Bot penalty: developers' resources have been subjected to active cyber attacks
In late spring and early summer, attackers began to actively attack construction companies and educational institutions, cybersecurity companies told Izvestia. In the first case, the goal was to collect data about developers and their facilities for the subsequent sale of information by subscription in Telegram. The volume of such traffic to developers' resources can be about a third, which is comparable to the effect of DDoS attacks. And educational institutions were actively attacked by schoolchildren and students, including with the help of AI—written bots. See the Izvestia article about which other areas are increasingly becoming targets of cyber attacks.
How bots attacked developers
In the second quarter of 2025, the construction industry, retail and insurance companies, as well as schools and universities experienced a sharp surge in bot attacks, cybersecurity companies told Izvestia. At the same time, the plans of the attackers attacking these areas are completely different. For example, parser bots designed to collect information from web resources actively attacked developers.
"They collected information about thousands of objects on developers' websites, imitating the behavior of legitimate users," said Servicepipe, a cybersecurity company.
This data acquisition mechanism is used, in particular, by specialized Telegram bots that accumulate information about facilities under construction or commissioned and sell it by subscription. Izvestia got acquainted with the proposals of one of these resources, which offers detailed information about facilities under construction and completed, land plots, credit conditions, and sales dynamics.
As explained in Servicepipe, the amount of information that parsers collect can be significant and attacks by bot parsers put a significant strain on developers' services.
— And one botnet crawl can generate tens of thousands of heavy database queries. To provide operational information to users who have a subscription, access to resources can be several times a day, they said. — If the bot is not smart enough, it continuously sends a request to the service, creating a load comparable to a DDoS attack for the service (a hacker attack aimed at disabling the resource. — Izvestia).
At the same time, several botnets can "manage" on one site at the same time, constantly pumping out information, and developers often simply do not have resources designed for such peaks of load.
Izvestia sent inquiries to several major real estate companies asking them to report on the consequences of such parsers' activities.
"Over the past few months, we have recorded a significant increase in the activity of automated bot systems on public resources, especially in terms of collecting information about existing projects, objects for sale and real estate properties," Mikhail Marmylev, Director of Information Security at the Aeroplane Group, told the publication. — The main purpose of such scans is to aggregate data for subsequent resale, use in third—party storefronts and chatbots.
According to him, bots are mainly interested in publicly available data: descriptions of facilities, layouts, prices, and construction progress.
Such automated information gathering "eats up" the advertising budgets of construction companies, Servicepipe explained.
— According to our calculations, up to 30% of the budgets for online advertising of developers goes nowhere, — they said. — Impressions, clicks, and leads (potential customers. — Izvestia) If they cost money, an advertising campaign can work with pay-per-impressions, pay-per-clicks, or pay-per-leads. The use of bots increases these indicators in order to get money from the advertising system.
Currently, the most expensive thing in online advertising is leads (users who came for the first time), including those received as traffic from "target" sites to the advertiser's site. But in general, the company pays 70 rubles for any click from an advertisement, 3.5 thousand rubles for a unique lead, and 15.6 thousand rubles for a target lead (a customer interested in buying).
An analysis of traffic on the resource of one of the large developers showed that out of 471 thousand clicks on the site, bots accounted for 98.5 thousand, that is, about 20% of all traffic. Another developer had a 27% share of bot traffic. The company's total advertising traffic was no more than 4,000 clicks, and bots accounted for 25%.
How the educational sphere was attacked
In the second quarter of 2025, the volume of DDoS attacks increased by 42% compared to the same period in 2024, the cybersecurity company StormWall told Izvestia. The majority of attacks were directed at the financial sector (28%), the public sector (21%) and telecom (16%). In addition, retail (14%) and entertainment (9%) were actively attacked. The consequences of such attacks were not too serious.
In particular, a large online store's website was down for about three hours. When it abruptly became unavailable, there were suggestions that a technical glitch had occurred, but 10 minutes later, abnormal bot traffic was registered on the site. Next, the technical services first filtered the traffic, but then activated the anti-DDoS protection, and the site returned to operation.
The botnet also disabled the website of one of the insurance companies: in two hours, all client web services and the official website of the insurer were unavailable, users could not log into their personal accounts.
Attacks on the educational sphere amounted to 7% due to the USE and the start of the admission campaign at universities, which is quite a high indicator for this industry, the cybersecurity company said. At the same time, it was the educational sector that was among the three industries where the growth in the number of attacks was the fastest — by 47% compared to the same period last year.
"Attacks launched by ordinary hackers who sought to enrich themselves at the expense of companies from key industries prevailed," said Ramil Khantimirov, CEO and co—founder of StormWall. — There were also many incidents organized by hacktivists who tried to harm the public sector. Especially many attacks by hacktivists were discovered during the celebration of Russia Day.
Small-scale attacks on educational institutions were initiated by school graduates, the expert noted.
Yuri Fadeev-Murashov, head of the Servicepipe technical solutions integration team, noted that the most noticeable trend of the half—year was an increase in the number of DDoS attacks that were created using generative AI.
"Such attacks are especially typical for the so—called novice pioneers in the cybercrime environment," he said. — Previously, in order to write botnet control code, you needed at least basic technical knowledge and skills working with the source code. Now everything is different: it is enough to set the necessary AI command and you can get a ready-made script, albeit not the most effective, but working.
So far, such "pioneer" traffic does not reach critical volumes, but in the future it may significantly affect the overall picture of DDoS threats, the expert believes. Theoretically, an attack created using generative AI can be of any speed — it all depends on the capacities available to attackers.
Переведено сервисом «Яндекс Переводчик»
