API attacks reached a record high in the first half of 2025, with more than 40,000 incidents recorded. Cybercriminals are increasingly targeting these invisible connections between apps and systems, with financial service providers being the hardest hit.
The urgent need for action is highlighted in the latest API Threat Report from Thales. One of the most striking findings from the report concerns a record-breaking application layer DDoS attack of 15 million requests per second against a financial services provider’s API. This attack specifically targeted the application layer rather than attempting to overload bandwidth.
The financial sector appears to be particularly vulnerable. In the first half of 2025, 27 percent of all API-targeted DDoS traffic was directed at financial services. This sector is heavily dependent on APIs for real-time transactions such as balance checks, transfers, and payment authorizations.
Tip: APIs are indispensable, but also pose a security risk
In-depth analysis of attack patterns
In more than 4,000 monitored environments, the security company recorded an average of more than 220 API incidents per day. Although APIs account for only 14 percent of the total attack surface, they now attract 44 percent of advanced bot traffic.
These figures illustrate a fundamental shift in the way cybercriminals operate. They are deploying their most advanced automation on the workflows that form the core of critical business processes. If the current trend continues, Thales expects the number of incidents to exceed 80,000 by the end of the year.
The distribution of attacks shows a clear pattern. Data access APIs are the most targeted (37 percent), followed by checkout and payment APIs (32 percent). Authentication endpoints account for 16 percent of targets, while gift card and promotion validation represent 5 percent.
Increasing threat and blind spots
Credential stuffing and account takeover attempts increased by 40 percent for APIs without adaptive multi-factor authentication. Data scraping accounts for 31 percent of all API bot activity, often targeting valuable fields such as email addresses and payment details.
A disturbing finding concerns shadow APIs. Organizations typically have 10 to 20 percent more active APIs than they are aware of. These unknown endpoints represent a critical blind spot in security.
Attacks are becoming increasingly sophisticated as criminals deploy massive botnets and headless browsers to mimic legitimate API requests. This makes it much more difficult for security systems to distinguish malicious traffic from real users.
Remote code execution attacks account for 13 percent of total API attacks. Log4j, Oracle WebLogic, and Joomla are the most targeted vulnerabilities. Chang warns that companies must adapt to this threat immediately. Over the next six months, both the volume and sophistication of API attacks will only increase.