Morning Overview

Report: AI-driven bot attacks jump from 2M to 25M daily

For the first time on record, automated bots generated more internet traffic than human beings in 2025, and the hostile share of that machine activity surged at a pace that caught even seasoned security professionals off guard. AI-driven bot attacks leaped from roughly 2 million to 25 million per day over the course of a single year, according to findings attributed to the 2026 Thales Bad Bot Report, released in late April 2026.

The numbers reframe a problem that many companies still treat as background noise. Bots now account for 53% of all web traffic, the report found, and roughly 40% of total traffic consists of “bad bots” designed to steal credentials, scrape pricing data, hoard limited-inventory products, or overwhelm login systems. The remaining bot traffic comes from benign automation such as search-engine crawlers and uptime monitors.

A 12.5x surge in a single year

The sharpest finding in the Thales data is the scale of acceleration. The company’s press release confirms that AI-driven bot attacks surged 12.5 times compared with the prior year. Multiple outlets, including NDTV Profit, independently corroborate that multiplier, lending it high confidence.

The specific jump from 2 million to 25 million daily attacks comes from secondary analysis of the report rather than the Thales press release itself, which emphasizes the 12.5x ratio without publishing exact daily totals in its public summary. Some outlets have rounded the increase to “10-fold,” likely reflecting editorial simplification. Until Thales releases its full methodology, the 12.5x figure from the primary source is the most reliable anchor.

What makes the multiplier genuinely alarming, rather than a statistical curiosity, is the size of the base. A 12.5x increase from a few thousand daily incidents would barely register on a corporate security dashboard. A 12.5x increase from a baseline already measured in the millions produces a volume that can strain commercial web-application firewalls and fraud-detection pipelines to their limits.

Why the surge is happening now

The Thales report lands at a moment when generative AI tools have become widely accessible and cheap to operate. While the company has not yet detailed the specific techniques attackers are using, the broader security community has documented a clear pattern: large language models and AI-powered browser automation make it far easier to solve CAPTCHAs, rotate through realistic-looking user profiles, and mimic human browsing behavior at scale.

That shift matters because it erodes the effectiveness of traditional bot defenses. Rules-based filters that flag traffic based on known bot signatures or simple rate limits struggle against adversaries whose scripts can convincingly replicate the mouse movements, scroll patterns, and session timing of a real person. The result is an arms race in which defenders must move from static rules to adaptive, behavior-based detection.

The geographic distribution of attacks adds another layer. According to one secondary source, the United Kingdom ranks as the third-most targeted country globally, though the full ranking, including which nations hold the top two positions, has not appeared in available reporting. Without that context, it is difficult to say whether the UK faces outsized risk relative to its digital economy or whether the ranking simply mirrors its large internet footprint.

What this costs businesses

The Thales report does not include public cost estimates tied to the bot surge, a gap that limits the ability to quantify the economic damage. But the operational toll is already visible across several sectors.

E-commerce platforms absorb the cost of credential-stuffing attacks that lead to account takeovers, fraudulent purchases, and a flood of customer-support tickets from locked-out users. Financial services firms face similar pressure on login portals, where bots cycle through stolen username-and-password combinations harvested from previous data breaches. Airlines and ticketing platforms contend with inventory-hoarding bots that snap up seats or event tickets before human buyers can reach the checkout page, distorting demand signals and frustrating customers.

Even companies that are not direct targets pay a hidden tax. If 40% of inbound traffic is hostile, every dollar spent on bandwidth, server capacity, and content-delivery networks is partially subsidizing the attacker. Scaling infrastructure in response to rising request volumes, without filtering out bot traffic first, effectively rewards the machines with more resources to exploit.

How security teams are responding

The first practical shift is a change in assumptions. Organizations that still design their web infrastructure around the premise that most visitors are human are working from an outdated model. The Thales data suggests the opposite is now true, and controls should reflect that reality.

“We are seeing bot operators adopt generative AI at a speed that outpaces most defenders’ ability to update their rule sets,” said Nanhi Singh, general manager of application security at Imperva, a Thales subsidiary, in the report’s accompanying press materials. Singh’s comment underscores a concern shared across the industry: the tools that make AI useful for legitimate developers are equally useful for attackers, and the cost of launching sophisticated bot campaigns is falling fast.

Acting on that change in assumptions starts with visibility. Security teams need to baseline normal user behavior for their key applications and flag traffic that diverges sharply from those norms: high-frequency login attempts, scripted navigation paths, unusual request headers, or sessions that skip directly to high-value endpoints without the browsing patterns a real customer would produce.
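As an illustration added here (not code from the Thales report or any vendor), the four signals in the paragraph above can be scored per session from request logs. The endpoint names, header set, thresholds and sample events are assumptions constructed for the example; real thresholds should come from an application's own traffic baseline.

```python
from collections import defaultdict
from statistics import pstdev

# Assumed names and thresholds for illustration; derive real ones from your own baseline.
HIGH_VALUE = {"/login", "/checkout", "/password-reset"}
BROWSER_HEADERS = {"accept-language", "accept-encoding"}
FULL = frozenset({"user-agent", "accept", "accept-language", "accept-encoding"})

# Constructed sample events: (session_id, seconds, method, path, header names sent)
EVENTS = (
    [("human-1", t, m, p, FULL) for t, m, p in [
        (0.0, "GET", "/"), (7.4, "GET", "/products"), (31.0, "GET", "/products/42"),
        (52.3, "GET", "/cart"), (80.1, "POST", "/login"), (95.8, "GET", "/checkout")]]
    + [("bot-1", 100.0 + 2.0 * i, "POST", "/login", frozenset({"user-agent"}))
       for i in range(8)]
    + [("monitor-1", 30.0 * i, "GET", "/status", FULL) for i in range(5)]
)

def login_burst(reqs, limit, window=60.0):
    """True if more than `limit` POST /login requests fall within `window` seconds."""
    t = [ts for ts, m, p, _ in reqs if m == "POST" and p == "/login"]
    return any(t[i + limit] - t[i] <= window for i in range(len(t) - limit))

def flag_sessions(events, max_logins_per_min=5, min_jitter_s=0.25):
    """Return {session_id: [signal names]} for the four signals the article lists."""
    sessions = defaultdict(list)
    for sid, ts, method, path, headers in events:
        sessions[sid].append((ts, method, path, headers))
    findings = {}
    for sid, reqs in sessions.items():
        reqs.sort(key=lambda r: r[0])
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        paths = [r[2] for r in reqs]
        signals = []
        if login_burst(reqs, max_logins_per_min):
            signals.append("login_burst")           # high-frequency login attempts
        if len(gaps) >= 3 and pstdev(gaps) < min_jitter_s:
            signals.append("scripted_timing")       # near-constant request spacing
        if any(not BROWSER_HEADERS <= r[3] for r in reqs):
            signals.append("unusual_headers")       # headers ordinary browsers send are absent
        if all(p in HIGH_VALUE for p in paths):
            signals.append("direct_to_high_value")  # no browsing before sensitive endpoints
        findings[sid] = signals
    return findings

if __name__ == "__main__":
    for sid, signals in flag_sessions(EVENTS).items():
        print(sid, signals)
```

The constructed uptime monitor trips only the timing signal, which is why a single signal should raise a score rather than trigger a block: benign automation shares some traits with hostile bots.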

Modern bot-management platforms from vendors such as Cloudflare, Akamai, and Imperva can help separate benign automation from hostile activity. But as attackers adopt AI to blend in more convincingly, static detection rules lose their edge. Anomaly-detection systems that learn and adapt to shifting patterns, combined with stepped-up authentication for high-risk actions like password resets or large purchases, are becoming table stakes.

Cross-functional coordination matters just as much as technology. Fraud analysts, application developers, and infrastructure engineers each see different symptoms of the same bot campaign. A spike in declined transactions, a surge in account-lockout complaints, and an unexpected jump in bandwidth usage may all trace back to a single coordinated attack. Shared dashboards and rehearsed incident playbooks can compress the gap between detection and response from hours to minutes.

A web where humans are the minority

The broader takeaway from the 2026 Thales report is structural, not just statistical. The internet has quietly crossed a threshold: for the first time, the majority of its traffic is generated by machines, and the fastest-growing segment of that machine traffic is adversarial. The exact ratios and industry breakdowns will sharpen as the full report and independent research follow in the coming weeks.

For now, the combination of a documented 12.5x surge in AI-driven attacks and confirmation that bots have overtaken humans in total traffic volume is enough to force a practical reckoning. Companies that still calibrate their security, their capacity planning, and their fraud budgets around the assumption of a human-majority web are defending a version of the internet that no longer exists.


*This article was researched with the help of AI, with human editors creating the final content.