Thales report says bots made up 58% of Singapore web traffic in 2025

Thales' 2026 Bad Bot Report found bots made up 58% of Singapore web traffic in 2025, with financial services hit hardest.

Thales has released the Singapore findings from its 2026 Bad Bot Report: Bad Bots in the Agentic Age, outlining how automated traffic affected web applications, APIs, and identity systems in 2025.

The report found that bots made up 58% of web traffic in Singapore, compared with 42% from human users. Globally, bots accounted for 53% of web traffic, up from 51% a year earlier, while human traffic fell to 47%.

Thales said AI-driven bot attacks increased 12.5 times year on year in 2025. The company also identified AI agents as a separate traffic category, alongside traditional good bots and bad bots.

AI agents interact with applications and APIs to retrieve data, complete tasks, and automate workflows. According to Thales, that creates a classification challenge because automated activity can be legitimate, harmful, or difficult to verify based only on traffic patterns.

"AI is transforming automation from something organizations try to block into something they must also manage," said Tim Chang, global vice president and general manager for application security at Thales. "The challenge is no longer identifying bots. It's understanding what the bot, agent, or automation is doing, whether it aligns with business intent, and how it interacts with critical systems."

The report said some AI-driven activity remains unverified or difficult to distinguish from legitimate traffic. That limits visibility for organizations assessing how automated systems interact with customer-facing applications and backend services.

In Singapore, sports, travel, and healthcare were the three industries most targeted by advanced bots. Sports accounted for 55%, followed by travel at 40%, and healthcare at 29%.

Thales also reported that 27% of bot attacks targeted APIs. APIs allow software systems to exchange data and trigger functions without going through a user interface, which makes them a direct route into backend services.

The company said API-targeted bot activity can use valid authentication and correctly formatted requests. These attacks can exploit business logic, extract sensitive data, or manipulate workflows without appearing as malformed or obviously suspicious traffic.

Financial services accounted for 79% of bot attacks in Singapore, according to the report. The computing and IT sector recorded the highest share of account takeover attacks, at 45% of logged incidents.

The gambling industry recorded the highest percentage of bad bot traffic in Singapore, at 100%. Thales said the figures show how automated activity is being used across sectors where account access, transactions, or monetizable data are central to business operations.

"The Singapore findings are a wake-up call for how AI-driven automation is reshaping our digital landscape," said Andy Zollo, APJ senior vice president for application and data security at Thales.

Zollo said AI agents have become "a distinct category of traffic in their own right," adding that they are now embedded in how applications and APIs function. He also noted that financial services accounted for nearly 80% of local bot attacks.

The report said the rise of machine-driven interaction is changing how organizations monitor application activity. Bots and AI agents now affect traffic composition, account activity, API usage, and security controls.

Thales said conventional bot defenses based mainly on detection and blocking are less suited to environments where automation can also be legitimate. The company pointed to a governance-based approach that includes visibility, policy enforcement, and behavioral analysis.

The report said organizations need to define which AI agents are permitted to interact with systems, apply controls across APIs and identity layers, and assess automated behavior based on context rather than classification alone.