
AI Supercharges Cyberattacks as DDoS, Bad Bots, and Hacktivist Campaigns Surge in 2025

The first half of 2025 has redrawn the map of global cyber risk. Distributed denial-of-service campaigns, weaponized bots, and hyper-targeted application exploits are converging into a threat environment unlike anything enterprises have faced before. A new report from Radware details just how fast the escalation is happening — and why even the “low-volume” attacks are proving harder to stop.

A DDoS Landscape Transformed

Web-based DDoS assaults jumped 39 percent over the previous six months, but the story is less about raw scale and more about the shift in tactics. Attackers are increasingly favoring streams under 100,000 requests per second, designed to fly under the radar and persist for longer. Many of these operations are powered by open-source tools and generative AI, which has effectively put advanced attack capabilities into the hands of loosely organized threat collectives and new entrants alike.

Peak attacks are still headline-worthy — one Q1 incident hit 10 million RPS — but the daily grind of smaller, smarter floods is wearing down defenses. EMEA remains the top target, though APAC exposure is on the rise.

Network-Layer Strikes Make a Comeback

While application-layer threats have dominated headlines, network-layer DDoS (L3/L4) attacks have roared back with an 85.5 percent jump from late 2024. Nearly half of these floods hit North America, often leveraging UDP-based volumetric vectors and amplification techniques like DNS and NTP reflection. SIP protocol abuse has emerged as a critical vulnerability, threatening the voice and video infrastructure that underpins modern business.

By Q2 2025, Radware customers were facing over 7,200 mitigation events per quarter — a 485 percent increase from just three years ago.

Hacktivists Go Pro

Ideology-driven actors continue to punch above their weight. Nearly 9,200 DDoS incidents were claimed on Telegram in the first six months of the year, up 62 percent year-over-year. Groups like NoName057(16) dominate the leaderboard, responsible for nearly 40 percent of claims, with Keymous+ and Mr. Hamza also maintaining aggressive output.

Government services remain the number-one target, but manufacturing, finance, and education are increasingly in the crosshairs. The global distribution of claims — from Israel and the U.S. to Ukraine, India, and Vietnam — reflects the geopolitical sprawl of modern hacktivism.

Application-Layer Exploits Take Center Stage

Malicious transactions at the application layer climbed 33 percent in the first half of 2025, reaching 87 percent of last year’s total in just six months. Vulnerability exploitation drove over a third of the volume, while access violations and resource discovery brute-forcing surged. SQL injection attempts actually fell, signaling a pivot toward stealthier exploitation methods.

Bots: From Menace to Epidemic

Malicious automation is scaling at a pace that mirrors app-layer growth. Bad bot activity spiked 57 percent from late 2024, nearly matching the entire prior year’s total before mid-year. These bots fuel credential stuffing, data scraping, scalping, and disinformation campaigns — often with AI assistance that makes them harder to detect. North America saw the most activity, followed closely by APAC and EMEA.

Defenders Face a New Reality

Across all fronts, the common thread is sophistication paired with accessibility. Threat actors are collaborating more, sharing tools, and deploying AI to enhance both speed and evasion. The result is a steady erosion of the gap between opportunistic cybercrime, coordinated hacktivism, and state-aligned campaigns.

The report’s conclusion is blunt: without AI-assisted defenses, layered mitigation, and continuous intelligence sharing, defenders will struggle to keep pace. In this arms race, automation is no longer optional — it’s survival.
