SEE THE TRENDS

Key Findings

SEE THE TRENDS

Key Findings

361 Config Files

In Q1 2025, KasadaIQ observed 361 OpenBullet configs listed by adversaries.

1,000+ Brands

Over 1,000 large companies were targeted since January 2024, compromising millions of customer accounts.

2.5 Million Accounts Breached

Stock of stolen accounts peaked in early January, with nearly 2.5 million available for sale.

Tracking ATO: Monthly Attack Patterns

Kasada observed steady growth in ATO and fraud activity throughout 2024, with sharp spikes in October and again in early 2025. The surge coincided with enhanced monitoring of criminal marketplaces and culminated in a record number of stolen account listings in January—nearly 2.5 million. In Q1 2025 alone, 67% of all tracked account sales targeted webmail, retail, and social platforms. One group, ALTSRUS, stood out for its widespread ATO campaigns targeting vulnerable communities, including EBT-linked accounts, highlighting a troubling shift toward exploiting vulnerable communities..
👉 Explore the Q1 Threat Report to learn more.

Total Companies Attacked by Month

361 Config Files

In Q1 2025, KasadaIQ observed 361 OpenBullet configs listed by adversaries.

1,000+ Brands Targeted

Over 1,000 large companies were targeted since January 2024, compromising millions of customer accounts.

2.5 Million Accounts Stolen

Stock of stolen accounts peaked in early January, with nearly 2.5 million available for sale.

Tracking ATO:

Monthly Attack Patterns

Kasada observed ATO attacks spiking in summer months and October, highlighting the seasonality of bot-driven threats. These fluctuations may be driven by attackers with more free time in the summer — such as students experimenting with credential stuffing — and increased fraud activity in October as cybercriminals ramp up for the holiday shopping season, testing stolen credentials and refining their tactics before peak retail periods.

Companies Targeted by ATO 2025

Industry Breakdown: Who’s Being Targeted?

Credential stuffing is a cross-industry threat, but certain sectors are more frequently targeted due to the high value of customer accounts, such as loyalty and rewards points, and the sensitive financial information and personal data they store.

Kasada Bot Intel ATO Industries

Unique Companies Targeted by ATO Attacks (2024–2025), by Industry

*Data shown only for January to May 2025

Industry Breakdown:
Who’s Being Targeted?

Credential stuffing is a cross-industry threat, but certain sectors are more frequently targeted due to the high value of customer accounts, such as loyalty and rewards points, and the sensitive financial information and personal data they store.

Kasada Bot Intel ATO Industries
kasada ATO attacks by industry line graph

Traditional Defenses Are Failing

Among targeted and compromised companies, 85% already had a bot detection solution—proving just how aggressive and advanced these attackers have become.

ATO attacks by bot defense

 Traditional Defenses Are Failing

Among targeted and compromised companies, 85% already had a bot detection solution—proving just how aggressive and advanced these attackers have become.

ATO attacks by bot defense
ATO bot Attack sophistication bar graph

How Bots Are Outsmarting Detection

When launching account takeover attacks, threat actors use advanced tools like OpenBullet, which enable large-scale automation with minimal effort. This allows adversaries to configure custom scripts that bypass common defenses, such as CAPTCHA, using techniques like rotating proxies and mimicking human behavior to remain undetected.

How Bots Are Outsmarting Detection

When launching account takeover attacks, threat actors use advanced tools like OpenBullet, which enable large-scale automation with minimal effort. This allows adversaries to configure custom scripts that bypass common defenses, such as CAPTCHA, using techniques like rotating proxies and mimicking human behavior to remain undetected.

ATO bot Attack sophistication bar graph

SEE THE TRENDS

Uncover how attackers exploit ATO—and how to stop them.

SEE THE TRENDS

Uncover how attackers exploit ATO—

and how to stop them.

The latest from Kasada

  • Q1 2025 Quarterly Threat Report

    Automated threats are growing smarter, faster, and more difficult to detect. Kasada’s Quarterly Threat Report reveals what to watch for and what to do next – powered by millions of real-time signals analyzed through KasadaIQ.

  • A CISO’s Guide to Bot Protection Effectiveness – Breaking Open the Black Box

    Learn how to validate bot protection effectiveness, mitigate business risks, and ensure your defenses align with operational and regulatory needs.

  • Kasada’s Reflections on the Q3 2024 Forrester Wave™ – Bot Management Evaluation

    Kasada named a Strong Performer. Here are some of our own reflections having taken part in this evaluation.

Take the next step to stopping threats now