AI-Driven Bot Attacks Surge 12.5x as Internet Becomes Machine-Dominated

The machines now outnumber us on the internet.
Automated traffic has reached 53% of all web activity in 2025, fundamentally shifting the internet's composition.

For the first time in the internet's history, automated machines now generate more web traffic than human beings — a quiet threshold crossed in 2025 that most people never saw coming. Driven by a 12.5-fold surge in AI-powered bot attacks, this shift is not merely a technical footnote but a civilizational one: the digital commons, built for human exchange, is being reshaped by entities that mimic legitimacy while pursuing exploitation. The security frameworks humanity built to guard this space were designed for a different era, and the gap between the threat and the defense has never been wider.

  • Automated traffic now accounts for 53% of all web activity, meaning the internet has quietly crossed a point of no return — humans are no longer the majority presence in their own digital world.
  • AI-driven bot attacks exploded 12.5 times in a single year, and a new category of threat has emerged that sits in the grey zone between helpful automation and outright attack, making intent nearly impossible to read.
  • Attackers have abandoned the front door entirely — 27% of bot attacks now strike APIs directly, slipping past user interfaces to manipulate backend systems using credentials and requests that look perfectly legitimate.
  • Financial services are absorbing the heaviest blows, accounting for nearly a quarter of all bot attacks and almost half of all account takeover attempts, as bots evolve from episodic tools into permanent, ambient presences.
  • The security industry's core assumption — that malicious and legitimate traffic can be told apart — is collapsing, leaving organizations without reliable tools to answer the question that now defines internet safety.

Something fundamental has shifted on the internet, and most of us haven't noticed. According to Thales' 2026 Bad Bot Report, automated traffic now accounts for 53 percent of all web activity — up from 51 percent the year before. Human traffic has fallen to 47 percent. The internet is no longer a space built primarily for people.

The numbers alone don't capture what's actually happening. AI-driven bot attacks surged 12.5 times in 2025 compared to 2024. More unsettling, artificial intelligence has created an entirely new threat category that sits between clearly legitimate bots and clearly malicious ones — AI agents that interact with applications and APIs to fetch data and execute tasks, blurring the line between automation and attack until it nearly disappears.

Attackers have learned where the real value lies. Rather than targeting user-facing surfaces, they've shifted to the infrastructure underneath. Twenty-seven percent of all bot attacks now strike APIs directly, bypassing interfaces to reach backend systems at machine speed. These attacks often look legitimate — valid credentials, properly formatted requests — yet they exploit business logic, steal data, and manipulate processes in ways that are hard to detect. Financial services have been hit hardest, absorbing nearly a quarter of all bot attacks and almost half of all account takeover attempts.

What separates this moment from previous waves of bot activity is persistence. Bots are no longer tools that attackers deploy and abandon — they function as active, continuous participants within digital systems, shaping traffic patterns and interacting with platforms in real time.

The security industry is confronting a fundamental inadequacy. Traditional defenses were built for an internet where threats were episodic and intent was relatively clear. That framework is breaking down. When AI agents can mimic legitimate behavior, use real credentials, and operate at scale, the old methods become insufficient — and organizations are left without good answers to the question that now defines the problem: how do you tell a legitimate automated process from a malicious one when both look identical from the outside?

Something fundamental has shifted on the internet, and most of us haven't noticed yet. The machines now outnumber us. According to Thales' 2026 Bad Bot Report, released this spring, automated traffic has crossed a threshold: it now accounts for more than half of all web activity, reaching 53 percent in 2025, up from 51 percent the year before. Human traffic has dropped to 47 percent. The internet, in other words, is no longer a space built primarily for people.

But the numbers alone don't capture what's actually happening. The real story is about what these machines are becoming. AI-driven bot attacks surged 12.5 times in 2025 compared to 2024—a staggering acceleration. More unsettling still, artificial intelligence has created an entirely new category of threat that sits between the traditional good bots (like search engine crawlers) and the obviously malicious ones. These AI agents interact with applications and APIs to fetch data and execute tasks, and the line between legitimate automation and attack has become nearly invisible. Much of this activity remains unverified, leaving organizations struggling to understand what's actually happening inside their own systems.

The attackers have learned where the real value lies. Rather than targeting the user-facing parts of websites and applications, they've shifted focus to the infrastructure underneath. Twenty-seven percent of all bot attacks now target APIs directly, allowing bots to bypass the user interface entirely and interact with backend systems at machine speed. These attacks often look legitimate on the surface—they use valid credentials and properly formatted requests—yet they exploit the underlying business logic, steal sensitive data, or manipulate processes in ways that are difficult to detect. The financial services sector has been hit hardest, accounting for nearly a quarter of all bot attacks and almost half of all account takeover attempts.

What makes this moment different from previous waves of bot activity is the persistence and sophistication. What was once tied to specific campaigns—a burst of credential stuffing here, a data scraping operation there—has become a constant, ambient presence across the internet. Bots are no longer merely tools that attackers deploy and then abandon. They function now as active participants within digital systems, shaping traffic patterns, influencing business metrics, and interacting with platforms in real time. They are, in effect, citizens of the internet.

The security industry is grappling with a fundamental inadequacy. Traditional defenses, which focus on detecting and blocking malicious bots, were built for a different internet—one where the threat was episodic and the attacker's intent was relatively clear. That framework is breaking down. When AI agents can mimic legitimate behavior, when they can use real credentials, when they can operate at scale and at speed, the old methods of defense become insufficient. Organizations are facing a problem they don't yet have good tools to solve: how do you distinguish between a legitimate automated process and a malicious one when both look identical from the outside?

"AI agents are now emerging as a distinct third type of traffic, sitting alongside traditional good and bad bots"
— Thales' 2026 Bad Bot Report

"Traditional security methods, which primarily focus on detecting and blocking malicious bots, are no longer adequate"
— Thales' 2026 Bad Bot Report
The Hearth Conversation: Another perspective on the story
Inventor

So when you say bots now outnumber humans online, what does that actually mean for someone using the internet?

Model

It means that when you load a webpage, more than half the activity happening on that page—the requests, the data transfers, the interactions—isn't coming from a person. It's coming from machines. Some of that is benign, like search engines indexing content. But increasingly, it's not.

Inventor

And these AI agents you mention—they're different from regular bots how?

Model

Regular bots follow predictable patterns. They're designed to do one thing: scrape data, test passwords, whatever. AI agents are adaptive. They learn. They can adjust their behavior in real time based on what the system does in response. They're harder to catch because they don't repeat the same mistake twice.

Inventor

Why are APIs such a big target now?

Model

Because that's where the real data lives. A user interface is just a layer on top. The API is the actual mechanism that moves money, changes account settings, retrieves sensitive information. If you can talk directly to the API, you don't need to pretend to be a human anymore. You can just ask for what you want.

Inventor

The report says much of this activity remains unverified. What does that mean?

Model

It means organizations can't tell what's happening inside their own systems. A request comes in that looks legitimate, uses real credentials, follows the rules—but they don't know if it's actually supposed to be there. It's like having someone in your house who has a key and knows where everything is, but you're not sure if you gave them that key.

Inventor

Is this a problem that can be solved?

Model

Not with the tools we have now. That's what the report is really saying. We built our defenses for a different threat. We need to rethink the whole approach.

Want the full story? Read the original at NDTV Profit ↗