Bot activity targeting APAC commerce firms rose 63% in 2025, Akamai finds
Akamai reports a 63% surge in bot activity targeting Asia-Pacific commerce firms in 2025, driven by rising AI adoption and vulnerable API connections.
Bot activity targeting commerce companies across the Asia-Pacific region surged by 63% in 2025, marking the fastest growth rate among all regions covered in Akamai’s latest State of the Internet security report.
The commerce sector also accounted for 38% of all AI bot traffic observed across regional industries between July and December 2025. Akamai linked this sharp increase to the growing adoption of AI-powered shopping tools, chatbots, and automated booking services across the retail, travel, and hospitality sectors.
While these legitimate services rely on automated traffic to search inventories, recommend products, process bookings, and complete payments, attackers can exploit similar behaviours to scrape data, test stolen login credentials, or target the connections between customer-facing services. This overlap makes it increasingly difficult for security systems to isolate malicious activity without interrupting genuine transactions or blocking useful automated tools.
Connected services expand the areas that need protection
Much of this automated activity targets application programming interfaces, or APIs, which enable different software systems to exchange information. For instance, a single purchase or booking often relies on multiple APIs to link the customer interface with payment providers, inventory systems, loyalty programmes, logistics services, and external partners.
Consequently, each connection introduces another system that requires identification, monitoring, and protection. Limited visibility across these nodes can leave security teams unaware of where customer information is being transferred or which external services hold access to core account functions.
Travel platforms clearly illustrate the exposure created by these interconnected systems. The sector accounted for 22% of commerce web attacks in the Asia-Pacific region, with APIs targeted in 25% of those incidents.
Akamai attributed this pattern to a combination of fragmented travel platforms, high digital and mobile adoption, widely used loyalty programmes, and sharp surges in demand during regional holidays. Festive periods, such as Lunar New Year, Golden Week, Diwali, and year-end travel, generate sudden traffic peaks that make it significantly harder to distinguish malicious requests from legitimate customer activity.
Although retail remained the primary target overall, the findings indicate that travel and hospitality firms face identical risks. Their booking systems, loyalty accounts, and payment pages all depend on connected services that can be disrupted or exploited without the main website ever being directly attacked.
High traffic can conceal attempts to disrupt services
Commerce companies across the region also faced a rise in application-layer distributed denial-of-service attacks, which deliberately overwhelm the specific parts of a website or application that process customer requests.
Akamai recorded 361 billion such events in 2025, representing a 39% increase from the 260 billion documented a year earlier. Because these attacks closely resemble sudden spikes in genuine browsing, booking, or checkout activity, they are particularly difficult to detect during major shopping and travel periods.
Within the commerce sector, retail bore the brunt of these disruptions, accounting for 51% of API-targeted application-layer attacks. Hospitality represented 28% of the incidents, followed closely by travel at 21%.
This heavy concentration of attacks around APIs means that disruption can easily ripple across multiple stages of a transaction. For example, a technical issue affecting a payment service, inventory database, or loyalty system can prevent a customer from completing a purchase, even if the primary platform remains fully operational.
Security teams need a clearer view of automated activity
To mitigate these risks, Akamai recommended that commerce companies maintain a precise, up-to-date inventory of all APIs supporting checkouts, payments, inventories, loyalty programmes, and partner services. This inventory must also clearly identify exactly where sensitive customer and account data is stored or transferred.
Furthermore, the report advised firms to evaluate bots based on their specific behavioural traits and risk profiles. Implementing blunt rules that allow or block broad categories of automated traffic risks interrupting legitimate services, while simultaneously failing to catch sophisticated attackers that mimic normal customer behaviour.
Preparations for seasonal traffic surges should encompass testing incident response plans, scaling infrastructure capacity, and actively monitoring for fake storefronts or exposed account credentials. Akamai also urged closer coordination between cybersecurity and fraud teams, noting that suspicious activity frequently spans both technical exploits and attempts to misuse customer accounts.
The broader adoption of AI agents introduces a complex access-control challenge. Commerce platforms must carefully determine which automated services are permitted to interact with their systems, what information they can retrieve, and which actions they are authorised to execute. Without this visibility, legitimate automation and malicious activity will continue to flow through the same customer-facing systems with few distinguishable differences.





