Monday, September 15, 2025

APIs Become Primary Target for Cybercriminals: Over 40,000 API Incidents in First Half of 2025

Thales has announced the findings of its latest API Threat Report (H1 2025), warning that APIs – the behind-the-scenes connectors powering apps, payments, and logins – have become the primary target for cybercriminals.

Across more than 4,000 monitored environments, Thales recorded over 40,000 API incidents in the first half of 2025 alone. Although APIs represent only 14% of overall attack surfaces, they now attract 44% of advanced bot traffic, demonstrating how attackers are focusing their most sophisticated automation on the workflows that underpin critical business operations.

Record-Breaking Financial Services DDoS Attack

One of the most striking findings from the report is the scale of a record-breaking 15 million requests-per-second (RPS) application-layer DDoS attack against a financial services API. 

Unlike traditional volumetric DDoS campaigns aimed at overwhelming network bandwidth, this attack was targeted specifically at the application layer – exploiting the API itself to exhaust resources and disrupt operations. 27% of all API-focused DDoS traffic in H1 2025 hit financial services, reflecting the sector’s heavy reliance on APIs for real-time transactions such as balance checks, transfers, and payment authorisations.

This incident demonstrates how attackers are now combining scale with stealth: leveraging massive botnets and headless browsers to mimic legitimate API requests, making it far harder for defenders to distinguish malicious traffic from genuine users.

Key Findings from the Report:

  • 40,000+ API incidents recorded in H1 2025, averaging over 220 per day; projected to exceed 80,000 by year-end if trends continue.
  • Attack distribution by endpoint: 37% data-access APIs, 32% checkout/payment, 16% authentication, 5% gift-card/promo validation, and 3% shadow or misconfigured endpoints.
  • Credential-stuffing and account takeover attempts rose 40% on APIs without adaptive MFA.
  • Data scraping accounts for 31% of API bot activity, often targeting high-value fields such as email addresses and payment details.
  • Coupon and payment fraud represents 26% of attacks, exploiting promo loops and weak checkout validation.
  • Remote code execution (RCE) probes account for 13% of attacks, with CVEs in Log4j, Oracle WebLogic, and Joomla being the most targeted.
  • By industry, financial services (27%) lead, followed by telecoms and ISPs (10%), travel (14%), and entertainment & arts (13%).
  • Shadow APIs remain a critical blind spot: organisations typically have 10–20% more active APIs than they are aware of.

“APIs are the digital economy’s connective tissue – but that also makes them its most attractive attack surface,” said Tim Chang, Vice President Application Security Products at Thales. “What we’re witnessing is not just the scale of attacks increasing, but a fundamental shift in how criminals operate: they don’t need to inject malware, they can simply bend your business logic against you. The requests look legitimate, but the impact can be devastating.

“The next six months will only see the volume and sophistication of API attacks grow. The best time to act was yesterday – the next best time is now. Organisations must discover every live endpoint, understand its business value, and protect it with context-aware, adaptive defences if they are to safeguard revenue, trust and compliance.”
