2025 Holiday Bot Attack Trends
During the 2025 holiday season, attack activity increased markedly. Malicious bots targeted retailers through data scraping, automated checkout, fake account creation and account takeover. The data shows that automated attacks more than doubled between Black Friday and Travel Tuesday, with scraping and API automation especially prominent. Malicious configs and ATO activity also surged, and gift card fraud showed industry-specific differences. 2025-12-22 15:28:50 Author: securityboulevard.com

What we noticed during Cyber 5

Every season, holiday bot attacks surge – no surprise there.

What stood out this year was the shift in bot activity throughout the shopping period. Adversaries are well-versed in the tools at their disposal and when to deploy them to gain an advantage.

Scraping helps identify promos and inventory, automated checkout swoops in to get sale items first, fake accounts assist in buying hype items, and account takeover (ATO) allows them to cash out on holiday shopping.

Across Kasada-protected retail traffic globally, here are a few stats that stood out to us:

Chart: Bad Bot Requests by Attack Intent (Holiday Traffic)

  • Automation attacks more than doubled from Black Friday to Travel Tuesday. Both scale and sophistication increased as the sales period progressed.

  • Unauthorized scraping was the most prevalent attack type
    Scraping increased steadily across Cyber 5, surging around the most profitable promotions.

  • API-based automation followed the same pattern
    API bot activity grew roughly 1.6× from Black Friday to Travel Tuesday, suggesting a deliberate approach.

  • Automated checkout attempts peaked on Cyber Monday
    Requests spiked 2.8× compared to Black Friday, aligning closely with the highest-impact sales moments.

  • Account takeover attempts rose after sales began to taper
    Rather than peaking during promotions, ATO activity continued to climb and nearly tripled by Travel Tuesday.

More than anything, this data shows how adaptable automated attacks have become. They don’t just show up for a single sale and disappear; they shift as the season progresses.

The shopping season isn’t over yet, though, and we continue to see bot activity grow as we get closer to the end of the year.

To understand how attackers were preparing for and monetizing these campaigns beyond live retail traffic, we turn to insights from our Threat Intelligence team, KasadaIQ.

What we saw beyond our own traffic (KasadaIQ)

KasadaIQ’s 2025 holiday fraud predictions were confirmed by the data from November 1st to Travel Tuesday 2025. Adversaries executed campaigns with unprecedented scale, timing, and strategic focus. From massive account takeover (ATO) stock increases to a calculated “just-in-time” deployment of malicious configurations, this period was defined by an escalated and automated threat landscape.

Malicious Configurations (Configs)

Config patterns from November 1st to Travel Tuesday confirm KasadaIQ’s holiday predictions for configs in 2025.

  • We predicted that surges in available configs during this period would be more significant than 2024. Between November 1st and Travel Tuesday, there was 11.8% year-on-year growth of available configs on online forums.
  • Consistent with our prediction that adversaries would get ahead of the major sales events, available configs surged in the week prior to Thanksgiving and Black Friday (see below). This “just-in-time” deployment pattern indicates a more strategic approach in 2025, shortening the defensive window for security teams. It is consistent with the trend observed by KasadaIQ throughout 2025: configs spiking prior to, and in the first few days of, major sales events.
    • In 2025, we saw a clear pattern of config increases in the lead-up to peak sales periods. In 2024, configs continually surged throughout November, with the highest peak in the first week of the month.

Chart: available configs during holiday sales, 2024 vs 2025

ATO

The predicted significant, elevated surge in Account Takeover (ATO) was validated by the volume of compromised data on criminal marketplaces, particularly the monetization of high-value retail accounts. 

  • KasadaIQ saw significant surges of ATO sales through November 2025, as shown below. The peak periods for both account stock and sales on criminal marketplaces were higher and earlier than predicted by KasadaIQ.

Chart: ATO account sales on cybercriminal marketplaces

  • As predicted, stock for stolen accounts on criminal marketplaces surged in the week prior to Black Friday. This indicates strategically timed credential stuffing activity from adversaries.

Chart: stolen account stock on criminal marketplaces

  • Across all criminal marketplaces, adversaries made at least USD $17,220,521.65 off stolen account sales from November to Travel Tuesday 2025. This is the floor, not the ceiling.
  • As shown below, retail accounts represented more than a quarter (30%) of all account sales from November 1st through to Travel Tuesday. Webmail accounts represented around 16% of all account sales over the same period, followed by QSRs (10%), social media (10%), and airlines (5%).

Chart: ATO account sales by industry

  • As shown below, homeware stores were the most frequently sold accounts within the retail industry (59% of sales), whereas department stores were the highest source of revenue for criminal marketplaces (28% of revenue). A handful of specific retailers were aggressively targeted throughout this period, which influenced these rankings.
    • The other most frequently targeted sub-industries included department stores (11%), apparel (10%), footwear (6%), cosmetics (4%), gaming (3%), consumer electronics (3%), grocery (2%), pets & agriculture (1%), and appliances (0.5%).

Chart: ATO retail account sales by sub-industry

  • Points were the most common attachments to accounts sold on criminal marketplaces (~30%), followed by credit cards (~26%) and subscriptions (~16%).

Gift cards

Gift card sales on criminal marketplaces from November 1st to Travel Tuesday 2025 validate KasadaIQ’s holiday fraud predictions for gift card fraud.

  • As shown below, the QSR industry was a major target for gift card sales on criminal marketplaces. QSR gift card sales peaked throughout November, most significantly in the first week of November and the 10 days preceding Black Friday.

Chart: bot gift card sales by industry

  • For the QSR industry, gift cards represented a higher portion of sales on criminal marketplaces from November 1st to Travel Tuesday 2025 when compared with the same period in 2024. Gift cards accounted for 11% of all criminal marketplace sales, compared to 7% the prior year.
    • Despite accounting for more sales, criminal marketplace revenue attributed to QSR gift card sales decreased by ~21% year-on-year. The data indicates that QSR gift cards have become a more frequent but less valuable commodity on criminal marketplaces.
  • For the retail industry, gift cards represented a lower portion of sales on criminal marketplaces from November 1st to Travel Tuesday 2025, when compared with the same period in 2024. Gift cards accounted for 0.25% of all criminal marketplace sales, compared to 2.4% the prior year.
    • In contrast to QSRs, criminal marketplace revenue attributed to retail gift cards increased by 10% year-on-year. The data could indicate that a range of factors, including successful defense against low-level fraud, is reducing the availability of gift cards to adversaries targeting the retail sector. It could also indicate that adversaries are focusing on higher-value accounts to maximise revenue, instead of investing in high-volume but low-return accounts.
  • For the accommodation industry, gift cards represented a marginally higher portion of sales on criminal marketplaces from November 1st to Travel Tuesday 2025, when compared with the same period in 2024. Gift cards accounted for 0.03% of criminal marketplace sales, compared to 0% the prior year. Criminal marketplace revenue attributed to accommodation gift cards was 2.15%.

Retail bots

Retail bot activity from November 1st to Travel Tuesday 2025 confirms KasadaIQ’s predictions for retail bots. 

  • We predicted that agentic AI would drive an unprecedented scale of traffic. Adobe Analytics reported that AI traffic to retailers grew around 758% year-on-year from November 1st to December 1st, 2025.
  • We predicted that peak bot activity would occur during the week prior to Thanksgiving and Black Friday, and would continue at scale during major sales events. As shown below, retail bot activity peaked the week prior to Black Friday and continued to surge, to a smaller extent, over the major sales days.

Chart: bot checkouts in November and Cyber 5

  • Cyber Monday was responsible for around 4% of all bot checkouts, with Black Friday responsible for around 3.5%. The most significant day for bot checkouts was November 18th (~11%), followed by November 20th (~7.5%).
  • KasadaIQ observed over a million bot checkouts from 1 November to Travel Tuesday 2025.
  • Products targeted by bots align with Kasada’s Black Friday Bot Warning. The products identified in that blog are likely to remain high-value targets into 2026.
  • Footwear was the major focus of bot checkouts, constituting ~95% of Black Friday checkouts, ~61% of Cyber Monday checkouts, and ~93% of checkouts from November 1st to Travel Tuesday (see below).

Chart: bot checkouts by sub-industry

  • As shown below, collectibles were the second top focus for bot checkouts, with the biggest day being Cyber Monday, where they constituted ~39% of all checkouts.

Chart: sub-industry breakdown of bot checkouts on Cyber Monday

  • Almost a quarter (23.5%) of bot checkouts on Black Friday targeted Shopify stores. This was only 9.8% in 2024.

Intelligence-informed recommendations:

  • Start Early – Initiate high-alert monitoring and preparatory activities weeks ahead of major sales events.
  • Pre-peak Defense – Prioritize real-time monitoring and rapid countermeasures for new config surges in the week leading up to major sales.
  • Prioritize Value – Focus ATO defense on accounts holding significant, easily exploitable value.
  • Industry Hardening – Implement enhanced authentication and fraud checks for Homeware (sales volume) and Department Stores (revenue impact).
  • Secure Attachments – Deploy stronger security measures and user alerts for accounts containing these high-value components (e.g. points and credit cards).
  • QSR Alert – Immediately increase fraud controls for QSR gift card systems due to material growth in fraud.
  • High-Denomination Defense – Assume a shift to targeted, high-value attacks. Implement stronger checks on higher-denomination gift card purchases/redemptions.
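The "Start Early" and "Pre-peak Defense" recommendations above both come down to the same operational task: comparing today's volume for a given bot intent (scraping, checkout, ATO) against a recent baseline and raising an alert when it jumps the way the Cyber 5 figures did. The following is an added example, not Kasada's code or tooling. It assumes a constructed daily-count log format (`date,intent,requests`) and uses a median-of-the-previous-7-days baseline with a 2× threshold; those parameters are illustrative choices, not values from the report.

```python
"""Week-over-week surge detection for per-intent bot request counts.

Added example. The log format, the baseline window and the 2x threshold
are assumptions chosen for illustration, not figures from the report.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_log():
    """Constructed sample data: 14 quiet days of ~100 checkout and ~40 ATO
    requests per day, then a checkout spike on Cyber Monday (2025-12-01)
    and an ATO climb peaking on Travel Tuesday (2025-12-02)."""
    lines = []
    start = date(2025, 11, 17)
    for i in range(14):  # 2025-11-17 .. 2025-11-30
        d = start + timedelta(days=i)
        lines.append(f"{d},checkout,{100 + (i % 3) * 5}")
        lines.append(f"{d},ato,{40 + (i % 2) * 4}")
    lines += [
        "2025-12-01,checkout,290", "2025-12-01,ato,70",
        "2025-12-02,checkout,120", "2025-12-02,ato,130",
    ]
    return "\n".join(lines)


def parse_log(text):
    """Parse 'YYYY-MM-DD,intent,requests' lines into intent -> {date: count}."""
    counts = defaultdict(dict)
    for line in text.strip().splitlines():
        day, intent, n = line.split(",")
        counts[intent][date.fromisoformat(day)] = int(n)
    return counts


def baseline(series, day, window=7):
    """Median request count over the `window` days before `day`.
    Days with no data count as 0, so a sparse history yields a low
    baseline and is filtered out by the caller's min_baseline guard."""
    vals = [series.get(day - timedelta(days=i), 0) for i in range(1, window + 1)]
    return median(vals)


def detect_surges(counts, threshold=2.0, window=7, min_baseline=10):
    """Return (date, intent, ratio) for every day whose count is at least
    `threshold` times its baseline. Baselines below `min_baseline` are
    skipped so the first days of a new log do not produce alerts."""
    alerts = []
    for intent, series in counts.items():
        for day in sorted(series):
            base = baseline(series, day, window)
            if base < min_baseline:
                continue
            ratio = series[day] / base
            if ratio >= threshold:
                alerts.append((day.isoformat(), intent, round(ratio, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    for day, intent, ratio in detect_surges(parse_log(build_sample_log())):
        print(f"{day} {intent}: {ratio}x baseline")
```

Because the baseline is a median rather than a mean, one spike day (Cyber Monday checkouts) does not inflate the following day's baseline, so the later ATO climb on Travel Tuesday is still caught; that is the pattern the report describes, with ATO continuing to rise after the sales peaks. In production the same logic would be fed from the bot-management platform's per-intent counters rather than a flat file.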



*** This is a Security Bloggers Network syndicated blog from Kasada authored by KasadaIQ. Read the original post at: https://www.kasada.io/2025-holiday-bot-attack-trends/


Source: https://securityboulevard.com/2025/12/2025-holiday-bot-attack-trends/