
Are Bots Bypassing Your Defenses? 3 Trends to Protect Against

David Warburton
Published May 07, 2025

In today's digital landscape, where applications and APIs are the lifeblood of businesses, a silent threat lurks: sophisticated bot adversaries. While traditional security measures focus on preventing malicious attacks, automated threats are slipping through undetected by mimicking human behavior and exploiting gaps in application logic in unexpected ways.

F5 Labs' recently released 2025 Advanced Persistent Bots Report sheds light on the evolving tactics of advanced persistent bots and the challenges they pose. While you’ll want to read the entire report, here are three trends that stood out to me from this year’s research, and what companies can do to protect themselves.

1. Credential stuffing: When stolen passwords expose valuable data

Imagine a scenario where cybercriminals use readily available stolen credentials to access sensitive user accounts. This is the reality of credential stuffing, a prevalent bot-driven attack that exploits the widespread practice of password reuse. According to F5 Labs, some organizations experience upwards of 80% of login traffic coming from credential stuffing attacks launched by bots. The report highlights that, even with a low success rate of 1% to 3% per attack campaign, the sheer volume of automated logins translates into a substantial number of compromised accounts.

Incidents such as the 2022 PayPal breach, in which almost 35,000 user accounts were accessed and highly monetizable personal information was exposed, feed massive databases of usernames and passwords that are then reused against other online services. Because many people reuse passwords, even a small success rate can yield a significant number of compromised accounts. These details can then be used for fraudulent transactions or data theft, or sold on the dark web for targeted attacks.

In recent years, several well-known brands have reported credential stuffing attacks. The decline of genetic testing firm 23andMe was, in part, attributed to a credential stuffing campaign that exposed customer health and ancestry information. Data was found for sale on the dark web at a price of $1,000 for 100 profiles, up to $100,000 for 100,000 profiles.

The company cited customers’ lack of adoption of the site’s multi-factor authentication (MFA) option as the primary failure but, in fact, the insidious nature of credential stuffing lies in its ability to bypass traditional security measures. Since the bots are using legitimate credentials and are not trying to exploit any vulnerabilities, they don't trigger typical alarms. MFA can help but, due to the rise in real-time phishing proxies (RTPP), it's not foolproof. Organizations must implement smart bot detection solutions that analyze login patterns, device fingerprints, and behavioral anomalies to see what’s really going on.
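As an added illustration (not from the report or F5's own tooling), the detector below aggregates constructed login events per client and flags the pattern described above: a large number of attempts spread across many distinct usernames with a success rate in the low single digits. The client key is assumed to be a device-fingerprint hash rather than a source IP, since residential proxies make per-IP counting unreliable.

```python
from collections import defaultdict

# Constructed sample login events: (client_key, username, outcome).
# client_key is an assumed device-fingerprint field; one stuffing client
# cycles through 200 usernames with a 2% success rate.
SAMPLE_LOGINS = [
    ("fp-a1", "alice", "ok"),
    ("fp-a1", "alice", "fail"),
    ("fp-b2", "bob", "ok"),
] + [("fp-z9", f"user{i:04d}", "ok" if i % 50 == 0 else "fail") for i in range(200)]


def summarize_clients(events):
    """Per client: total attempts, distinct usernames tried, failed attempts."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0})
    for client, user, outcome in events:
        s = stats[client]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome != "ok":
            s["failures"] += 1
    return stats


def flag_credential_stuffing(events, min_attempts=20, min_users=10, max_success=0.10):
    """Flag clients with high username fan-out and a low success rate.

    A legitimate user retries a handful of accounts; a stuffing client tries
    many distinct accounts and succeeds on only a few percent of them."""
    flagged = {}
    for client, s in summarize_clients(events).items():
        if s["attempts"] < min_attempts or len(s["users"]) < min_users:
            continue
        success_rate = 1 - s["failures"] / s["attempts"]
        if success_rate <= max_success:
            flagged[client] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(success_rate, 3),
            }
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that had a successful login from a flagged client; these are
    the accounts to force a password reset and session revocation on."""
    return sorted({u for c, u, o in events if c in flagged and o == "ok"})


def stuffing_share_of_traffic(events, flagged):
    """Fraction of all login attempts attributable to flagged clients."""
    total = len(events)
    return sum(1 for c, _, _ in events if c in flagged) / total if total else 0.0
```

On the constructed sample the flagged client accounts for roughly 98% of login traffic yet only four successful logins, which is exactly why volume rather than success rate is the signal to watch.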

2. Hospitality under siege: Gift card bots and the rise of "carding"

While finance and retail sectors are often considered prime targets for cyberattacks, F5 Labs research showed that hospitality is heavily targeted by malicious bot activity. In particular, "carding" and gift card bots are found to target hospitality websites and APIs, with some organizations experiencing a 300% surge in malicious bot activity compared to last year. The report also notes that the average value of gift cards targeted by bots is increasing.

Carding uses bots to validate stolen credit card numbers by rapidly testing them on checkout pages and APIs. Gift card bots exploit loyalty programs and gift card systems. Attackers use them to check balances, transfer points, or redeem rewards illegally. These bots often target vulnerabilities like simple patterns and sequential gift card IDs.

The hospitality industry's vulnerability stems from the fact that loyalty points and gift cards are essentially digital currency. Cybercriminals can easily convert these assets into cash or use them to purchase goods and services.

To protect themselves, hospitality businesses must implement robust bot detection and mitigation strategies specifically tailored to address these kinds of threats. This includes monitoring gift card activity, analyzing transaction patterns, and implementing solutions that can differentiate between humans and bots. CAPTCHAs, once the go-to solution for blocking bots, have been easily bypassed by bot operators for years—as we’ll see next.
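As an added example (not from the report), the code below covers both sides of the gift card problem described above: it flags sessions whose balance-check lookups walk through sequential card IDs, and it shows a non-sequential ID issuer that removes the pattern such bots rely on. Request and field names are constructed for the illustration.

```python
import secrets
from collections import defaultdict

# Constructed balance-check requests: (session_id, gift_card_id).
# One session probes 60 consecutive card numbers; the others are normal lookups.
SAMPLE_BALANCE_CHECKS = [
    ("sess-cust1", "GC-4821-7730"),
    ("sess-cust1", "GC-4821-7730"),
    ("sess-cust2", "GC-9910-0042"),
] + [("sess-bot7", f"GC-1000-{n:04d}") for n in range(500, 560)]


def numeric_suffix(card_id):
    """Numeric part after the last dash, the part a bot would increment."""
    return int(card_id.rsplit("-", 1)[1])


def sequential_fraction(card_ids):
    """Share of consecutive lookups whose numeric suffix differs by exactly 1."""
    ids = [numeric_suffix(c) for c in card_ids]
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
    return steps / (len(ids) - 1)


def flag_enumerating_sessions(requests, min_lookups=10, min_sequential=0.8):
    """Flag sessions that look up many distinct cards in sequential order.

    A customer checks one or two cards they hold; a session that walks
    through a block of adjacent IDs is probing the number space."""
    per_session = defaultdict(list)
    for sess, card in requests:
        per_session[sess].append(card)
    flagged = {}
    for sess, cards in per_session.items():
        distinct = len(set(cards))
        if distinct < min_lookups:
            continue
        frac = sequential_fraction(cards)
        if frac >= min_sequential:
            flagged[sess] = {"distinct_cards": distinct, "sequential_fraction": round(frac, 2)}
    return flagged


def issue_card_id():
    """Mitigation: issue IDs from a CSPRNG so adjacent cards share no pattern.
    12 random digits gives a sparse space that sequential guessing cannot walk."""
    return "GC-" + "".join(str(secrets.randbelow(10)) for _ in range(12))
```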

3. Bypassing the gatekeepers: Residential proxies and the futility of CAPTCHAs

Traditional bot defenses like CAPTCHAs and IP blocking are failing against increasingly sophisticated evasion tactics. Bot operators can easily outsource CAPTCHA solving to human click farms, where individuals are paid small amounts to solve challenges on demand.

Furthermore, the rise of residential proxy networks is a significant factor. These networks route bot traffic through residential IPs via compromised devices, masking the true IP addresses of the bots. The F5 Labs report suggests that residential proxies are now widely used by bot operators, and the majority of bot traffic now appears to originate from these networks.

Identity management vendor Okta flagged the broad availability of residential proxy services as a factor in a surge of credential stuffing attacks on its users last year. The company said that millions of fake requests had been routed through residential proxies to make them appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of virtual private server (VPS) providers.

To effectively combat these advanced evasion techniques, organizations need to move beyond traditional defenses and embrace smart bot solutions. These solutions leverage machine learning and behavioral analysis to identify bots based on their unique characteristics. By focusing on human-like behavior, rather than relying on IP addresses or CAPTCHAs, organizations can more accurately detect and block sophisticated bot attacks.

Navigating the risk landscape: Finding your bot defense sweet spot

Ultimately, the level of bot defense an organization implements depends on its risk appetite. Every business must weigh the potential costs and benefits of different mitigation strategies and determine the level of risk it is willing to accept.

Completely eliminating all bot traffic may not be feasible—or even desirable, as some automated activity is legitimate and beneficial. However, failing to address malicious bot activity can lead to significant financial losses, reputational damage, and customer frustration.

The key is to find the right balance. By understanding the different types of bots targeting your organization, assessing the potential impact of their activities, and implementing appropriate detection and mitigation measures, you can effectively manage your bot risk and protect your business—and your customers—from advanced persistent bot threats.

To learn more, read the full report here. Also, visit our F5 Distributed Cloud Bot Defense webpage.