Asia Pacific’s financial institutions absorbed 52% of all global Layer 7 distributed denial-of-service (DDoS) attacks targeting financial services in 2025, making the region the world’s most attacked for application-layer threats for the fourth consecutive year, according to Akamai‘s latest State of the Internet Security report.

The report, AI-Empowered Botnets and API Visibility Gaps: Attack Trends in Financial Services, draws on attack data observed across Akamai’s global cybersecurity infrastructure. It paints a picture of a region whose rapid digital banking expansion is outpacing its ability to secure the services it is deploying.

The Attack Breakdown: Banks and Fintechs Under Most Pressure

Within APAC, banking and fintech absorbed the heaviest share of Layer 7 DDoS attacks, 44% and 38% respectively. Banking alone accounted for 92% of lower-level network attacks in the region. Layer 7 attacks are designed to overwhelm customer-facing applications with traffic that mimics legitimate requests, making them far more difficult to detect than conventional network floods.

The threat environment is also evolving at speed. Akamai observed a 147% surge in advanced bot activity in the second half of 2025, with AI-powered botnets increasingly capable of mimicking browser behaviour and bypassing conventional defences. Meanwhile, 96% of financial services organisations globally reported at least one API security incident in the past 12 months, the highest rate of any industry surveyed.

A Dangerous Blind Spot in API Security

The report identifies a significant visibility gap in how financial institutions understand their own API estates. While 77% of financial services IT and security leaders in APAC believe they have a complete picture of their APIs, only 27% know which APIs return sensitive data. This discrepancy creates a structural blind spot at precisely the moment when API-dependent services are multiplying fastest.

“APAC’s banks and fintechs sit at the centre of one of the world’s fastest-moving digital financial environments. Every new payment service, mobile banking feature, fintech integration and AI-enabled workflow creates another dependency for attackers to probe,” said Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai. “If an institution does not know which APIs exist, which ones expose sensitive data, or how they are supposed to behave, it is already operating with an elevated level of risk.”

Microsegmentation as a Response Advantage

The report found that organisations using microsegmentation, isolating critical applications to limit lateral attacker movement, responded to incidents 33% faster than those that did not. In an environment where every minute of disruption carries reputational, regulatory and financial consequences, that response advantage is material.

Akamai’s recommendations include strengthening application-layer DDoS and API defences, investing in security tooling that identifies sensitive data exposure and anomalous API behaviour, and adopting AI-powered defences capable of responding at machine speed.