
Cloudflare report: stolen session tokens, cloud abuse and record DDoS surge

Cloudflare says attackers are shifting to stealing session tokens and abusing cloud services, amid 47.1 million DDoS attacks in 2025 and 230 billion threats blocked daily.

Lisa Park
Source: www.itp.net

Cloudflare’s Cloudforce One unit says its inaugural 2026 Threat Report shows attackers moved from "breaking in" to "logging in" in 2025, exploiting stolen session tokens and trusted cloud services even as distributed denial of service activity set new records. The company says its network, which it estimates handles roughly 20 to 25 percent of global web traffic, blocked an average of 230 billion threats per day and recorded 47.1 million DDoS attacks last year.

The report frames a pragmatic shift in attacker behavior. Infostealer families such as LummaC2 are harvesting live session tokens from infected machines, enabling adversaries to bypass conventional defences, including many forms of multi-factor authentication, and to sell validated access to ransomware groups. Cloudflare cites a Verizon statistic that 54 percent of ransomware incidents in 2025 were traced to infostealer-enabled credential theft. The company linked the marketization of stolen logs and tokens to high-profile intrusions at organizations named in its analysis, including Jaguar Land Rover and Telefónica. In May 2025 Cloudforce One said it helped disrupt LummaC2 command infrastructure by deploying warning pages and taking action against accounts used to configure the malware.

DDoS volumes surged alongside identity theft. Cloudflare reported 19 new world records in 2025 and identified the single largest attack as a 31.4 terabits per second UDP flood by the Aisuru botnet in November 2025. Network-layer attacks more than tripled year over year, and most incidents lasted under 10 minutes, a cadence that Cloudflare warns shortens the practical window for human-led mitigation. The company estimates Aisuru and its successor Kimwolf control between one million and four million infected hosts; early 2026 mitigations saw more than 550 Kimwolf command-and-control nodes null-routed.

Cloudflare also documents the rising practice of using legitimate cloud, SaaS and platform tooling as attack infrastructure. The report calls this "offence by the system" or Living Off the Cloud and names Google Calendar, Dropbox and GitHub as examples of services abused to hide malicious activity. It highlights actors such as CrustyKrill, attributed in Cloudflare’s materials to Iran, for running SaaS-hosted phishing that uses Azure Web Apps and ONLYOFFICE to lend operations a veneer of legitimacy. The report warns of "LotX" reputation shields and AI tooling serving as force multipliers for delivery and scale.

AI-generated illustration

The company ties nation-state tradecraft to these trends as well. Cloudflare says North Korea has operationalized a remote-hire scheme that embeds fraudulent or deepfake personas on Western payrolls to conduct espionage and illicit revenue generation. Thread hijacking and business email compromise remain lucrative; Cloudflare flagged more than £91 million in attempted BEC thefts in 2025, a figure published in company summaries.

Blake Darché, head of threat intelligence at Cloudforce One, said, "Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organizations must shift from a reactive posture to one fueled by real-time, actionable intelligence." The report reiterates a core maxim from Cloudflare: "Security is no longer about keeping strangers out, it’s about proving that the users inside your network are who they say they are."

Cloudflare’s prescriptions emphasize identity-first and zero-trust architectures, phishing-resistant MFA such as FIDO2 passkeys, least-privilege audits of SaaS integrations, AI-aware data loss prevention, automated DDoS defences, and stronger remote-hire verification and segmentation. For public health systems, small local governments and under-resourced institutions, the report underscores an equity risk: increasingly automated, credential-focused attacks favor attackers with scale and leave smaller organizations with brittle defences. Policymakers and health system leaders will need targeted funding and coordinated incident response to protect critical services as attackers exploit identity and the cloud as infrastructure.
