AI-Empowered Botnets and the 77/27 API Gap: What New Research Means for ANZ Financial Services
Insicon Cyber
Updated on May 25, 2026
A blunt 77% of financial services security leaders in APAC say they have a full picture of their API estate. Only 27% know which of those APIs return sensitive data. That gap is where attackers live now. And as AI accelerates both attack scale and API proliferation, the gap is widening fast.
Akamai's latest State of the Internet Security report, the snappily titled 'AI-Empowered Botnets and API Visibility Gaps: Attack Trends in Financial Services', lands at a moment when Australian and New Zealand regulators have already started pulling on the same thread. The APRA letter on AI risk landed on 30 April 2026. The ASIC open letter on frontier AI followed on 8 May 2026. The RBNZ Financial Stability Report arrived in mid-May with, to an extent, the same warning. The message to boards across the Tasman, whether you sit above a bank, an insurer, a superannuation trustee, a payments business, a capital markets firm or a fintech, is now unified: existing controls are about to be tested more often, at greater scale, and under greater pressure.
This is what the data shows, and this is what we are telling clients to do about it.
The headline numbers from Akamai's 2026 financial services report are uncomfortable reading for any board sitting above an ANZ financial institution.
Financial services is now the most targeted industry globally for Layer 3 and 4 DDoS attacks. The median duration of those attacks has increased by 738% since 2024. Volumetric DDoS attacks against the sector grew in scale by 236% between 2024 and 2025. Advanced bot activity surged 147% in late 2025, and in one Akamai case study, 96% of a financial site's total traffic was identified as malicious scraping bots.
Within the sector, banking absorbs the largest share of attacks: 60% of all web attacks and 83% of all API endpoint attacks in 2025 targeted the banking vertical. But insurers, superannuation trustees, payment providers, capital markets firms, wealth and brokerage businesses, and fintechs operate in the same threat environment. They share infrastructure, share APIs, and share third-party platforms with the institutions in the bullseye. Concentration risk runs both ways.
The attack pattern is not new. The economics behind it are. Akamai's view, and we share it, is that 2025 marked the industrialisation of cybercrime. DDoS-as-a-Service is now a packaged commodity. AI is making the bots smarter. Hacktivist groups are coordinated and persistent. Pro-Iran groups including Keymous+, DieNet, Handala, and the Cyber Islamic Resistance ran multi-vector campaigns through 2025 against payment systems and login portals, and named US financial institutions as 2026 targets, prompting high-priority alerts from the US Department of Justice and the Financial Industry Regulatory Authority.
The takeaway for ANZ financial services is straightforward. The threat is global, the targeting is sector-specific, and the volume is rising.
APAC is now the most targeted region for Layer 7 DDoS attacks against financial services, for the fourth consecutive year. 52% of all global Layer 7 attacks against the sector in 2025 hit APAC institutions. That was 314 billion attacks across the region in one year, more than double the next closest region.
Why APAC? Because the region's financial sector is moving the fastest. Real-time payments, open banking and consumer data rights, mobile wallets, neobanks and digital insurers, embedded finance, API-first architectures. Every one of those competitive advantages also expands the attack surface.
Australia and New Zealand sit firmly inside that envelope. Both markets carry aggressive digital banking expansion, large insurance and superannuation industries, active open data initiatives (the Consumer Data Right in Australia, the Customer and Product Data Bill progressing in New Zealand), and a tightly interconnected payments ecosystem. Where APAC leads in attack volume, ANZ financial institutions are in the same neighbourhood.
The gap between knowing what you have and knowing what matters is the single most consequential finding in the Akamai report for ANZ financial services governance.
Source: Akamai 2026 API Security Impact Study, cited in AI-Empowered Botnets and API Visibility Gaps: Attack Trends in Financial Services, State of the Internet Security report, May 2026.
The single most useful data point in the Akamai report, from a governance perspective, is the gap between API inventory and sensitive data visibility.
That is the visibility gap. It is not a technology problem. It is a knowing-what-you-have problem.
Globally, 96% of financial services organisations reported at least one API security incident in the past 12 months. That is the highest rate of any industry. APIs are now the connective tissue of digital banking, claims processing, member services, payments, brokerage execution, and increasingly AI. If you do not know which of your APIs touch sensitive data, you cannot meaningfully protect them, monitor them, or report on them. You also cannot answer the information security questions in APRA CPS 234, or the third-party and fourth-party visibility questions in APRA CPS 230, which came into force on 1 July 2025.
This is the part that should keep CISOs and CIOs up at night. Not the DDoS volume. The visibility gap.
There are two AI dynamics in play in the Akamai data, and they compound each other.
First, AI is making attacks more effective. Akamai recorded an average of 2.5 billion AI-related bot requests per day across its network, nearly doubling in the second half of 2025. AI-driven bots now mimic browser behaviour with near-perfect accuracy. Threat actors are using AI to map infrastructure, probe APIs at scale, and generate functional exploits within hours of vulnerability disclosure. Hyperscale botnets like Aisuru and Kimwolf, even after the March 2026 law enforcement takedowns of more than 3 million compromised IoT devices, are already being replaced by successor infrastructure.
Second, AI is expanding the API attack surface inside financial institutions themselves. Akamai uses the term "vibe coding" to describe AI-assisted development that ships working code faster than security teams can review it. The result: shadow APIs and zombie APIs reach production without documentation, monitoring, or proper authentication. Add to that the APIs that AI systems themselves require to function, and the attack surface grows faster than any traditional inventory process can keep up with.
The Akamai report puts it precisely: AI does not replace traditional security risks, it amplifies them, particularly through vulnerable API endpoints that serve as the connective tissue for these new models.
Beyond infrastructure, attackers are also targeting AI systems directly. Prompt injection, sensitive information disclosure, and other categories in the OWASP Top 10 for Large Language Model Applications are now standard attack patterns, not theoretical risks. For financial services organisations using AI in fraud detection, underwriting, claims, advice, KYC and AML, that risk is not abstract. It sits inside the decision systems already in production.
"Do you know where AI is being used inside your business, and do you know what would happen if one of those systems was compromised or manipulated? If you can't answer that, you're not ready to govern it."
Matt Miller, Co-founder and CEO, Insicon Cyber
This is where the Akamai data meets the ANZ regulatory environment, and the alignment is striking.
APRA's 30 April 2026 letter to industry made AI risk a board-level matter for every authorised deposit-taking institution, insurer, and superannuation trustee. The letter named the attack vectors explicitly: prompt injection, data leakage, insecure integrations, AI-generated code, exploit injection, and the manipulation of autonomous AI agents. APRA called out that identity and access management capabilities have not yet adjusted to non-human actors such as AI agents, and that the volume and speed of AI-assisted software development is placing strain on the effectiveness of change and release management controls. Where entities fail to adequately manage AI risk, APRA has signalled stronger supervisory action and, where appropriate, enforcement.
ASIC's 8 May 2026 open letter to AFS licensees and market participants pushed the same urgency from a different angle. Frontier AI models are accelerating both attack capability and accessibility. ASIC's message: do not wait for perfect clarity. Strengthen cyber resilience fundamentals now. Patch faster. Validate controls. Adopt layered, defence-in-depth architectures that assume breach. The ASIC v FIIG Securities Federal Court judgement (26-021MR) is the reference point: cyber risk management must be demonstrably effective and proportionate to the size, nature and complexity of the business. That applies whether the licensee is a broker, a fund manager, a financial adviser, or a market operator.
The RBNZ Financial Stability Report (May 2026) reinforced the trans-Tasman picture. Emerging frontier AI models could materially amplify cyber risks. Regulated entities, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures, are expected to address those threats. Concentration risk in third-party AI providers is now treated as a financial stability concern. The RBNZ Cyber Resilience Guidance remains the baseline expectation across that regulated population.
Layer that against the existing controls landscape: APRA CPS 234 on information security, CPS 230 on operational risk management, the Privacy Act 1988 (Australia), the New Zealand Privacy Act 2020, the NZISM, and the ASD Essential Eight. ISO/IEC 42001:2023 is the only certifiable international standard for AI management systems, and it is now the most direct path to evidencing AI governance against this regulatory environment.
We work with mid-market financial services organisations across Australia and New Zealand: ADIs, insurers, superannuation trustees, payments businesses, capital markets firms, wealth managers, and fintechs. The advice we are giving them right now sits on three legs.
You cannot govern what you cannot see. Start with discovery: every API, including shadow and zombie APIs. Map which APIs return sensitive data. Then test the AI systems themselves against prompt injection, data leakage, insecure integrations, and the OWASP Top 10 for LLM Applications. Without this baseline, the rest is paperwork.
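A minimal sketch of that discovery baseline, added here as an illustration and not taken from the Akamai report or any Insicon Cyber tooling: it reconciles a documented inventory against gateway traffic and marks which live endpoints return sensitive fields. The inventory, the log lines, the `resp_keys` log field and the sensitive-field patterns are all constructed assumptions; "shadow" here means served but undocumented, and "zombie" means deprecated but still served.

```python
import json
import re
from collections import defaultdict

# Constructed inventory: what the team believes is deployed.
INVENTORY = {
    ("GET", "/v2/accounts/{id}"): "active",
    ("GET", "/v2/rates"): "active",
    ("GET", "/v1/accounts/{id}"): "deprecated",
}

# Constructed gateway log lines. "resp_keys" (response JSON key names) is an
# assumed logging field, not something every gateway emits by default.
LOG_LINES = """
{"method":"GET","path":"/v2/accounts/88231","status":200,"resp_keys":["id","account_number","balance"]}
{"method":"GET","path":"/v2/rates","status":200,"resp_keys":["product","rate"]}
{"method":"GET","path":"/v1/accounts/1207","status":200,"resp_keys":["id","account_number","dob"]}
{"method":"GET","path":"/internal/export/9f1c2d3e-aaaa-4bbb-8ccc-1234567890ab","status":200,"resp_keys":["email","tax_file_number"]}
{"method":"GET","path":"/v2/rates/77","status":404,"resp_keys":[]}
""".strip().splitlines()

# Illustrative patterns only; a real classifier would follow the data policy.
SENSITIVE = re.compile(r"account_number|tax_file_number|dob|email|card|balance", re.I)
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def template(path):
    """Collapse numeric and UUID path segments to {id} so requests group by endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def reconcile(inventory, log_lines):
    """Return {(method, path_template): {"kind", "sensitive_fields"}} for live endpoints."""
    seen = defaultdict(set)
    for line in log_lines:
        rec = json.loads(line)
        if rec["status"] >= 400:  # skip error responses: no data was returned
            continue
        key = (rec["method"], template(rec["path"]))
        seen[key].update(k for k in rec["resp_keys"] if SENSITIVE.search(k))
    report = {}
    for key, fields in seen.items():
        state = inventory.get(key)
        kind = "shadow" if state is None else "zombie" if state == "deprecated" else "documented"
        report[key] = {"kind": kind, "sensitive_fields": sorted(fields)}
    return report

if __name__ == "__main__":
    for (method, path), row in sorted(reconcile(INVENTORY, LOG_LINES).items()):
        print(f"{row['kind']:<10} {method} {path}  sensitive={row['sensitive_fields']}")
```

The rows to act on first are the shadow and zombie endpoints with a non-empty `sensitive_fields` list: they sit outside the inventory-based picture entirely.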
ISO/IEC 42001:2023 is the management system standard for AI. It maps to the APRA letter's governance expectations almost line for line: AI inventory, lifecycle ownership, human oversight on high-risk decisions, supplier mapping, third and fourth-party visibility, change control, and continuous assurance. Certification is not the goal. The governance discipline that certification requires is the goal.
Point-in-time assurance is not fit for probabilistic models that learn, adapt, and degrade. APRA said so directly. The expectation is continuous validation across cyber security, data governance, model performance, operational resilience, privacy, and conduct risk. That is a managed compliance function, not an annual audit.
Insicon Cyber is an ANZ-based cybersecurity advisory and managed services firm. Founded in 2013, we are ISO 27001 certified, headquartered in North Sydney, and operate across both Australia and New Zealand.
Three capabilities matter most for the threats and obligations in this blog. They all sit inside our AI Security and Governance practice, framed as Secure AI. Governed AI. Compliant AI.
Discovery and security testing of AI systems and the APIs that feed them, including prompt injection testing, data leakage assessment, and inventory reconciliation against the actual deployed environment.
A trans-Tasman implementation pathway that maps directly to APRA's four observation areas (cyber and information security, governance and risk management, supplier risk management, change management and assurance) and to the RBNZ Cyber Resilience Guidance.
Continuous monitoring, evidence collection, and reporting across Essential Eight, ISO 27001, ISO 42001, and NZISM. Boards get the assurance reporting they need. CISOs get the operational support they need.
For boards that want to engage at the strategic layer first, our Board Cyber Advisory and CISO-as-a-Service offerings sit alongside.
The Akamai research makes the threat picture unambiguous. The APRA, ASIC and RBNZ positions make the regulatory picture unambiguous. The shape of the work for ANZ financial services boards is now clear. The only remaining variable is whether you do it before the next incident, or after.
Whether you need an honest baseline of where AI is operating in your environment, a path to ISO 42001 readiness, or continuous compliance support against APRA and RBNZ expectations, we can help.