An industrial-scale phishing campaign exploiting Google Cloud and Cloudflare infrastructure operated in plain sight for more than three years, targeting Fortune 500 companies and siphoning millions in potential revenue while evading detection.
Deep Specter Research’s investigation reveals the depth of this willful blindness and its far-reaching consequences for brands, regulators, and end users.
Google Cloud (Nasdaq: GOOG) and Cloudflare (NYSE: NET) collectively power a vast portion of the internet. When threat intelligence flagged malicious domains, IP addresses, and SSL certificates linked to phishing and malware operations, both providers failed to act.
This inaction transformed them from neutral intermediaries into de facto enablers of illicit activity.
Over 48,000 virtual hosts across more than 80 infrastructure clusters leveraged expired, high-trust domains to cloak phishing sites or serve gambling content.
Despite more than 265 public detections, neither company suspended or terminated the abusive accounts.
Lockheed Martin emerged as a prime victim, with its entire public website cloned and served alongside illegal gambling pages under the domain militaryfighterjet[.]com.
Attackers acquired the expired domain and deployed a “cloak” that presented clean content to bots and search engines and illicit content to human visitors.
The result: phishing pages mimicked employee login portals and partner interfaces, while unauthorized gambling services masqueraded under the same URL.
This combination of black-hat SEO and cloaking violated search engine guidelines, posed severe security risks, and eroded user trust.
Scope and Scale
Censys and ZoomEye data show that the phishing infrastructure grew steadily from 34 hosts in 2021 to nearly 2,800 by mid-2025, peaking at 33,890 observations in March 2025.

Each clone campaign paired a high-reputation expired domain with a matching brand based on industry keywords—military sites with defense contractors, healthcare domains with hospitals, even pet-food shop domains with unrelated clone content.
Eight “management” hosts directed 78 regular clusters, rotating cloned sites and dynamically shifting phishing payloads.
Only 1,000 of the 48,000 hosts supported HTTPS, but those that did exhibited consistent TLS fingerprints.
Business and Regulatory Impact
Brands faced serious fallout. Duplicate-content SEO penalties risked de-ranking legitimate sites, while association with gambling or malware tarnished reputations.
The ongoing “whack-a-mole” challenge of monitoring external resources—such as Amazon S3 or Google Analytics assets not copied by HTTrack—underscores the complexity of enforcement.
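Assets that an HTTrack clone does not copy are still fetched from the brand's own servers, so the brand's access logs can show which foreign sites are embedding them. The Python code below is an added example, not code from Deep Specter Research; the owned-domain list, the Combined Log Format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: domains the brand itself operates (placeholder names).
OWNED = {"brand.example", "brand-cdn.example"}

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines, not taken from the investigation.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2025:10:01:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://www.brand.example/" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2025:10:01:05 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "https://expired-domain.example/careers/login.html" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2025:10:01:06 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://expired-domain.example/careers/login.html" "Mozilla/5.0"
192.0.2.44 - - [03/Mar/2025:10:02:11 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "curl/8.5.0"
192.0.2.80 - - [03/Mar/2025:10:03:40 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "https://brand.example.lookalike.example/" "Mozilla/5.0"
this line is truncated and must be skipped
"""

def is_owned(host, owned=OWNED):
    """True for an owned domain or one of its subdomains (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)

def foreign_referers(log_text, owned=OWNED):
    """Count asset requests whose Referer host is not one of the brand's domains."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed or truncated line
        ref = m.group("referer")
        if ref in ("", "-"):
            continue  # no Referer: direct fetch or stripped by policy
        host = urlsplit(ref).hostname
        if host and not is_owned(host, owned):
            hits[host] += 1
    return hits

if __name__ == "__main__":
    for host, count in foreign_referers(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {host}")
```

Browsers can omit the Referer header under a strict referrer policy, so an empty result does not rule out a clone.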
2025: 2,791 hosts (56,075 observations, 3 identified as malicious). March registered the maximum across all years: 33,890 observations, 1,997 hosts.

Companies like Lockheed Martin, through no fault of their own, could face GDPR breaches, DMCA logistics, and FTC scrutiny. Loss of organic traffic translated to measurable revenue declines, and legal costs for takedown actions added to financial burdens.
Deep Specter Research assesses this operation as a successful phishing-as-a-service platform, continuously evolving through at least seven distinct generations of activity.
Malware campaigns worldwide, including Windows executables and Android apps, communicated with these clusters, amplifying the threat.
A single cluster targeting one organization encompassed nearly 6,000 virtual hosts—indicative of next-level breach potential.
This case highlights a critical gap: infrastructure providers’ reluctance or inability to act promptly on flagged threat intelligence, and enterprises’ need for proactive monitoring of their digital fingerprints.
Deep Specter Research collaborates with legal experts and privacy advocates to translate these technical findings into actionable regulatory and business insights.
The research urges Google, Cloudflare, and affected brands to enhance threat detection, close monitoring loops, and enforce strict account terminations to thwart future large-scale phishing campaigns.
Ultimately, this saga serves as a warning: when those who carry the backbone of the internet ignore clear signs of abuse, they risk not only public trust but also legal and financial repercussions on an unprecedented scale.