SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

AI bots drive 57% of holiday shopping traffic, study finds

Today

Radware has released its 2025 E-commerce Bot Threat Report, finding that 57% of online shopping website traffic during the 2024 holiday season was generated by automated bots rather than human buyers.

This marks the first recorded instance in which non-DDoS-generating bots have overtaken human shoppers in driving traffic to e-commerce websites, according to Radware's data. The company asserts this signals significant changes in the cybersecurity landscape affecting e-commerce providers and online retailers.

Ron Meyran, Vice President of Cyber Threat Intelligence at Radware, said: "Bad bots are no longer just based on simple scripts—they're sophisticated, AI-enhanced agents capable of outsmarting traditional defences. E-commerce providers and online retailers that rely on conventional security measures will find themselves increasingly exposed, not just during the holidays but year-round."

The report outlines several key bot attack trends and real-world data observed during the online holiday shopping period in 2024. Additionally, it examines the distributed and multi-vector attacks that e-commerce businesses should be prepared to address in the coming year.

According to the findings, AI-generated bots employing human-like behaviours are becoming increasingly prevalent. Bad bots represented 31% of total internet traffic during the 2024 holiday season. Nearly 60% of this malicious traffic used advanced techniques designed to circumvent traditional, signature-based detection systems. Tactics identified include rotating IP addresses and identities, distributed attack patterns, the use of CAPTCHA farm services, and other sophisticated anomalies. Addressing these threats, the report states, requires accurate, AI-powered detection systems that limit false positives while identifying attack patterns.

The research also highlights a spike in attacks directed at mobile platforms. Malicious bot traffic targeting mobile devices increased by 160% between the 2023 and 2024 holiday seasons. This shift in attacker focus, the report notes, calls for security strategies specifically tailored to mobile platforms. Techniques now employed by attackers include the use of mobile emulators, mobile-centric proxy services, and headless browsers with mobile user-agent strings.

Attacks exploiting distributed network infrastructures and residential proxy networks have also seen a rise. The proportion of holiday attack traffic originating from and blending with ISP networks increased by 32% from 2023 to 2024. This trend reflects a growing use of residential proxy services by attackers, who use them to evade rate-limiting, geo-based, and IP-based blocking mechanisms. According to Radware, this development presents additional mitigation challenges for security teams lacking advanced and multi-layered defences.

The report details a growth in coordinated multi-vector attack campaigns. Attackers are increasingly combining bot activity with the exploitation of web application vulnerabilities, business logic attacks, and API-focused intrusions. Radware suggests that protecting security systems under such strain requires an integrated application security strategy. This would involve leveraging updated threat intelligence and cross-correlation of security threats across different security modules.

In summary, the new Radware report provides a review of emerging bot threats and recommends that e-commerce providers reassess their defensive strategies in response to the increasing sophistication of malicious bots, especially those utilising AI-driven capabilities and targeting mobile platforms and distributed networks.
