation, so the cleanest bot-specific view usually comes from login and auth telemetry, not law-enforcement complaint totals alone.
Why are APIs exposed to bot attacks?
APIs expose data and workflows directly. OWASP notes that APIs expose sensitive data and application logic, while Akamai and Imperva show abuse concentrating around unauthorized workflows, data-access endpoints, checkout, and authentication. APIs also tend to be easier to automate consistently than custom front-end flows.
Which industries are most affected by bot attacks?
Travel, retail, hospitality, digital commerce, financial services, and API-heavy sectors appear repeatedly in current vendor telemetry. The exact ranking changes by source because the datasets differ, but commerce, loyalty-heavy, and transaction-heavy environments remain overrepresented.
How do bots affect ecommerce fraud and inventory abuse?
They distort availability, checkout fairness, promo economics, and fraud operations. Inventory hoarding, scalping, carding, fake accounts, and post-login payment abuse all show up in OWASP’s taxonomy and in current vendor reports. The result is both direct fraud loss and degraded customer experience for legitimate users.
Are AI crawlers and LLM scrapers the same as malicious bots?
No. Some are legitimate or at least expected forms of automated access, while others behave more like abusive scraping or agentic transaction traffic. The useful question is not “AI or not AI.” It is whether the automation is authorized, identifiable, rate-appropriate, and aligned with the site owner’s policy and business model.
What is the difference between bot attacks and DDoS attacks?
Bot attacks usually refer to automated misuse of an application or workflow, such as credential stuffing or scraping. DDoS attacks focus on exhausting availability or capacity. Some DDoS attacks are botnet-driven, but DDoS counts and bot-traffic-share metrics are different measurement categories and should not be merged.
How should security teams reduce bot attack risk?
Focus on high-value flows: authentication, registration, password reset, account management, data-access APIs, checkout, and loyalty or gift-card actions. Then validate auth, authorization, rate limits, workflow assumptions, monitoring, and incident response. The statistics support layered controls, but they do not replace direct exposure testing.
How often should bot controls and abuse paths be tested?
There is no universal cadence, but annual testing alone is weak for high-risk consumer platforms, ecommerce, and API-heavy services. Critical flows should be reassessed after major releases, auth changes, loyalty or checkout changes, third-party integration changes, and meaningful attack-pattern shifts. Safe, authorized testing matters more than arbitrary frequency.
The most useful bot attack statistics in 2026 show three things. First, bad bot traffic is large enough to affect normal planning assumptions. Second, the highest-risk abuse is concentrated around credential stuffing, account takeover, scraping, API abuse, fake accounts, ecommerce and inventory manipulation, and DDoS botnets rather than around one generic “bot problem.” Third, AI crawlers and agentic automation have added policy and monitoring complexity without removing the need for security fundamentals. Statistics can guide prioritization across login flows, APIs, customer portals, ecommerce checkout, cloud infrastructure, and internet-facing applications, but bot attack statistics do not replace validation. Security, fraud, and product teams still need to test real workflows, assumptions, and controls. DeepStrike helps teams validate real-world exposure through penetration testing, API penetration testing, web application penetration testing, cloud penetration testing, red team assessments, remediation tracking, and retesting support.
Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led red team and application security engagements across technology, finance, healthcare, cloud, and regulated environments. His work focuses on real-world attack path validation, application vulnerabilities, API security, cloud security, identity exposure, and adversary emulation.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us