2026 Cloudflare Report on Cyberattacks Against Civil Society
An ISOC LIVE summary
Cloudflare Project Galileo - June 2026
Authors: Cloudflare Research Team; contributions and case studies from Xiao Qiang — China Digital Times; Bojan Perkov — SHARE Foundation; Khairil Zhafr — EngageMedia; Patricia Ainembabazi — CIPESA.
Cloudflare’s 2026 report examines the cybersecurity threats facing civil society organizations protected under Project Galileo, the company’s initiative that provides free cybersecurity services to more than 3,400 domains in 120 countries. Drawing on one year of traffic and email data collected between February 1, 2025 and January 31, 2026, the report argues that civil society organizations face a disproportionate level of online attack because of the politically sensitive and public-interest nature of their work. The analysis combines quantitative attack data — drawn from 2,801 of the more than 3,400 active Internet properties for DDoS and vulnerability attacks, and from a smaller subset of more than 70 participants using Cloudflare Email Security for phishing — with case studies involving journalism organizations, digital rights defenders, humanitarian groups, and human rights organizations.
The report identifies four principal categories of threat: distributed denial-of-service (DDoS) attacks, exploitation of website vulnerabilities, phishing attacks, and government-directed Internet shutdowns. Across all categories, Cloudflare finds that civil society organizations are attacked more frequently and more aggressively than other Internet users. The report emphasizes that attacks often coincide with moments when organizations are publishing investigative reporting, conducting advocacy, documenting abuses, or operating during elections, protests, or crises.
DDoS attacks dominate malicious traffic
Application-layer DDoS attacks account for 81.7% of all malicious requests directed at Project Galileo participants, totaling 31.43 billion of the 38.5 billion malicious requests recorded during the reporting period. These attacks attempt to overwhelm websites and APIs with traffic that resembles legitimate user activity, exhausting server resources and rendering sites inaccessible. Unlike many large commercial DDoS attacks that Cloudflare typically mitigates within minutes, attacks against civil society organizations are notable for their duration. Many persist for days or even weeks.
Human rights organizations receive the highest proportion of DDoS traffic, with more than 10% of all traffic to such organizations classified as malicious — roughly 40 times the rate for social welfare organizations. Media organizations are also heavily targeted, with more than one in eight facing malicious DDoS traffic during the reporting period.
The report describes how attackers increasingly use “chunked” attack patterns, sending traffic in bursts separated by pauses. This strategy allows attackers to study defensive responses, reverse-engineer rate limits, and repeatedly restart attacks after automated protections expire. In particular, the pauses let attackers exploit dynamic fingerprint rules — short-lived defenses built to match an attack’s specific pattern that expire once traffic stops — forcing the mitigation system to detect each new wave from scratch. Cloudflare interprets these tactics as deliberate attempts to wear down both technical defenses and organizational capacity.
Several detailed case studies illustrate these patterns. Wahana Visi Indonesia, a Christian humanitarian organization, faced a three-day attack in February 2025 involving 4.9 billion malicious requests spread over 13 bursts, with a peak of 366,666 requests per second. The UK Refugee Council faced an attack in April 2025 spanning seven days and 15 hours — smaller in scale at 261.3 million malicious requests over 14 chunks, peaking at 18,333 rps. Médecins Sans Frontières Germany, South Africa’s Daily Maverick, and a Dutch LGBTQ+ rights organization were also targeted. The Dutch organization experienced a 15-minute, single-burst attack peaking at 375,000 rps (99.9 million requests total) shortly after the International Day Against Homophobia, Transphobia and Biphobia.
One of the most severe examples involves Tech4Peace, an Iraq-based digital rights organization countering online threats in the Middle East. The organization experienced five DDoS attacks during 2025. One attack lasted eight days and included 2.6 billion malicious requests delivered in 15 separate bursts. Cloudflare notes that the attack followed publication of an article debunking an AI-generated image of a Syrian politician bowing to US President Trump. Another attack occurred within a day of an article that drew more than 156,000 views, far above the organization’s typical readership. The report argues these patterns suggest deliberate attempts to suppress visibility and public engagement.
