API vulnerabilities drive new wave of cyber threats

Business systems increasingly targeted by sophisticated API exploits

By Roxanne Libatique

APIs have become a primary entry point for cyber attacks in 2025, according to new research from Thales.

The company’s latest API Threat Report, covering the first half of the year, documents more than 40,000 API-related security incidents across over 4,000 monitored environments.

This volume equates to an average of more than 220 incidents daily, with projections suggesting the total could exceed 80,000 by year-end if current patterns hold.

Although APIs account for only a fraction of overall attack surfaces – 14% – they now attract nearly half (44%) of advanced bot activity.

This shift signals a strategic focus by threat actors on the digital infrastructure that underpins essential business operations, including those in financial services, telecommunications, and travel.

Financial services targeted by large-scale DDoS campaigns

A notable event highlighted in the report is a record-setting application-layer distributed denial-of-service (DDoS) attack, which reached 15 million requests per second against a financial services API.

Unlike traditional DDoS attacks that target network capacity, this campaign exploited the application layer, aiming to disrupt operations by overwhelming the API itself.

Financial services organisations accounted for 27% of API-specific DDoS traffic in the first half of 2025, reflecting the sector’s dependence on APIs for real-time processes such as payments and account management.

Attackers are increasingly using sophisticated tools, including botnets and headless browsers, to mimic legitimate API traffic. This approach complicates detection and mitigation efforts.

Tim Chang, vice president of application security products at Thales, said APIs serve as the backbone of today’s digital infrastructure, which also makes them a prime target for attackers.

“What we’re witnessing is not just the scale of attacks increasing, but a fundamental shift in how criminals operate: they don’t need to inject malware; they can simply bend your business logic against you. The requests look legitimate, but the impact can be devastating,” he said.

Key attack trends and industry breakdown

The report identifies several trends in API exploitation:

  • Data-access APIs were the most frequently targeted (37%), followed by payment and checkout endpoints (32%), authentication (16%), gift card or promotion validation (5%), and shadow or misconfigured APIs (3%).
  • Incidents involving credential stuffing and account takeover attempts rose 40% on APIs lacking adaptive multi-factor authentication.
  • Data scraping, often focused on sensitive fields like email and payment details, accounted for 31% of API bot activity.
  • Coupon and payment fraud made up 26% of attacks, frequently exploiting weaknesses in promotional or checkout validation processes.
  • Remote code execution probes, targeting vulnerabilities in platforms such as Log4j, Oracle WebLogic, and Joomla, represented 13% of attacks.

Shadow APIs – those not tracked by organisations – remain a persistent issue, with most companies having 10% to 20% more active APIs than they realise.
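Two of the findings above lend themselves to a concrete detection check: credential stuffing against login endpoints that lack adaptive MFA, and shadow endpoints that are live but missing from the organisation's API inventory. The Python below is an added illustration, not code from Thales, Imperva or the report. It runs over a constructed, hypothetical access log (the line format, IP addresses, paths and usernames are invented) and (a) flags source IPs whose failed logins span many distinct usernames, which is the signature that separates stuffing from one user mistyping a password, and feeds that into a step-up MFA decision; and (b) diffs the endpoints observed in traffic against a documented inventory to surface shadow APIs.

```python
import re
from collections import defaultdict

# Constructed sample API access log (hypothetical format, not from the report):
# "<client ip> <method> <path> <status> user=<username or ->" per line.
SAMPLE_LOG = """\
203.0.113.10 POST /api/v1/auth/login 401 user=alice
203.0.113.10 POST /api/v1/auth/login 401 user=bob
203.0.113.10 POST /api/v1/auth/login 401 user=carol
203.0.113.10 POST /api/v1/auth/login 401 user=dave
203.0.113.10 POST /api/v1/auth/login 401 user=erin
203.0.113.10 POST /api/v1/auth/login 200 user=frank
198.51.100.7 POST /api/v1/auth/login 401 user=alice
198.51.100.7 POST /api/v1/auth/login 200 user=alice
198.51.100.7 GET /api/v1/accounts/me 200 user=alice
192.0.2.44 GET /api/v1/promo/validate 200 user=-
192.0.2.44 GET /api/v1/internal/export 200 user=-
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")

# Hypothetical API inventory, e.g. what an OpenAPI spec would list.
DOCUMENTED = {
    ("POST", "/api/v1/auth/login"),
    ("GET", "/api/v1/accounts/me"),
    ("GET", "/api/v1/promo/validate"),
}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, user = m.groups()
            records.append({"ip": ip, "method": method, "path": path,
                            "status": int(status), "user": user})
    return records


def find_credential_stuffing(records, login_path="/api/v1/auth/login",
                             min_failures=5, min_distinct_users=4):
    """Return {ip: stats} for sources whose failed logins span many usernames.

    One user fumbling a password yields many failures for ONE username;
    credential stuffing yields failures spread across MANY usernames.
    """
    failures = defaultdict(list)
    for r in records:
        if (r["path"] == login_path and r["method"] == "POST"
                and r["status"] == 401):
            failures[r["ip"]].append(r["user"])
    flagged = {}
    for ip, users in failures.items():
        distinct = len(set(users))
        if len(users) >= min_failures and distinct >= min_distinct_users:
            flagged[ip] = {"failures": len(users), "distinct_users": distinct}
    return flagged


def requires_step_up(ip, flagged):
    """Adaptive MFA policy: a login from a flagged source gets a step-up
    challenge even when the submitted password is correct."""
    return ip in flagged


def find_shadow_endpoints(records, documented):
    """Return (method, path) pairs seen in traffic but absent from the inventory."""
    observed = {(r["method"], r["path"]) for r in records}
    return sorted(observed - set(documented))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stuffing = find_credential_stuffing(recs)
    print("credential stuffing sources:", stuffing)
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "step-up MFA required:", requires_step_up(ip, stuffing))
    print("shadow endpoints:", find_shadow_endpoints(recs, DOCUMENTED))
```

On real traffic, paths carrying identifiers (`/accounts/123`) need to be templated (`/accounts/{id}`) before the inventory diff, otherwise every ID shows up as its own "shadow" endpoint; and the stuffing thresholds should be tuned per login endpoint and evaluated over a sliding time window rather than the whole log.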

Methodology and recommendations

The findings are based on telemetry from Imperva customer environments, covering sectors including financial services, telecoms, travel, healthcare, and e-commerce. The analysis incorporates bot fingerprinting, endpoint behaviour, and DDoS forensics.

Thales’ research team used behavioural analytics and machine learning to categorise attack types and identify industry trends.

Chang emphasised the urgency of proactive defence.

“The next six months will only see the volume and sophistication of API attacks grow. The best time to act was yesterday – the next best time is now. Organisations must discover every live endpoint, understand its business value, and protect it with context-aware, adaptive defences if they are to safeguard revenue, trust, and compliance,” he said.
