A new report reveals that AI-powered bots now account for over half of all global web traffic, with malicious “bad bots” comprising a third, leading to increased online fraud and security challenges

[dropcap]T[/dropcap]he internet officially saw a significant shift in 2024, with AI-powered bots now accounting for over half of all web traffic globally, effectively surpassing human users.

Also read: Global recognition: Lagos leads as fastest-growing tech ecosystem in 2025

According to the 2024 Imperva Bad Bot Report, traffic from automated bots increased by 2% from the previous year, while human user traffic fell to just 50.4%.

A concerning aspect of this rise is the prevalence of “bad bots,” which are now responsible for a full one-third of all internet traffic.

These malicious bots engage in various nefarious activities, including stealing passwords, crashing websites, faking clicks, and hijacking social media posts to fuel drama.

They are particularly active on travel sites, stealing concert tickets, and orchestrating account takeover attacks.

“Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organizations approach building and protecting their websites and applications,” stated Nanhi Singh, general manager for application security at Imperva. Singh emphasized the urgent need for organizations to invest in bot management and API security tools to counter the growing threat, warning that “as more AI-enabled tools are introduced, bots will become omnipresent.”

Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organizations approach building and protecting their websites and applications.

The report highlights specific regions where bad bot traffic is alarmingly high, including Ireland (71%) and Germany (68%).

In the Americas, Mexico sees 43% of traffic generated by malicious bots, while the U.S. figure stands at 34%.

The rise of generative AI is exacerbating the problem, with the volume of simple bots increasing to 40% in 2023, up from 33% in 2022.

Account takeover attacks, in particular, rose by 10% in 2023, with 44% targeting API endpoints. Overall, 11% of all internet login attempts were associated with account takeover.

The financial services (37%), travel (12%), and business services (8%) industries were the hardest hit by these attacks.

APIs have become a popular target, with automated threats behind three in ten API attacks in 2023.

A significant 17% of these were bad bots exploiting business logic vulnerabilities—flaws in API design that allow attackers to manipulate legitimate functionality to access sensitive data or user accounts.

For the second consecutive year, the gaming industry faces the largest bot problem, with 57% of its traffic attributed to bots. Retail, travel, and financial services also experienced the highest volumes of overall bot attacks.

Advanced bad bots, which mimic human behavior to evade defenses, were most prevalent in law and government (78%), followed by entertainment (71%) and financial services (67%).

A quarter of all bad bot traffic originated from residential ISPs, with bot operators using residential proxies to appear as legitimate users and evade detection.

A report from Lunio late last year further revealed that advertisers are projected to waste over $71 billion on traffic generated by invalid activity in 2024, a one-third increase from 2022.

Also read: Time to level up your corporate gifts, says Nigeria’s Meta4

“Bots are one of the most pervasive and growing threats facing every industry,” Singh concluded. “Organizations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration.”