What we noticed during Cyber 5
Every season, holiday bot attacks surge - no surprise there.
What stood out this year was the shift in bot activity throughout the shopping period. Adversaries are well-versed in the tools at their disposal and when to deploy them to gain an advantage.
Scraping helps identify promos and inventory, automated checkout swoops in to get sale items first, fake accounts assist in buying hype items, and account takeover (ATO) allows them to cash out on holiday shopping.
Across Kasada-protected retail traffic globally, here are a few stats that stood out to us:
- Automation attacks more than doubled from Black Friday to Travel Tuesday. Both scale and sophistication increased as the sales period progressed.
- Unauthorized scraping was the most prevalent attack type
Scraping increased steadily across Cyber 5, surging around the most profitable promotions. - API-based automation followed the same pattern
API bot activity grew roughly 1.6× from Black Friday to Travel Tuesday, suggesting a deliberate approach. - Automated checkout attempts peaked on Cyber Monday
Requests spiked 2.8× compared to Black Friday, aligning closely with the highest-impact sales moments. - Account takeover attempts rose after sales began to taper
Rather than peaking during promotions, ATO activity continued to climb and nearly tripled by Travel Tuesday.
More than anything, this data shows how adaptable automated attacks have become. They don’t just show up for a single sale and disappear; they shift as the season progresses.
The shopping season isn't over yet, though, and we continue to see bot activity grow as we get closer to the end of the year.
To understand how attackers were preparing and monetizing these campaigns beyond live retail traffic, we turn to insights from our Threat Intelligence team, . 👇










