With bots now making up 53% of internet traffic, what should e-commerce and retail businesses do next?
Summary
In 2025, bots accounted for 53% of total web traffic. Among them, 40% were identified as malicious bots.
AI-powered bot attacks increased by 12.5 times year over year, while the volume of simple bot attacks grew by more than 230%. AI is lowering the barrier to bot development, creating an environment where more bots can be created and spread at a faster pace.
Retail and e-commerce are the top target industries for AI bots. These sectors include many workflows with direct monetary value, such as product browsing, price checks, inventory checks, coupons, carts, and checkout, making them major targets for bots and macros.
E-commerce bot traffic is not just a traffic volume issue. Retail accounts for the highest share of bot-driven Business Logic Abuse at 24%, as high-value data and workflows such as pricing, inventory, coupons, and payment are concentrated in this sector.
Bot traffic can no longer be addressed through blocking alone. Bot mitigation and traffic control must be designed together. Malicious bots need to be detected and blocked, while genuine customer traffic must be managed stably according to service capacity.
How Much of Internet Traffic Is Bot Traffic?
According to Imperva’s Bad Bot Report 2026, bots currently account for 53% of total internet traffic. For the second consecutive year, bot traffic has surpassed human traffic across the web. Bot traffic is no longer a temporary phenomenon, but a constant factor that must be considered in digital service operations.
The key point is not simply that “bot traffic has increased.” What matters is that the nature of bots has changed. Modern bots are evolving with AI, learning application flows, adapting their behavior based on blocking mechanisms, and repeatedly exploring multiple access paths.
The Bad Bot Report also shows that AI-powered bot attacks increased by 12.5 times year over year, while the volume of simple bot attacks grew by more than 230%. This indicates that AI is lowering the technical barrier to entry and creating an environment where more bots can be created and spread at a much faster pace.
Can AI Bots Be Distinguished from Real Users?
AI is transforming bots from simple repetitive tools into adaptive automation systems that can learn and adjust their behavior. While traditional bots repeatedly sent requests based on predefined rules, AI-powered bots analyze application workflows, adjust request timing based on blocking mechanisms, and search for bypassable access paths.
This shift is highly significant from a security perspective. In the past, bots could often be identified through abnormally fast requests, specific IP ranges, or repetitive access patterns. However, today’s bots are designed to appear like real users. They follow user-like flows such as login, search, add-to-cart, and checkout.
According to the report, 41% of malicious bot traffic in 2025 disguised itself as Chrome browser traffic. This means bot traffic no longer necessarily looks abnormal on the surface. It may appear to come from legitimate users, while actually carrying out malicious activities such as high-volume requests, inventory hoarding, price scraping, or account takeover attempts.
Change | Traditional Bots | AI-Powered Bots |
|---|---|---|
Operating Method | Repeat predefined commands | Adjust behavior based on the situation |
Detection Evasion | Simple User-Agent manipulation | Mimic browser, device, and session patterns |
Attack Method | Repeatedly call specific URLs | Follow full workflows such as login, search, add-to-cart, and checkout |
Response Difficulty | Partially detectable with static rules | Requires behavior-based analysis and continuous policy tuning |
Key Risks | High-volume traffic and scraping | Business logic abuse, direct API calls, and automated fraud |
Therefore, future bot mitigation can no longer rely solely on determining whether traffic is “bot or not.” It must also assess whether the automation aligns with the intended business purpose or is abusing the service flow.
Why Are Retail and E-Commerce Major Targets for AI Bots?
According to the Imperva 2026 Bad Bot Report, retail is one of the top target industries for malicious bots and is the sector most heavily targeted by AI bots.
In particular, retail accounted for the highest share of bot-driven targeted Business Logic Abuse, at 24%.
The reason retail and e-commerce are major bot targets is clear. E-commerce sites contain high-value data and workflows, including product information, pricing, inventory, coupons, member accounts, carts, and checkout. In addition, events where speed directly determines purchase opportunities—such as limited-edition drops, first-come-first-served coupons, flash sales, and high-demand product launches—create favorable conditions for bots and macros.
Retail / E-Commerce Function | How Bots Abuse It |
|---|---|
Real-time inventory information | Repeatedly call inventory-check APIs or preoccupy inventory |
Pricing information | Conduct competitor analysis, set resale prices, or scrape pricing data |
First-come-first-served events | Use macros to generate high-volume access and capture purchase opportunities |
Cart functionality | Add products to cart without completing payment, making items appear sold out to real customers |
Login / Member accounts | Perform credential stuffing, account takeover, and abuse points or coupons |
In e-commerce, bot attacks are especially problematic because they often operate within normal service flows rather than appearing as direct technical intrusions. For example, viewing product detail pages, adding items to cart, applying coupons, and attempting checkout are all normal user behaviors. However, when these actions are repeated at abnormal speed and scale, they become Business Logic Abuse.
5 Ways AI Bots Damage the E-Commerce Industry
Bots do more than simply send high volumes of requests to servers. They take purchase opportunities away from real customers, distort operational metrics, and weaken brand trust.
