In a groundbreaking development, automated bots have overtaken human activity on the internet, accounting for 51% of all web traffic in 2024. This marks the first time in history that non-human traffic has surpassed human interactions online. The surge is primarily driven by the rapid adoption of artificial intelligence (AI) and large language models (LLMs), which have significantly lowered the barriers to creating and deploying bots.
Malicious bots now constitute 37% of all internet traffic, up from 32% in 2023. This marks the sixth consecutive year of increasing bad bot activity, a trend that accelerated notably during the COVID-19 pandemic when online usage skyrocketed. The remaining 14% of automated traffic comes from beneficial bots, such as search engine crawlers that perform legitimate indexing and monitoring functions.
Imperva researchers have identified that bad bots are increasingly targeting business-critical functions, with 25% of mitigated attacks specifically aimed at exploiting application business logic. These sophisticated attacks leverage AI technology to mimic human behavior with unprecedented accuracy, making traditional detection methods increasingly obsolete.
The rise in accessible AI tools has significantly lowered the barrier for entry for cyber attackers, enabling them to create and deploy malicious bots at scale. Attackers now use AI not only to generate bots but also to analyze failed attempts and refine their techniques to bypass detection with greater efficiency.
AI-Powered Attack Evolution
Perhaps most alarming is the evolution of AI-enabled attacks, with Imperva blocking an average of 2 million such attacks daily throughout 2024. The report reveals that ByteSpider Bot dominated the landscape, responsible for 54% of all AI-enabled attacks, followed by AppleBot at 26% and ClaudeBot at 13%.
These sophisticated bots employ advanced evasion tactics, including browser identity spoofing. A typical browser impersonation attempt might use code similar to:
“`javascript
// Code to make a bot appear as Chrome browser
const request = require(‘request’);
const options = {
url: ‘https://target-website.com’,
headers: {
‘User-Agent’: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36’,
‘Accept’: ‘text/html,application/xhtml+xml,application/xml’,
‘Accept-Language’: ‘en-US,en;q=0.9’
}
};
request(options, function(error, response, body) {
// Process scraped data or perform malicious actions
});
“`
This simple code demonstrates how bots can mask their identity to appear as legitimate Chrome browsers—a tactic used in 46% of all bad bot attacks in 2024. More sophisticated bots employ residential proxies to route traffic through real IP addresses, making them nearly indistinguishable from genuine users.
Financial services, telecom, healthcare, and retail industries bear the brunt of these attacks, with APIs becoming particularly vulnerable targets—44% of advanced bot traffic now specifically targets API endpoints rather than traditional web applications. The impact extends beyond technical concerns, affecting everything from marketing campaign effectiveness to inventory management and pricing strategies.
As AI capabilities continue to advance, the line between human and automated traffic will blur further, posing significant challenges for cybersecurity professionals and organizations worldwide.
