135% Surge: Inside the Holiday Bot Attacks of December 2025

The holiday shopping window has always attracted heightened cyber activity, but December 2025 set a new benchmark. DataDome recorded a 135 % increase in malicious bot requests compared with the previous year, a surge driven largely by generative‑AI tools that enable bots to blend seamlessly with legitimate traffic. By reproducing natural mouse movements, varied browsing patterns, and even human‑like timing, these AI agents slip past rule‑based defenses, turning routine holiday spikes into fertile ground for fraudsters.

Across the attack spectrum, the numbers are staggering. Vulnerability‑scanning bots generated over 22 million requests for a major marketplace, while a financial services firm endured 175 million credential‑stuffing attempts. Fake‑account creation peaked at 5.2 million for a sports‑industry platform, and scraping activity topped 29.7 million for a ticketing business. Scalping bots exhausted inventory on luxury goods, with 27 million requests recorded, and payment‑fraud bots processed 10.3 million illicit transactions for a gift‑card provider. These figures illustrate how AI‑augmented bots amplify every stage of the fraud lifecycle.

The implications are clear: traditional static defenses are insufficient. Enterprises must adopt adaptive, AI‑powered security stacks that can learn and respond in real time, mirroring the bots’ own agility. Continuous behavioral analytics, automated threat‑intelligence sharing, and proactive bot‑mitigation strategies are becoming essential to safeguard revenue and customer trust during peak periods. As AI continues to lower the barrier for sophisticated bot creation, the arms race will intensify, making investment in autonomous security solutions a strategic imperative for any organization reliant on holiday commerce.