There are now more bots than humans on the web – and that’s a danger for all of us

They're on Facebook, posting bizarre AI images seemingly created to play on the emotions of people without the media literacy to spot that they're entirely made up. They're sending you messages, trying to steal money or push cryptocurrency. They're even – apparently – going to watch Oasis and do driving tests, snapping up tickets before actual humans can get their hands on them.

So it won't be much of a surprise, even if it is something of an outrage: last year year, for the first time in a decade, more internet traffic is being generated by automated bot systems than by actual humans. That's according to Thales Bad Bot Report, an annual survey of the state of the internet, which reported that bot activity accounted for 51 per cent of internet traffic in 2024. (It has been creeping up: last year it was exactly half, the year before that it was about to tip over.)

Perhaps more alarming than the sheer number is that the cyber security firm noted that the likely drivers of the rise is the increase in AI and large language model tools, which make it easier to automate the creation of bots for malicious purposes. Cyber criminals can use automated systems to make automated systems.

That has meant that while the number of attacks and bots conducting them might have increased, the sophistication of those attacks has actually reduced. The travel industry for instance was found to be experiencing amongst the most attacks, but many are fairly simple compared with before. Thales said that this “shift indicates that AI-powered automation tools have lowered the barriers to entry for attackers, allowing less sophisticated actors to initiate more basic bot attacks”.

Cyber criminals are giving up on sophisticated attacks, and just attacking, with the ease of automation meaning that they can do so much more frequently and in widespread ways.

In short, the barrier to entry to automating the internet has become much lower: it is possible now to do so simply by chatting with an AI system and asking it to do the work. This is a problem right across the web, where sophisticated automated attacks at least once came with the restriction that they required skill and resource to conduct. Now, people can overrun the web with bots that were summoned into existence with just a few words into ChatGPT or similar systems; eventually, those bots can create their own bots, easily regenerating and spreading like a virus.

It's all a reminder of the theory of the "dead internet", the idea that the web is not really populated primarily by humans but by an array of computers, all chatting to each other. It is often described as a conspiracy theory but it is at least a half-truth: there is a whole web of automated chatter. You can see it more than anywhere now on X, where automated systems built to reply to posts will then reply to other automated systems, often generating long conversations with nothing produced but a host of meaningless words and some activity on a distant computer running an AI system.

Part of the horror of the dead internet theory is that we might not know. The old joke goes that on the internet nobody knows you’re a dog, but nobody knows you’re a bot either; the same anonymity and ease of use that made it such a powerful platform means that you can never be sure if there is another human on the other side of the connection. But the implication of the dead internet theory is that the horror might simply be that we are alone and confused, not under attack, as the Thales report implies.

Perhaps the more worrying thing about this picture of the internet is that it is not actually dead – in fact, those bots are rapaciously alive, at least in some form. Those automated systems are careening round the internet looking to exploit its weak spots: exploiting vulnerabilities, stealing money through payment fraud, and trying to take over accounts.

It might be better if it were dead after all.