Bot Farms: What They Are, How AI Has Changed Them, and How to Govern Them?
Sanja Trajcheva
Cyber Risks & Threats
July 09, 2026

-
A bot farm is a network of scripts, software, or AI agents that automatically generates clicks, traffic, views, and social engagement at scale
-
Bot farms have evolved from physical phone-bank warehouses to AI-powered cloud operations using headless browsers and residential proxies
-
Automation tools, not traditional malicious bots, are now the single largest source of invalid traffic in CHEQ’s network, a direct reflection of how AI has transformed bot farm operations
-
AI-powered bot farms generate sessions that are functionally indistinguishable from legitimate human users at the browser and network level
-
Entity-level trust decisions (evaluating what an entity is, whether it’s authentic, and what it intends to do) are the evolved response to AI-powered bot farms
The demand for automated traffic has given rise to an entire industry built on bot farms. And the best way to generate this traffic in bulk is through a bot farm.
But why is there such a demand for this form of coordinated automated traffic? What is a bot farm, and what is it used for?
And perhaps more importantly, how do bot farms affect organizations today, and what does governing the entities they generate actually look like?
What is a bot farm?
Bots are a system of scripts or software designed to click automatically. They are programmed to generate IP addresses and web sessions and interact with various online features. A bot farm is a collective of these bots, which may or may not be in the same physical location.
Often, a bot farm will consist of a large bank of smartphones or tablets connected by a controlling device. They will then carry out repetitive tasks, usually engaging with social media, viewing videos, or simply visiting websites to boost traffic.

These farms are built to serve people and organizations looking to generate coordinated automated traffic.
We did a full investigation into click farms right here.
Over the years, bot farms have become more advanced so that they are not just simple scripts. Instead, they’ve evolved in intelligence, scale, and cunning and now have dedicated infrastructure with servers, multiple computers, and routers.
The result? They are more effective at generating inauthentic clicks and harder to differentiate from real human users.
The increased sophistication and number of bot farms are partly because more people want to buy bot clicks to boost their online traffic. As demand grows, the number of bot farms and inauthentic clicks will also rise.
What’s the difference between bot farms and click farms?
Bot farms are essentially a form of click farms. The classic image of a click farm is of a large room full of people carrying out repetitive tasks on computers. However, these days, a click farm might actually be a bot farm or could even be remote workers using paid-to-click (PTC) sites.
These workers are often paid based on how many clicks they perform, which is, as you might have guessed, usually very low paid. Bots can, of course, conduct many more clicks, but humans will be able to bypass security such as captchas or bot filters.
There isn’t much difference between click and bot farms in the actual work done. They both generate inauthentic clicks for many reasons, including click fraud and ad fraud.
How traditional and AI-powered bot farms compare:
The more useful distinction today is between legitimate automation, like search crawlers or AI agents acting on a user’s behalf, and adversarial automation generating inauthentic traffic.
Why are bot farms a thing?
Both farms exist solely for profit. Every time bots execute inauthentic clicks on Google Ads, someone profits. The same goes for social media clicks and follows and streaming views.
Here are a few ways that people use bot farms.
Social media follows, likes, and comments.
This is a huge market as people spend six to seven figures annually to buy bot clicks on social media. Bots like and follow accounts to lend more credibility and make specific accounts more popular. Some estimates put Instagram bot accounts in the tens of billions, though methodologies vary.
Twitch/YouTube streams
Streamers’ profits are directly related to the number of views they get. Naturally, they buy traffic bots to increase their views and draw in more advertisers. These are known as view bots.
PPC clicks
Clicking on PPC ads will drive up a marketer’s ad spend, making the ad platform more money. Inauthentic clicks on some PPC campaigns can constitute a significant portion of total click volume. CHEQ analysis across thousands of customer campaigns has documented rates exceeding 10% for some industries.
Website Traffic
Webmasters might buy traffic bots to increase their site’s visitors and get paid more for advertising. They may also monetize these inauthentic clicks in other ways by charging for “quality backlinks,” for example.
How AI has changed bot farms?
The image most people associate with bot farms is a physical one: rows of smartphones mounted on shelving units, connected to a control device, generating traffic and clicks at scale.
That image still exists.
But it no longer represents how the most sophisticated bot farm operations work.
The shift started with headless browsers, automated browser environments without a visible interface.
Tools like Puppeteer and Playwright give bot operators the ability to simulate a complete, JavaScript-rendering browser session: loading pages, executing clicks, filling forms, navigating across multiple pages, all without physical hardware.
Unlike older bots, headless browser bots can pass many traditional detection checks because they genuinely behave like a browser.
Then generative AI changed the economics again.
Language models and multimodal AI systems can now: solve CAPTCHA challenges automatically; generate convincing human-like browsing patterns with realistic timing and scrolling behavior; operate through residential proxy networks so each session appears to originate from a different real household IP; and adapt behavior in real time to evade detection signals that would stop simpler bots.
The result: a modern AI-powered bot farm may be nothing more than a cloud server running hundreds of AI agent instances in parallel, each routing through residential proxies, each generating traffic that is functionally indistinguishable from organic human behavior.
No physical phone banks. No warehouse to raid. No employees to pay.
This is the Governance Gap in action.
The right question is no longer “is this a bot farm IP?” but: what is this entity, is its behavior consistent with authentic human engagement, and what is its presence on this site likely intended to accomplish?
Entity-level trust decisions (evaluating the full combination of Traffic Intelligence, Trust Intelligence, and Identity Intelligence) are what makes it possible to govern AI-powered bot farms in a way that legacy IP-blocking cannot.
The composition of invalid traffic itself confirms this shift.
CHEQ’s network data through April 2026 shows automation tools are now the single largest threat category by volume, ahead of traditional malicious bots by a wide margin.
In fact, malicious bot visit volumes peaked in fall 2025 and declined significantly into 2026, even as total invalid traffic volume grew 44% year-over-year.
The bots that IP-blocking was designed to catch are becoming a smaller share of the problem.
Automation tools that mimic legitimate browser behavior are becoming the dominant force.
Bot farm crackdown
As people continue to buy bot clicks, anti-bot measures have also increased. Social media platforms are cracking down on bot accounts, and advanced solutions are now available to protect your PPC ads.
Here are three noteworthy examples of the ongoing effort to detect and govern bot farm operations.
Fake Instagram purges
Instagram is constantly cracking down on fake followers and bot accounts. Over the years, there have been several purges during which the algorithm uses machine learning to identify and remove fake followers. The platform’s bot detection strategies are more sophisticated than ever, and now, these fake accounts‘ engagements and likes are also getting deleted.
However, that’s not to say that Instagram doesn’t still have a big problem with bot traffic. In fact, it’s still estimated that approximately 10% of Instagram accounts may be automated, though this figure varies by source and methodology.
Ukraine bot farm bust
In March 2022, the Ukrainian government destroyed five bot farms being used to spread misinformation and inspire panic among the citizens during the Russian invasion. During the raid, at least 100,000 online accounts, 100 GSM gateway devices, and close to 10,000 sim cards were discovered.
The bust gives some insight into how extensive the network of bot farms can be. They can run multiple accounts at any time, generating mind-boggling traffic.
Thai click farm
You’ve probably seen footage of the click farm bust in Thailand from 2017. Three Chinese nationals were arrested by Thai police, but not for actually operating the click farm, but for using unregistered SIM cards and illegally imported devices.
However, this became one of the most well-known images of the click farm and remained a common model for bot farm operators around the world.

