www.securitymagazine.com/articles/101712-over-half-of-online-shopping-traffic-is-made-up-of-bots
Shopping cart full of cardboard boxes

Shutter Speed via Unsplash

Over Half of Online Shopping Traffic is Made Up of Bots

June 23, 2025

Radware's recent ecommerce report found that automated bots accounted for 57% of e-commerce website traffic during the 2024 holiday season. It marks the first time that automated, non-DDoS generating bots drove more traffic than human shoppers, signaling a critical shift in the cybersecurity landscape for e-commerce providers and online retailers. 

The report highlights major bot attack trends and real-world attack data observed during the 2024 online holiday shopping season. In addition, it offers insights into the distributed, multivector attacks e-commerce providers and retailers can expect to battle this year.  

According to the report, bad bots made up 31% of total internet traffic during the last holiday season. Nearly 60% of the malicious traffic employed advanced behavioral techniques to evade traditional, signature-based detection. Combating these bots requires accurate AI-powered detection of attack patterns, including rotating IPs and identities, distributed attacks, 

Malicious bot traffic directed at mobile platforms rose 160% between the 2023 and 2024 holiday shopping seasons, representing a fundamental shift in attacker focus. Security strategies need to be shored up and tailored for vulnerable mobile platforms and attackers using more sophisticated techniques, including mobile emulators, mobile-specific proxies, and headless browsers with mobile user-agent strings. 

The proportion of holiday attack traffic originating from and blending in with ISP networks increased 32% between 2023 and 2024. Attackers are leveraging wider network and residential proxy services to evade rate-limiting, geo-based, and IP-based blocking mechanisms, creating even greater mitigation challenges for security teams working without advanced, multi-layered protections. 

To maximize their success, attackers are targeting applications by combining bot attacks with web application vulnerability exploits, business logic attacks, and API-focused attacks. Protecting already burdened security systems requires an integrated application security strategy that uses the latest threat intelligence and cross-correlates security threats across security modules. 

Download the report