New 2025 E-commerce Bot Threat Report details rise in bot attacks, emerging threat vectors, and shifting defense strategies
Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today released its “2025 E-commerce Bot Threat Report.” The report found that automated bots—good and bad bots—accounted for 57% of e-commerce website traffic during the 2024 holiday season. It marks the first time that automated, non-DDoS generating bots drove more traffic than human shoppers, signaling a critical shift in the cybersecurity landscape for e-commerce providers and online retailers.
“Bad bots are no longer just based on simple scripts—they’re sophisticated, AI-enhanced agents capable of outsmarting traditional defenses,” said Ron Meyran, vice president of cyber threat intelligence at Radware. “E-commerce providers and online retailers that rely on conventional security measures will find themselves increasingly exposed, not just during the holidays but year-round.”
The report highlights major bot attack trends and real-world attack data observed during the 2024 online holiday shopping season. In addition, it offers insights into the distributed, multi-vector attacks e-commerce providers and retailers can expect to battle this year.
Key findings and insights
- AI-generated bots with human-like behavior gain dominance: According to the report, bad bots made up 31% of total internet traffic during the last holiday season. Nearly 60% of the malicious traffic employed advanced behavioral techniques to evade traditional, signature-based detection. Combating these bots requires accurate AI-powered detection of attack patterns, including rotating IPs and identities, distributed attacks, CAPTCHA farm services, and other advanced anomalies, without causing false positives.
- Mobile-focused attacks surge: Malicious bot traffic directed at mobile platforms rose 160% between the 2023 and 2024 holiday shopping seasons, representing a fundamental shift in attacker focus. Security strategies need to be shored up and tailored for vulnerable mobile platforms and attackers using more sophisticated techniques, including mobile emulators, mobile-specific proxies, and headless browsers with mobile user-agent strings.
- Attacks leveraging distributed infrastructures and residential proxy networks increase: The proportion of holiday attack traffic originating from and blending in with ISP networks increased 32% between 2023 and 2024. Attackers are leveraging wider network and residential proxy services to evade rate-limiting, geo-based, and IP-based blocking mechanisms, creating even greater mitigation challenges for security teams working without advanced, multi-layered protections.
- Coordinated multi-vector attack campaigns escalate: To maximize their success, attackers are targeting applications by combining bot attacks with web application vulnerability exploits, business logic attacks, and API-focused attacks. Protecting already burdened security systems requires an integrated application security strategy that uses the latest threat intelligence and cross-correlates security threats across security modules.
Radware will be addressing the new report and advanced protection strategies during the RSA 2025 Conference at the Moscone Center in San Francisco (booth #S-1227). The event takes place April 28–May 1, 2025.
Radware’s complete bot report can be downloaded here.
Explore AITechPark for the latest advancements in AI, IOT, Cybersecurity, AITech News, and insightful updates from industry experts!