Bot attacks surged 59 percent in 2025, synthetic identity fraud went global, and agentic AI began reshaping the threat landscape. New data from 116 billion analyzed transactions maps how fraud is evolving — and where defenses are starting to hold.
The figures that emerged from analysis of more than 116 billion digital transactions in 2025 tell a story of accelerating adaptation. Fraud networks are not expanding in a straight line — they are pivoting, probing for weak points left exposed by shifting security investments, and increasingly deploying automation to test defenses at a scale no human operation could sustain alone.
The global attack rate rose 8 percent year on year, reaching 1.6 percent of all transactions analyzed through the LexisNexis Digital Identity Network. That number may appear modest, but the composition underneath it has shifted materially. Human-initiated attacks grew 19 percent in absolute volume, while automated bot attacks climbed 59 percent. The Identity Abuse Index, which tracks the daily percentage of attacks across the network, showed an unusually volatile pattern in the first half of the year — a sign that large, coordinated automated campaigns were moving through the system in waves rather than at a steady rate.
The Return to the Browser
One of the most consequential shifts in 2025 was a near-complete reversal in channel preference among attackers. Mobile app attack rates fell 56 percent year on year, while the desktop browser attack rate doubled, rising to 4.3 percent. The interpretation offered by analysts is straightforward: organizations that spent recent years reinforcing mobile app defenses appear to have displaced attackers rather than defeated them. Fraudsters have responded by returning to the desktop browser — a channel that has historically been easier to attack and that may also be more amenable to the AI-driven agents now entering criminal toolkits.
The decline in mobile attacks was visible across all four geographic regions. In North America alone, the mobile app attack rate fell 77 percent, even as the desktop browser attack rate surged 165 percent, pushing it above the global average at 4.6 percent. The pattern is consistent with the behavior of criminal networks responding rationally to the cost of attacking hardened targets — and seeking softer ones.
Agentic Commerce and the Problem of Intent
For years, digital fraud analysis has operated on a binary distinction: human-initiated transactions versus automated bot traffic. In 2025, that framework began to break down. Agentic AI — systems capable of taking autonomous actions based on initial human prompts — generated a new category of traffic that sits between the two. Volume was still small: fewer than a thousand agentic events were recorded in January 2025. By the fourth quarter, that figure had risen 450 percent.
The majority of observed agentic activity involved credit card payments at ecommerce sites, with a smaller volume appearing at gaming and gambling platforms. What distinguishes agentic traffic is not its malice — much of it may be entirely legitimate, initiated by consumers using AI assistants to complete purchases — but the difficulty of assessing intent. The behavioral signatures of an AI agent differ from those of both a human and a conventional bot, and the frameworks for authenticating the human behind an agent are still under development.
Analysts noted a related phenomenon: the increasing sophistication of non-agentic bots mimicking human behavior. Mouse movement patterns generated by scripted registrations were observed using Bézier curves to replicate the natural irregularity of human cursor paths — a level of simulation that basic behavioral analysis would not detect. These signals are consistent with the broader trend of automation becoming cheaper and more capable, even where formal agentic frameworks are not yet involved.
Synthetic Identity Fraud Goes Global
Synthetic identity fraud — the construction of fictitious identities using combinations of real and fabricated personal data — has historically been concentrated in North American financial services. In 2025, that geographic boundary dissolved. Synthetic identity theft now accounts for 11 percent of all reported fraud classifications globally, up from lower levels in prior years, and has surpassed true identity theft (which declined to 6 percent) as a category.
The growth is particularly pronounced in ecommerce, communications and media, and gaming and gambling — industries that had not previously reported significant synthetic identity problems. In Latin America, the expansion of regulated gaming and gambling appears to have created new incentives for fraudsters to invest in synthetic identities suited to that sector. Generative AI tools have lowered the barrier to creating convincing synthetic profiles, including fabricated historical data that passes basic verification checks.
Cross-Border Flows and the Limits of National Defense
Analysis of fraudulent fund movements out of the United Kingdom illustrates the structural challenge facing national regulators. As domestic fraud prevention has tightened, fraudsters have responded by routing stolen funds abroad. Spain, the United States, Portugal, the UAE and Thailand rank among the top destinations for fraudulently transferred funds originating in the UK. Tracking these flows through the Digital Identity Network reveals a broader picture: the same fraudulent digital identities detected at UK banks have also been active at financial institutions, crypto exchanges and buy-now-pay-later providers across Europe, Asia-Pacific, North America and Latin America.
In Latin America, the scale of domestic fraud is striking. Independent reporting counted 28 million fraud cases involving PIX — Brazil’s instant payment system — in the first nine months of 2025 alone. Digital financial crimes accounted for nearly 47 percent of all fraud incidents logged in that period. National surveys estimated that 36 percent of Brazilians, approximately 61 million people, were targeted by digital scams or fraud attempts in the prior twelve months. The data from the Digital Identity Network confirm that 98 percent of attacks on LATAM organizations originate within the region — the highest internal attack rate across all four geographic zones analyzed.
The Ecommerce Anomaly
Among industry sectors, ecommerce recorded the sharpest deterioration in 2025. The overall attack rate rose 64 percent year on year, with account takeover at the login stage increasing 216 percent. Bot volume targeting ecommerce grew 123 percent. The attack pattern reflects the strategic logic of account takeover: rather than committing payment fraud directly — which triggers real-time controls — attackers first compromise accounts, then conduct fraudulent activity from within an established trust relationship.
Gaming and gambling experienced comparable pressure. Transactions grew 20 percent year on year, the fastest rate of any sector, but attacks grew faster still — up 84 percent in volume, with the attack rate rising 76 percent. New account creation attacks reached a rate of 14.2 percent, driven in part by the use of synthetic identities during sign-up. The mobile app channel saw the attack rate for account takeover rise 216 percent, mirroring the ecommerce trend.
Collaboration as Infrastructure
Against this backdrop, the most significant structural development may be organizational rather than technical. Inter-bank notification systems — automated alerts triggered when a bank identifies a payment as a scam — are demonstrating measurable value. Data from consortium arrangements show that between 50 and 70 percent of mule account alerts sent to receiving banks flag accounts that those banks had not yet identified as suspicious.
The UK banking consortium established through the ThreatMetrix platform illustrates the trajectory. Begun in 2019 with two founding members, it now includes 13 financial institutions. Annual uploads of confirmed or suspicious fraud indicators have grown from 10,000 to more than 750,000. The consortium contributed to two arrests linked to a modern slavery ring and alerted approximately £7 million in high-risk transactions. Cross-border collaboration through shared digital identity networks extends this logic globally, enabling detection of card-testing operations, mule networks and account takeover campaigns that would be invisible within any single institution’s data.
The 2025 data show an industry in motion: criminal networks adapting to defensive improvements, adopting automation at scale, and exploiting the transition to AI-driven commerce before the tools to assess intent are fully in place. The attack rate increase is modest; the structural change underneath it is not.
Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de