Asia Pacific’s (APAC) fast-growing commerce economy is becoming a bigger target for cybercriminals as retailers, travel platforms and hospitality brands accelerate the use of AI-powered shopping, booking and customer experiences. According to Akamai’s latest State of the Internet (SOTI) security report, Securing the Agentic Storefront: Attacks on Commerce, bot activity targeting APAC commerce companies rose 63% in 2025 — the highest increase of any region globally. From July to December 2025, commerce also accounted for 38% of all AI bot traffic observed across industries in APAC, underscoring the need for security strategies that can keep pace with the region’s rapid adoption of AI-powered commerce.
Across the region, retailers are pivoting toward agentic commerce, using bots to hyperpersonalise shopping experiences and reduce cart abandonment. Chatbot growth is also especially fast in APAC, as businesses compete to differentiate through more personalised customer experiences. However, this is making it harder to distinguish legitimate automation from malicious bots, scraping, credential stuffing and API abuse.
While retail remained the primary target, travel and hospitality industries in APAC also experienced greater exposure compared to other regions, driven by fragmented travel platforms, high digital and mobile adoption, popular loyalty programs and seasonal booking peaks during regional holidays like the Lunar New Year, Golden Week, Diwali and year-end holidays. APIs are also becoming a growing area of exposure as commerce businesses connect payments, loyalty programs, inventory systems, logistics and booking platforms. In APAC, this is especially prominent in travel, which accounted for 22% of commerce web attacks, with APIs targeted in 25% of attacks against them. Commerce businesses in APAC also faced rising application-layer DDoS pressure, with Layer 7 DDoS attacks increasing 39% from 260 billion to 361 billion events in 2025. Among API-targeted Layer 7 DDoS attacks, retail accounted for 51%, followed by hospitality (28%) and travel (21%).
“APAC’s commerce sector is pivoting quickly toward a more automated and AI-enabled future, as businesses use GenAI chatbots and other AI-powered services to personalise experiences and reduce friction,” said Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai. “But every chatbot interaction, booking flow and loyalty program integration creates another new digital surface that must be discovered, understood and protected. This is especially important in APAC, where travel and hospitality face heightened exposure from fragmented platforms, popular loyalty programs and seasonal traffic surges. Businesses must now implement risk-based defences that are capable of identifying malicious intent hidden within high-volume, legitimate automation, without adding friction to the customer.”

Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai
As commerce organisations continue to embrace AI and automation, resilience must extend beyond a security function and become a business discipline. This includes:
- Mapping the revenue chain: Continuously identify the APIs that support payments, loyalty programs, checkout, inventory and partner integrations, and understand where sensitive data may be exposed.
- Governing automation by risk: Move beyond blanket “allow” or “block” decisions and adopt a risk-based approach that can distinguish legitimate automation from malicious bot activity.
- Preparing for peak traffic periods: Strengthen surge capacity, test DDoS response plans, monitor for fake storefronts and credential exposure, and bring cybersecurity and fraud teams closer together ahead of major shopping and travel peaks.
Now in its 12th year, Akamai’s State of the Internet security reports draw on attack data observed across Akamai’s cybersecurity protective infrastructure, which handles a significant portion of global web traffic.
Read the full report here.