Independent journalism in exile faces concentrated attacks
Cloudflare identifies independent media operating in exile as particularly vulnerable. Nearly 5% of the 41 billion requests to journalism-in-exile sites are malicious — almost four times the rate seen across journalism organizations overall. Because these organizations depend almost entirely on the Internet to reach audiences inside repressive states, online attacks can directly impair freedom of expression and public access to information.
The Cuban outlet elTOQUE faced a DDoS attack involving nearly 426.8 million malicious requests, peaking at 108,167 rps, in December 2025. The organization believes the attack was connected to its currency comparison tool tracking exchange rates between the Cuban peso and foreign currencies, which the Cuban government publicly criticizes as “economic terrorism.” During the same month, access to the outlet’s website was blocked inside Cuba.
The Moscow Times, which relocated to Amsterdam after Russia designated it an “undesirable organization” in 2024, also faced a major DDoS attack in July 2025 involving 123.4 million malicious requests and peaking at 319,000 rps. The report notes that secure online operations are essential for exiled journalism organizations whose physical operations inside their home countries become impossible.
China Digital Times describes facing “relentless attacks every single day” as a resistance media outlet preserving the memory of the Chinese Internet. The organization explains that exposure of editors’ identities could put them at risk of harassment or arrest when traveling to China. Cloudflare highlights one security rule that blocked all but eight of more than 21,000 suspicious requests in a single 24-hour period in November 2025.
Website vulnerability exploitation intensifies
The report finds that civil society organizations experience attempts to exploit website vulnerabilities at rates more than seven times higher than other Cloudflare customers. These attacks target weaknesses in outdated software, poorly configured systems, or insecure applications in order to gain unauthorized access, extract sensitive data, or compromise infrastructure.
Media organizations receive 40.5% of the 7.1 billion vulnerability probing attempts despite representing only 22.7% of Project Galileo participants. On average, a media organization experiences approximately 4.5 million malicious probing requests during the reporting period, equivalent to roughly one every seven seconds.
Cloudflare identifies three dominant techniques: HTTP anomalies — malformed requests sent in bulk to trick defenses like a Web Application Firewall — accounting for 44% of probing activity, followed by SQL injection (16%) and automated vulnerability scanners (15%). Many attacks are conducted by bots capable of scanning thousands of websites per minute. In September and October 2025, managed rules blocked 162.3 million requests against a US-based publishing non-profit, of which 99.9% were HTTP anomalies. The report stresses that successful compromises can expose confidential sources, donor information, activists, journalists, and internal communications.
The report also documents multilayered attacks in which DDoS campaigns occur simultaneously with vulnerability scanning. One unnamed global environmental organization faced more than 3.34 million malicious vulnerability scanning attempts alongside a 6.97 billion request DDoS attack (peaking at 118,333 rps) during the same month as a major climate conference in Brazil. Cloudflare interprets this as evidence that attackers use DDoS traffic as cover for more targeted intrusion attempts.
Phishing campaigns grow more sophisticated
Cloudflare processes approximately 29 million emails for participating civil society organizations and identifies 2.8 million messages containing potential phishing material — nearly 10% of all emails processed. Compared to other Cloudflare customers, civil society organizations receive a higher concentration of emails designed to gain unauthorized access or steal sensitive information.
The report categorizes the dominant phishing techniques as deceptive URLs (19.5%), impersonation of a trusted individual (16.8%), and impersonation of a trusted brand (13.4%), alongside credential harvesting and abuse of newly registered domains. The most frequently impersonated brands are, in descending order, Apple, Docusign, Datadog, American Express, and Intuit. Nearly half of phishing emails use newly registered domains in an attempt to evade reputation-based detection systems.
Cloudflare warns that phishing attacks are becoming increasingly difficult to detect using traditional security measures alone. Of 1.2 million highly malicious emails identified, 30.2% bypass standard authentication checks before being flagged by more advanced behavioral analysis. The report argues this reflects a growing level of sophistication among attackers.
