Cloud Platforms Are Increasingly Used by Cybercriminals—Study Reveals Strategic Misuse Trends
Cloud platforms are becoming a double-edged sword for Internet security, as cybercriminals increasingly exploit these services while shifting to hybrid infrastructures, according to a recent study by researchers at the University of Twente. The findings expose a strategic evolution in how malicious actors leverage cloud services, focusing on selective use rather than full-stack deployments to avoid detection.
Key Findings: Cybercriminals Shift to Hybrid Cloud Use

The study, titled “Double-Edged Sword: An Empirical Study on the Contribution of Cloud Providers in Malicious Infrastructure,” analyzed domain infrastructure across five leading cloud providers using DNS data from OpenINTEL. Researchers compared usage patterns of malicious (blocked) and benign domains in 2021 and 2025, uncovering critical trends in cloud adoption.
While overall domain adoption of cloud services remained stable, attackers are pivoting to a hybrid approach. Malicious actors increasingly use cloud services for particular functions, such as web hosting, rather than migrating their infrastructure in full. For instance, the proportion of blocked domains relying solely on cloud-based resources has dropped, while reliance on partial cloud setups has grown significantly.
This shift may help operators evade detection and reduce dependence on any single cloud provider, adding complexity to abuse mitigation efforts.
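To make the full-cloud versus hybrid distinction concrete, the following is an added example, not the study's code or methodology. It labels a domain from the addresses behind its web, DNS and mail records; the prefix table, the sample records and the label names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed prefix table: RFC 5737 documentation ranges stand in for
# cloud provider address space (assumption, not real provider ranges).
CLOUD_PREFIXES = {
    "provider-a": [ipaddress.ip_network("192.0.2.0/24")],
    "provider-b": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample: resolved addresses per function for each domain.
# web = A records, dns = NS host addresses, mail = MX host addresses.
SAMPLE = [
    {"domain": "blocked-1.example", "blocked": True,
     "web": ["192.0.2.10"], "dns": ["203.0.113.5"], "mail": ["203.0.113.9"]},
    {"domain": "blocked-2.example", "blocked": True,
     "web": ["198.51.100.7"], "dns": ["198.51.100.53"], "mail": ["192.0.2.25"]},
    {"domain": "benign-1.example", "blocked": False,
     "web": ["203.0.113.80"], "dns": ["203.0.113.53"], "mail": []},
    {"domain": "benign-2.example", "blocked": False,
     "web": ["192.0.2.80"], "dns": ["192.0.2.53"], "mail": ["203.0.113.25"]},
]

def provider_of(addr):
    """Return the provider whose prefix contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, nets in CLOUD_PREFIXES.items():
        if any(ip in net for net in nets):
            return name
    return None

def classify(record):
    """Return (label, functions that touch cloud address space)."""
    hits = {f: [provider_of(a) is not None for a in record[f]]
            for f in ("web", "dns", "mail")}
    flat = [h for flags in hits.values() for h in flags]
    cloud_functions = sorted(f for f, flags in hits.items() if any(flags))
    if flat and all(flat):
        return "full-cloud", cloud_functions
    return ("hybrid" if any(flat) else "non-cloud"), cloud_functions

def shares(records, blocked):
    """Fraction of each label among blocked (or benign) domains."""
    group = [classify(r)[0] for r in records if r["blocked"] == blocked]
    if not group:
        return {}
    return {label: group.count(label) / len(group) for label in sorted(set(group))}
```

Running the same classification over snapshots from two different years and comparing the output of shares for blocked and benign domains gives the kind of comparison the study describes.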
Cloud Ecosystem: Diverse Providers, Complex Challenges

The report emphasizes that malicious infrastructure is widely distributed across a range of cloud providers, not concentrated among market leaders like AWS, Google Cloud, and Azure. This dispersion prevents a single-point solution for abuse mitigation. Interestingly, having a dominant market share does not correspond to hosting a high concentration of malicious domains. Instead, factors like security policies, abuse response mechanisms, and provider transparency play critical roles in mitigating misuse.
At the geographic level, the study identified significant disparities in abuse patterns by country. Nations like China and Russia consistently show higher ratios of malicious activity relative to the general hosting footprint. This suggests a localized concentration of abuse, particularly in web hosting, DNS, and email infrastructure.
Implications for Internet Policy and Security Teams

The findings highlight the increasing complexity of securing shared cloud infrastructure. While cloud services are integral to enabling scalability and cost-efficiency for legitimate users, their misuse poses significant risks to the Open Internet. The pivot to hybrid cloud setups underscores the need for updated defensive measures that address the evolving strategies of cybercriminals.
Researchers argue that successful mitigation will depend heavily on providers implementing stricter security practices and governments enacting policies to bolster international cooperation in tackling abuse.
At its core, the study reinforces the double-edged nature of cloud computing: it is foundational to modern Internet services but also a tool for exploitation if safeguards lag behind.
For a detailed analysis and the methodology, read the full study at Internet Society Pulse.