Bots didn't take the summer off.
Q2 2025 bot attack trends reveal three dominant tactics: AI scraping, scalper bots, and stolen travel accounts.
Here’s how attackers made money and what defenders can do about it.
1) AI Scraping: From Background Noise to Business Risk
AI scrapers aren’t just crawling, they’re hammering. In Kasada's Q2 Threat Report, over 120 million requests were tracked from AI scraper user agents, with OpenAI responsible for the majority. In June alone, OpenAI sent more than 56 million requests, vastly outpacing every other self-identified AI bot. Retail and real estate were hit the hardest, underscoring how quickly “background noise” has become a strategic risk.
The stakes are clear. Scrapers trigger cloud auto-scaling, inflating bandwidth and infrastructure bills while draining performance. For industries with dynamic pricing, scraping distorts demand signals and erodes margins. And because these bots ignore robots.txt, they expose businesses to regulatory and ESG scrutiny.
The legal battles show how messy enforcement can be. Ryanair has spent more than a decade fighting online travel agencies over unauthorized scraping of its flight data. Even with courts in multiple jurisdictions siding with Ryanair, the costs of litigation have been significant, and operational disruption continues. At the same time, new AI entrants like Meta AI have been observed scraping real estate listings in the U.S., raising fresh questions about compliance and attribution.
What to do:
- Define your policy on acceptable vs. unwanted scraping.
- Enforce with client-side telemetry, invisible proof-of-execution, and anomaly detection — no CAPTCHAs required.

