Automated bot traffic now accounts for 37% of global internet activity, with 89% deemed unwanted, according to Fastly’s Q1 2025 Threat Insights Report. The report highlights the growing challenge posed by malicious bots, which are responsible for activities such as account takeovers, data theft, and ad fraud. Meanwhile, desired bot traffic, primarily from search engine crawlers, constitutes 66% and plays a crucial role in enhancing website visibility.
“As bots make up a growing portion of internet traffic, the ability to tell the difference between useful and unwanted automation is becoming more important,” said Fastly’s staff security researcher Simran Khalsa. “If you’re not actively managing bot traffic you could be spending on infrastructure, bandwidth, or performance that is effectively being wasted on serving malicious or non-productive traffic.”
Within this context, the commerce sector experienced a significant uptick in cyberattacks, with its share rising from 15% in Q1 2024 to 31% in Q1 2025. This increase indicates a shift in attacker focus towards financially lucrative targets, such as credit card data and personally identifiable information. High technology organisations, however, continue to be the most targeted, representing 35% of all observed attacks, which is a decline from 54% in the previous year.
Cross-site scripting attacks on the rise
The report also notes an alarming trend in cross-site scripting (XSS) attacks. In Q1 2025, XSS accounted for 40% of all attacks on Fastly’s clients, up from 35% in Q1 2024 and significantly higher than in previous years. This upward trajectory highlights the continued vulnerability of web applications that integrate third-party libraries and marketing trackers, which can introduce security blind spots. By contrast, SQL injection attacks have decreased from being the leading attack type at 30% in Q1 2023 to just 18% in Q1 2025. This decline is attributed to improved security practices such as prepared statements and object-relational mapping (ORM) libraries.
Fastly’s data collection draws from 6.5 trillion monthly requests across its Next-Gen WAF, Bot Management, and DDoS Protection solutions, which are said to cater to over 130,000 apps and APIs across various sectors. Fastly’s NLX threat feed provides real-time intelligence on malicious IPs, which accounted for 28% of attack origins during Q1 2025. Notably, many of these IPs targeted multiple customers simultaneously, reflecting an opportunistic approach by attackers aiming to exploit broad vulnerabilities rather than focusing on singular targets.
Education organisations saw the highest proportion of attacks linked to NLX-listed IPs at 61%, suggesting that adversaries often reuse identified infrastructure.
In March 2025 alone, attempted logins using compromised passwords averaged over 1.3 million per day. Such statistics underscore the importance of proactive measures like two-factor authentication and regular password audits to safeguard user accounts.
Read more: Google Cloud sets 2025 deadline for mandatory multi-factor authentication
