For the first time ever, automated bot traffic has overtaken human activity online — now making up 51% of all internet traffic, according to the 2025 Imperva Bad Bot Report. This historic shift marks a pivotal turning point for the digital landscape, as organizations worldwide grapple with the implications of an AI-driven surge in automation.

Generative AI has made it significantly easier to build automated bots — some are used for legitimate tasks, but many are designed for malicious purposes. According to the Imperva report, harmful bots used for credential stuffing, scraping, and payment fraud now account for 37% of total web traffic — up from 32% in 2023. By contrast, good bots make up just 14%.

“Bad bots comprised 37% of internet traffic in 2024,” confirms the Financial Post, underscoring the alarming growth in cyber threats enabled by increasingly accessible AI tools. These bots are not only more prevalent but also more advanced — capable of bypassing CAPTCHAs, mimicking human behavior, and hiding behind residential IPs and VPNs to avoid detection.

This surge isn’t limited to websites. Bot activity targeting APIs is rising rapidly, making up 44% of all advanced bot traffic. “The most common API bot attacks focused on data scraping (31%), payment fraud (26%), account takeover (12%), and scalping (11%),” details SecurityWeek, reflecting a deliberate strategy to exploit business-critical API vulnerabilities. Many of these bots use residential IPs, making them difficult for website administrators to spot.

The financial, healthcare, and e-commerce sectors are among the hardest hit. As the Financial Post explains, “The surge in AI-driven bot creation has serious implications for businesses worldwide.” Account takeover attacks alone surged by 40% in a single year, with 330,000 incidents reported in December 2024.

“The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities,” said Chang, noting the risks as companies deepen their reliance on microservices and cloud infrastructure. With Imperva blocking 13 trillion bot requests in 2024 alone, the fight against bots is no longer a one-off challenge — it’s a continuously escalating battle.