Disclosure: TheBestVPN is reader-supported. When you buy a VPN through links on our site, we may earn commissions. Learn more.

What Percent of Internet Traffic Is Bots?

Last updated:
What Percent of Internet Traffic Is Bots?

 

Key Takeaways

  • 53% of all global web traffic was bots in 2025 – the second consecutive year automated traffic has outpaced human activity.
  • 40% of traffic came from bad bots, up from 37% in 2024 – the seventh consecutive year of growth.
  • 27% of bot attacks targeted APIs directly, with attackers bypassing standard web interfaces to operate at machine speed.

The Story Behind the Numbers

Most people picture the internet as a place where humans browse, stream, and connect. The data tells a different story. According to the 2026 Thales Bad Bot Report, bots accounted for 53% of all global web traffic in 2025 – the second straight year automated activity has outnumbered humans, climbing from 51% the year before.

That 53% splits into two types. Good bots (13%) are legitimate: search engine crawlers, AI crawlers, and monitoring tools that check page availability. Bad bots (40%) are the problem – programs built to scrape data, steal passwords, commit fraud, or overwhelm servers. That 40% marks a 3-percentage-point jump from 37% in 2024, the seventh consecutive year of growth. The primary driver is AI: AI-enabled bot attacks surged 12.5x year-over-year, with the daily average of blocked attacks rising from 2 million to 25 million.

Why This Data is Important

These numbers have real consequences for anyone online. Account Takeover (ATO) attacks – where bots use stolen credentials to hijack accounts – grew sharply, with a 70% increase comparing July 2024 to July 2025. Financial services absorbed the heaviest blow, accounting for 46% of all ATO incidents and 24% of all bot attacks. Every failed login attempt on your bank, streaming service, or email could be a bot, not a human. Using a VPN for everyday browsing and services that mask your IP address makes it meaningfully harder for bots to profile and target your accounts.

APIs are now the prime target. An API is the hidden layer that connects apps, processes payments, and handles logins. In 2025, 27% of bot attacks hit APIs directly, with the most common threats including data leakage (26%), business logic abuse (13%), and remote code execution (13%). Evasion is advancing too: 41% of bad bot traffic now disguises itself as Chrome (up from 39%), and bots increasingly route through residential proxy networks to blend in with normal users. Understanding how VPN encryption protocols work helps explain why encrypted traffic is far harder for attackers to intercept and exploit.

Looking Ahead: Future Outlook

Bad bot traffic has risen for seven consecutive years with no slowdown in sight. AI tools continue to lower the barrier to entry, and 58% of all bot attacks in 2025 were already classified as advanced or moderate – a 2-point increase year-over-year. Thales blocked 17.2 trillion bot requests in 2025 alone, with AI agents now emerging as a third category of traffic alongside good and bad bots. Automated threats are a permanent reality – for businesses and everyday users alike.

Source & Methodology

Data in this article is sourced from the 2026 Thales Bad Bot Report, the 13th annual study of automated internet traffic from Thales and Imperva. Findings are based on full-year 2025 data collected from the Imperva global network, covering the detection and blocking of 17.2 trillion bot requests across thousands of domains worldwide.