The financial services, telecoms and travel sectors were in the crosshairs of threat actors in the first half of the year, after Thales observed 40,000 incidents in the period alone.
The firm’s Imperva business analyzed data from over 4000 environments worldwide to produce its API Threat Report (H1 2025).
The report claimed that APIs now attract 44% of advanced bot traffic, which is generated by sophisticated software designed to mimic human behavior.
Among the report’s key findings are:
- A 40% increase in credential-stuffing and account takeover attempts targeting APIs without adaptive multi-factor authentication (MFA)
- Data scraping accounted for nearly a third (31%) of API bot activity
- Coupon and payment fraud accounted for 26% of API attacks
- Remote code execution (RCE) attempts accounted for 13%
- Log4j, Oracle WebLogic and Joomla were the most targeted products
“APIs are the digital economy’s connective tissue – but that also makes them its most attractive attack surface,” said Tim Chang, VP of application security products at Thales.
“What we’re witnessing is not just the scale of attacks increasing, but a fundamental shift in how criminals operate: they don’t need to inject malware, they can simply bend your business logic against you. The requests look legitimate, but the impact can be devastating.”
Read more on API threats: 99% of Organizations Report API-Related Security Issues
Financial services accounted for 27% of API incidents in the period, followed by telecoms and ISPs (10%), travel (14%) and entertainment & arts (13%), the report noted.
Shadow APIs are still a major security blind spot, with organizations typically having 10-20% more active APIs than they think.
Thales also reported a major application-layer DDoS attack in the first half of the year, at a record-breaking 15 million requests-per-second (RPS).
The report claimed that 27% of API-focused DDoS traffic in the period was aimed at financial services targets, given that they’re heavily reliant on APIs for real-time transactions like balance checks, transfers and payment authorizations.
Chang warned that the volume and sophistication of API attacks would continue to surge in the next six months, with 2025 on track for 80,000+ incidents.
“The best time to act was yesterday – the next best time is now,” he concluded.
“Organizations must discover every live endpoint, understand its business value and protect it with context-aware, adaptive defenses if they are to safeguard revenue, trust and compliance.”
