
Online retail has become the world’s most heavily targeted industry by cybercriminals, driven by a rapid shift toward agentic commerce, a model in which autonomous artificial intelligence (AI) agents browse, compare and purchase on behalf of human users. As that shift accelerates, it is creating a new class of security vulnerability that traditional defenses are failing to catch.
By December 2025, nearly half of all commerce traffic across Akamai’s global network consisted of AI bots. Commerce accounted for 48% of all AI bot activity across every industry the firm monitors, more than three times the share of the second most targeted sector.
“We are securing a digital frontier where the ‘customer’ is increasingly an AI agent operating on behalf of the human user,” Patrick Sullivan, chief technology officer of security strategy at Akamai, said in a press release. “This report reveals how and why security leaders must embrace ‘agentic readiness’ to architect sites that welcome legitimate AI while aggressively shutting down malicious bots.”
The findings come from Akamai’s State of the Internet (SOTI) report, Securing the Agentic Storefront: Attacks on Commerce, published July 15, covering January 2024 through December 2025.
The report’s most alarming finding concerns fraud enabled by agentic commerce itself. Because AI shopping agents precisely mimic human browsing behavior, traditional bot detection has been rendered largely obsolete. Threat actors exploit this through agent hijacking, compromising a legitimate AI assistant to abuse its stored payment credentials and execute unauthorised purchases before the customer or retailer notices.
Large language models (LLMs) are also being deployed to generate synthetic identity fraud through “Frankenstein” accounts, fabricated profiles blending genuine personal data with invented elements to bypass standard fraud checks.
Application programming interface (API) exposure compounds the problem. Web attacks targeting APIs rose 9% year over year between the fourth quarters of 2024 and 2025. A companion Akamai API Security Impact Study found that 85% of commerce respondents experienced at least one API-related incident in the past year, yet only 22% know which of their APIs expose sensitive data.
Commerce platforms were targeted by application-layer distributed denial-of-service (DDoS) attacks nearly 3 trillion times in 2025, with retail absorbing 84% of that volume. Attackers use HTTP botnets timed to peak shopping periods, blending into genuine traffic surges to exhaust servers and halt sales.
Between July and December 2025, the retail vertical in EMEA recorded 26 billion AI bot counts, representing 12.4% of all AI bot activity.
EMEA commerce platforms faced 40 billion web attacks between January 2024 and December 2025. Average daily phishing volume rose from 56,600 in February 2026 to 134,600 in April, fuelling account takeover (ATO) attempts and loyalty point theft.
The report urges security leaders to adopt risk-based bot governance, continuously inventory API estates, and deploy microsegmentation to contain the damage from breaches. Only 35% of organisations have achieved true microsegmentation despite 92% applying basic network segmentation.
Akamai is a Cambridge, Massachusetts-based cybersecurity and cloud computing company whose network spans approximately 340,000 servers across 130-plus countries.