None of this makes bot farms themselves illegal in most jurisdictions. Operating the infrastructure isn’t explicitly outlawed almost anywhere; the Thai bust above led to arrests for unregistered SIM cards and illegally imported devices, not for running a bot farm. Liability tends to arise only when that infrastructure is used for click fraud, ad fraud, or manipulating paid platforms, which can violate platform terms of service and, in some cases, fraud statutes.
What do bot farms mean for you?
Bot traffic isn’t just a policy question. It creates concrete costs for the businesses dealing with it.
Hard-to-interpret analytics data
Marketers rely on data to make informed decisions and improve performance. But when half of your traffic is made of bots, it becomes tough to make sense of your reports and harder to improve your strategies.
The strain on your site resources
An increase in traffic means that your website now has to handle more requests at any given time, which is doubly damaging since the increased traffic won’t lead to increased revenue. Attackers use this same strategy during a layer 7 DDoS attack when they try to overwhelm your site resource.
Increase your PPC campaign budget
Inauthentic clicks on your Google Ads mean that your “visitors” will never make it to the sale. And with you paying for every click, your ad spend will rise while conversions remain stagnant, which can also skew automated bidding algorithms that optimize on signals that include those same bot interactions. Is there anything more frustrating for a digital marketer?
Distorted ad platform optimization
People who buy traffic bots for their websites and platforms make it challenging for marketers to pick the best places to advertise. You never know if the traffic is from real users interested in your product or bots that will dump your cart and bounce.
What does bot activity look like?
If you advertised on a bot-infested website or have been exposed to inauthentic Google Ads clicks, how can you know for sure? Here are four simple ways to tell.
Abandoned shopping carts
Users abandon their carts often; that’s why retargeting is crucial. But when you observe an unusually high bounce rate, something fishy may be happening.
High clicks, low conversions
Upticks in clicks could mean that your campaign is working. But if it’s followed by the same conversion numbers (or lower), bots might be involved.
New and unfamiliar sources of traffic
Is a large chunk of your traffic originating from a new area outside your target audience? If so, investigate the entity sources and consider governing that traffic.
Spam
Another common sign of bot traffic is high volumes of spam comments or fake sign-ups. Spam bots are one of the many ways that bot farms are monetised – but they can be more than just an annoyance. Spambots can carry out serious attacks such as DDoS and SEO spam attacks.
How can you govern bot farm traffic?
Although many ad networks, such as Google and Facebook, are always trying to combat bot traffic, their methods are not always the most effective.
This is because the ad giants want more traffic, which translates to more ad revenue. Their filters do block obvious fraud sources, but with fraudsters constantly innovating their click-generation software, Google and co are usually playing catch up.
Read more about what is bot traffic and how to spot bot traffic in Google Analytics
Entity-level classification tools like CHEQ have become an essential layer for enterprise teams navigating the full spectrum of automated web traffic. By using detection that goes beyond what the ad platforms provide, you can classify entities and govern automated traffic at the source.
When it comes to organic and direct traffic, neither Google nor Facebook detection applies, which is where entity-level classification becomes essential.
Whether this is on Google Ads or the display network, Facebook Ads, or Instagram Ads, CHEQ provides entity-level governance across all your advertising channels.
CHEQ Agent Intent gives organizations the ability to identify not just what type of entity is visiting, but what it’s there to do, enabling proportional enforcement across the full spectrum from legitimate automation to adversarial bot farm activity.
Final thoughts
Bot farms are not a static threat.
They began as crude networks of scripts, evolved into sophisticated phone-bank operations, and have now shifted again into AI-powered cloud operations that are harder to detect than anything that came before.
Understanding this evolution matters because the response has to evolve with it.
The organizations that govern automated traffic most effectively today are those that have moved from binary detection to entity-level trust evaluation: asking not “is this a known bot IP?” but “what is this entity, is it authentic, and what is it trying to do?”