www.excedo.se

Cloudflare's Abuse Blind Spot: When Scale Outweighs Safety

7/31/2025, updated 2/22/2026

Excerpt

## Executive summary

- Explosive abuse growth. Cloudflare developer domains set new records in 2024: **pages.dev** incidents rose by 198 % (460 → 1 370) and **workers.dev** by 104 % (2 447 → 4 999). Total campaigns are on pace to exceed 1 600 in 2025.
- Systemic misuse. Multiple security vendors (Fortra, Trustwave, CloudSEK) and independent researchers show brand‑impersonation and credential‑harvesting on Cloudflare infrastructure at scale.
- Process dead‑ends. Despite thousands of submissions - **including from trusted flaggers** - Cloudflare’s abuse desk replies with boilerplate denials and places the burden of proof on reporters.
- Legal collision course. NIS2, its national transpositions, and the Digital Services Act (DSA) impose strict duties on “online platforms,” CDNs, DNS and reverse‑proxy providers. Cloudflare’s current practice is **non‑compliant** and creates **material liability** for EU customers.
- Action items. Regulators must clarify CDN liability; enterprises should block **pages.dev / workers.dev by default**; incident responders should lobby for trusted‑flagger status; and procurement teams must reassess Cloudflare against **NIS2 supply‑chain obligations**.

…

- Trustwave SpiderLabs highlighted “a huge number of phishing and scam pages abusing **pages.dev** Cloudflare services.”
- CloudSEK described a generic phishing kit hosted on **workers.dev** that can impersonate any brand on demand.
- A Reddit thread with >600 up‑votes chronicles a researcher’s frustration after reporting 200+ malicious **pages.dev** sites - with <**30 %** ever taken down.

## Why Cloudflare’s process fails trusted flaggers

1. **Form‑only reporting** – Email complaints receive an automated bounce directing reporters to the web form. Bulk incidents cannot be submitted efficiently.
2. **High evidentiary bar** – Reporters must prove phishing is active at the time of review, ignoring that campaigns often operate in short bursts.
3. **Opaque outcomes** – Cloudflare rarely discloses whether any action was taken, citing privacy and customer confidentiality.

…

### For enterprises & SOCs

- Re‑evaluate CDN providers during 2025 vendor risk reviews; require written evidence of NIS2 compliance and breach‑handling metrics.
- Block or sandbox links ending in pages.dev and workers.dev until verified safe.
- Sinkhole newly created Cloudflare subdomains that spoof your brand via DNS filtering.
- Update incident‑response runbooks to include NIS2 supply‑chain obligations: document due diligence, preserve abuse evidence, and, if necessary, switch CDN rapidly.

…

## Conclusion

Cloudflare’s vision of “building a better Internet” rings hollow while its infrastructure operates as a turnkey phishing platform. Under NIS2, every **ignored report** is no longer just a user‑experience issue - it is a **potential regulatory offence** that can cascade fines down the **supply chain**. Enterprises that continue to **delegate critical traffic** to Cloudflare infrastructure without demanding transparent, audited abuse processes now face a double jeopardy: compromised credentials and compliance penalties. **The time to act is now** - before the first NIS2 enforcement actions make headlines.
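
The "block or sandbox links ending in pages.dev and workers.dev" and brand-spoof sinkhole recommendations from the enterprise and SOC action items, sketched as an added example (not code from the article or from Cloudflare): a URL classifier for a mail or proxy filter that matches on DNS label boundaries. The brand token, the allowlist entry and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

BLOCKED_SUFFIXES = ("pages.dev", "workers.dev")   # domains named in the article
BRAND_TOKENS = ("examplebank",)                   # constructed placeholder brand
VERIFIED_SAFE = {"docs-team.workers.dev"}         # constructed allowlist entry


def hostname_of(url: str) -> str:
    """Lowercased hostname without userinfo, port or trailing root dot."""
    if "://" not in url:
        url = "//" + url                          # bare host: parse as netloc
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:                            # e.g. malformed IPv6 literal
        return ""
    return host.rstrip(".").lower()


def matched_suffix(host: str):
    """Match whole DNS labels only, so 'evilpages.dev' and
    'pages.dev.example.com' are not mistaken for developer subdomains."""
    for suffix in BLOCKED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify(url: str) -> tuple:
    """Return (action, host); action is allow, block or sinkhole."""
    host = hostname_of(url)
    suffix = matched_suffix(host)
    if suffix is None or host in VERIFIED_SAFE:
        return ("allow", host)
    subdomain = host[: -len(suffix)].rstrip(".").replace("-", "")
    if any(brand in subdomain for brand in BRAND_TOKENS):
        return ("sinkhole", host)                 # spoofs our brand
    return ("block", host)                        # default-deny until verified


if __name__ == "__main__":
    samples = [                                   # constructed sample URLs
        "https://examplebank-login.pages.dev/signin",
        "HTTPS://Foo.Workers.DEV./a",
        "https://docs-team.workers.dev/",
        "https://evilpages.dev/",
        "https://pages.dev@login.example.net/",
    ]
    for s in samples:
        print(classify(s), s)
```

A plain substring or `endswith("pages.dev")` test would misclassify the last two samples, which is why the match is anchored on a leading dot and run against the parsed hostname rather than the raw URL.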

Source URL

https://www.excedo.se/en/blog-articles/cloudflares-abuse-blind-spot-when-scale-outweighs-safety