The report highlights a Citizen Lab investigation involving the World Uyghur Congress. Attackers impersonate a trusted Uyghur-language software provider in order to distribute a trojanized text editor containing surveillance malware. Cloudflare notes that this campaign relies less on technical sophistication than on intimate understanding of the social and cultural context of the targeted community.
Cloudflare further warns that generative AI systems may amplify phishing threats by enabling attackers to rapidly produce realistic, highly personalized messages at scale. A March 2026 investigation by Huntress identifies a suspected AI-generated phishing campaign targeting Microsoft cloud accounts across more than 340 entities, including civil society groups.
Internet shutdowns undermine civic participation
The report identifies 183 Internet disruptions globally during the reporting period, 85 of which appear linked to government action based on public reporting. Shutdowns frequently occur during elections, protests, armed conflicts, or examination periods. Cloudflare argues that these disruptions interfere with the ability of civil society organizations to communicate, document abuses, distribute independent reporting, and deliver humanitarian services.
Uganda’s January 2026 election shutdown serves as a major case study. After the Uganda Communications Commission ordered Internet service providers to restrict public Internet access and certain mobile services, Cloudflare observed a 95% drop in traffic within 30 minutes. The restrictions were justified by authorities as measures against misinformation, electoral fraud, and incitement to violence, and followed the suspension of operating permits for several non-profits. Independent experts describe a resulting chilling effect that constrained election oversight, public communication, and fundraising. CIPESA estimates economic losses of approximately $16 million.
Iran experienced eight government-directed shutdowns during the reporting period. During a January 2026 disruption beginning around 16:30 UTC on January 8, Internet traffic fell by nearly 90% within 30 minutes and dropped to effectively zero by 18:45 UTC, disconnecting the country from the global Internet. The restrictions lasted until February 1. Civil society groups reported that the shutdown hampered their ability to document state violence against protesters.
Cloudflare notes that it supports the Internet measurement community by sharing outage data with projects including Internet Society Pulse, Access Now’s #KeepItOn campaign, and the Open Observatory of Network Interference.
Recommendations and conclusions
The report concludes that cyberattacks against civil society are not incidental but are frequently timed to disrupt organizations at moments of greatest public impact. Cloudflare argues that cybersecurity protections are now essential infrastructure for democratic participation and civic engagement online.
Cloudflare recommends promoting universal access to cybersecurity services, increasing transparency around cyberattacks and Internet shutdowns, and improving the accessibility of advanced defensive technologies including AI-enabled security systems and post-quantum cryptography. The report also emphasizes that improving cybersecurity for civil society organizations benefits the broader Internet ecosystem, because compromised organizations can otherwise become conduits for wider attacks.
RESOURCES
Project Galileo — Cloudflare’s free cybersecurity program for at-risk public-interest organizations
Celebrating 12 years of Project Galileo — Cloudflare’s announcement post accompanying the report and case studies
Citizen Lab: Weaponized Words — investigation into the trojanized Uyghur-language editor targeting the World Uyghur Congress
Tech4Peace — Iraq-based digital rights and fact-checking organization hit by five DDoS attacks in 2025
elTOQUE — Cuban independent outlet targeted over its informal-market currency tracker
China Digital Times — bilingual outlet surfacing censored news from China
SHARE Foundation — Serbian digital rights organization (Bojan Perkov)
EngageMedia — Asia-Pacific digital rights and open-technology organization (Khairil Zhafr)
CIPESA — East and Southern Africa ICT policy organization (Patricia Ainembabazi), which estimated the Uganda shutdown cost
Internet Society Pulse — Internet measurement project that incorporates Cloudflare outage data
Access Now #KeepItOn — coalition tracking and fighting internet shutdowns worldwide
OONI — Open Observatory of Network Interference, measuring internet censorship globally



Thanks for sharing the CloudFlare report. M.