The first half of 2025 has marked a sharp escalation in API-focused threats, according to a new data-driven briefing from Imperva Threat Research.
Drawing on telemetry from more than 4,000 monitored environments, the report reveals that APIs now sit at the center of modern attack campaigns, with over 40,000 incidents recorded in just six months.
The findings expose a dangerous trend: attackers are not only exploiting exposed APIs for direct intrusion, but also using them as covert channels to smuggle malicious code, siphon sensitive data, and disrupt critical services.
APIs Under Siege
The report highlights that 44% of advanced bot activity is now aimed at APIs, even though APIs account for around 14% of overall application traffic.
This imbalance underscores the operational risk organizations face as attackers shift from traditional web applications to API endpoints that are often undocumented or unmanaged. Shadow APIs (endpoints that exist outside the official inventory) and third-party APIs remain blind spots for most organizations, greatly expanding the attack surface.
Among targeted resources, data-access endpoints made up 37% of all attempted intrusions, checkout and payment APIs represented 32%, and authentication points accounted for 16%.
Each of these endpoints poses high-value risks, from direct financial losses to stolen customer data and compromised accounts.
Real-world probes against Log4j vulnerabilities, Oracle WebLogic servers, and Joomla instances also resurfaced, emphasizing how attackers continue to recycle proven exploits in API contexts to gain remote code execution (RCE).
From Bots to Business Logic Abuse
The tactics observed in the telemetry span scraping, credential stuffing, coupon fraud, and large-scale abuse of business logic flaws, including broken object-level authorization (BOLA), where a caller requests objects belonging to other users simply by changing an identifier.
Imperva researchers highlighted one case where attackers exploited a gift-card redemption flow, chaining weak API validation with botnet-driven automation to siphon off value at scale.
Another case saw a massive application-layer DDoS peaking at 15 million requests per second against a financial services API, demonstrating that adversaries now blend stealth and volume in hybrid attack scenarios.
The report provides a taxonomy of these techniques, with bots increasingly morphing payloads to evade detection and leveraging third-party integrations as pivot points.
Attackers are also homing in on revenue-generating transactions, checkout flows, and promotional APIs to commit fraud while masking activity inside regular business traffic.
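Two of the tactics above, BOLA-style object enumeration and credential stuffing, leave recognizable traces in API access logs. The following is an added example, not code or data from the Imperva report: it runs simple detection logic over a constructed sample log (the log format, IPs, tokens and paths are invented for illustration) and flags a token that walks through many object IDs and an IP that cycles through many usernames on the login endpoint with a high failure ratio.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not real telemetry).
# Format: timestamp client_ip auth_token method path status [user=<name>]
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 tokA GET /api/v1/accounts/1001 200
2025-03-01T10:00:02Z 203.0.113.7 tokA GET /api/v1/accounts/1002 200
2025-03-01T10:00:03Z 203.0.113.7 tokA GET /api/v1/accounts/1003 200
2025-03-01T10:00:04Z 203.0.113.7 tokA GET /api/v1/accounts/1004 403
2025-03-01T10:00:05Z 203.0.113.7 tokA GET /api/v1/accounts/1005 200
2025-03-01T10:00:06Z 203.0.113.7 tokA GET /api/v1/accounts/1006 200
2025-03-01T10:00:07Z 198.51.100.9 tokB GET /api/v1/accounts/2001 200
2025-03-01T10:00:08Z 198.51.100.9 tokB GET /api/v1/accounts/2001/orders 200
2025-03-01T10:01:00Z 192.0.2.44 - POST /api/v1/auth/login 401 user=alice
2025-03-01T10:01:01Z 192.0.2.44 - POST /api/v1/auth/login 401 user=bob
2025-03-01T10:01:02Z 192.0.2.44 - POST /api/v1/auth/login 401 user=carol
2025-03-01T10:01:03Z 192.0.2.44 - POST /api/v1/auth/login 200 user=dave
2025-03-01T10:01:04Z 192.0.2.44 - POST /api/v1/auth/login 401 user=erin
2025-03-01T10:01:05Z 203.0.113.50 - POST /api/v1/auth/login 200 user=frank
"""

# Hypothetical path layout: /api/v1/accounts/<id>[/...] is an object-level resource.
OBJECT_PATH = re.compile(r"^/api/v1/accounts/(\d+)(?:/|$)")
LOGIN_PATH = "/api/v1/auth/login"


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or malformed lines
        ts, ip, token, method, path, status = parts[:6]
        user = None
        for extra in parts[6:]:
            if extra.startswith("user="):
                user = extra[len("user="):]
        events.append({"ts": ts, "ip": ip, "token": token, "method": method,
                       "path": path, "status": int(status), "user": user})
    return events


def detect_object_enumeration(events, min_distinct=5):
    """Flag auth tokens that touch >= min_distinct distinct object IDs.

    A legitimate user normally reads a handful of their own objects; a token
    walking sequential IDs is the classic BOLA enumeration pattern. Returns a
    mapping token -> sorted list of object IDs it accessed.
    """
    ids_by_token = defaultdict(set)
    for e in events:
        m = OBJECT_PATH.match(e["path"])
        if m and e["token"] != "-":
            ids_by_token[e["token"]].add(m.group(1))
    return {t: sorted(ids) for t, ids in ids_by_token.items()
            if len(ids) >= min_distinct}


def detect_credential_stuffing(events, min_users=4, min_failure_ratio=0.75):
    """Flag source IPs that try many distinct usernames with mostly failures.

    Returns a mapping ip -> {"distinct_users": n, "failure_ratio": r}.
    """
    attempts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["user"]:
            attempts[e["ip"]].append(e)
    flagged = {}
    for ip, evs in attempts.items():
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if e["status"] in (401, 403))
        ratio = failures / len(evs)
        if len(users) >= min_users and ratio >= min_failure_ratio:
            flagged[ip] = {"distinct_users": len(users),
                           "failure_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("object enumeration:", detect_object_enumeration(evs))
    print("credential stuffing:", detect_credential_stuffing(evs))
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned per endpoint and evaluated over a sliding time window rather than the whole file, and the enumeration check should key on the authenticated principal behind the token, not the token string alone.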
Imperva’s recommended playbook stresses a lifecycle approach: Discover → Assess → Mitigate. Discovery involves the continuous cataloging of shadow APIs that operate outside of developer awareness.
Assessment means mapping attack paths against high-value endpoints, while mitigation involves deploying real-time API-specific protections, rate limits, bot management, and schema validation.
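The mitigation step above lists rate limits and schema validation, and the gift-card case earlier in the piece turned on weak API validation combined with automation. The following is an added example, not Imperva's code or the affected vendor's: a hypothetical redemption handler that enforces a strict request schema (rejecting unknown fields, wrong types and out-of-range amounts) and a per-client token-bucket rate limit before any business logic runs. Field names, limits and the client key are assumptions for illustration.

```python
import re

# Constructed schema for a hypothetical gift-card redemption request.
# Every field is required, types are exact, and values are range-checked.
REDEEM_SCHEMA = {
    "card_code":    {"type": str, "pattern": re.compile(r"^[A-Z0-9]{16}$")},
    "amount_cents": {"type": int, "min": 1, "max": 50_000},
    "order_id":     {"type": str, "pattern": re.compile(r"^ord_[a-f0-9]{12}$")},
}


def validate_redemption(body):
    """Return a list of validation errors; an empty list means the body conforms."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    for field in sorted(set(body) - set(REDEEM_SCHEMA)):
        errors.append(f"unexpected field: {field}")  # allow-list, not deny-list
    for field, rule in REDEEM_SCHEMA.items():
        if field not in body:
            errors.append(f"missing field: {field}")
            continue
        value = body[field]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{field}: wrong type")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{field}: malformed")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{field}: above maximum")
    return errors


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # client key -> (tokens, last_refill_timestamp)

    def allow(self, key, now):
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


def handle_redeem(client_key, body, limiter, now):
    """Hardened handler: rate limit first, then schema, then business logic.

    Returns (http_status, message). `client_key` is whatever identity the
    deployment rate-limits on (authenticated user, API key, or source IP).
    """
    if not limiter.allow(client_key, now):
        return 429, "rate limit exceeded"
    errors = validate_redemption(body)
    if errors:
        return 400, "; ".join(errors)
    # A real handler would now atomically check and debit the card balance.
    return 200, "redeemed"


if __name__ == "__main__":
    limiter = TokenBucket(rate=1.0, burst=3)
    good = {"card_code": "ABCD1234EFGH5678", "amount_cents": 2500,
            "order_id": "ord_0123456789ab"}
    print(handle_redeem("203.0.113.7", good, limiter, now=0.0))
    print(handle_redeem("203.0.113.7", dict(good, amount_cents=-2500,
                                             coupon="FREE"), limiter, now=0.1))
```

The rate limiter runs before validation on purpose: a botnet hammering the endpoint with malformed requests still burns its budget, and the cheap check shields the more expensive ones. Rejecting unknown fields closes the common trick of smuggling an extra parameter (a negative amount, a second card code) that a lenient parser silently accepts.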
To support board-level accountability, the report outlines key KPIs from time-to-detect anomalies in API traffic to trial runs of tabletop scenarios simulating data theft or prolonged downtime.
Executives are urged to treat APIs not as secondary infrastructure but as primary business assets whose compromise directly impacts revenue, trust, and compliance.