The Rise of Bad Bots

December 8, 2023

A recent study by Arkose Labs estimates that 73% of internet traffic comes from bad bots, meaning the traffic wasn’t from a human and intends to conduct some type of malicious action. The bot management firm analyzed tens of billions of bot attacks from January to September 2023, identifying the volume, types, and industries most targeted by attacks.  

A bot, short for robot, is a software application that runs automated tasks over the internet, typically imitating human activity. They are growing in popularity because they can complete repetitive tasks on a massive scale and are becoming increasingly harder to detect as they become more sophisticated. All of this presents significant challenges for individuals, businesses, and cybersecurity organizations as they work to protect sensitive information and systems. 


bot hand computer


Good Bots vs. Bad Bots 

Bots can be used for both good and bad purposes. Good bots are critical to digital customer service efforts, as they answer questions, resolve problems, and even make sales. Good bots can be used to create content, such as writing articles, generating social media posts, and composing music. They can be used to collect and analyze large amounts of data, automate research tasks, and provide education and training to people all over the world. 

Conversely, bad bots can be used to steal identities and information, spread malware, damage brands, and inflict significant financial losses. They can be used to create fake accounts and websites to scam people out of their money. They can scrape data from websites and social media sites—actions that are not necessarily illegal but often unethical—to produce more compelling and intrusive phishing attacks that manipulate users into sharing sensitive personal information. Bad bots can be used to launch DDoS attacks aimed at taking down websites and online services. They can be used to send spam communications and spread misinformation and propaganda that can disrupt organizational operations, aggravate social unrest, and even interfere with elections.  


The Emerging Sophistication of Bad Bots 

Bad bot attacks take a variety of forms, with the most common according to Arkose Lab’s report being fake account creation, account takeovers, data scraping, account management, and in-product abuse. Though it isn’t among the most common attack, they found that SMS toll fraud, a type of phishing attack that uses SMS messages to trick users into revealing personal information, rose more than 2,000% in the last year. The report also noted that bad bots heavily target certain industries, including technology, social media, gaming, and finance, and generate primarily from Brazil, India, Russia, Vietnam, and the Philippines. 

Enhancements in generative AI, as well as the increasing business-like sophistication of fraud farm operations, are likely to increase the prevalence of bad bots. AI can be used to learn and mimic human-behavior, making it a powerful tool that can adapt to various defenses to keep the bad bot viable.  

The continual rise of bad bots indicates that they are profitable, so much so that crime-as-a-service—where cybercriminals who lack the technological proficiency to pull off attacks can outsource their work—has risen in prominence. Crime-as-a-service will increase the number of bad bot operators, and generative AI will make bad bots more successful. Coupled with their increasing sophistication, bad bots will likely become harder to detect and prevent. 


skull made from computer code


Battling the Bad Bot Invasion at Capitol Tech

While good bots will announce themselves to a website and operate harmlessly, bad bots seek to move through the site without detection by cycling through random IPs, entering through anonymous proxies, and changing identities. They can often be identified in part by looking for high amounts of traffic from a single IP address, uncommonly used browsers and operating systems, and suspicious activities like rapid clicking and repetitive form submissions. 

To protect against bad bots, websites should deploy CAPTCHAs, which can block most bad bots. Honeytraps, which use fake inputs to trick bots into completing a task designed only to identify them, can be a useful detection tool. Other best practices for bad bot detection and mitigation are blocking suspicious traffic, using bot detection software, limiting the number of times an IP address can request a website, and keeping software up to date. 

Capitol Technology University’s programs Cyber and Information Security can prepare you to protect individuals, organizations, and critical systems from malicious cyber attacks. For more information, contact our Admissions team at