Human traffic is now a minority: bots dominate the web in 2025

The web that users see every day is no longer made up primarily of people browsing, reading news, shopping, or consulting online services. According to the Thales Bad Bot Report 2026, bots accounted for 53% of all observed web traffic globally in 2025, compared to 47% generated by humans. This figure confirms a fundamental shift: the internet has become a space where automation now outweighs human activity.

The most concerning finding is not just that there are more bots, but what types of bots they are. Of the total web traffic, 40% was attributed to malicious bots and 13% to benign automation, such as search engine crawlers, monitoring tools, or certain legitimate crawlers. In other words: within automated traffic, most already comes from bots capable of scraping content, testing credentials, abusing APIs, saturating services, or manipulating business processes.

AI Accelerates the Bot Problem

Artificial intelligence hasn’t invented bots, but it is changing their scale and behavior. Thales reports that AI-driven bot attacks grew 12.5 times in 2025, with a daily average of blocked requests soaring from 2 million to 25 million. Over the course of the year, the company claims to have blocked 17.2 trillion automated requests.

The new development is that current bots are more adaptive. They can modify fingerprints, adjust interaction timings, change navigation patterns, and retry a service hours after mitigation measures are applied. This makes traditional defenses like IP blocking, user-agent filtering, or simple rate limits increasingly ineffective.

The report also introduces a third category of automated traffic: AI agents. Until now, many organizations differentiated between “good” bots, like search crawlers, and “bad” bots, such as scrapers, scalpers, or credential stuffing tools. AI agents complicate this classification because they can access websites or APIs on behalf of a user, retrieve information, perform tasks, and complete workflows. They’re not always malicious, but they cannot be treated as normal human traffic either.

This blurred boundary requires a shift in focus. The key question is no longer solely whether a request comes from a person or a machine. The relevant concern is what the automation is doing, how often, which endpoint it targets, and its impact on business.

| Thales 2026 Report Indicator | Main Data |
| --- | --- |
| Web traffic generated by bots | 53% |
| Web traffic generated by humans | 47% |
| Total traffic attributed to malicious bots | 40% |
| Total traffic attributed to benign bots | 13% |
| Bot requests blocked by Thales in 2025 | 17.2 trillion |
| Growth of AI-driven bot attacks | 12.5 times |
| Bot attacks targeting APIs | 27% |
| Bot attacks on financial services | 24% |
| Account Takeover in financial services | 46% |

APIs and Identity Become the New Front

One of the most significant shifts is in APIs. Thales estimates that 27% of bot attacks now directly target these entry points. This evolution makes sense: modern applications rely on APIs to authenticate users, display prices, manage shopping carts, process payments, check availability, or deliver data to mobile apps.

For automated attackers, APIs are often more attractive than visual interfaces. They don’t need to “browse” like a human. Instead, they can send well-formed requests, use valid credentials, and exploit the service’s logic at machine speed. From a technical perspective, not all traffic appears malicious since many requests are legitimate. Malicious activity emerges through volume, repetition, intent, or context.

The report highlights three common threats to APIs: data leaks, abuse of business logic, and technical attacks such as remote code execution or file inclusion. In practice, this may translate to massive scraping, automated price queries, manipulation of promotions, login form attacks, credential stuffing, or exploitation of purchase and reservation flows.

Account Takeover remains one of the most damaging uses. Bots test combinations of usernames and passwords obtained from other services, exploit credential reuse, and target authentication endpoints. Even with MFA, many companies remain vulnerable if they don’t monitor behavior patterns, suspicious sessions, sudden geographic shifts, or abnormal API identity usage.
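The monitoring described above can be sketched as detection logic over authentication logs. This is an added example, not code from the Thales report or from this article; the event format, the function name `find_stuffing_sources` and the thresholds are assumptions, and the log lines are constructed. It flags a source that tries many distinct usernames with a low success rate inside one time window, and returns the accounts that source did log in to, which are the ones to review or reset.

```python
from collections import defaultdict

# Constructed sample login events: (epoch seconds, source, username, success).
# "source" is whatever key is aggregated on (IP, ASN, device fingerprint).
EVENTS = [
    (1000, "203.0.113.7", "alice", False),
    (1004, "203.0.113.7", "bob", False),
    (1009, "203.0.113.7", "carol", False),
    (1013, "203.0.113.7", "dave", True),     # a reused password worked
    (1018, "203.0.113.7", "erin", False),
    (1022, "203.0.113.7", "frank", False),
    (1030, "198.51.100.4", "grace", False),  # one user mistyping a password
    (1041, "198.51.100.4", "grace", False),
    (1055, "198.51.100.4", "grace", True),
    (5000, "203.0.113.7", "heidi", False),   # outside the first window
]


def find_stuffing_sources(events, window=300, min_users=5, max_success_ratio=0.25):
    """Map each flagged source to the accounts it logged in to successfully.

    A source is flagged when, within `window` seconds, it tried at least
    `min_users` distinct usernames and at most `max_success_ratio` of the
    attempts succeeded. Thresholds are illustrative assumptions.
    """
    by_source = defaultdict(list)
    for ts, source, user, ok in sorted(events):
        by_source[source].append((ts, user, ok))

    flagged = {}
    for source, rows in by_source.items():
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the span covers at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            wins = {u for _, u, ok in span if ok}
            success_ratio = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and success_ratio <= max_success_ratio:
                flagged.setdefault(source, set()).update(wins)
    return flagged


if __name__ == "__main__":
    for source, accounts in find_stuffing_sources(EVENTS).items():
        print(source, "-> review/reset:", sorted(accounts))
```

Because adaptive bots rotate addresses, the same function is more useful when `source` is a coarser key such as an ASN or a device fingerprint rather than a single IP.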

The financial sector is most affected. According to Thales, it accounted for 24% of all bot attacks and 46% of Account Takeover incidents. The reason is clear: financial accounts have direct value for fraud, identity theft, and rapid monetization. In Europe, such incidents can also trigger obligations under regulations like GDPR, DORA, NIS2, or PSD2, especially if they involve personal data, operational continuity, or critical services.

Digital Media is Under Pressure Too

The bot problem isn’t limited to banks, e-commerce sites, or airlines. Media outlets and content websites face increasing pressure from AI crawlers and real-time data retrieval systems.

Akamai published a report in April 2026 focusing on the publishing sector, stating that AI bot activity increased 300% in 2025. Within AI bot traffic, the media sector represented 13%, and publishers accounted for 40% of that activity. The impact isn’t purely technical—according to Akamai, AI chatbots generated around 96% less referral traffic than traditional Google searches in Q4 2024.

This shifts the economic balance of the internet. For years, search engines crawled content, indexed it, and drove traffic to websites. With generative AI systems, some of that content now feeds direct responses without the user visiting the source. For digital media outlets, this means increased technical load, higher machine consumption of content, and fewer opportunities for revenue through advertising, subscriptions, or branding.

Cloudflare describes this trend as a gap between crawling and return traffic. Data suggests that by mid-2025, crawling for training purposes already made up nearly 80% of AI bot activity. The company also proposes solutions like Pay Per Crawl—a private beta system allowing content owners to permit, block, or charge certain crawlers for access to their pages.

However, this is far from solving the core issue. Charging crawlers requires reliable identification, commercial agreements, and technical frameworks accepted by major AI platforms. In the meantime, many small and medium-sized sites face only two unsatisfactory options: allow crawling with no clear return or aggressively block, risking reduced visibility.

What Companies Should Do

Defending against bots can no longer be limited to installing a WAF and reviewing logs during traffic spikes. Thales emphasizes a shift in approach: moving from reactive defense to automation governance.

This involves defining which AI agents can access the site, which crawlers to block, which endpoints should be off-limits to automation, and what limits apply to APIs, login pages, checkout processes, internal search, or forms. Not all bots are harmful, but all automated traffic should be identified, measured, and controlled.

Organizations also need to protect business logic. In retail, for example, a bot might add products to a cart without purchasing to create artificial scarcity. In travel, bots can query prices and availability thousands of times to distort search and booking ratios. In financial services, they might test credentials, exploit account recovery processes, or attack authentication APIs.

Superficial signals are no longer enough. Many bots mimic legitimate browsers, use residential or mobile proxies, execute JavaScript, or simulate human browsing patterns. Thales notes that Chrome was the most impersonated browser by malicious bots in 2025, accounting for 41% of traffic claiming to be Chrome. Behavioral analysis, session consistency, reputation scoring, and continuous pattern review are essential.

The conclusion is clear: automated traffic is now a structural part of the internet. It will not disappear. Organizations must learn to differentiate useful automation from abusive automation, protect APIs as critical infrastructure, and decide what role they want AI agents to play in their services.

For users, this change will be almost invisible—until something fails: a website loads incorrectly, a store shows no stock, an account gets locked, CAPTCHAs become constant, or a media outlet ceases publishing because its content is being fed into external systems without adequate return. For companies, the message is urgent: the web has become predominantly machine-to-machine, and security must adapt to this reality.

Frequently Asked Questions

What percentage of web traffic is made up of bots?
According to Thales’ Bad Bot Report 2026, bots represented 53% of observed web traffic globally in 2025, compared to 47% from humans.

Are all bots malicious?
No. The report distinguishes between malicious bots—which account for 40% of total traffic—and benign bots, which make up 13%. Still, malicious bots dominate automated traffic.

Why does AI make the problem worse?
AI enables the creation of more adaptive bots capable of modifying their behavior, imitating human patterns, bypassing controls, and adjusting attacks when blocked.

Which sectors are most affected by bots?
Financial services experience the highest volume of bot attacks and nearly half of all account takeover incidents. Retail, travel, media, technology, and telecom sectors are also highly exposed.
