The Web Quietly Flipped, and Most of Us Didn't Notice
Here's a stat that'll make you pause: more than half of all internet traffic in 2025 wasn't human. According to a report from Thales, bots accounted for 53% of all web traffic last year, up from 51% the year before. Human activity, meanwhile, dropped to just 47%.
Think about that for a second. The internet — the thing we built to connect people — is now majority machine.
And honestly? That's not even the alarming part.
AI Is Supercharging the Bot Problem
The reason bot traffic keeps climbing comes down to one word: AI. The 2026 Thales Bad Bot Report found that 40% of all web traffic is outright malicious bot activity. And AI-driven bot attacks didn't just grow — they surged 12.5 times compared to the previous year. That's not a trend. That's an explosion.
What's changed is that AI agents are now carving out their own lane on the web, sitting alongside the traditional "good bots" (think search crawlers, accessibility tools) and "bad bots" (think fraud, spam). These agents can interact with apps and APIs, pull data, and perform tasks — all in ways that can look completely legitimate from the outside.
So the problem isn't just volume anymore. It's that you can't tell what something is trying to do just by spotting that it's automated.
APIs Are the New Battleground
Security teams used to focus on the front door — blocking suspicious traffic at the interface level. But bots have moved around back. Thales reports that 27% of bot attacks now target APIs directly, skipping the front-end entirely and hitting backend systems at machine speed.
Financial services took the hardest hit, making up 24% of all bot attacks and a staggering 46% of account takeover incidents. That's not a rounding error. That's a sector under siege.
The old playbook — rate limiting, CAPTCHAs, basic anomaly detection — was designed for a different era. When bots can mimic legitimate behavior at this level of sophistication, the rules need to change.
Not All Bots Are the Enemy
Here's where it gets nuanced. Plenty of bots are genuinely useful. Search engine crawlers, uptime monitors, accessibility services, legitimate AI agents — these are all automated, and we actually need them. The web runs partly because of them.
But when automation becomes this widespread, even the good stuff starts creating pressure. Security models built around human traffic patterns struggle to keep up. The signal-to-noise ratio gets worse. And the sheer scale of machine-driven activity starts reshaping how the web works — whether we like it or not.
The Dead Internet Theory Doesn't Sound So Crazy Anymore
If you've never heard of the "dead internet theory," here's the short version: it basically argues that most of what happens online isn't driven by real humans anymore, but by bots, algorithms, synthetic content, and automated engagement loops. For years it lived in the corner of the internet reserved for conspiracy theories and late-night rabbit holes.
But then Thales drops a report saying bots make up 53% of web traffic — with 40% of all traffic being malicious — and suddenly the theory feels a little less unhinged.
To be clear, this doesn't mean the internet is fake or that humans have vanished from it. Real people are still here, still clicking, still posting, still arguing in comment sections. But when machines are generating the majority of the traffic, and a huge chunk of that is actively trying to do harm? It's hard to ignore how much of the modern web is now shaped by things that aren't human.