This article examines the dual‑use nature of Cloudflare’s services, reviews publicly available evidence, and proposes concrete policy changes that could curb systemic abuse without undermining the company’s legitimate customers.
A security giant with a dark side
Cloudflare accelerates traffic and blocks DDoS floods for millions of domains. At the same time, the same infrastructure shields phishing kits, malware stagers, hate forums and darknet mirrors. Critics contend that Cloudflare’s policy of infrastructure neutrality - combined with minimal upfront verification - creates a fertile environment for cyber‑criminal operations.
The “orange‑cloud” cloak
When a DNS record is proxied (orange cloud), Cloudflare replies to queries with its own anycast IP addresses, hiding the server’s real location. Without an origin IP, defenders struggle with attribution, geofencing and rapid takedowns - precisely why threat actors favour the orange cloud.
Phishing factories on Pages & Workers
Free developer surfaces such as “pages.dev” and “workers.dev” accelerate continuous integration for start‑ups - and for criminals. According to Fortra’s Suspicious Email Analysis portal, 4,999 phishing incidents abused Cloudflare Workers in 2024, a 104% year‑on‑year jump, with projections of nearly 6,000 by December 2025 (Fortra, Oct 2024). Fortra also measured a 198% rise in Pages‑hosted lures (460 → 1,370 incidents).
Interisle Consulting’s 2024 “Cybercrime Supply‑Chain Report” lists eight major sub‑domain providers (including Cloudflare) that together account for most of the sub‑domain phishing; the top four alone host more than 60% of such abuse.
Tunnels that smuggle RATs and stealers
“TryCloudflare” tunnels let anyone spawn a temporary outbound connection from a private machine to Cloudflare’s edge. Proofpoint, eSentire and Securonix threat briefs document AsyncRAT, Remcos and XWorm campaigns leveraging these disposable endpoints to bypass block‑lists and frustrate forensic investigators.
Abuse reporting that doxes reporters
When researchers submit trademark, phishing or malware complaints at “abuse.cloudflare.com”, Cloudflare by default forwards the entire report - including the reporter’s name, email and phone - to both the hosting provider and the website operator; for trademark‑infringement reports this forwarding cannot be switched off. The company’s form presents a pre‑selected, non‑removable checkbox: “Include my name and contact information with the report.” This disclosure gives cybercriminals an early warning, allowing them to migrate infrastructure or wipe logs before any hosting takedown occurs, effectively weaponizing the reporter’s identity.
Reverse‑proxy as reputation laundry
Cloudflare’s reverse proxy has long been the final hop for controversial or illegal sites. The neo‑Nazi “Daily Stormer” lost Cloudflare protection only after a unilateral August 2017 decision, while the harassment forum “Kiwi Farms” was dropped in September 2022 amid life‑threatening danger to targeted individuals. In ordinary circumstances, Cloudflare defers action until a court order or law‑enforcement mandate arrives, a latency criminals readily exploit.
Cloudflare’s counter‑narrative
Cloudflare argues that its infrastructure neutrality preserves an open Internet and that blanket de‑platforming would punish innocent customers. The company points to:
- A 2025 pipeline overhaul that auto‑remediates 78% of phishing reports within one hour (Cloudflare Transparency Report H2 2024).
- “Project Galileo”, which blocks an average 325 million attacks per day against at‑risk nonprofits, journalists and human‑rights groups (Cloudflare Radar, 2025).
Is Cloudflare nurturing criminals?
The dual‑use dilemma is summarised in Table 1.
| Mechanism | Legitimate security win | Criminal upside |
|---|---|---|
| Proxied IPs hidden | Stops DDoS on activists | Masks phishing & C2 servers |
| Pages/Workers free tier | Rapid CI/CD for small businesses | Mass kit hosting at zero cost |
| Tunnel service | Secure remote access | Stealth malware staging |
| Abuse‑form disclosure | Per‑policy transparency for hosts | Tips criminals to move fast |
Table 1: Dual‑use features of Cloudflare services
What would actually tilt the scales?
User‑side mitigations
- Use origin‑hardening: limit inbound traffic to Cloudflare IP ranges and enable authenticated origin pulls.
- Subscribe to threat‑intel feeds that map Cloudflare‑proxied domains to serverless sub‑domains or tunnels.
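The two checks above can be scripted. The following is an added example, not code from the article or from Cloudflare: it triages whether a hostname’s resolved addresses sit behind the orange cloud, and scans an origin server’s access log for requests that arrived from a non‑Cloudflare peer, which after origin hardening indicates a leaked origin IP or a stale allow‑list. The range list is an abbreviated subset assumed for the example (the live list is published at cloudflare.com/ips), and the log lines are constructed.

```python
import ipaddress
import re

# Subset of Cloudflare's published edge ranges (https://www.cloudflare.com/ips).
# Assumed/abbreviated for this example; production code should fetch the live list.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "131.0.72.0/22", "2400:cb00::/32", "2606:4700::/32",
)]

def is_cloudflare(ip: str) -> bool:
    """True if the address lies inside a Cloudflare anycast range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def classify_domain(resolved_ips) -> str:
    """Triage a hostname from its A/AAAA answers: 'proxied' means every answer
    is a Cloudflare address (orange cloud) and the real origin is hidden, so a
    takedown must go through abuse channels; 'direct' exposes the true server."""
    if not resolved_ips:
        return "unresolved"
    flags = {is_cloudflare(ip) for ip in resolved_ips}
    return "proxied" if flags == {True} else "direct" if flags == {False} else "mixed"

# Constructed origin access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
104.16.1.1 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 512
172.64.5.9 - - [10/Oct/2024:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 800
198.51.100.9 - - [10/Oct/2024:13:56:02 +0000] "GET /admin HTTP/1.1" 403 120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def find_bypass(log_text: str):
    """Return (client_ip, method, path) for requests that reached the origin
    from a non-Cloudflare peer. With the origin firewall limited to Cloudflare
    ranges and authenticated origin pulls enabled, any hit here means the
    origin IP has leaked or the allow-list is stale."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_cloudflare(m.group(1)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits
```

Run `find_bypass` over a real origin log only after the firewall allow‑list is in place; before that, direct hits are expected and the output is noise.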
Cloudflare/regulator actions
- Make disclosure of the reporter’s identity in abuse reports opt‑in rather than the non‑removable default.
- Require low‑friction KYC (SMS code) for new free‑tier accounts.
- Cap tunnel lifetimes and throttle mass sub‑domain creation.
- Publish a public abuse dashboard that tracks takedown latency and recidivism.
- Offer service credits for customers with a clean track record; apply penalties for repeated abuse.
Conclusion
Cloudflare did not invent cybercrime, but the company’s architecture and policies undeniably nourish it. Until abuse‑prevention is woven into onboarding - and reporter identities are protected by default - the orange‑cloud badge will continue to serve as both a shield for the good and fertilizer for the bad. The remaining question is not whether Cloudflare can act, but how urgently it will deploy the levers alrea.
