E-retail businesses usually operate under the assumption that their platforms primarily serve human customers, with bot traffic representing a minority. In preparation for the holiday shopping season and other key sales events throughout the year, fundamental operational aspects such as infrastructure planning, security architecture, and target business metrics are generally derived from this assumption.
The reality, however, has shifted dramatically. Our analysis of internet traffic to e-commerce customers during the holiday shopping season at the end of 2024, including some of the biggest e-commerce platforms in the world, reveals an alarming reality: overall bot traffic (including both good and bad bots) now decisively outnumbers human shoppers on e-commerce platforms. Bad bots comprise a rapidly growing share of this overall bot traffic, with increasing sophistication in their attack techniques.
Bot Traffic: The New Majority on E-Commerce Platforms
Overall bot traffic, including both good and bad bots, accounted for 57% of the overall traffic to e-commerce platforms during the holiday shopping season compared to 49% last year. This represents a 16% increase year-on-year, continuing the upward trend of bot traffic over the years.
Malicious bots accounted for 31% of the overall bot traffic - the highest percentage we’ve recorded during holiday season sales. The share of these bad bots almost doubled in 2 years, from the 16% recorded in 2022 – a startling trend with far-reaching implications for e-retail business operations.
The Growing Sophistication of Bot Threats
One of the more concerning insights from our analysis of bot traffic during the holiday shopping season was the significant share of sophisticated bot attacks employing human-like behavioral techniques, making them considerably harder to detect and mitigate.
Our data indicates that 57% of malicious bot traffic detected during the 2024 holiday shopping season employed advanced behavioral techniques, including natural mouse movement patterns, click data behavior, and contextual website navigation similar to typical human shopping patterns.
Scale of Bot Attacks During Holiday Shopping Season
These sophisticated bot attacks directly impacted e-commerce operations during the 2024 holiday shopping season through:
- Price Scraping: Competitors and aggregators deployed price scraping operations at a massive scale during the holiday shopping season, looking to gain competitive intelligence or inform their own pricing strategies. The Radware Bot Manager mitigated billions of price scraping attempts that targeted a large multinational e-commerce client during this critical season.
- Content Scraping: Malicious bots attempted to systematically extract proprietary information, including product descriptions, images, customer reviews, etc., to pass off as their own. A dramatic spike in content scraping activity was detected and blocked at a client on the day before Black Friday.
- Account Takeover Attempts: Malicious actors attempted to gain unauthorized access to customer accounts through bad bots deploying credential stuffing, credential cracking, or brute force methods. 3x more account takeover attempts, compared to regular days, were mitigated at a client on the day before their Black Friday sales event.
- Fake Account Registrations: Automated attempts to create fake user accounts spiked two days before Black Friday at a client, with attackers looking to exploit promotional offers, first-purchase discounts, and coupons offered to new users.
- Cart Abandonment: Also referred to as Denial of Inventory, this attack uses malicious bots to automatically add items to shopping carts without checking out and completing the purchase, with the intent of preventing genuine buyers from purchasing desired products. Sharp spikes in cart abandonment activity around Black Friday were detected and blocked by the Radware Bot Manager.
- Carding: Malicious actors attempted to systematically test stolen credit/debit card information on e-commerce payment workflows to verify its validity, so that the validated card details could then be used for larger fraudulent transactions. Over 750,000 carding attempts were mitigated at a client during the 30-day period of the holiday shopping season.
Conclusion
The alarming rise of bad bot traffic during the 2024 holiday shopping season signals the need for e-retailers to operate under the assumption that their platforms will face a growing majority of automated traffic, capable of sophisticated attacks to compromise account security, competitive advantages, and inventory management.
The most successful retailers in future sales events will be those that implement advanced bot management solutions capable of accurately identifying legitimate human traffic and mitigating malicious bot traffic, even as attack techniques continue to evolve in sophistication. Bot management is now a critical business requirement for e-retailers – one that directly impacts revenue, customer experience, and operational efficiency during the most critical events of the year.
Our 2025 E-Commerce Bot Threat Report dives deeper into the bot traffic trends identified during the holiday shopping season, the rising sophistication of attacks, emerging bot threats, and Radware’s recommendations for e-commerce organizations to enhance their security posture for upcoming shopping events.