Humans vs Bots: How ‘Bad Bots’ Took Control of the Internet

The420.in

For the first time in history, malicious bot traffic has overtaken human-generated web activity, according to Imperva’s 2025 Bad Bot Report. The findings are striking: in 2024, bots were responsible for 51% of all internet traffic, with malicious bots alone making up 37%, up from 30% the previous year.

This shift reflects a disturbing new normal—where the internet is not only dominated by automation but increasingly exploited by advanced threat actors leveraging AI.

“These aren’t your average bots,” said David Holmes, Chief Technology Officer for Application Security at Imperva. “We’re seeing AI-powered bots that mimic human behavior, analyze their failures in real-time, and evolve faster than ever before.”

Generative AI Makes Bots Smarter—and More Dangerous

The explosion of large language models (LLMs) such as ChatGPT, Claude, and Gemini has dramatically altered the capabilities of cybercriminals. The report notes that bad actors are using AI to generate more convincing phishing attempts, bypass CAPTCHAs, and launch millions of attacks daily.

Imperva claims to be blocking over 2 million AI-driven bot attacks per day, including 700,000 SQL injections and remote code execution attempts.

While not all AI-related bots are harmful, tools like ByteDance’s web crawler “Bytespider” made up 54% of blocked AI-related traffic, raising concerns about how such platforms could be misused, intentionally or otherwise.

APIs Under Siege: Finance, Business Services Most Targeted

Application Programming Interfaces (APIs) have become the primary attack surface for bad bots. The report reveals:

  • 44% of advanced bot traffic targeted APIs, a steep rise from 10% just a year ago.

  • Common attack vectors included data scraping (31%), payment fraud (26%), and account takeover (12%).

  • The financial sector (40%) and business services (24%) were the top targets.

Bad bots are now more adept at evading detection by emulating human behavior, such as using residential proxies, outdated browser versions, and AI-assisted CAPTCHA bypass methods. Google Chrome, widely whitelisted across platforms, was the most impersonated browser (46%).

Mitigating the Bot Crisis: Imperva’s Recommendations

To combat the bot epidemic, Imperva recommends a multi-layered defense strategy:

  • Identify high-risk endpoints such as API gateways and checkout pages.

  • Implement rate limiting, authentication hardening, and IP blocking.

  • Use real-time monitoring to detect traffic anomalies.

  • Deploy AI-powered security tools that adapt dynamically to bot behavior.
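
The first three recommendations can be combined into one check over request logs. The sketch below is an added example, not code from Imperva or the report: it polices only high-risk endpoints, applies a sliding-window rate limit per client, and flags the outdated Chrome versions mentioned above. The path prefixes, thresholds, version cutoff and sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

HIGH_RISK = ("/api/", "/checkout")  # assumed high-risk path prefixes
MAX_HITS, WINDOW_S = 5, 10          # assumed budget: 5 requests per 10 s per client
MIN_CHROME_MAJOR = 120              # assumed cutoff for an "outdated" Chrome
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

def chrome_ua(major):
    return (f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            f"(KHTML, like Gecko) Chrome/{major}.0.0.0 Safari/537.36")

# Constructed sample events: (epoch seconds, client IP, path, User-Agent)
SAMPLE = (
    [(1000 + i * 0.5, "203.0.113.7", "/api/v1/login", chrome_ua(88)) for i in range(8)]
    + [(1000, "198.51.100.20", "/checkout", chrome_ua(131)),
       (1030, "198.51.100.20", "/checkout/pay", chrome_ua(131)),
       (1005, "192.0.2.55", "/api/v1/prices", chrome_ua(79))]
    + [(1000 + i * 0.1, "198.51.100.20", "/static/app.js", chrome_ua(131)) for i in range(20)]
)

def flag_clients(events):
    """Return {ip: set of reasons} for traffic to high-risk endpoints."""
    windows = defaultdict(deque)   # ip -> timestamps inside the sliding window
    flags = defaultdict(set)
    for ts, ip, path, agent in sorted(events):
        if not path.startswith(HIGH_RISK):
            continue  # only the endpoints identified as high-risk are policed
        win = windows[ip]
        win.append(ts)
        while win and ts - win[0] > WINDOW_S:
            win.popleft()  # drop hits that fell out of the window
        if len(win) > MAX_HITS:
            flags[ip].add("rate_exceeded")
        m = CHROME_RE.search(agent)
        if m and int(m.group(1)) < MIN_CHROME_MAJOR:
            flags[ip].add("outdated_chrome")
    return dict(flags)

def action_for(reasons):
    """Two signals block; one only challenges, since real users also run old browsers."""
    return ("allow", "challenge", "block")[min(len(reasons), 2)]

if __name__ == "__main__":
    result = flag_clients(SAMPLE)
    for ip in sorted({e[1] for e in SAMPLE}):
        print(ip, action_for(result.get(ip, set())), sorted(result.get(ip, set())))
```

The client that sends 20 requests to a static asset is never counted, because rate limits are scoped to the endpoints identified as high-risk.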

“Static defenses don’t work anymore,” Holmes cautioned. “We need intelligent systems that can evolve as fast as the bots do.”

As AI tools become more accessible and powerful, malicious bots are no longer fringe threats—they are a dominant force reshaping the web. Organizations must act decisively to protect their users, data, and infrastructure, before AI-fueled automation tips the balance of the internet beyond repair.