A. Infrastructure and Conversion Risks
1) Infrastructure
Server Overload and Service Disruption
Unlike normal users, AI bots repeatedly send high volumes of requests within a short period of time. Repeated API calls can rapidly increase server load, raising the risk of service delays and system failures.
2) Conversion Rate
Bot Traffic Blocking the Checkout Flow
When bot traffic is concentrated in checkout and cart workflows, it disrupts the purchase journey for real customers. Even a slight slowdown in page loading can have an immediate impact on conversion rates.
A 1-second delay in loading time can reduce conversion rates by 7%
A 3-second delay in loading time can reduce conversion rates by 20%
Source: WIRO Agency
3) Data
Contaminated Consumer Behavior Analytics
Repeated product page views, high-frequency checks on specific products, and add-to-cart abandonment can distort real customer behavior data. This can lead to a chain of errors across ad performance measurement, product popularity analysis, and inventory forecasting.
B. Fairness and Security Risks
1) Fairness
Loss of Limited-Edition Purchase Opportunities
In limited-edition drops or first-come-first-served events where speed determines purchase opportunities, macro-driven purchases and cart hoarding can leave real customers with nothing but “sold out” messages.
The fan experience designed by the brand can collapse, leading to customer complaints, social media backlash, and declining brand trust.
2) Security
Account Takeover and Credential Stuffing
Automated account takeover and credential stuffing attacks can abuse member account information, coupons, and loyalty points. Customers who reuse the same passwords across multiple services are especially exposed to higher risk.
Exposure to Ransomware Attacks
According to Verizon’s 2025 DBIR, ransomware appeared in 44% of all breaches, increasing by 37% year over year.
In the UK retail sector, Marks & Spencer and several other companies experienced weeks of operational disruption due to ransomware attacks that exploited sophisticated social engineering tactics and vulnerabilities in connected systems. The impact reportedly led to an estimated operating profit loss of approximately £300 million.
Read the full article here→
Why Bot Blocking Alone Is Not Enough
E-commerce bot mitigation starts with detecting and blocking malicious bots. However, that alone is not enough. During large-scale promotions, first-come-first-served coupon events, limited-edition drops, or ticketing-style product sales, even legitimate users can arrive at the same time and place a heavy burden on the system.
In other words, peak e-commerce events create two challenges at once.
Malicious bots and macros capture purchase opportunities faster than real customers.
Legitimate users also flood the service simultaneously, causing overload across servers, APIs, and payment systems.
Therefore, e-commerce needs a structure that blocks bots while allowing real users to enter in a stable and controlled way. Malicious automation must be detected and blocked, while genuine customer traffic must be processed sequentially according to service capacity.
Ultimately, e-commerce bot mitigation is not just a security solution issue. Bot blocking, API protection, traffic control, and customer experience management must be designed together.
Bot Blocking and Traffic Control Are One Design Problem
The fact that bots accounted for 53% of total web traffic in 2025 signals that digital service operations must prepare for a major shift. Bot traffic is becoming easier to generate through AI, more sophisticated in disguise, and more capable of abusing service workflows.
Retail and e-commerce are among the industries most directly affected by this shift. These sectors contain high-value data and workflows such as products, pricing, inventory, coupons, accounts, carts, and payments. They also rely heavily on speed-sensitive events such as first-come-first-served promotions and limited-edition sales.
Therefore, future e-commerce bot mitigation must go beyond simply distinguishing humans from bots. It must identify which automation supports business objectives and which automation abuses business logic. Malicious traffic must be blocked, while legitimate customer traffic must be controlled in a stable way.
Bot blocking and traffic control are not separate issues. They are part of a single design challenge to protect fair purchase opportunities, stable service operations, accurate marketing data, conversion rates, and brand trust.
FAQ
Q1. What percentage of internet traffic was bot traffic in 2025?
According to Thales’ 2026 Bad Bot Report, automated traffic accounted for 53% of total web traffic in 2025. Among this, 40% was malicious bot traffic and 13% was benign automation.
Q2. How are AI bots different from traditional bots?
Traditional bots are mainly designed to repeat predefined tasks. AI bots, however, can learn application workflows and adjust their behavior based on detection and blocking mechanisms. AI agents can also access websites and APIs on behalf of users to search for data or perform tasks.
Q3. Why are e-commerce sites frequently targeted by bots?
E-commerce sites contain high-value data such as product information, pricing, inventory, coupons, carts, and checkout flows. In speed-sensitive events such as first-come-first-served promotions or limited-edition drops, bots and macros can take purchase opportunities away from real customers.
Q4. What types of damage can e-commerce bot traffic cause?
E-commerce bot traffic can lead to inventory hoarding, price scraping, coupon abuse, account takeover, cart occupation, server overload, slower page loading, lower conversion rates, and distorted marketing metrics.
Q5. Is a bot mitigation solution alone enough?
Not always. Malicious bots must be blocked, but during large-scale promotions or limited-edition sales, legitimate users can also arrive at the same time. This requires a structure that combines bot detection and blocking with controlled traffic management based on service capacity.