By NHI Mgmt Group Editorial Team
Published 2026-05-11
Domain: Governance & Risk
Source: Arkose Labs

TL;DR: Total attacks from bots and fraud farms rose 121% in Q2 2023 versus Q1 2023, while malicious bot attacks increased 167% and intelligent bot attacks rose 291%, according to Arkose Labs. The core issue is not just volume but economics: attackers are industrialising fraud faster than many enterprise controls can adapt.


At a glance

What this is: This is a quarterly fraud-bot analysis showing sharp growth in malicious automation, fake account creation, scraping, and account takeover activity.

Why it matters: It matters because identity, customer access, and fraud programmes all face the same reality: when non-human traffic dominates, detection, step-up controls, and account lifecycle processes have to be tuned for machine speed.

By the numbers:

  • Total attacks from bots and fraud farms: up 121% in Q2 2023 versus Q1 2023.
  • Malicious bot attacks: up 167% over the same period.
  • Intelligent bot attacks: up 291% over the same period.
  • 68% of intelligent bot attacks were aimed at account creation.

👉 Read Arkose Labs' quarterly report on bot abuse and fraud benchmarks


Context

Bot abuse is the use of automated traffic to create accounts, scrape content, hijack sessions, and trigger account-management workflows at scale. In identity terms, it is a governance problem because the attacker is not trying to break authentication once and leave, but to industrialise abuse across the whole customer lifecycle, from sign-up through password reset to takeover.

The article’s central point is that fraud farms and malicious bots now move faster than many defensive programmes can tune risk signals, step-up challenges, and recovery controls. That makes bot management relevant not only to fraud teams, but also to IAM, customer identity, and lifecycle governance where automated abuse can distort trust decisions.


Key questions

Q: How should security teams reduce bot abuse without blocking legitimate users?

A: Use layered detection and adaptive friction rather than blunt blocking. Combine device intelligence, behavioural signals, velocity checks, and escalating challenges so suspicious traffic pays more to continue, while normal users retain a low-friction path. The goal is to raise attacker cost enough that abuse becomes uneconomical without breaking customer journeys.

Q: Why do fake account creation attacks matter to IAM programmes?

A: Fake account creation pollutes the identity base that IAM, fraud, and analytics systems rely on. Once synthetic accounts exist at scale, they distort trust scoring, overwhelm support workflows, and make later takeover or abuse easier. The result is not just bad accounts, but bad identity data that weakens every downstream control.

Q: What breaks when account recovery is easier than primary authentication?

A: Attackers target the recovery path because it often carries enough trust to bypass stronger login controls. If password resets, support escalation, or account reactivation are weakly verified, bot operators can take over accounts without needing to defeat the main authentication flow. Recovery then becomes the fastest route into the identity system.

Q: Who should own bot abuse response across fraud and IAM teams?

A: Responsibility should be shared, but ownership of control design must sit with the teams that govern identity, recovery, and step-up policy. Fraud teams can detect patterns, while IAM teams control the workflows attackers target. The most effective programmes align both so one team is not optimising detection while the other leaves the doorway open.


Technical breakdown

How malicious bots industrialise account abuse

Malicious bots are automated clients built to mimic user behaviour just enough to get through weak controls. Basic bots repeat simple tasks, while intelligent bots can adapt to page structure, retry patterns, and challenge workflows. That matters because attackers can distribute the workload across bot farms and cybercrime-as-a-service (CaaS) operators, turning what used to be manual fraud into repeatable infrastructure. In practice, the same attack kit can be reused for fake registrations, scraping, credential stuffing, and support-channel abuse. The technical shift is not only speed, but also the decoupling of attacker skill from attacker scale.

Practical implication: treat bot traffic as an identity signal problem, not just a network filtering problem.

Why account management workflows become attack surfaces

Password resets, account recovery, and registration flows are high-value because they sit at the boundary between identity proofing and access restoration. If those flows rely on static rules or weak assurance, bots can create accounts in bulk or hijack existing ones by exploiting support paths and recovery logic. Attackers do not need to defeat the whole IAM stack. They only need one weak workflow that grants trust too quickly. That is why bot-led fraud often targets the edges of identity systems rather than primary login alone.

Practical implication: harden recovery, registration, and support workflows with layered verification and risk-based step-up.

How adaptive friction changes the economics of abuse

Adaptive response tools work by increasing the attacker’s effort-to-attack ratio. Instead of blocking all suspicious sessions outright, they use behavioural signals, device intelligence, and challenge escalation to raise the cost of automation while preserving access for legitimate users. The important mechanism is selection pressure: if the challenge becomes expensive enough, low-margin attacks become unprofitable and fraud operators move on. This is especially relevant in environments with high-volume consumer traffic, where blunt blocking creates customer friction and business loss.

Practical implication: tune defences to make abuse uneconomical without degrading genuine user experience.
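The three mechanisms above (layered signals with adaptive friction, tighter assurance on recovery than on login, and escalation that raises attacker cost instead of blocking outright) can be shown in one small policy engine. The following Python is an added example written for this page; it is not code from Arkose Labs or from the original article. The workflow thresholds, the 800 ms minimum human form-fill time, and the `device_id`, `form_fill_ms` and `headless` fields are assumptions standing in for whatever device-intelligence and client-instrumentation signals a real deployment provides.

```python
"""Adaptive friction policy for account workflows (added example, not
Arkose Labs code). Velocity and behavioural signals are combined per workflow
and mapped to an escalating action: allow, challenge, step_up, block."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

ACTIONS = ("allow", "challenge", "step_up", "block")

# Hypothetical per-workflow velocity tiers: number of attempts from one IP or
# one device inside the window before friction escalates to that action.
# Recovery is tighter than login because a reset re-establishes trust.
THRESHOLDS = {
    "registration":   {"window_s": 600, "challenge": 3,  "step_up": 6,  "block": 12},
    "password_reset": {"window_s": 600, "challenge": 2,  "step_up": 4,  "block": 8},
    "login":          {"window_s": 300, "challenge": 10, "step_up": 25, "block": 50},
}
MIN_HUMAN_FILL_MS = 800  # assumed lower bound for a human completing the form


@dataclass
class Attempt:
    ts: float          # epoch seconds
    workflow: str      # key into THRESHOLDS
    ip: str
    device_id: str     # from device intelligence / fingerprinting (assumed available)
    form_fill_ms: int  # page load to submit, from client instrumentation (assumed)
    headless: bool     # automation hint such as navigator.webdriver (assumed)


class FrictionEngine:
    def __init__(self, thresholds: Dict[str, Dict[str, int]] = THRESHOLDS) -> None:
        self.thresholds = thresholds
        # sliding-window timestamps keyed by (workflow, dimension, value)
        self._history: Dict[Tuple[str, str, str], Deque[float]] = defaultdict(deque)

    def _velocity(self, key: Tuple[str, str, str], ts: float, window_s: int) -> int:
        q = self._history[key]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop attempts outside the window
            q.popleft()
        return len(q)

    @staticmethod
    def _tier(count: int, t: Dict[str, int]) -> int:
        if count >= t["block"]:
            return 3
        if count >= t["step_up"]:
            return 2
        if count >= t["challenge"]:
            return 1
        return 0

    def decide(self, a: Attempt) -> str:
        t = self.thresholds[a.workflow]
        # Key velocity on both IP and device so a farm that rotates one of them
        # still trips the other.
        v = max(
            self._velocity((a.workflow, "ip", a.ip), a.ts, t["window_s"]),
            self._velocity((a.workflow, "device", a.device_id), a.ts, t["window_s"]),
        )
        tier = self._tier(v, t)
        # Each behavioural automation signal escalates one level, so a headless
        # client that submits in 150 ms is stepped up on its very first attempt.
        if a.headless:
            tier += 1
        if a.form_fill_ms < MIN_HUMAN_FILL_MS:
            tier += 1
        return ACTIONS[min(tier, len(ACTIONS) - 1)]


def run_sample() -> Dict[str, List[str]]:
    """Constructed traffic (not real data): one legitimate reset, a reset spray
    from one IP with a fresh device id per attempt, and one headless sign-up."""
    engine = FrictionEngine()
    base = 1_700_000_000.0
    out: Dict[str, List[str]] = defaultdict(list)
    out["legit_reset"].append(engine.decide(
        Attempt(base, "password_reset", "203.0.113.10", "dev-legit", 9_000, False)))
    for i in range(6):
        out["reset_spray"].append(engine.decide(
            Attempt(base + 20 * i, "password_reset", "198.51.100.7", f"dev-{i}", 6_000, False)))
    out["headless_reg"].append(engine.decide(
        Attempt(base, "registration", "192.0.2.55", "dev-headless", 150, True)))
    return dict(out)


if __name__ == "__main__":
    for name, actions in run_sample().items():
        print(f"{name:14s} {actions}")
```

Two details carry the security argument. First, the spray uses a fresh device id on every attempt, so the device dimension never fires; only the IP dimension catches it, which is why a farm spread across many IPs also needs the behavioural signals to escalate. Second, the legitimate user pays nothing: one well-paced reset from a normal client stays on the allow path, while the headless, 150 ms sign-up is stepped up on its first attempt. The thresholds are illustrative and would have to be tuned against real completion rates, as the practitioner guidance below says.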


Threat narrative

Attacker objective: The attacker’s objective is to monetise automated abuse at scale by creating accounts, harvesting data, and taking over accounts with enough volume to remain profitable.

  1. Entry begins with automated traffic that mimics legitimate users through fake sign-ups, scraping, or credential stuffing against consumer-facing workflows.
  2. Escalation occurs when attackers use bot farms and support-channel abuse to expand from nuisance activity into account takeover, password reset manipulation, or mass fraud.
  3. Impact is measured in distorted business metrics, consumed support capacity, and direct consumer loss through online account-related schemes.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Bot abuse is an identity governance problem disguised as fraud volume. The article shows that the real issue is not only scale, but trust management across registration, login, recovery, and support workflows. When automated actors can repeatedly test the same paths, the organisation is no longer governing individual sessions, it is governing a machine-driven abuse economy. Practitioners should treat bot pressure as a signal that identity assurance has become too permissive at the edges.

Account recovery is the weakest governance seam in many consumer IAM programmes. The article’s examples, especially password resets and account management manipulation, show that attackers do not need to defeat primary authentication if recovery and support channels remain easier to exploit. That failure mode is common because recovery is often designed for convenience first and attack resistance second. Practitioners should re-examine where trust is re-established after initial sign-in.

Fake account creation is the clearest instance of the concept this page calls identity inflation. When 68% of intelligent bot attacks are aimed at account creation, the programme is not just seeing fraud, it is seeing synthetic identity growth that pollutes downstream trust, analytics, and lifecycle controls. This creates bad data that propagates into access decisions, risk scoring, and customer segmentation. Practitioners should treat registration abuse as a governance input, not a front-end annoyance.

Adaptive challenge design now functions as a control plane for abuse economics. The article’s emphasis on increasing effort-to-attack ratio aligns with a broader shift in identity security: some controls now work by making abuse unprofitable, not by pretending every suspicious session can be perfectly blocked. That matters because bot operators optimise for margin, and defender economics now sit inside the security model. Practitioners should evaluate controls by attacker cost impact, not only by block rate.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a broader governance lens, read Top 10 NHI Issues for the controls most likely to reduce standing access and abuse.

What this signals

Identity programmes now have to absorb bot pressure as a standing design constraint. If registration, recovery, and support paths can be gamed repeatedly, the organisation is not facing an isolated fraud issue but a repeatable trust failure. Teams should review whether their assurance model still assumes human-paced behaviour, because automated abuse now moves at machine speed and exploits every weak re-entry point.

Identity inflation is becoming a measurable operational risk. When fake accounts enter customer systems at scale, they contaminate lifecycle management, analytics, and downstream entitlement decisions. That is why practitioner teams should align fraud, IAM, and customer identity telemetry around shared thresholds, so synthetic growth is identified before it skews risk scoring or support workload.

The broader signal is that defenders need to measure attacker economics as closely as they measure customer friction. If the effort required to complete abuse stays low, the control stack is only shifting noise, not changing incentives.


For practitioners

  • Harden registration and recovery paths: Add layered verification to sign-up, password reset, and support-assisted recovery flows. Use risk-based step-up on high-volume or anomalous attempts, and review whether those steps still preserve legitimate customer completion rates.
  • Instrument bot-specific identity signals: Feed device intelligence, behavioural biometrics, velocity checks, and abuse-pattern telemetry into fraud and IAM decisions. Use those signals to distinguish legitimate users from scripted automation before account state changes occur.
  • Measure abuse cost, not only block rate: Track how many attempts are required for an attacker to complete a fake registration, password reset, or takeover sequence. If the effort-to-attack ratio stays low, the control set is not changing attacker economics enough.
  • Tune controls by attack path: Separate responses for scraping, fake account creation, credential stuffing, and account-management abuse. A single blanket policy usually leaves one workflow too soft while over-restricting the others.
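The "measure abuse cost, not only block rate" and "tune controls by attack path" items above become concrete once the bot-decision log is aggregated per workflow. The following Python is an added example written for this page, not code from Arkose Labs or from the original article. The log format, the event counts, and the per-action cost table (a blocked or plain request nearly free, a solved challenge priced like a solver-service fee, a passed step-up priced like a fresh phone number for an OTP) are all constructed assumptions; replace them with your own telemetry and cost estimates.

```python
"""Attacker effort per completed abuse, computed from bot-decision logs
(added example, not Arkose Labs code)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Hypothetical marginal cost to the attacker of one attempt, by the action the
# control applied. A plain or blocked request is almost free, a solved challenge
# costs a solver-service fee, a passed step-up (say, a fresh phone number for
# an OTP) costs far more. Replace with your own estimates.
ATTEMPT_COST = {"allow": 0.001, "block": 0.001, "challenge": 0.02, "step_up": 0.50}

Event = Dict[str, str]


def build_sample_log() -> List[Event]:
    """Constructed events (not real telemetry) for traffic the bot detection
    already labelled automated. Each tuple is (workflow, action taken,
    final outcome of the attempt, number of such events)."""
    shape: List[Tuple[str, str, str, int]] = [
        ("registration",   "block",     "failed",   40),
        ("registration",   "challenge", "failed",   10),
        ("registration",   "challenge", "success",  10),
        ("password_reset", "block",     "failed",    2),
        ("password_reset", "allow",     "success",  10),
        ("login",          "block",     "failed",  990),
        ("login",          "allow",     "success",   8),
        ("login",          "step_up",   "success",   2),
    ]
    return [{"workflow": w, "action": a, "outcome": o}
            for w, a, o, n in shape for _ in range(n)]


def effort_by_workflow(events: Iterable[Event]) -> Dict[str, Dict[str, float]]:
    """Per workflow: block rate (what dashboards usually show), attempts per
    successful abuse, and estimated attacker cost per successful abuse."""
    attempts: Dict[str, int] = defaultdict(int)
    successes: Dict[str, int] = defaultdict(int)
    blocked: Dict[str, int] = defaultdict(int)
    spend: Dict[str, float] = defaultdict(float)
    for e in events:
        wf = e["workflow"]
        attempts[wf] += 1
        spend[wf] += ATTEMPT_COST[e["action"]]
        if e["action"] == "block":
            blocked[wf] += 1
        if e["outcome"] == "success":
            successes[wf] += 1
    metrics: Dict[str, Dict[str, float]] = {}
    for wf in attempts:
        s = successes[wf]
        metrics[wf] = {
            "attempts": attempts[wf],
            "successes": s,
            "block_rate": blocked[wf] / attempts[wf],
            "attempts_per_success": attempts[wf] / s if s else float("inf"),
            "cost_per_success": spend[wf] / s if s else float("inf"),
        }
    return metrics


def weak_paths(metrics: Dict[str, Dict[str, float]],
               min_attempts_per_success: float = 5.0,
               min_cost_per_success: float = 0.10) -> List[str]:
    """Workflows whose controls are not changing attacker economics, judged by
    either metric (thresholds are hypothetical and should be tuned)."""
    return sorted(wf for wf, m in metrics.items()
                  if m["attempts_per_success"] < min_attempts_per_success
                  or m["cost_per_success"] < min_cost_per_success)


if __name__ == "__main__":
    m = effort_by_workflow(build_sample_log())
    for wf, v in m.items():
        print(f"{wf:15s} block_rate={v['block_rate']:.2f} "
              f"attempts/success={v['attempts_per_success']:.1f} "
              f"cost/success={v['cost_per_success']:.4f}")
    print("weak paths:", weak_paths(m))
```

On the constructed sample the three metrics tell different stories. Login blocks 99% of automated attempts and, because two of the ten takeovers had to pass a step-up, costs the attacker roughly 0.20 per success. Registration blocks 67% and needs six attempts per success, which looks respectable, yet each fake account costs about 0.04 because blocked attempts are free to the attacker and the challenge is cheap to solve. Password reset barely resists at all. Only the last two paths are flagged, and block rate alone would have ranked them the other way round.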

Key takeaways

  • Bot abuse is no longer a perimeter nuisance, because it directly undermines identity trust, support workflows, and account recovery.
  • The report’s numbers show a steep rise in malicious automation, with intelligent bots increasingly used for fake account creation and scraping.
  • Practitioners should harden re-entry flows, instrument bot-specific signals, and evaluate whether controls are raising attacker cost enough to change behaviour.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Bot abuse exploits weak assurance in account recovery and registration.
NIST SP 800-63 | SP 800-63A (identity proofing), SP 800-63B (authentication) | Identity proofing and authentication boundaries matter for fake accounts and takeovers.
NIST CSF 2.0 | DE.CM-01 | Behavioural monitoring is central to detecting automated abuse patterns.

Map customer identity workflows to PR.AA-01 and strengthen assurance at every re-entry point.


Key terms

  • Bot Abuse: Bot abuse is the use of automated traffic to impersonate or overwhelm legitimate users and processes. In identity programmes, it matters because the attacker targets registration, login, recovery, and support workflows to gain trust, create synthetic accounts, or take over existing ones at scale.
  • Identity Inflation: Identity inflation is the growth of synthetic or low-quality accounts that distort the organisation’s view of legitimate users. It weakens lifecycle governance because downstream controls, analytics, and risk scoring begin to operate on polluted identity data instead of trustworthy signals.
  • Effort-To-Attack Ratio: Effort-to-attack ratio is the amount of work an attacker must spend to complete an abuse path compared with the payoff they get. Controls that increase this ratio can make bot-led fraud economically unattractive, which is often more effective than trying to block every suspicious request.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Arkose Labs: Breaking (Bad) Bots: Bot Abuse Analysis and other Fraud Benchmarks. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org