The Ecommerce Bot Attack Survival Guide: 415 Million Attacks This Holiday Season- Your Limited Options
December 17, 2025
3 min read


Picture this: It was 11:47 PM on Black Friday. Your analytics dashboard lit up like a Christmas tree. Traffic was surging. Checkout pages were loading. Your phone was buzzing with sale notifications.

Then you noticed something odd. Every single cart contained the same $9 item. Every checkout attempt originated from China. Every credit card got declined. You weren't making money; you were being farmed.

"260 visits from China today so far," one Shopify merchant posted a few days ago. "Every single abandoned cart has the same $9 product and a CC attempt that my store blocked."

Another merchant watched their conversion rate crater from 2% to 0.02% as traffic exploded from 20,000 to 400,000 impressions. The math was brutal: twenty times the visitors, one-hundredth the conversion rate. "Traffic from China is still incoming," they reported, exhausted. "Averaging about 15k visits daily. Got 3 fraud orders today."

Welcome to the arithmetic of online retail in 2025: Cyber Week generated $336.6 billion in global sales, a record-breaking achievement. But behind that headline, the infrastructure companies told a different story. Vercel, a leading cloud application company, blocked 415,683,895 bot attempts across its platform during the five-day period. Akamai, a prominent cloud security giant, processed 11.8 billion bot-related requests on Black Friday alone, up 79% from last year.

And in a statistic that should concern anyone selling online: one major retailer reported that 72% of their Black Friday traffic came from malicious bots.

Not 7%. Not 17%. Seventy-two percent.

This isn't a technical edge case. It's the new baseline reality of ecommerce.

The numbers behind the bot-induced chaos

Here's what the infrastructure companies saw during Cyber Week 2025:

Akamai’s Account Protector service, which guards login systems, saw an 88% traffic increase on Black Friday and 104% surge on Cyber Monday.

Translation: the bots multiplied faster than real shoppers.

Imperva research found that retail sites collectively experienced 569,884 AI-driven attacks every single day between April and September 2024. Not during holidays: every day. By the time Black Friday arrived, phishing campaigns had risen nearly 700% and compromised credentials had increased by more than 160%.

So large was the problem that Amazon sent out email alerts to 300 million+ customers about possible scam activity.

But aggregate numbers don't capture what it feels like on the ground.

"You can't out-block a bot," one merchant explained after weeks of manual warfare. "Blocking IPs individually is a battle you can't fight alone. You need to block whole countries or subnets."

Though, truth be told, even that doesn't work. Block one subnet and another wave arrives through fresh proxies and residential IPs. Cybersecurity experts report that modern bots "use residential IP addresses to look like real shoppers. They solve CAPTCHAs with AI; we've even seen ChatGPT getting better at solving these."

The sophistication has reached an inflection point. These aren't your grandfather's bots clicking links repetitively. According to Imperva's 2025 Bad Bot Report, advanced AI-driven bots now account for nearly 60% of bot traffic, and they've learned to mimic mouse movements, vary their browsing patterns, and even adjust timing to appear human.

One CEO described watching "entire checkout flows being completed in milliseconds" as bots attacked APIs directly. By the time you notice the pattern, the inventory is gone.

What bots are actually doing (and why traditional metrics lie)

Here's where merchant confusion starts: most bots don't complete purchases. If you're only watching completed transactions, you're missing the real damage.

They prepared the battlefield. In early November, weeks before Black Friday, carding attacks rose 350% as attackers tested stolen credit cards with small "dummy purchases." They were figuring out which cards worked before the main event.

FortiGuard Labs identified over 18,000 newly-registered holiday-themed domains in the three months before Cyber Week, with at least 750 classified as malicious.

Think of it as reconnaissance. By the time Black Friday arrives, attackers know which cards are active, which sites have weak defenses, and which checkout flows can be automated.

And yes, they're poisoning your data. That merchant whose traffic exploded from 20,000 to 400,000 impressions? Their analytics are now worthless. As security analysts note, "the traffic spike plus a sales drop is a classic sign that bots are eating up your ad budget and blocking real customers from seeing your ads."

You're paying for clicks from robots. Your conversion rate calculations are meaningless. Your A/B tests are contaminated. And if you're making business decisions based on those numbers (choosing which products to promote, which ads to scale, which pages to optimize), you're essentially navigating by a broken compass.

Quite sadly, they're denying inventory to real customers. Bots add items to carts and hold them there, creating artificial scarcity. As Riskified's holiday fraud guide notes, this is an intentional strategy. When real customers arrive and see "Out of Stock," they leave, often to competitors. The bots never complete the purchase; they just prevent yours.

Researchers found that "bots may look human-like on the surface. But behaviour rarely lies." They add items to cart in milliseconds, hold inventory for exactly the cache timeout period, then release and repeat. It's algorithmic, not accidental.
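The "hold for exactly the cache timeout, release, repeat" pattern is something a merchant can look for in their own cart event log. The following script is an added example, not code from the original post or from any of the vendors it cites; the event log is constructed, and the 900-second reservation timeout, the 200 ms "too fast to be human" threshold and the 5% tolerance are assumptions to tune for a real store.

```python
"""Flag cart-holding bot sessions: add-to-cart within milliseconds of the page view,
hold the item for roughly the cart-reservation timeout, release it, repeat.
The event log and all thresholds below are constructed for this example."""
from collections import defaultdict

CACHE_TIMEOUT_S = 900.0   # assumed cart-reservation timeout of the store
FAST_ADD_MS = 200.0       # add-to-cart faster than this after the page view is suspicious
HOLD_TOLERANCE = 0.05     # a release within +/-5% of the timeout counts as "exactly" the timeout
MIN_CYCLES = 2            # require a repeated pattern before flagging a session

# Constructed sample: (session_id, event_type, timestamp_seconds), deliberately unsorted.
SAMPLE_EVENTS = [
    ("s-bot", "page_view", 0.0), ("s-bot", "add_to_cart", 0.05), ("s-bot", "cart_release", 900.5),
    ("s-bot", "page_view", 901.0), ("s-bot", "add_to_cart", 901.04), ("s-bot", "cart_release", 1801.2),
    ("s-bot", "page_view", 1802.0), ("s-bot", "add_to_cart", 1802.03), ("s-bot", "cart_release", 2702.0),
    # A human: takes 12 s to add, abandons after five minutes.
    ("s-human", "page_view", 0.0), ("s-human", "add_to_cart", 12.3), ("s-human", "cart_release", 310.0),
    # A slow human whose cart simply expired once: one cycle, and the add was not instant.
    ("s-slow", "page_view", 0.0), ("s-slow", "add_to_cart", 8.0), ("s-slow", "cart_release", 908.0),
]


def analyze_sessions(events, cache_timeout_s=CACHE_TIMEOUT_S):
    """Return {session_id: cycles} for sessions that look like cart-holding bots.

    A cycle is page_view -> add_to_cart (within FAST_ADD_MS) -> cart_release
    (after roughly cache_timeout_s). Sessions with fewer than MIN_CYCLES are ignored.
    """
    by_session = defaultdict(list)
    for sid, etype, ts in events:
        by_session[sid].append((ts, etype))

    flagged = {}
    for sid, evs in by_session.items():
        evs.sort()                      # events may arrive out of order
        cycles = 0
        last_view = None                # timestamp of the most recent page view
        add_ts = None                   # timestamp of a "too fast" add-to-cart, else None
        for ts, etype in evs:
            if etype == "page_view":
                last_view = ts
            elif etype == "add_to_cart" and last_view is not None:
                fast = (ts - last_view) * 1000.0 < FAST_ADD_MS
                add_ts = ts if fast else None
            elif etype == "cart_release" and add_ts is not None:
                hold = ts - add_ts
                if abs(hold - cache_timeout_s) <= HOLD_TOLERANCE * cache_timeout_s:
                    cycles += 1
                add_ts = None
        if cycles >= MIN_CYCLES:
            flagged[sid] = cycles
    return flagged


if __name__ == "__main__":
    for sid, n in analyze_sessions(SAMPLE_EVENTS).items():
        print(f"{sid}: {n} timeout-length cart holds after instant add-to-cart")
```

Run over a day of real events, the output is a shortlist of sessions worth rate-limiting at add-to-cart or excluding from inventory reservation, rather than a blanket block; the human sessions in the sample are not flagged because the add was not instant or the pattern did not repeat.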

They're conducting industrial-scale credential harvesting. Account takeover attacks soared 250% in 2024, fueled by seasonal traffic that provides cover. Analysis showed that malicious login attempts accounted for >30% of all login attempts during Cyber Week, up from 15% in September.

What were they doing with stolen accounts? Dark web marketplaces showed that retail account sales surged ahead of major shopping events, with November-December comprising 36% of all account sales for the year. There are over 311 million stolen accounts listed across dark web marketplaces, with 63% belonging to retail brands.

One merchant put it plainly: "It's just wasted money, chargeback risks, and hours spent reviewing false orders that were never meant to go through."

The economics are brutal. Research shows online merchants lose an average of 3.6% of revenue to bot-related fraud and operational costs. For a store doing $1 million annually, that's $36,000 gone, not from theft but from the overhead of dealing with fake traffic, false orders, and contaminated data.

The inequality that’s not highlighted enough

The most uncomfortable truth about bot traffic: it's not a level playing field.

GameStop reports 60% bot traffic. So does a three-person Shopify store selling handmade ceramics. Same problem, wildly different resources to fight it.

GameStop has: dedicated security teams, enterprise-grade detection systems, relationships with CDN providers, the technical expertise to analyze traffic patterns, and budgets that can absorb $50,000/month in protection costs.

The ceramic store has: Shopify's basic bot filtering and a founder Googling "how to block China IP addresses" at 2 AM between customer service emails.

The protection gap is widening. Data shows bot traffic grew 5.5 times faster for small-medium businesses than human traffic. While large retailers lose 2-3% of revenue to bot-related issues, smaller merchants lose 3-8%. And protection costs don't scale linearly: enterprise solutions cost more in dollars but represent a smaller percentage of revenue.

One frustrated merchant summarized the platform response: "Shopify told me protecting my store is my responsibility. Nice."

This is creating a competitive moat. Not based on product quality or customer service, but on who can afford better bot defense. Large retailers get larger. Small merchants get squeezed between rising ad costs (from bot clicks) and declining conversion (from contaminated traffic).

The bots you actually want (yes, really)

Before you block everything that moves, understand this: not all automated traffic is your enemy.

About 26% of bot traffic is what security researchers call "good bots," and blocking them would be harmful for your business.

Google's crawler needs to index your products. Bing's bot helps people find you. Price comparison services drive traffic from deal sites. Social media scrapers display your product images when people share links. Uptime monitors ensure your site is actually working.

The challenge isn't eliminating all bots. It's distinguishing between Google's crawler and the scraper bot stealing your catalog to train a competitor's AI model. Between the price comparison bot from a legitimate deal site and the one testing stolen credit cards.

Here's what makes 2025 different: AI traffic to retail sites grew 770% year-over-year (even though it's less than 2% of a website's traffic, the trend is clear). People used ChatGPT and Perplexity to research products, then clicked through to buy. That traffic looked automated (because it was), but it was humans using AI tools, not bots acting autonomously.

Adobe found that AI-referred traffic had 23% lower bounce rates, 12% more page views, and 41% longer sessions than other traffic. These were high-intent shoppers who'd already done their research.

Block them indiscriminately, and you've just told Google (and increasingly ChatGPT) that your site is hostile to crawlers. Good luck ranking in search results or AIO.

This is why blanket solutions, like blocking entire countries or all automated requests, often backfire spectacularly. You stop attacks, but you also disappear from search engines and deal sites. The cure becomes worse than the disease.

What you can actually do (without going bankrupt or insane)

Let's be honest about your options. There's no magic bullet, and what works depends on your budget, technical expertise, and pain tolerance.

If you're bootstrapped ($0-200/month):

Start with the free stuff. Cloudflare's free tier includes basic bot filtering. Turn it on. Configure geographic blocking if certain regions never produce legitimate orders. Add JavaScript challenges to slow down headless browsers.

But here's the uncomfortable truth: at this budget, you're not stopping sophisticated bots (remember, 60% of bots are sophisticated now). You're stopping the dumb ones and learning to spot warning signs. Watch for traffic spikes with conversion drops. Monitor orders from unusual locations. Set up alerts for multiple failed payment attempts.
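Two of those warning signs, a traffic spike paired with a conversion drop and a burst of declined payment attempts (the small "dummy purchase" card-testing described earlier), can be checked with a few dozen lines over the store's own exports. The script below is an added example, not code from the original post or from any vendor it names; the hourly figures, the payment attempts, the IP addresses (from the documentation ranges) and every threshold are constructed and would need tuning against a real store's baseline.

```python
"""Two cheap alerts a bootstrapped store can run over its own logs:
1) an hour whose visits spike while conversion collapses,
2) an IP producing a burst of declined payment attempts (card testing).
All sample data and thresholds are constructed for this example."""
from collections import defaultdict
from statistics import mean

SPIKE_FACTOR = 3.0        # visits at least 3x the baseline hourly average
CONVERSION_DROP = 0.1     # conversion at most 10% of the baseline conversion rate
DECLINE_THRESHOLD = 5     # declines from one IP inside the window trigger an alert
DECLINE_WINDOW_S = 600    # sliding 10-minute window

# Constructed: 24 baseline hours at 100 visits / 2 orders (2%), then three new hours.
HOURLY = [(f"h{i:02d}", 100, 2) for i in range(24)] + [
    ("h24", 120, 3),   # normal
    ("h25", 400, 0),   # 4x traffic, zero orders -> alert
    ("h26", 350, 7),   # 3.5x traffic but conversion held at 2% -> a real promotion, no alert
]

# Constructed: (timestamp_s, ip, amount, status). 203.0.113.7 tests six cards at $9 in five minutes.
ATTEMPTS = [(t, "203.0.113.7", 9.00, "declined") for t in (0, 60, 120, 180, 240, 300)] + [
    (0, "198.51.100.2", 54.99, "declined"),
    (5000, "198.51.100.2", 54.99, "declined"),   # two declines far apart: a clumsy human
    (5100, "198.51.100.2", 54.99, "ok"),
]


def spike_with_conversion_drop(hourly, baseline_hours=24):
    """hourly: list of (label, visits, orders), oldest first.
    The first `baseline_hours` rows define normal; returns labels of alerting hours."""
    base = hourly[:baseline_hours]
    base_visits = mean(v for _, v, _ in base)
    base_conv = sum(o for _, _, o in base) / max(1, sum(v for _, v, _ in base))
    alerts = []
    for label, visits, orders in hourly[baseline_hours:]:
        conv = orders / visits if visits else 0.0
        if visits >= SPIKE_FACTOR * base_visits and conv <= CONVERSION_DROP * base_conv:
            alerts.append(label)
    return alerts


def decline_bursts(attempts, threshold=DECLINE_THRESHOLD, window_s=DECLINE_WINDOW_S):
    """attempts: list of (ts_seconds, ip, amount, status) with status 'ok' or 'declined'.
    Returns {ip: most declines seen in any window_s-wide window}, only for ips at or over threshold."""
    per_ip = defaultdict(list)
    for ts, ip, _amount, status in attempts:
        if status == "declined":
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # classic two-pointer sliding window
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("hours with spike + conversion drop:", spike_with_conversion_drop(HOURLY))
    print("IPs with decline bursts:", decline_bursts(ATTEMPTS))
```

Note that the promotional hour with a real traffic surge is not flagged, which is the point of pairing the two signals: volume alone says nothing, volume without orders does. The decline-burst output is a review queue for the payment gateway's velocity rules, not a block list.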

On Reddit, the advice seems tempting (yes, it gets a lot of upvotes as well): "You need to block whole countries or subnets, check on WHOIS a few IPs and see the networks or ASN they have in common and block that."

That's manual labor. You're spending time instead of money. Just know that as security researchers warn, "you can't out-block a bot" manually. The sophisticated attacks will route around your blocks within hours.

At this level, you're accepting bot traffic as a cost of doing business. Your goal: minimize damage, not eliminate the problem.

If you have a real budget ($200-800/month):

Now you can deploy actual tools. Cloud-based bot protection services filter obvious attacks before they reach your store. Web Application Firewalls (WAFs) analyze patterns and request rates to separate humans from machines.

Add fraud detection for payments. Services like Signifyd, Riskified, or Sift use machine learning to flag suspicious transactions. They cost money (usually a percentage of reviewed transactions), but chargebacks cost more.

The strategy here: stack multiple layers. Any single defense can be defeated, but making attackers defeat three different systems raises their cost enough that many move to easier targets. As cybersecurity analysts note, "think of defense like an onion, not a wall. Each layer removes opportunities for exploitation."

You're still not bulletproof. But you've made yourself expensive enough to attack that you're no longer the low-hanging fruit.

If you're scaling ($800+/month):

Enterprise territory. Solutions like F5's bot management, Akamai Bot Manager, or Imperva Advanced Bot Protection provide behavioral analysis, device fingerprinting, and continuous adaptation.

These systems don't just block known threats; they build profiles of normal behavior and flag anomalies in real time. They notice when "users" navigate in patterns real humans never use. They catch bots completing forms in 0.3 seconds when humans take 30 seconds.
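The form-timing check does not require an enterprise product; the server can measure it itself by embedding a signed "issued at" token when the checkout form is rendered and comparing it at submission. The code below is an added example, not code from the original post or from any of the vendors it names; the secret, the 3-second minimum fill time and the one-hour token lifetime are constructed values for illustration.

```python
"""Server-side minimum fill-time check for a checkout form.
Render: embed issue_form_token() in a hidden field.  Submit: call check_form_token()
and challenge or reject anything that came back faster than a human could type.
The secret and the timing thresholds are constructed for this example."""
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-example-secret-rotate-in-production"
MIN_FILL_S = 3.0        # no human completes a checkout form in under 3 seconds
MAX_AGE_S = 3600.0      # tokens older than an hour are stale and must be reissued


def issue_form_token(issued_at=None, secret=SECRET):
    """Return an opaque token binding the render time; HMAC prevents the client editing it."""
    issued_at = time.time() if issued_at is None else issued_at
    msg = f"{issued_at:.3f}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()  # hex: no '.' inside
    return base64.urlsafe_b64encode(msg + b"." + sig).decode()


def check_form_token(token, now=None, secret=SECRET):
    """Classify a submitted token: 'ok', 'too_fast', 'stale' or 'invalid'."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        msg, sig = raw.rsplit(b".", 1)
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):   # constant-time compare
            return "invalid"
        issued_at = float(msg)
    except (ValueError, TypeError):
        return "invalid"                              # malformed base64, no '.', non-numeric
    elapsed = now - issued_at
    if elapsed < MIN_FILL_S:
        return "too_fast"
    if elapsed > MAX_AGE_S:
        return "stale"
    return "ok"


if __name__ == "__main__":
    tok = issue_form_token()
    print("immediate submit:", check_form_token(tok))          # too_fast
    print("submit after 25 s:", check_form_token(tok, now=time.time() + 25))  # ok
```

A "too_fast" result is a signal to add friction (a challenge, a second look at the payment), not proof of a bot: a returning customer with browser autofill can be quick, which is why the threshold is a few seconds rather than the 30 the article quotes as typical.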

You might also add behavioral biometrics: analyzing typing rhythms, mouse movements, touch patterns. Bots can fake many things, but replicating the subtle inconsistencies of human input remains hard.

Research shows that teams spend up to 10,000 hours annually on manual bot protection. That's five full-time employees. At this scale, automation isn't optional; it's cheaper than hiring.

The strategy nobody admits but almost everyone follows: strategic surrender

Here's an approach few vendors will recommend: accept some bot traffic and focus your defenses where money actually changes hands.

Not all bot activity is equally expensive. A scraper downloading your product catalog is annoying but not directly costly. A bot testing credit cards at checkout is immediately expensive. A bot generating fake traffic that inflates your ad costs is somewhere between.

You might decide to:

  • Let scrapers through (they're nearly impossible to stop anyway)
  • Block aggressively at checkout (where fraud happens)
  • Monitor cart abandonment patterns (where inventory gets locked)
  • Flag suspicious payments for manual review (where chargebacks originate)

This isn't surrender; it's triage. As security experts note, "the most forward-thinking ecommerce platforms are adopting a multilayered approach that combines traditional rule-based systems with real-time AI, behavioral analytics and supply chain traceability."

The reality: you have finite resources. Spending them all trying to block scrapers means you can't afford to stop checkout fraud. Choose your battles based on where bots actually cost you money, not where they hurt your pride.

The AI angle: optimize for the good bots

One more wrinkle: some "bot" traffic might actually drive sales.

AI traffic grew 770% year-over-year during Cyber Week. While still less than 2% of total traffic, these visitors behave differently. Adobe found they have 23% lower bounce rates, 12% more page views, and sessions that last 41% longer: high-intent shoppers who've done their research.

There are less pleasing statistics around AI traffic as well (a lower likelihood to buy), but it's an evolving technology, and all signs say it will improve, though only over time.

The catch? AI agents need structured data. They're not "seeing" your site like humans; they're parsing product descriptions, specifications, and metadata. If that information isn't clear, you become invisible to AI shoppers.

This means:

  • Clean, accurate product data (title, description, specs, price, availability)
  • Schema markup that tells AI systems what information means
  • Clear return policies and shipping details
  • Fast page loads (AI systems penalize slow sites)
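What "schema markup" means in practice is a schema.org Product block in JSON-LD on each product page, and the data-quality point is that the block should never be emitted with gaps. The script below is an added example, not code from the original post or from Adobe, RH-ISAC or any other party it mentions; the product record is constructed, and the set of fields it treats as required (name, description, sku, price, currency, availability, url) is this example's own choice. Shipping and return-policy types are left out to keep it short.

```python
"""Build the schema.org Product JSON-LD that crawlers and AI shopping agents parse,
and refuse to publish it when the underlying product data is incomplete.
The product record and the required-field list are constructed for this example."""
import json

# schema.org ItemAvailability values (these URIs are real schema.org identifiers)
AVAILABILITY = {
    "in_stock": "https://schema.org/InStock",
    "out_of_stock": "https://schema.org/OutOfStock",
    "preorder": "https://schema.org/PreOrder",
}
REQUIRED = ("name", "description", "sku", "price", "currency", "availability", "url")

# Constructed product records: one complete, one with the gaps a real catalog often has.
GOOD = {
    "name": "Hand-thrown stoneware mug, 350 ml",
    "description": "Wheel-thrown stoneware mug with a matte glaze. Dishwasher safe.",
    "sku": "MUG-350-MATTE",
    "price": "24.00",
    "currency": "USD",
    "availability": "in_stock",
    "url": "https://example.com/products/mug-350-matte",
    "image": "https://example.com/images/mug-350-matte.jpg",
}
BAD = {"name": "Mug", "sku": "MUG-?", "price": "0", "currency": "USD", "availability": "maybe"}


def validate_product(p):
    """Return a list of problems; an empty list means the record is publishable."""
    problems = [f"missing {k}" for k in REQUIRED if not p.get(k)]
    if p.get("availability") not in AVAILABILITY:
        problems.append("availability must be one of: " + ", ".join(AVAILABILITY))
    try:
        if float(p.get("price", 0)) <= 0:
            problems.append("price must be positive")
    except (TypeError, ValueError):
        problems.append("price must be numeric")
    return problems


def product_jsonld(p):
    """Return the JSON-LD dict for a validated product; raise ValueError otherwise."""
    problems = validate_product(p)
    if problems:
        raise ValueError("; ".join(problems))
    data = {
        "@context": "https://schema.org",
        "@type": "Product",
        "name": p["name"],
        "description": p["description"],
        "sku": p["sku"],
        "url": p["url"],
        "offers": {
            "@type": "Offer",
            "price": f"{float(p['price']):.2f}",       # machine-readable, not "$24"
            "priceCurrency": p["currency"],
            "availability": AVAILABILITY[p["availability"]],
            "url": p["url"],
        },
    }
    if p.get("image"):
        data["image"] = p["image"]
    return data


def jsonld_script_tag(p):
    """The exact text to place in the page <head>."""
    return '<script type="application/ld+json">' + json.dumps(product_jsonld(p)) + "</script>"


if __name__ == "__main__":
    print(jsonld_script_tag(GOOD))
    print("problems with BAD record:", validate_product(BAD))
```

Wiring validate_product into the catalog publishing step turns "clean, accurate product data" from a guideline into a gate: a product with a missing description or a non-numeric price never reaches the page as markup an agent would parse.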

Think of it as SEO for the AI era. You're not fighting these bots; you're making it easy for them to recommend you. RH-ISAC forecasts a 520% spike in AI-driven traffic during peak shopping periods. That trend isn't reversing.

Why this gets worse before it gets better

If you're hoping bot traffic is temporary, maybe just holiday chaos that'll calm down, I have bad news.

LexisNexis data shows that while global ecommerce transactions increased 17% year-over-year, bot attacks jumped 195%. Account modification events (password changes, address updates) saw bot attacks surge 441% year-over-year.

The acceleration is real. Security researchers note that attackers are now "using bots to scrape public and personal content from websites to then fine-tune their GenAI models." Generative AI makes it easier to create convincing bot scripts, generate synthetic identities, and craft realistic checkout attempts.

SEON's analysis found that "fraud activity outpaced shopping growth by a wide margin. Fraudulent transactions rose approximately five times higher on Black Friday and four times higher on Cyber Monday compared to October baselines." This wasn't a spike; fraud pressure stayed elevated for weeks before and after the main events.

December has become "the most dangerous time of the year" for digital attacks. With increased traffic, distracted staff, and AI-enabled attackers, the holiday season is now peak hunting season.

The bots have supply chains now. Infrastructure-as-a-service for fraud. Rental botnets. Automated phishing panel subscriptions. The barrier to entry keeps dropping while sophistication keeps rising.

This is the new normal, not a temporary problem.

What winning actually looks like

Given all this, what does success mean for a merchant?

It's not eliminating all bot traffic; that's impossible. It's operating profitably despite it.

Success means:

  • Knowing your baseline metrics so you spot anomalies fast
  • Having systems that flag suspicious activity quickly enough to respond
  • Protecting checkout where fraud actually costs money
  • Maintaining customer experience while adding security (invisible friction)
  • Understanding which battles to fight and which to concede

Research on bot management ROI shows that successful strategies lead to "improved cost management, enhanced operational efficiency, reduced business and financial risks, and controlled IT spending."

The merchants who thrive won't be the ones who eliminate all bots. They'll be the ones who learn to operate profitably in a world where automated traffic is permanent, protection is imperfect, and perfect security means zero sales.

One last thought

That merchant dealing with 260 visits from China, all abandoning carts with the same $9 product? Their frustration was valid. The problem was real. And it's not going away.

As one merchant reflected after the brutal 2025 holiday season: "Tariffs, bots, fake traffic, rising costs, 2025 pushed merchants to their limit. The holiday season was meant to be the recovery arc, not another hit."

But here's the thing about building a business: you don't get to choose your era. You get to choose how you respond to it.

In the 1990s, merchants dealt with shoplifting and employee theft. In the 2000s, they learned about chargeback fraud and phishing. In the 2010s, it was credential stuffing and scraping. Now it's AI-powered bots that mimic human behavior so well that even major retailers saw 72% of their traffic coming from automation during 2025's Cyber Week.

The honest reality? There's no perfect solution. Anyone who promises one is selling something.

What you can do: understand the problem, invest proportionally to your risk, accept that you're sharing your site with automated traffic, and make peace with imperfect defenses. Yes, over time, cybersecurity agents and governments may find better solutions, but don't hold your breath for that.

The merchants who succeed won't be the ones who eliminate bots. They'll be the ones who build businesses resilient enough to stay profitable when half their visitors aren't human.

And maybe, just maybe, that's the more valuable skill anyway.
