One thing is certain: The ROI for cyberattacks is greater than ever in 2022. The digitalization of our lives and work means bad actors can attack companies and threaten consumer trust long before a transaction takes place.

Meanwhile, the automated fraud ecosystem grows daily as new tools and resources are created to reduce the barrier to entry for sophisticated bot attacks and abuse schemes.

Catching evolving attacks early requires deeper insight and intel into the tactics and financial motivations of cybercriminals.

Each quarter, Arkose Labs analyzes billions of sessions to uncover the latest attack patterns seen on the most targeted user touch points, across our global network.

This report reveals the top attack trends from Q1 2022.

2022 Attack Trend Highlights

Attack Probability

Attack Probability

Up to 20% attack rate during peak weeks

Account Takeovers

Attack Probability

4% of all logins (good or bad) are a credential stuffing attempt


Attack Probability

250% increase in scraping attacks QoQ

Fake Accounts

Attack Probability

1 in 4 new accounts is fake

Mobile Attacks

Attack Probability

2x increase in mobile-led attacks over Q4 2021

Top Attacking Countries

The top 5 attacking countries contributed over 60% of all attacks in Q1. Attack patterns differ in each region because of varying incentive levels due to differences in wages, cost of labor, and comparative currency values.

Top Attacking Countries

North America

North America
  • 1 in 5 attacks comes from North America
  • More than of attacks targeted logins, primarily in gaming and retail
  • NA attackers are 30% more likely to be human than the global average

South America

North America
  • 2/3 of attacks targeted chat channels and direct messaging in social media and gaming
  • Attacks are 5x more likely to be human-led
  • Top attacking countries: Brazil, Venezuela, Argentina


North America
  • 1 in 3 attacks comes from Europe
  • Attacks are 50% less likely to leverage fraud farms
  • 40% of attacks in gaming came from European attackers


North America
  • 2/3 of attacks were fake account registrations
  • Scraping was the most commonly deployed tactic by fraud farms from Africa
  • Top attacking countries: Egypt, Morocco, Algeria


North America
  • 40% of attacks come from Asia
  • 2/3 of attacks targeted tech and travel industries
  • Attacks from China & India increased 70% from Q4

The Growing Cybercrime Workforce

Bots versus Humans

It no longer takes years of mastery to be an effective cybercriminal. Since the pandemic, the cybercrime workforce has exploded, thanks to the vast information sharing on the dark web and ROI opportunity for Rookie Criminals and Master Fraudsters alike.

Skilled cybercriminals use marketplaces and messaging platforms to promote their own personal fraud business, recommend attack tools and techniques, and offer free step-by-step guides for rookie cybercriminals to quickly become masters at their game.

Profile: Rookie Fraudster

  • Leverages the automated fraud ecosystem to make money fast
  • Uses marketplaces and messaging platforms to purchase bots-as-a-service and execute attacks at scale
  • Earns up to $20,000 per month

Profile: Master Fraudster

  • Uses multi-pronged attack strategy with multiple tools scripted, together alongside click farm workers
  • Continually invests in resources and development to bypass defenses
  • Earns up to $600,000 per month

Estimated Cybercrime Workforce:


We estimate there has been a 10-fold increase in people taking up fraud as a career since 2019 because of the wealth creating opportunities presented.

Brett Johnson

Chief Criminal Officer
Arkose Labs

Brett Johnson

Bot vs Human Attack Trends

Bots are Becoming More Intelligent & Effective

93%of attacks are bot-driven

Bot Attacks are Becoming More Intelligent & Efficient

  • Q1 saw consistently higher bot-oriented attacks than the average across 2021, driven by large-scale scraping and credential stuffing attempts.
  • Bot attack signatures are 3x more complicated today than in years prior, creating greater detection complexity for businesses.
  • Cybercrime-as-a-Service (CaaS) is on the rise, with marketplaces enabling amateur criminals to attack at scale.
Bots are Becoming More Intelligent & Effective

7%of attacks are human-driven

Cybercriminals Leverage Click Farms to Abuse Chat Channels

  • 90% of human attacks in 2022 have targeted communication channels in gaming, dating, and tech.
  • Top targeted companies can see up to 35% of traffic coming from human attackers.
  • Bad actors leverage click farms mostly for in-game abuse, spam, scams, and account takeovers.
  • Cybercriminals sabotage cost savings for the business and diminish ROI

The Bot vs Human Attack Mix

Bot attacks can overwhelm workflows with a single high volume attack, with peak attack periods being up to 2.5x normal traffic volume across the global network.

Human-led attacks are low-and-slow, allowing attackers to consistently target a platform while staying under the radar.

Hybrid attacks are increasingly common for persistent attackers. They start with intelligent bots, then switch to click farms when bots are deterred.

The role of Human-Lead Attacks
The role of Human-Lead Attacks

Top Threats to Trust and Account Security

Q1 Key Trends

Q1 Key Trends

  • Automated ATOs were 30% higher in Q1 than the average over the past 2 years
  • 1 in 4 accounts created was fake
  • 250% increase in scraping attacks from Q4 2021 to Q1 2022
Q1 Key Trends

Top Attack Types

  • Credential stuffing
  • Phishing
  • Mass fake accounts
  • Scraping
Q1 Key Trends

Top Signals of Fraud

  • Distributing traffic via proxies, hosting, or VPN services
  • IP masking
  • Short-term velocity spikes
  • Traffic coming from fraud farm countries

The Downstream Effect of Account-Based Fraud

As reported by IC3, many of the most costly cybercrimes start with credentials being stolen or a fake account being created. The growing prevalence of fake account attacks reflects the lucrative nature of romance scams, while account takeovers continue to be an attacker favorite for the multitude of ways they can be used for profit. Protecting consumers and preventing fraud losses requires stronger security technology that can detect malicious activity where it originates—on login and registration workflows. Implementing such technology can lead to significant cost savings and improved ROI, allowing businesses to maintain security while also optimizing their operations.

The role of Human-Lead Attacks

Fintech Reduces ATOs by 70% with Arkose Labs

The Customer

A major US fintech company experienced 20x growth in one year. This massive popularity attracted cybercriminals, who began attacking on multiple fronts.

The Problem

Attackers were executing ATOs at scale and creating fake new accounts to then send phishing messages to users. This caused poor user experience and customer financial losses, and overwhelmed fraud and security teams.

The Solution

Arkose Detect was implemented on the customer’s web and mobile flows to classify traffic risk and determine the appropriate response. Arkose Labs shared detection data with the customer to enhance their internal models.


  • Credential stuffing attacks stopped completely
  • 6.4 million token replay attacks stopped
  • No impact to good user throughput
  • Improved ROI and long-term cost savings

Request a Demo to See How Arkose Labs Catches and Deters Automated Fraud