Connect with us

Hi, what are you looking for?



Bad Bots Account for 73% of Internet Traffic: Analysis

The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse.

Evaluating Bot Detection Solutions

Arkose Labs has analyzed and reported on tens of billions of bot attacks from January through September 2023, collected via the Arkose Labs Global Intelligence Network. 

Bots are automated processes acting out over the internet. Some perform useful purposes, such as indexing the internet; but the majority are Bad Bots designed for malicious ends. Bad Bots are increasing dramatically — Arkose estimates that 73% of all internet traffic currently (Q3, 2023) comprises Bad Bots and related fraud farm traffic.

The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse. These haven’t changed from Q2, other than in-product abuse replacing card testing. The biggest increases in attacks from Q2 to Q3 are SMS toll fraud (up 2,141%), account management (up 160%), and fake account creation (up 23%).

The top five targeted industries are technology (Bad Bots comprise 76% of its internet traffic); gaming (29% of traffic); social media (46%), e-commerce (65%), and financial services (45%). If a bot fails in its purpose, there is a growing tendency for the criminals to switch to human operated fraud farms. Arkose estimates there were more than 3 billion fraud farm attacks in H1 2023. These fraud farms appear to be located primarily in Brazil, India, Russia, Vietnam, and the Philippines.

The growth in the prevalence of Bad Bots is likely to increase for two reasons: the arrival and general availability of artificial intelligence (primarily gen-AI), and the increasing business professionalism of the criminal underworld with new crime-as-a-service (CaaS) offerings.

From Q1 to Q2, intelligent bot traffic nearly quadrupled. “Intelligent [bots] employ sophisticated techniques like machine learning and AI to mimic human behavior and evade detection,” notes the report (PDF). “This makes them skilled at adaptation as they target vulnerabilities in IoT devices, cloud services, and other emerging technologies.” They are widely used, for example, to circumvent 2FA defense against phishing.

Separately, the rise of artificial intelligence may or may not relate to a dramatic rise in ‘scraping’ bots that gather data and images from websites. From Q1 to Q2, scraping increased by 432%. Scraping social media accounts can gather the type of personal data that can be used by gen-AI to mass produce compelling phishing attacks. Other bots could then be used to deliver account takeover emails, romance scams, and so on. Scraping also targets the travel and hospitality sectors.

Scraping, it must be said, is a legally murky area. It is not specifically illegal; but if it defies a website’s published terms of use, it is certainly immoral. There are services that openly offer web scraping facilities. In this case, it demonstrates the relationship between CaaS, AI, and bots (here primarily scraping).

Advertisement. Scroll to continue reading.

“This is a website you can use to make sure your bots aren’t getting prevented by a website,” Kevin Gosschalk, founder and CEO of Arkose Labs, told SecurityWeek, referring to a specific provider that will not mention. “You can purchase this software. It has enterprise support and so on. But it is purpose built to commit crime. That is what it does. And there are many other different websites like this, but they look like legitimate businesses. It is a good example of a product purpose built to commit fraud.”

It is also a good example of crime-as-a-service. Crime-as-a-service enables wannabe criminals who may have the intent but not the skills to engage in cybercrime. “The massive rise of CaaS has completely changed the economics for adversaries” continued Gosschalk. “It’s much cheaper to attack companies and the attacks are just better because it’s a dev shop that is doing the attacks instead of just individual cybercriminals.”

The continuing increase in the volume of Bad Bots suggests they remain profitable for the criminals. The arrival of gen-AI will improve the performance of Bad Bots, while the growth of CaaS will increase the number of Bad Bot operators; so, it will get worse. The only solution is Bad Bot detection and mitigation to limit the access of the bots to their human or system targets. If it is not profitable, they won’t do it.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.