TL;DR
Canonical’s websites were taken offline by a cyberattack. The group that claimed responsibility said it used a service that bypasses Cloudflare protections. Allegations suggest possible blackmail involving Cloudflare’s infrastructure, but details remain unclear. The incident highlights the risks of CDN reliance.
Canonical’s main web services, including ubuntu.com and security advisories, were disrupted for approximately twenty hours after a cyberattack on 30 April 2026. The attack was claimed by a group using a commercial DDoS bypass service, raising questions about potential involvement of Cloudflare’s infrastructure in facilitating or enabling the attack.
On 30 April 2026, Canonical’s monitoring systems detected a service outage affecting key websites and APIs, including ubuntu.com, security.ubuntu.com, and the developer portal. The disruption lasted until 1 May 2026, when services were restored.
The group claiming responsibility said the attack used Beamed, a commercial DDoS mitigation bypass service that advertises techniques to defeat Cloudflare protections. Beamed’s domains, beamed.su and beamed.st, remain active and resolve to Cloudflare IP addresses, despite being used for malicious stress testing.
Notably, Canonical’s endpoints also resolve to Cloudflare addresses, as part of a paid customer relationship, raising questions about whether Cloudflare’s infrastructure was exploited or involved in the attack. The attacker, calling themselves the Islamic Cyber Resistance in Iraq, claimed to have used Beamed to stress test and attack targeted sites.
Why It Matters
This incident raises concerns about the security and integrity of CDN services like Cloudflare, especially when such infrastructure is used by both legitimate clients and malicious actors. If Cloudflare’s services are exploited for blackmail or attack facilitation, it could undermine trust in the platform and impact many organizations relying on its protection.
Furthermore, the allegations suggest possible complicity or negligence, which could have legal and reputational consequences for Cloudflare. The incident also underscores the risks of dependency on third-party infrastructure for critical online services.
Background
In April 2026, a self-described pro-Iranian hacking group claimed responsibility for a large-scale attack on Canonical, targeting its web infrastructure. The attack coincided with the publication of a blog post detailing methods to bypass Cloudflare’s protections, including residential IP rotation and manual endpoint hunting.
Beamed, the commercial service used in the attack, is promoted as capable of defeating Cloudflare’s ‘Under Attack Mode’ and ‘Bot Fight Mode.’ The service’s domains are registered through Immaterialism Limited, a UK-based registrar that also proxies through Cloudflare.
Further complicating the matter, the infrastructure hosting Beamed and related services, including its IP space, is operated through Cloudflare’s AS13335 network, which also hosts Canonical’s sites. The ownership and routing history of these IPs trace back through several entities, including companies associated with Pirate Bay founders and privacy-focused hosting providers.
“The use of Cloudflare’s infrastructure by both legitimate clients and malicious actors creates a complex security challenge that needs addressing.”
— Cybersecurity analyst
“We are investigating the incident and are cooperating with security authorities to understand the scope and impact.”
— Canonical spokesperson
“We do not tolerate misuse of our platform and are reviewing the incident to ensure compliance and security.”
— Cloudflare representative
What Remains Unclear
It remains unclear whether Cloudflare was complicit, negligent, or simply exploited without its knowledge. The extent of Cloudflare’s involvement in enabling the attack, whether through direct cooperation or oversight, is still under investigation. Additionally, the full scope of the attack’s impact and whether other services were involved are not yet confirmed.
What’s Next
Authorities and cybersecurity firms are expected to conduct detailed forensic analyses of the involved infrastructure. Cloudflare has announced it will review its security policies and cooperation protocols. Canonical is continuing its investigation, and further disclosures may clarify whether any legal or security breaches occurred.
Expect updates on the investigation’s findings, potential policy changes from Cloudflare, and possibly legal actions related to the incident.
Key Questions
Did Cloudflare knowingly facilitate the attack?
There is no confirmed evidence that Cloudflare knowingly facilitated the attack. The incident involves complex infrastructure and possible exploitation, but investigations are ongoing to determine Cloudflare’s role, if any.
Could this incident lead to legal action against Cloudflare or others?
Legal actions are possible if negligence or complicity is proven, but currently, no formal charges have been announced. The situation remains under review by authorities and legal experts.
What is Beamed, and how does it bypass Cloudflare protections?
Beamed is a commercial service that advertises techniques to defeat Cloudflare’s security measures, including residential IP rotation and manual endpoint hunting. Its domains are hosted on Cloudflare infrastructure, which complicates attribution and mitigation efforts.
Is Canonical’s infrastructure compromised or involved?
Canonical’s sites are hosted on Cloudflare, which was also used by the attacker’s service. It is not yet clear if Canonical’s infrastructure was exploited directly or if the attack was solely due to the use of Cloudflare’s platform by malicious actors.