Top 12 Malicious Botnet Activities (2026)
In 2026, botnet activity is focused on identity and API abuse. Here’s a link to my recent March 2026 report on botnet and DDoS activity in New Zealand. This is a technical foray into one aspect of site security. For strategy on mitigation with real-world NZ case studies, see the DDoS Attacks: Real-World New Zealand Case Studies guide. Go here for DDoS protection and mitigation services.
The share of malicious automated traffic across global networks like Cloudflare is as follows: (Source: Deep Research: Gemini AI 9 March 2026)
| Rank | Bot Activity Type | % of Malicious Traffic | Primary Attack Scenario |
| --- | --- | --- | --- |
| 1 | Layer 7: Exploiting broken object-level authorisation. | 35% | Layer 7: Rapid logins via /wp-login.php or API endpoints. |
| 2 | DDoS (Volumetric) | 18% | Layer 3/4: UDP/ICMP floods to knock the server offline. |
| 3 | Web Scraping (Aggressive) | 12% | Layer 7: High-frequency GET requests to steal pricing/content. |
| 4 | Vulnerability Scanning | 10% | Layer 7: Probing for known CVEs (e.g., Log4j, MoveIt). |
| 5 | Inventory Hoarding | 6% | Layer 7: Holding items in carts (Denial of Inventory). |
| 6 | Ad Fraud / Click Fraud | 5% | Layer 7: Mimicking humans to drain PPC budgets. |
| 7 | Spam/Form Submission | 4% | Layer 7: POST requests to contact/comment forms. |
| 8 | API Abuse | 3% | Layer 7: Exploiting broken object-level authorization. |
| 9 | Account Takeover (ATO) | 2.5% | Layer 7: Targeted brute force on high-value accounts. |
| 10 | Carding/Card Stuffing | 2% | Layer 7: Testing stolen CC info on checkout pages. |
| 11 | SEO Spam | 1.5% | Layer 7: Injecting malicious backlinks into CMS databases. |
| 12 | Cryptojacking | 1% | Layer 7/Infection: Remote code execution to run miners. |






