Cloudflare abuse infrastructure (pages.dev/workers.dev) enables phishing and credential harvesting at scale

8/10 High

Cloudflare's free developer domains (pages.dev and workers.dev) have become a platform for brand-impersonation, phishing kits, and credential-harvesting campaigns. Pages.dev incidents rose 198% (460→1,370) and workers.dev by 104% (2,447→4,999) in 2024, with multiple security vendors documenting widespread abuse. Researchers report <30% takedown rates despite submitting hundreds of reports.

Category: security
Workaround: partial
Stage: monitoring
Freshness: worsening
Scope: single_lib
Upstream: open
Recurring: Yes
Buyer Type: enterprise
Maintainer: slow

Sources

Collection History

Query: “What are the most common pain points with Cloudflare for developers in 2025?” (4/8/2026)

pages.dev incidents rose by 198% (460 → 1,370) and workers.dev by 104% (2,447 → 4,999). Multiple security vendors (Fortra, Trustwave, CloudSEK) and independent researchers show brand‑impersonation and credential‑harvesting on Cloudflare infrastructure at scale.

Created: 4/8/2026
Updated: 4/8/2026