New 2025 E-commerce Bot Threat Report details rise in bot attacks, emerging threat vectors, and shifting defence strategies.
Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today released its “2025 E-commerce Bot Threat Report.” The report found that automated bots—good and bad bots—accounted for 57% of e-commerce website traffic during the 2024 holiday season. It marks the first time that automated, non-DDoS generating bots drove more traffic than human shoppers, signalling a critical shift in the cybersecurity landscape for e-commerce providers and online retailers.
“Bad bots are no longer just based on simple scripts—they’re sophisticated, AI-enhanced agents capable of outsmarting traditional defences,” said Ron Meyran, vice president of cyber threat intelligence at Radware. “E-commerce providers and online retailers that rely on conventional security measures will find themselves increasingly exposed, not just during the holidays but year-round.”
The report highlights major bot attack trends and real-world attack data observed during the 2024 online holiday shopping season. In addition, it offers insights into the distributed, multi-vector attacks e-commerce providers and retailers can expect to battle this year.
Key findings and insights
AI-generated bots with human-like behaviour gain dominance: According to the report, bad bots made up 31% of total internet traffic during the last holiday season. Nearly 60% of the malicious traffic employed advanced behavioural techniques to evade traditional, signature-based detection. Combating these bots requires accurate AI-powered detection of attack patterns, including rotating IPs and identities, distributed attacks, CAPTCHA farm services, and other advanced anomalies, without causing false positives.
Mobile-focused attacks surge: Malicious bot traffic directed at mobile platforms rose 160% between the 2023 and 2024 holiday shopping seasons, representing a fundamental shift in attacker focus. Security strategies need to be shored up and tailored for vulnerable mobile platforms and attackers using more sophisticated techniques, including mobile emulators, mobile-specific proxies, and headless browsers with mobile user-agent strings.
Attacks leveraging distributed infrastructures and residential proxy networks increase: The proportion of holiday attack traffic originating from and blending in with ISP networks increased 32% between 2023 and 2024. Attackers are leveraging wider network and residential proxy services to evade rate-limiting, geo-based, and IP-based blocking mechanisms, creating even greater mitigation challenges for security teams working without advanced, multi-layered protections.
Coordinated multi-vector attack campaigns escalate: To maximise their success, attackers are targeting applications by combining bot attacks with web application vulnerability exploits, business logic attacks, and API-focused attacks. Protecting already burdened security systems requires an integrated application security strategy that uses the latest threat intelligence and cross-correlates security threats across security modules.
Radware’s complete bot report can be downloaded here.