Key takeaways
- AI-driven botnets increase the scale of risk. Threat actors are running highly sophisticated, AI-assisted, multi-vector campaigns that combine Mirai-derived IoT botnets, browser impersonation, and API targeting to bypass perimeter rules.
- Hidden APIs create unmonitored entry points. Rapid customer experience development has generated massive shadow API risks. While almost 78% of commerce firms claim a complete inventory, only 22.3% know which APIs actually expose sensitive personally identifiable information (PII) and account data.
- Geopolitical hacktivism threatens service availability. A prominent pro-Iraqi and Iran-aligned hacktivist group has been actively orchestrating complex, multi-vector DDoS and browser impersonation attacks that explicitly target ecommerce APIs.
- Regional attack variations require localized security. Bot counts are expanding globally across every geographic theater, led by a 63% increase in APAC, followed by 48% in LATAM, 16% in EMEA, and 7% in North America.
- Volumetric attack scaling hits record highs. Commerce recorded the single highest volume of global AI bot traffic between July and December 2025, capturing a dominant 47.9% of all monitored AI bot activities across all industries.
- Retail remains the primary target for web and API breaches. Commerce represents the single largest target for web attacks against API endpoints, capturing 49% of all commerce web attacks as threat actors hunt for exposed consumer financial accounts.
- AI integration expands the exploitable attack surface. North American retail led all global verticals with 33 billion AI bot counts (nearly 16% of the global total), followed by EMEA retail at 26 billion (12.4%), as attackers exploit vulnerabilities in conversational AI agents.
- Persistent DDoS threats demand adaptive defense. Retail platforms bear the brunt of application-layer disruption, absorbing 84% of all Layer 7 DDoS activity on commerce as threat actors weaponize high-traffic seasonal shopping windows.
Frequently Asked Questions (FAQ)
Frequently Asked Questions (FAQ)
API web attacks grew 9% between Q4 2024 and Q4 2025, surpassing application attacks. Threat actors favor APIs as primary initial entry points because they expose direct pathways to high-value data, including sensitive customer PII and financial account information. Commerce recorded the highest number of web attacks against API endpoints of any industry, accounting for 49% of all commerce web attacks between January 2024 and December 2025.
While training crawlers account for more than 70% of AI bot traffic in the commerce sector, blanket blocking is not a viable strategy because it risks blocking legitimate customers or losing critical brand visibility in AI-generated search results.
Commerce organizations are shifting toward a conservative approach. Our study revealed that more than 90% of Akamai-categorized AI bots are placed in the “monitor” category to undergo behavior-based assessments.
According to the 2026 Akamai API Security Impact Study, 85% of commerce organizations experienced at least one API-related security incident over a 12-month period. These incidents are primarily driven by API misconfigurations, a lack of dedicated API security tools beyond traditional WAFs, emerging attacks against AI-related APIs, and shadow APIs caused by poor inventory management.
No. Commerce suffers from a severe visibility gap: Although nearly 78% of organizations claim to have a complete API inventory, only 22.3% actually know which of those APIs expose sensitive data, creating massive opportunities for threat actors.