Akamai warns of surging bot attacks on APAC commerce
Thu, 16th Jul 2026 (Today)
Akamai has reported a sharp rise in bot and API attacks against commerce companies in Asia Pacific, identifying the region as the fastest-growing global target for this activity.
Its latest research found bot activity targeting commerce businesses in Asia Pacific rose 63% in 2025. Commerce also accounted for 38% of all AI bot traffic observed across industries in the region during the second half of the year.
The figures come as retailers, travel platforms and hospitality groups expand their use of AI-driven shopping tools, booking systems and customer service functions. That shift is widening the number of digital entry points connected to payments, loyalty schemes, inventory systems and partner integrations.
Retail remained the main target for attacks, but travel and hospitality faced heavier exposure in Asia Pacific than in other regions. Akamai linked that pattern to fragmented travel platforms, strong mobile adoption, popular loyalty programmes and seasonal booking surges around major holiday periods.
Travel accounted for 22% of commerce web attacks in the region, the report found. One in four attacks targeting travel businesses hit application programming interfaces, or APIs, which are widely used to connect booking engines, payment systems and customer data tools.
Application-layer distributed denial-of-service attacks also increased. Layer 7 DDoS attacks against commerce businesses in Asia Pacific rose 39%, from 260 billion to 361 billion events in 2025.
Among API-targeted Layer 7 DDoS attacks, retail accounted for 51% of incidents. Hospitality represented 28%, while travel made up 21%.
Expanding surface
The report argues that the growth of automated shopping assistants, chatbots and other AI tools is making it harder for businesses to distinguish normal automated activity from malicious traffic. Security teams now have to separate customer-facing bots and backend automation from scraping, credential stuffing and other forms of abuse.
That challenge is especially acute in commerce, where companies often depend on a web of connected services. Payment gateways, rewards platforms, logistics systems and booking software can each create additional points of exposure if they are not closely monitored.
Akamai said the issue is becoming more visible as companies adopt what it describes as agentic commerce, using automated systems to personalise offers and reduce abandoned purchases. In practice, that means more machine-to-machine interactions and more API calls, both of which attackers can exploit if controls are weak.
Reuben Koh, Director of Security Technology and Strategy, APJ, at Akamai, said the operational benefits of automation are being matched by a broader attack surface.
"APAC's commerce sector is pivoting quickly toward a more automated and AI-enabled future, as businesses use GenAI chatbots and other AI-powered services to personalise experiences and reduce friction," said Reuben Koh, Director of Security Technology and Strategy, APJ, at Akamai.
"But every chatbot interaction, booking flow and loyalty programme integration creates another digital surface that must be discovered, understood and protected. This is especially important in APAC, where travel and hospitality face heightened exposure from fragmented platforms, popular loyalty programmes and seasonal traffic surges. Businesses must now implement risk-based defences capable of identifying malicious intent hidden within high-volume, legitimate automation, without adding friction for customers."
Security response
Businesses need to treat resilience as a broader operational issue rather than a narrow security function, the report said. It recommended mapping systems tied to revenue generation, especially APIs supporting checkout, payments, inventory and loyalty services, to identify where sensitive data may be exposed.
It also called for a more selective approach to automation governance. Rather than making broad decisions to allow or block traffic, businesses should assess the level of risk attached to different types of automated activity.
Another area of concern is peak-demand planning. Companies should test DDoS response plans, monitor for fake storefronts and credential exposure, and improve coordination between cybersecurity and fraud teams before major shopping or travel peaks.
Akamai said its findings were based on attack data observed across its cybersecurity network. The company has published its State of the Internet security reports for 12 years.
The data suggests the security pressures facing Asia Pacific commerce groups are no longer limited to traditional web attacks, but are increasingly tied to the same AI and automation systems being adopted to serve customers.
Layer 7 DDoS attacks against commerce businesses in the region reached 361 billion events in 2025.