As bots outnumber real shoppers online, retailers face an invisible adversary—AI-driven automation disguised as everyday customers.
A new Radware report finds that 57% of ecomm traffic was bot-driven during the 2024 holidays—marking the first time machines outnumbered human buyers online.
The bots are winning 🤖
The internet’s no longer just crowded—it’s infested. According to Radware’s just-released 2025 E-commerce Bot Threat Report, 57% of online shopping traffic during the 2024 holiday season was from bots, not buyers.
That’s right. For the first time ever, actual humans were the minority on ecommerce sites during the busiest retail window of the year.
And these aren’t your grandpa’s bots. They’re AI-enhanced, mobile-optimized, and engineered to outmaneuver your legacy WAF like it’s a tin can in a hurricane 🌪️.
AI bots are outsmarting legacy security 🧠🔐
Per Radware, 31% of total internet traffic last season came from malicious bots, and nearly 60% of that used advanced behavioral mimicry to avoid detection. These aren’t basic scripts—they’re:
- Rotating IPs and device fingerprints
- Bouncing through residential proxy networks
- Using CAPTCHA farms and mobile emulators
- Blending into real user flows like ghost shoppers 👻
Ron Meyran, Radware’s VP of Cyber Threat Intelligence, didn’t mince words: “E-commerce providers relying on traditional security measures are increasingly exposed—not just during the holidays, but year-round.”
Translation: your outdated rules-based defenses are toast.
Mobile is the new front line 📱⚔️
The bot war has gone mobile. Malicious traffic targeting mobile devices spiked 160% year-over-year, with attackers deploying:
- 📲 Mobile emulators
- 🧑💻 Headless browsers with mobile user-agents
- 🔌 Mobile-specific proxy services
If your mobile security posture is an afterthought, you’re wide open. Consumers are mobile-first—and now, so are the bad actors.
Proxies, proxies everywhere 🌍🛡️
Attackers are using residential and ISP proxies to blend in and break through.
- Holiday bot traffic blending into ISP networks jumped 32% year-over-year
- These proxies make traditional geo-fencing and IP rate-limiting practically useless
It’s a distributed mess. One attacker can look like 10,000 users across 30,000 ZIP codes.
Multi-vector attacks are the new standard 🎯🕸️
Bots are no longer the whole problem—they’re the opening act.
Radware found growing use of coordinated campaigns, where bots are paired with:
- Web app exploits
- Business logic attacks
- API abuse
This isn’t spray-and-pray. It’s calculated, persistent, and resourceful. And it’s hitting your site 24/7 whether you see it or not.
Operator POV: You’re not just fighting bots, you’re fighting business models 💼📊
Here’s the real threat: these bot operators aren’t hobbyists—they’re running businesses. With P&Ls. With AI-enhanced tools. With more innovation than most mid-market IT departments.
And they’re winning.
Retailers relying on basic security measures—or worse, burying their heads in the sand—are leaving money, data, and customer trust on the table. Every click from a bot is a real buyer who didn’t get that item. Every faked checkout or scraped price is a margin leak.
So what now? 🚨
Here’s the playbook if you don’t want to get eaten alive in 2025:
- 🤖 Invest in AI-powered bot detection—your WAF is blind without it
- 📲 Harden your mobile experience—both UX and security
- 🧱 Layer your defenses—don’t rely on IP blocking alone
- 🔌 Monitor APIs—they’re the new jackpot for attackers
- 🧠 Get real about threat intel—not just logs, but actual behavior tracking
Because if more than half your “shoppers” are bots, your biggest threat isn’t competition—it’s invisible and tireless, and it already knows your next move.
