The internet has entered a new era where automated traffic now accounts for more web activity than human users, new research says.
Radware’s 2025 ecommerce Bot Threat Report claims the majority of traffic to online stores during the 2024 holiday season didn’t come from people. It came from bots.
For the first time, automated programs – ranging from simple scripts to AI-enhanced digital agents – accounted for 57% of all traffic, surpassing human visitors on e-commerce websites.
A smarter generation of bad bots
The report highlights the ongoing evolution of malicious bots, as nearly 60% now use behavioral strategies designed to evade detection, such as rotating IP addresses and identities, using CAPTCHA farms, and mimicking human browsing patterns, making them difficult to identify without advanced tools.
The only effective counter is equally intelligent detection – AI-powered defenses that can learn and adapt. Businesses must reassess their security stack and look beyond basic filters to solutions offering advanced DDoS protection and intelligent traffic monitoring.
“Bad bots are no longer just based on simple scripts – they’re sophisticated, AI-enhanced agents capable of outsmarting traditional defenses,” said Ron Meyran, Vice President of Cyber Threat Intelligence at Radware.
“E-commerce providers and online retailers that rely on conventional security measures will find themselves increasingly exposed, not just during the holidays but year-round.”
Mobile platforms have become a critical battleground, with a staggering 160% rise in mobile-targeted bot activity between the 2023 and 2024 holiday seasons. Attackers are deploying mobile emulators and headless browsers that imitate legitimate app behavior.
The report also warns of bots blending into everyday internet traffic. A 32% increase in attack traffic from residential proxy networks is making it much harder for ecommerce sites to apply traditional rate-limiting or geo-fencing techniques.
Perhaps the most alarming development is the rise of multi-vector campaigns combining bots with traditional exploits and API-targeted attacks. These campaigns go beyond scraping prices or testing stolen credentials – they aim to take sites offline entirely.
For businesses relying on the best ecommerce website builders or user-friendly platforms, the threat is clear. Security must evolve in step with the attackers. Platforms must also adopt dedicated mobile protections to defend against these increasingly sophisticated threats.
You might also like
- Take a look at the best VPN with antivirus available right now
- PC makers are planning plants in Saudi Arabia to try and avoid US tariffs
- These are the best password managers you can use