In 2024, for the first time in a decade, bots overtook humans online.
51% of all web traffic is now automated. Not people browsing, shopping, or scrolling. Machines talking to machines. The other 49% is you.
Of that bot traffic, 37% is specifically malicious — scrapers, credential stuffers, fraud bots, and account hijackers. That's up from 32% the year before. The sixth consecutive year of growth.
In 2024, security firm Imperva (owned by Thales) blocked 13 trillion malicious bot requests across thousands of websites and industries. Thirteen trillion.
Why now?
AI lowered the barrier. Tools like ChatGPT, LLMs, and automated coding assistants have made it trivially easy to build bots. You don't need to be a hacker anymore. You barely need to be technical. The Imperva report found that simple bot attacks surged from 40% to 45% of all bot traffic — amateurs flooding the web with basic automated scripts, built with AI help.
There's now a growing market called Bots-as-a-Service (BaaS) — pay-to-use commercial bot platforms anyone can rent.
What are they doing?
- Scraping — copying entire websites, product catalogues, and pricing data
- Credential stuffing — trying stolen username/password combinations at scale
- Account takeover — up 40% year-on-year in 2024
- Ticket scalping — buying concert and event tickets before humans can
- Price manipulation — artificially inflating or deflating prices on e-commerce sites
- Ad fraud — faking clicks and impressions to steal advertising budgets
The most targeted industries: financial services (22% of account takeover attacks), telecoms (18%), and computing/IT (17%).
Travel gets hit hardest overall — 48% of all traffic to travel websites in 2024 was bad bots. Almost half. When you're searching for flights, you're competing with machines.
The internet was built for people. For the first time, it's no longer mostly used by them.