What 25,000 Bots Taught Me About GenAI in Fraud
Going into 2025, we knew a lot about how GenAI was impacting fraud. We knew it was powering larger, more frequent attacks, and we knew those attacks were more sophisticated than ever before.
But there’s still a lot to learn. Yes, fraudsters are embracing GenAI, but how quickly are they advancing it? Can we predict what the next evolutionary phase will look like? And, most importantly, are fraud leaders ready to respond?
Like any other fraud expert, I spent the first part of this year trying to answer those questions. I read all the latest reports, studied months of data — our team even tested fraudsters’ techniques ourselves. But it wasn’t until one major attack that I found the answers I was looking for. Here’s what one bot attack revealed about the future of GenAI in fraud.
90 days. 25,000 Bots. Countless Questions.
Bot attacks are nothing new; I’ve studied them at companies of all types and sizes. Regardless of the industry, advanced bots have become a common foe for digital businesses, and a key component of fraudsters’ attack plans. With any large bot attack, we’ve come to expect a pattern: human fraudsters scout their targets’ defenses and tailor bot scripts to exploit vulnerabilities, making a step-by-step march towards a full-scale attack (this is something we can see happening in real-time, and a dead giveaway of an incoming attack).
But earlier this year, one attack broke the mold.
A BNPL provider was hit by a swarm of 25,000 bots over 90 days. About half of these bots didn’t do anything special — they entered the form as expected and were stopped by OTPs as intended.
The remaining bots weren’t as straightforward. Over 10,000 bots found a weakness that opened an alternative entry to the BNPL provider’s application. Once they were in, 350 were able to skip steps and successfully submit an application without providing an email or phone number.
Something Was Wrong, But What?
The aforementioned behavior wasn’t abnormal in itself. In fact, we’d expect to see bots making it further and further as fraudsters gather more intel about their target’s controls. Still, it’s rare to see even today’s bots have this much success in such a short period of time. I dove deeper to see if any clues lied ahead of the attack.
That pre-attack pattern I mentioned earlier? It wasn’t present in this attack. These bots weren’t the result of a weeks-long scouting mission, and nothing indicated that humans were tailoring these scripts to bypass checks in the way that they did.
Even more concerning: each group of bots attacked at the same time. Typically, bot clusters appear sequentially, with each one more successful than its predecessor until one group finally breaks through. In this attack, these bots appeared to iterate and adapt in real-time, all on their own. We’ve studied bot attacks extensively, but this was something we’d never seen before.
What It Means for Fraud Teams
My big takeaway from this attack is that GenAI-powered fraud is advancing faster than any of us thought, and the increased attack intensity we’ve seen is only the beginning. Just months ago, GenAI was a cog that worked alongside humans to amplify attacks. Now, GenAI is the nucleus of the attack, powering bots that test, tweak, and attack all on their own.
I’m sure many fraud leaders have the same reaction as me — a little bit of admiration for how far GenAI has come, and a whole lot of worry for how we’ll keep pace.
But the good news is we didn’t miss this attack. Behavioral analytics caught all of these sophisticated bots as they arrived. We needed a follow-up analysis to realize just how sophisticated this attack was, but our real-time bot detection reinforced behavioral analytics’ critical role in a modern fraud stack.
Keeping Up with Evolving Fraudsters
To stay ahead of rapidly advancing fraudsters, fraud teams need to know the ways in which fraudsters are attacking their defenses, including how to spot attacks before they strike.
Download the Fraud Attack Strategy Guide for a deeper dive into this attack and other sophisticated strategies, and reach out to our team to learn more about how behavioral analytics can protect your business from evolving threats.
