Radware's 2025 E-commerce Bot Threat Report reveals that automated bots generated 57% of online shopping website traffic during the 2024 holiday season, rather than human buyers. According to Radware's analytics, this is the first time non-DDoS generating bots have outperformed human shoppers in driving traffic to e-commerce websites. The company claims that this represents substantial shifts in the cybersecurity landscape for e-commerce providers and online retailers.
"Bad bots are no longer just based on simple scripts—they're sophisticated, AI-enhanced agents capable of outsmarting traditional defences. E-commerce providers and online retailers that rely on conventional security measures will find themselves increasingly exposed, not just during the holidays but year-round," stated Ron Meyran, Vice President of Cyber Threat Intelligence at Radware.
The report describes numerous important bot attack trends and real-world data collected during the 2024 online holiday shopping season. It also looks at the dispersed and multi-vector threats that e-commerce enterprises should be prepared to face in the coming year. According to the findings, AI-generated bots with human-like characteristics are becoming more common. Bad bots accounted for 31% of all internet traffic during the 2024 holiday season.
Nearly 60% of this malicious traffic employed novel strategies to avoid traditional, signature-based detection systems. Tactics discovered include IP address and identity rotation, distributed attack patterns, the exploitation of CAPTCHA farm services, and other sophisticated anomalies. According to the study, addressing these risks requires reliable, AI-powered detection systems that prevent false positives while recognising attack trends.
The report also highlights that attacks against mobile platforms have increased. The holiday seasons of 2023 and 2024 saw a 160% spike in malicious bot traffic directed at mobile devices. According to the study, this change in attacker focus necessitates security measures that are especially suited for mobile systems. These days, attackers use headless browsers with mobile user-agent strings, mobile emulators, and mobile-centric proxy services.
Attacks against distributed network infrastructures and residential proxy networks have also increased. Between 2023 and 2024, the share of holiday assault traffic originating and blending with ISP networks climbed by 32%. This rise reflects attackers' increased use of residential proxy services to circumvent rate-limiting, geo-based, and IP-based blocking methods. According to Radware, this trend creates new mitigation challenges for security teams who lack comprehensive and multilayered defences.