May 5, 2025
SINGAPORE – Malicious bots aided by artificial intelligence (AI) tools now generate 45 per cent of all internet traffic in Singapore, a sharp rise from 35 per cent a year ago, according to a new study.
The 2025 Imperva Bad Bot Report, which compared bot traffic between 2023 and 2024, found bad bots to be most prevalent in the gambling, gaming, automotive and travel sectors here.
The 12th edition of the report drew from data collected from across the Imperva global network in 2024, including the blocking of 13 trillion bad bot requests across thousands of domains and industries.
Singapore ranked fourth among places in the Asia-Pacific that were most targeted by bad bots in 2024, after Hong Kong, Indonesia and Australia, according to the 12th annual study released in late April by United States-based cyber-security firm Imperva.
Globally, automated bot traffic surpassed the human-generated type for the first time in a decade, constituting 51 per cent of all web traffic in 2024, according to the study.
Of the total bot traffic, 37 per cent were found to be malicious activities, including data scraping, payment fraud, account takeovers, credentials theft and distributed denial of service (DDoS). DDoS attackers make websites unavailable to legitimate users by flooding the sites with queries.
With the help of AI, bad bots can mimic human behaviour – including mouse movements and clicks – making them difficult to detect and block, said the report.
“The surge in AI-driven bot creation has serious implications for businesses worldwide,” said Mr Tim Chang, general manager of application security at Thales, which owns Imperva.
The emergence of advanced AI tools – including ChatGPT, ByteSpider Bot, ClaudeBot, Google Gemini, Perplexity AI and Cohere AI – has transformed the methods by which attackers execute cyber threats.
For instance, bad bots automatically crack outdated mobile applications that do not enforce mandatory updates, write codes to increase attack volumes and collect large quantities of sensitive data.
In 2024, Imperva blocked an average of two million AI-powered cyber attacks daily.
ByteSpider Bot alone accounted for more than half of all AI-enabled attacks globally. Other significant contributors include AppleBot, ClaudeBot and ChatGPT User Bot.
Over the last few months, politically-motivated activities have risen, with these bots setting up social media accounts to proliferate politically-charged messages in the midst of the hustings as Singaporeans prepare to go to the polls on May 3, Appdome, another cyber-security firm, found.
Such traffic typically comes in the form of social media post hijacking, where bots produce inflammatory or empathetic messages to rouse viewers to engage with the content, said Mr Jan Sysmans, Appdome’s mobile app defence evangelist based in Singapore.
“The people behind these bots are trying to propagate their own agenda and create tension to spark a flame,” he added.
“There isn’t a standard way these bots approach (hijacking). It just encourages users to engage in the content, which influences their algorithm. Subsequently, users will get fed more of such inflammatory or empathetic content, creating an echo chamber effect.”
Globally, the travel sector is the most targeted, accounting for over a quarter of all bot attacks. It is trailed by the retail, education and financial services sector, according to the Imperva study.
Notably, travel websites face an increase in simple bot attacks, possibly launched by less sophisticated criminals using AI tools.
These attacks include “seat spinning”, where bots simulate the booking process of flight tickets up to the payment step, without completing the purchase. This hogs tickets and denies potential customers access to them, disrupting airline businesses and jeopardising their reputation.
AI tools flooding travel websites with traffic may also inflate the demand and costs of tickets.
Online retailers faced threats including scalping, credential stuffing, gift card fraud and DDoS – all year round in 2024 as opposed to just during festive seasons in 2023.
Scalping involves buying many of the same items such as limited edition goods or concert tickets at the usual price and reselling them at higher prices. Credential stuffing involves taking over someone’s online account using stolen usernames and passwords.
Financial services, telecom, healthcare and retail are the most targeted industries for bot attacks on application programming interfaces (APIs). These sectors depend on APIs for critical operations and sensitive transactions, making them prime targets for such sophisticated bot attacks.
APIs act like a bridge between applications, allowing them to share data. For instance, an e-commerce platform that accepts credit card payments or bank transfers is linked via APIs to the payment-service firm or the bank.
Bots typically steal customer information or competitive intelligence, abuse promotional mechanisms and exploit vulnerabilities in check-out systems for fraud, according to the study.
“Businesses need to take steps to protect themselves from bots and online fraud,” Imperva said, urging businesses to implement multifactor authentication measures and real-time bot detection to protect customers.
On how internet users should protect themselves from falling prey to the effects of bad bots, Mr Sysmans said: “It is going to be very hard, with how advanced AI and technology is now. But one must always be vigilant and ask, ‘Is this too good to be true?’”