I’ve literally had 1.5 million bot visits from China to a single page over the past week.
- one merchant mentions on Reddit
1.5 million huh! Yeah, you read that right.
And honestly, isn’t that crazy? These random, no-one-asked-for visits from China (and lately Brazil, Vietnam, and Nigeria) have become one of the biggest headaches for merchants this holiday season.
Because your website analytics all get messed up, and you can’t figure out what’s working and what’s not. Imagine paying thousands of dollars in ad campaigns and constantly filtering what’s real and what’s not.
As a merchant who exactly has the time for this when you already burning through holiday season operations and the constant worries of tariffs to deal with?
Merchants across Reddit, Shopify forums, and hosting communities are saying the same thing- Chinese bot traffic is everywhere. It’s messing with analytics, tanking conversion rates, and making reporting almost pointless.
One merchant vented-
“My conversion rate has dropped to 0.02% since this started. Basically rendering any reporting on it useless. We went from 20k impressions a month to 400k”
It has become a cat and mouse game between merchants, their firewall, and the scrapers.
But this isn’t new. Last year’s holiday season was bad enough to prove that it’s not a glitch.
Radware’s 2025 Ecommerce Bot Threat Report revealed that the majority of online store traffic during the 2024 holiday season didn’t even come from people.
For the first time, bots made up 57% of total ecommerce traffic, surpassing human visitors altogether.
Out of that, 31% was classified as “bad bots”, the ones scraping content, testing stolen credit cards, or clogging carts.
Bot activity targeting mobile apps jumped 160% year-over-year, with attackers now using emulators and headless browsers that behave like real shoppers inside legitimate app environments.
Cloudflare’s network data backed it up: 29% of all Black Friday 2024 traffic came from bots. Akamai tracked an 18% rise during Cyber Week, peaking around 30% above the usual baseline.
And as if that wasn’t enough, they’ve become insanely smart.
One merchant who analyzed data across 200+ ecommerce stores said that 73% of their overall traffic was fake.
He explained how disturbingly good these bots have become:
“They’re too consistent. Like, a human might spend 15 seconds reading a product description, or 45 seconds, or 2 minutes if they’re really interested. These things spent 11–13 seconds on every product description. Every single time.
Across hundreds of sessions. They scroll at exactly 3.2 pages per second. Humans don’t do that. We scroll fast, slow down, scroll back up because we missed something, whatever.”
That’s how far it’s gone.
When the difference between a real customer and an automated browser becomes almost negligible- every store, big or small, ends up fighting the same battle: trying to figure out how much of their “growth” is even real.
And yeah- many have started questioning why Shopify or anyone else hasn’t done much about it yet.
When thousands of fake sessions come from non-target regions, metrics like engagement rate, time on site, and bounce rate all become unreliable.
One merchant expressed the frustration,
“Loads of traffic from China but multiple abandoned carts from Seychelles. All for the same products using different email addresses. Usually random letters and numbers. I have added an app to stop countries but they still get to the page before it shows they are restricted”.
He continued,
“My concern is if they are wasting my ad spend. But I’m not sure if that’s the case. But very annoying”.
Also, such spikes in visits can make websites slow down by frustrating actual buyers and causing them to abandon their shopping carts.
That’s the scale of distortion merchants are dealing with heading into peak season. Hours are being lost every week, filtering fake traffic, rebuilding dashboards, and trying to make sense of reports.
The holidays are supposed to be the most measurable quarter of the year. Instead, merchants are walking into it blind, staring at dashboards that look busier than ever, but tell them less than ever.
The traffic spike plus a sales drop is a classic sign that bots are eating up your ad budget and blocking real customers from seeing your ads.
Merchants are saying the same thing: paid traffic keeps climbing, but sales don’t.
“Mine is all China 260 visits today so far, every single abandoned cart has the same $9 product and a CC attempt that my store blocked because it was not a US IP address”.
“Traffic from China is still incoming. Averaging about 15k visits from China IP. They stay on my site for a few minutes, but the live count for China visits always maintains around 50-90 live visits. Got 3 fraud orders today”.
It’s just wasted money, chargeback risks, and hours spent reviewing false orders that were never meant to go through. Eventually this will end up putting a lot of pressure on support teams and operations.
For smaller stores running ads on tight budgets, even a few of these incidents can throw off daily reports or trigger unnecessary fraud alerts.
And for some reason it all decided to happen at the most crucial time of year.
A growing number of merchants have realized those “visitors” from China, Vietnam, or Eastern Europe aren’t just testing checkout forms, they’re scraping stores at scale.
Entire product catalogs, descriptions, images, and even customer reviews are being lifted and republished on fake storefronts within days.
One merchant on r/Shopify mentioned,
“What if they are working to create a copy of your website to steal from people in your name? That is happening every day, I had it happen twice to me and on a site that only had like $1000 a month in sales....they still copied it to make a scam in my name”.
That’s not just frustrating, it’s dangerous. It means even the smallest stores can be cloned, their content recycled into scams that trick real shoppers and damage the original brand’s reputation.
And the consequences are brutal: SEO dilution, price manipulation, brand impersonation, reputation damage, and you imagine the worst.
So, can we do anything about it?
Most merchants have learned one thing this year, you can’t out-block a bot. The first instinct is always the same: block IPs manually. Then block countries.
As one owner said,
“Blocking IPs individually is a battle you can't fight alone. You need to block whole countries or subnets, check on WHOIS a few IPs and see the networks or ASN they have in common and block that”.
That’s what people are seeing in practice: you block one set, another wave arrives via fresh proxies, VPNs, or even “legit-looking” cloud ranges.
So, merchants started upgrading their defenses.
But even with all this, the problem hasn’t gone away completely.
As another user pointed out:
“Yes, with the advent of AI and LLMs, bot traffic has increased about tenfold. There are statistics out there that say there are more bots on the internet than people”.
Shopify merchants have been asking for platform-level protection, since most can’t install deep firewall rules or edit DNS records on Shopify’s servers.
Yet another frustrated store owner shared:
“Shopify told me protecting my store from bot attacks is my responsibility. Nice.”
An innovative Shopify merchant even redirected suspicious visitors to the Chinese fraud prevention authority website just to make a point.
Finally,
Tariffs, bots, fake traffic, rising costs, 2025 pushed merchants to their limit. The holiday season was meant to be the recovery arc, not another hit, but this is how it’s been all year.
And at this point, that’s all anyone’s really doing trying their best, fixing what breaks, and surviving the cycle one day at a time.
