Thales report says bots accounted for more than 53 per cent of web traffic in 2025, with AI-driven attacks rising sharply and APIs becoming a key target.

AI-Driven Bot Attacks Surge as Bots Overtake Humans Online, Transforming Web Security Landscape

The420.in Staff

Artificial intelligence is rapidly reshaping internet traffic and online security, with automated systems now accounting for a majority of web activity and AI-driven bot attacks rising sharply over the past year, according to the 2026 Bad Bot Report released by Thales.

AI Agents Blur the Line Between Legitimate and Malicious Traffic

The report says AI is no longer only increasing the scale of bot activity but also changing its character. In 2025, AI-driven bot attacks rose 12.5 times from the previous year. Thales says AI agents are emerging as a third category of internet traffic alongside conventional good and bad bots, interacting directly with applications and APIs to retrieve data and perform tasks.

According to the report, this development is making it harder for organizations to distinguish legitimate automation from malicious activity. It says much of today’s AI-driven traffic remains unverified or indistinguishable from normal activity, leaving businesses with an incomplete view of the risks they face.

Bots Now Outpace Human Activity Online

The findings say bots made up more than 53 per cent of all web traffic in 2025, up from 51 per cent the previous year, while human activity fell to 47 per cent. Around 40 per cent of overall web traffic now consists of bad bots, which include automated systems used to steal data and botnets designed to overwhelm websites with traffic.

The report describes this as a structural change rather than a temporary spike tied to isolated events. It says bots are now a persistent presence across digital environments. The United States was identified as the most targeted country for bot attacks in 2025, followed by Australia, the United Kingdom and France.

APIs and Identity Systems Become Key Targets

As businesses rely more heavily on APIs to run core digital services, attackers are increasingly targeting those systems. Thales says 27 per cent of bot attacks now focus on APIs, where automated tools can bypass user interfaces and interact directly with backend systems at machine speed.

These attacks often use valid authentication and well-formed requests, making them appear legitimate while exploiting business logic, extracting sensitive data or manipulating workflows. The report says financial services accounted for 24 per cent of all bot attacks and 46 per cent of account takeover incidents, highlighting the extent to which automation is being used to monetize cyberattacks. It adds that traditional approaches focused only on detecting and blocking bots are no longer sufficient, and calls for governance-based models that combine visibility, policy enforcement and behavioural analysis to manage acceptable and harmful automation.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.