Thales latest API Threat Report reveals a troubling reality: while APIs represent just 14% of the overall digital attack surface, they are attracting 44% of advanced bot traffic, indicating a strategic pivot toward highly automated and sophisticated targeting methods.
Unprecedented Scale of Digital Assault
Thales analysed over 4,000 monitored environments to compile its findings, documenting what security experts are calling a fundamental shift in cybercriminal tactics.
If current attack rates persist, the total could surpass 80,000 API-related incidents by year-end, representing an escalation in both volume and complexity.
The most dramatic incident recorded was a massive 15 million requests-per-second distributed denial-of-service (DDoS) attack targeting a financial services API.
Unlike conventional bandwidth-flooding techniques, this assault specifically targeted the application layer, overwhelming the API infrastructure to disrupt critical financial transactions. Financial services organisations have borne the heaviest impact, absorbing 27% of all API-focused DDoS traffic.
The concentration reflects the sector’s heavy dependence on APIs for real-time operations including payments processing, balance inquiries, and fund transfers—making them particularly vulnerable to service disruption.
Evolution of Attack Sophistication
Cybercriminals have refined their methods to evade detection more effectively.
Attackers now routinely deploy headless browsers and sophisticated botnets designed to mimic legitimate user behaviour, significantly complicating efforts by security teams to distinguish malicious requests from normal traffic patterns.
The research identifies clear targeting preferences among attackers. Data-access APIs represent the most attractive targets, accounting for 37% of all incidents, while checkout and payment APIs follow at 32%.
Authentication systems comprise 16% of attacks, with gift card and promotional validation APIs making up 5%. Shadow or misconfigured APIs, though representing just 3% of incidents, remain a critical security blind spot for organisations.
Attack Methods Intensify
Several attack vectors have shown particularly concerning growth patterns. Credential stuffing and account takeover attempts surged 40% against APIs lacking adaptive multi-factor authentication (MFA).
Data scraping operations now represent 31% of all API bot activity, as attackers seek valuable personal and financial information.
Coupon and payment fraud comprised 26% of documented incidents, exploiting weaknesses in promotional and checkout validation systems.
Remote code execution probes accounted for 13% of attacks, frequently targeting known vulnerabilities in systems including Log4j, Oracle WebLogic, and Joomla platforms.
Industry distribution shows financial services leading incident reports at 27%, followed by travel companies at 14%, entertainment and arts organisations at 13%, and telecommunications and internet service providers at 10%.
Tim Chang, Vice President of Application Security Products at Thales, said, “APIs are the digital economy’s connective tissue – but that also makes them its most attractive attack surface.
“What we’re witnessing is not just the scale of attacks increasing, but a fundamental shift in how criminals operate: they don’t need to inject malware, they can simply bend your business logic against you. The requests look legitimate, but the impact can be devastating.” said Chang
Daniel Toh, Chief Solution Architect for Asia-Pacific and Japan at Thales, warned that attacks are likely to grow in both volume and sophistication over the coming months.
“The next six months will only see the volume and sophistication of API attacks grow across the region. The best time to act was yesterday – the next best time is now,”
“Organisations in Singapore must discover every live endpoint, understand its business value, and protect it with context-aware, adaptive defences if they are to safeguard revenue, trust and compliance.”
Urgent Security Imperative
The findings underscore an immediate need for organisations to comprehensively audit their API landscapes, implement adaptive multi-factor authentication systems, and strengthen monitoring capabilities for shadow APIs.
Security experts warn that failure to address these vulnerabilities could expose businesses to increasingly sophisticated bot traffic and targeted exploitation attempts.
