Application programming interfaces (APIs) have become the primary target for cybercriminals, according to Thales’ latest API Threat Report covering the first half of 2025.

The cybersecurity company monitored more than 4,000 environments and recorded over 40,000 API-related incidents between January and June, averaging more than 220 attacks a day. If the trend continues, total incidents could surpass 80,000 by year-end.

Although APIs account for just 14 per cent of an organisation’s digital attack surface, they now attract 44 per cent of advanced bot traffic, underscoring their growing role in cyberattacks.

Record Financial Services DDoS Attack

Thales highlighted a record-breaking 15 million requests-per-second (RPS) application-layer DDoS attack on a financial services API. Unlike traditional volumetric campaigns, this attack exploited the application layer itself, exhausting resources and disrupting operations.

Financial services bore the brunt of such attacks, with 27 per cent of API-focused DDoS traffic targeting the sector. Thales said this reflects banks’ heavy reliance on APIs for real-time services such as balance checks, transfers and payments.

Attackers are also deploying large botnets and headless browsers to mimic legitimate requests, making it harder for defenders to distinguish genuine activity from malicious traffic.

Broader Attack Patterns

The report found that:

• 37% of attacks targeted data-access APIs, while 32% focused on checkout and payment endpoints.
• Credential-stuffing and account takeover attempts rose 40% against APIs lacking adaptive multi-factor authentication (MFA).
• Data scraping made up 31% of API bot activity, often extracting sensitive fields such as emails and payment details.
• Coupon and payment fraud represented 26% of attacks, exploiting promo loops and weak checkout validation.
• Remote code execution probes accounted for 13% of threats, with Log4j, Oracle WebLogic and Joomla among the most targeted vulnerabilities.

Industries most affected included financial services (27%), travel (14%), entertainment and arts (13%), and telecoms/ISPs (10%).

Shadow APIs — active interfaces unknown to IT teams — also remain a significant blind spot. Organisations typically run 10 to 20 per cent more APIs than they realise, Thales said.

Rising Urgency

“APIs are the digital economy’s connective tissue – but that also makes them its most attractive attack surface,” said Tim Chang, vice president of application security products at Thales.

Daniel Toh, Thales’ chief solution architect for Asia-Pacific and Japan, warned that Singapore organisations in particular must act quickly. “The best time to act was yesterday – the next best time is now. Companies must discover every live endpoint, understand its business value, and protect it with adaptive defences if they are to safeguard revenue, trust and compliance.”

What’s Next

Thales expects API attacks to increase in both volume and sophistication through the remainder of 2025. The company is urging enterprises to prioritise endpoint discovery, deploy adaptive authentication, and strengthen monitoring to defend against business logic abuse.