Sunday, 28 December 2025

APIs become top target for cybercriminals with over 40,000 incidents in early 2025

Thales has warned that application programming interfaces (APIs) are now the primary focus for cybercriminals, following record-breaking attacks in the first half of 2025. Findings from its latest API Threat Report show that although APIs make up only 14 per cent of the overall digital attack surface, they attract 44 per cent of advanced bot traffic, signalling a shift towards highly automated and targeted attacks.

Surge in complex attacks

Thales analysed more than 4,000 monitored environments and found over 40,000 API-related security incidents between January and June 2025, averaging more than 220 incidents each day. If the current pace continues, the total number could exceed 80,000 by the end of the year.

One of the most severe events documented was a record 15 million requests-per-second (RPS) distributed denial-of-service (DDoS) attack against a financial services API. Unlike traditional bandwidth-flooding attacks, this incident targeted the application layer, overwhelming the API itself to disrupt transactions. Financial services bore the brunt of such activity, with 27 per cent of all API-focused DDoS traffic directed at the sector, reflecting its heavy reliance on APIs for real-time processes such as payments, balance checks and fund transfers.

Attackers have also become more effective at disguising malicious activity. They increasingly use headless browsers and botnets to mimic legitimate traffic, making it harder for defenders to separate harmful requests from normal user behaviour.

Shifts in attack patterns

The report shows that data-access APIs are the most targeted endpoints, accounting for 37 per cent of attacks, followed by checkout and payment APIs at 32 per cent and authentication systems at 16 per cent. Gift card and promotional validation APIs make up five per cent, while shadow or misconfigured APIs represent three per cent but remain a significant blind spot.

Credential stuffing and account takeover attempts rose 40 per cent on APIs lacking adaptive multi-factor authentication (MFA). Data scraping has become common, representing 31 per cent of API bot activity, with attackers seeking valuable personal and financial details. Coupon and payment fraud made up 26 per cent of incidents, exploiting weak validation in promotions and checkouts. Remote code execution (RCE) probes accounted for 13 per cent of attacks, with known vulnerabilities such as Log4j, Oracle WebLogic and Joomla frequently targeted.

By sector, financial services led with 27 per cent of recorded incidents, followed by travel at 14 per cent, entertainment and arts at 13 per cent, and telecoms and internet service providers at 10 per cent.

Industry response needed

Tim Chang, Vice President of Application Security Products at Thales, said, “APIs are the digital economy’s connective tissue – but that also makes them its most attractive attack surface. What we’re witnessing is not just the scale of attacks increasing, but a fundamental shift in how criminals operate: they don’t need to inject malware, they can simply bend your business logic against you. The requests look legitimate, but the impact can be devastating.”

Daniel Toh, Chief Solution Architect for Asia-Pacific and Japan at Thales, warned that attacks are likely to grow in both volume and sophistication over the coming months. “The next six months will only see the volume and sophistication of API attacks grow across the region. The best time to act was yesterday – the next best time is now. Organisations in Singapore must discover every live endpoint, understand its business value, and protect it with context-aware, adaptive defences if they are to safeguard revenue, trust and compliance.”

The report highlights the urgent need for businesses to audit their API landscape, deploy adaptive MFA, and strengthen monitoring of shadow APIs to reduce exposure to advanced bot traffic and targeted exploits.
