Media groups and exiled journalists bear the heaviest concentration of cyberattacks against civil society, Cloudflare data shows
Civil society organisations were targeted by cyberattacks more frequently, and held under sustained assault for far longer, than the wider population of Internet users over the past year, according to new research from Cloudflare that draws on traffic data from more than 3,400 domains protected under its Project Galileo programme. The findings point to a threat environment in which distributed-denial-of-service campaigns, vulnerability probing, phishing and government-directed Internet shutdowns increasingly converge on the organisations least equipped to absorb them.
DDoS attacks were the dominant threat by volume, accounting for 31.43 billion of the 38.5 billion malicious requests Cloudflare recorded between February 2025 and January 2026, or 81.7% of the total. What distinguished these attacks was not their scale, which the company classified as small to medium, but their persistence. Whereas roughly three-quarters of all application-layer DDoS attacks Cloudflare mitigated across its network ended within 10 minutes, nearly every one of the largest campaigns against civil society ran longer, with several extending across days and in some cases weeks.
The Iraq-based digital rights organisation Tech4Peace absorbed an eight-day campaign in May 2025 that featured more than 2.6 billion malicious requests spread across 15 distinct bursts, an attack that followed its publication of an article debunking an AI-generated image of a Syrian politician bowing to the US President.
Persistence, not scale, is what sets these campaigns apart
The chunked, intermittent structure of these longer campaigns reflected a deliberate strategy rather than a technical limitation. By delivering traffic in short bursts separated by engineered pauses, attackers were able to slip out of scope of mitigation defences before resuming, using the intervals to reverse-engineer rate limits, observe which rules had triggered and adjust their signatures accordingly. The pauses also exploited dynamic fingerprint rules, the short-lived defences built to match an attack's specific patterns that expire once traffic stops, forcing the mitigation system to detect each fresh wave from scratch. Wahana Visi Indonesia, a Christian humanitarian organisation, faced a three-day attack in February 2025 carried across 13 bursts and totalling 4.9 billion requests, while the British Refugee Council weathered a campaign spanning seven days and 15 hours.
The media absorbs a share of attacks far beyond its share of the population
The concentration of attacks fell most heavily on the media. Cloudflare blocked a malicious request probing a media organisation roughly once every seven seconds, and media groups absorbed 40.5% of the 7.1 billion vulnerability-exploitation attempts the company mitigated despite making up only 22.7% of the participant population. That worked out to an average of 4.49 million malicious probes per media organisation, well ahead of environmental groups at 2.70 million, human rights defenders at 2.13 million and social welfare organisations at 1.65 million. Across the board, civil society faced attempts to exploit website vulnerabilities at a rate more than seven times higher than other Cloudflare customers, with HTTP anomalies accounting for 44% of probing activity, SQL injection 16% and automated vulnerability scanners 15%, almost all of it conducted by bots operating at machine speed.
Exile offers no refuge from the reach of the attackers
Journalists working in exile occupied the most exposed position of all. Nearly 5% of the 41 billion requests directed at journalism-in-exile sites were malicious, a rate almost four times that seen across journalism organisations more broadly. In December 2025, the Cuban outlet elTOQUE, run by journalists in exile, faced an attack of nearly 426.8 million malicious requests that it believes was aimed at disabling its tool comparing the Cuban peso against foreign currencies, a tool the Cuban government has characterised as economic terrorism, and its website was blocked inside Cuba during the same month. The Moscow Times, relocated to Amsterdam and designated undesirable in Russia in 2024, sustained a separate attack of 123.4 million requests in July 2025.
Phishing is growing more sophisticated faster than basic defences can adapt
Phishing rounded out the picture of escalating sophistication. Nearly 10% of the approximately 29 million emails Cloudflare processed for civil society contained potential phishing material, with the company flagging 2.8 million such messages and identifying 1.2 million as highly malicious. Almost a third of those highly malicious emails, 30.2%, bypassed standard authentication checks built on sender, origin and content-integrity signatures, evading the basic defences before more sophisticated detection caught them. Deceptive links featured in 19.5% of identified attacks, identity deception in 16.8% and brand impersonation in 13.4%, with Apple, Docusign, Datadog, American Express and Intuit the five most frequently spoofed names. A Citizen Lab investigation in April 2025 documented a campaign against the World Uyghur Congress that trojanised a trusted Uyghur-language text editor, while a March 2026 Huntress investigation identified a suspected AI-generated email campaign targeting Microsoft cloud accounts across more than 340 entities, including civil society groups.
Shutdowns extend the assault from the network to the state
Beyond direct attacks, Cloudflare identified 183 Internet disruptions across its network, 85 of which public reporting attributed to government action, clustering around elections, protests, student exam periods and armed conflict. Ahead of Uganda's January general election, the Uganda Communications Commission ordered providers to restrict access, producing a 95% drop in traffic within 30 minutes, a shutdown that the organisation CIPESA estimated cost the economy $16 million. In Iran, eight government-directed shutdowns occurred during the coverage period, including one beginning on 8 January that drove national traffic to effectively zero and lasted until 1 February, constraining organisations documenting the use of force against protesters.
The pattern running through the data is one of timing as much as volume. Attacks repeatedly coincided with the moments when civil society work carried the most weight, the publication of investigative reporting, the conduct of elections, the staging of public advocacy, suggesting organisations are targeted not merely for what they do but to blunt their impact precisely when it matters. With the cybersecurity budgets of fewer than one-third of non-profits considered adequate, according to NetHope, and with AI poised to accelerate existing threats while also offering new defensive tools, Cloudflare's recommendations centre on promoting universal access to cybersecurity services, increasing transparency around attacks and shutdowns, and lowering the barriers to AI-enabled defences so that the technical gap between attackers and the organisations they target does not widen further.
