NextFin News - Automated cyberattacks powered by artificial intelligence surged 12.5 times over the past year, driving "bad bot" traffic to a record 40% of all global internet activity. According to the 2026 Bad Bot Report released by Thales, the rapid proliferation of agentic AI has fundamentally altered the composition of the web, with automated agents now accounting for the majority of total traffic when legitimate bots are included. This shift marks a critical threshold where machine-to-machine interactions have effectively marginalized human-generated requests on public networks.
The data, compiled by Thales’s threat research and security analyst teams, indicates that malicious bot traffic rose from 32% in 2023 to 37% in 2024, before hitting the 40% mark in the most recent full-year analysis of 2025. Thales, a French multinational and a dominant player in the global aerospace and security markets, has historically maintained a cautious but technically rigorous stance on cybersecurity trends. The firm’s security division, which includes the acquired Imperva assets, specializes in application and API protection, positioning it as a primary observer of the "bot-to-human" ratio across enterprise networks.
Nanhi Singh, General Manager of Application Security at Thales, noted in the report that the barrier to entry for sophisticated cyberattacks has collapsed. The emergence of "agentic AI"—autonomous systems capable of executing multi-step tasks without human intervention—has allowed attackers to bypass traditional security measures like CAPTCHAs and behavioral analysis. These bots are no longer simple scripts; they are adaptive entities capable of mimicking human browsing patterns with high fidelity, leading to a surge in account takeover (ATO) attacks and API-based data scraping.
While the Thales report highlights a stark escalation, some industry analysts suggest the "40%" figure may reflect a specific subset of enterprise-facing traffic rather than the entirety of the global internet. Security researchers at smaller boutique firms have occasionally argued that such high-level reports from major vendors can be influenced by the specific profile of their client base—often high-value targets in finance and retail that naturally attract more bot attention. Consequently, while the trend of increasing automation is undisputed, the absolute dominance of malicious bots may not yet be a universal experience for smaller, less targeted web properties.
The economic impact of this surge is concentrated in the retail and financial sectors. During the 2025 holiday shopping season, API endpoints for checkouts and loyalty programs saw a disproportionate volume of attacks compared to standard web pages. Thales reported that account takeover attempts increased by roughly 40% year-over-year, as AI-driven tools automated the process of credential stuffing with unprecedented efficiency. This has forced a shift in defensive strategy from reactive detection to proactive prevention, as the speed of AI-driven attacks now outpaces human-led security response times.
The rise of these automated agents also complicates the "Death of the UI" narrative. As bots increasingly interact with APIs directly, the traditional user interface becomes secondary to the machine-readable backend. This transition suggests that the future of web security will depend less on identifying "human" behavior and more on verifying the intent and authorization of autonomous agents. The current trajectory indicates that by the end of 2026, the volume of malicious automated traffic could surpass the total volume of human users for the first time in the history of the commercial internet.
