Google Cloud & Cloudflare Missed 3-Year Phishing Campaign


Phishing Campaign Exploits Google Cloud and Cloudflare

Overview

An industrial-scale phishing campaign leveraging Google Cloud and Cloudflare infrastructure persisted undetected for over three years, impacting Fortune 500 companies and resulting in significant revenue losses.

Investigation Findings

Research by Deep Specter revealed that Google Cloud and Cloudflare failed to act on threat intelligence regarding malicious domains, IP addresses, and SSL certificates. This oversight effectively enabled the continuation of illicit activities.

Technical Details

More than 48,000 virtual hosts across over 80 infrastructure clusters utilized expired, high-trust domains to disguise phishing sites or distribute gambling content. Despite 265 public detections, affected accounts were not suspended.

Lockheed Martin’s public website was cloned and served alongside illegal gambling content under the domain militaryfighterjet[.]com. This approach involved cloaking techniques to present legitimate content to bots while delivering phishing and gambling content to human users.

Scope and Scale

According to Censys and ZoomEye data, the phishing infrastructure expanded from 34 hosts in 2021 to nearly 2,800 by mid-2025, with a peak of 33,890 observations in March 2025. Each campaign paired high-reputation expired domains with brands based on industry keywords.

A total of 78 regular clusters were managed by eight hosts, rotating cloned sites and adjusting phishing payloads dynamically. Only 1,000 of the 48,000 hosts supported HTTPS with consistent TLS fingerprints.

Business and Regulatory Impact

Brands experienced duplicate-content SEO penalties, risking de-ranking of legitimate sites. The association with gambling and malware damaged reputations. Companies like Lockheed Martin faced potential GDPR breaches, DMCA logistics, and FTC scrutiny, leading to revenue declines and legal costs.

Deep Specter Research identified this operation as a phishing-as-a-service platform, evolving through seven generations of activity. Malware campaigns, including Windows executables and Android apps, communicated with these clusters, heightening the threat.

Recommendations

The research emphasizes the need for Google, Cloudflare, and affected brands to improve threat detection, monitoring, and account termination processes to prevent future phishing campaigns. Collaboration with legal and privacy experts is recommended to translate findings into actionable insights.

The report identifies two critical areas for improvement: infrastructure providers’ reluctance to act on threat intelligence, and enterprises’ need for proactive monitoring of their own digital footprints. This case underscores the importance of maintaining public trust and avoiding legal and financial repercussions.
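The two defensive ideas in this article, detecting cloaking (a site that shows crawlers one page and humans another) and spotting clones of a brand's own website as part of footprint monitoring, can be combined into one small check. The following is an added example written for this summary; it is not code from Deep Specter, Google, Cloudflare or the article. The brand name "Aerodyne Systems", the hostnames `brand.example`, `clone.example` and `other.example`, and all page contents are constructed so the script runs offline; the `fetch` callable is injected, so a real deployment would pass a function built on `urllib.request` and replace the constructed pages with live responses. It generalizes beyond the article's single example: any pair of user agents can be compared, and any reference page can serve as the brand baseline.

```python
"""Brand footprint check: flag hosts that cloak (bot vs browser differ) or
that mirror the brand's reference page (clone). Added example, not from the
article; all hostnames and page bodies below are constructed test data."""
import difflib
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

BOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"

# fetch(url, user_agent) -> response body as text
Fetch = Callable[[str, str], str]


def tokens(html: str) -> List[str]:
    """Reduce a page to its visible words: drop scripts/styles, tags, punctuation."""
    html = re.sub(r"(?is)<(script|style).*?</\1>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.findall(r"[a-z0-9]+", text.lower())


def similarity(a: str, b: str) -> float:
    """Word-sequence similarity in [0, 1]; autojunk off so short pages compare fairly."""
    return difflib.SequenceMatcher(None, tokens(a), tokens(b), autojunk=False).ratio()


@dataclass
class Verdict:
    host: str
    cloaked: bool            # crawler and browser received materially different pages
    cloned: bool             # the browser-facing page mirrors the brand reference
    bot_vs_browser: float
    browser_vs_brand: float


def assess_host(host: str, brand_reference: str, fetch: Fetch,
                cloak_threshold: float = 0.6, clone_threshold: float = 0.8) -> Verdict:
    """Fetch the host as a crawler and as a browser, then score both comparisons."""
    url = f"https://{host}/"
    as_bot = fetch(url, BOT_UA)
    as_browser = fetch(url, BROWSER_UA)
    bot_browser = similarity(as_bot, as_browser)
    browser_brand = similarity(as_browser, brand_reference)
    return Verdict(host,
                   cloaked=bot_browser < cloak_threshold,
                   cloned=browser_brand >= clone_threshold,
                   bot_vs_browser=round(bot_browser, 2),
                   browser_vs_brand=round(browser_brand, 2))


def scan(hosts: Iterable[str], owned: set, brand_reference: str, fetch: Fetch) -> List[Verdict]:
    """Return verdicts for every non-owned host that is cloaked or cloned."""
    flagged = []
    for host in hosts:
        if host in owned:            # the brand's own sites naturally match themselves
            continue
        v = assess_host(host, brand_reference, fetch)
        if v.cloaked or v.cloned:
            flagged.append(v)
    return flagged


# ---- constructed pages for the offline demo (fictional brand, not real sites) ----
BRAND_PAGE = """<html><head><title>Aerodyne Systems</title>
<script>track("home")</script></head>
<body><h1>Aerodyne Systems</h1>
<p>Aerodyne Systems designs and builds advanced aerospace platforms
for government and commercial customers worldwide.</p>
<a href="/careers">Careers</a> <a href="/news">Newsroom</a></body></html>"""

# What a human visitor of the clone sees: the brand page plus gambling promo and a login form.
CLONE_FOR_HUMANS = BRAND_PAGE.replace(
    "</body>",
    '<div class="promo">Play now: free casino bonus</div>\n'
    '<form action="/login">Sign in <input name="user">'
    '<input name="pass" type="password"></form></body>')

# What a crawler of the clone sees: harmless filler that keeps the domain's reputation.
DECOY_FOR_BOTS = """<html><head><title>Aviation history archive</title></head>
<body><p>An archive of public-domain articles about aviation history,
maintained by volunteers.</p></body></html>"""

UNRELATED_PAGE = """<html><head><title>Riverbend Bakery</title></head>
<body><p>Fresh bread and pastries baked daily in our family kitchen.</p></body></html>"""

CONSTRUCTED_SITES = {
    "brand.example": {BOT_UA: BRAND_PAGE, BROWSER_UA: BRAND_PAGE},
    "clone.example": {BOT_UA: DECOY_FOR_BOTS, BROWSER_UA: CLONE_FOR_HUMANS},
    "other.example": {BOT_UA: UNRELATED_PAGE, BROWSER_UA: UNRELATED_PAGE},
}


def constructed_fetch(url: str, user_agent: str) -> str:
    """Stand-in for a real HTTP fetch; serves the constructed pages above."""
    host = url.split("/")[2]
    return CONSTRUCTED_SITES[host][user_agent]


if __name__ == "__main__":
    for v in scan(CONSTRUCTED_SITES, {"brand.example"}, BRAND_PAGE, constructed_fetch):
        print(v)
```

The word-level comparison is deliberately coarse: it catches a page that reuses the brand's copy wholesale, which is what the article describes, while ignoring markup changes that would defeat a byte-for-byte hash. In production the owned set would hold every domain the brand controls, the host list would come from certificate transparency logs or a search-engine/ASM feed, and each flagged host would be reviewed before any takedown request.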
