Cloudflare may have provided service to terrorists, drug traffickers in violation of U.S. sanctions

The update to Cloudflare's regulatory filing comes just before the company's IPO on Sept. 13.
Cloudflare IPO
Cloudflare headquarters in San Francisco. (Getty Images)

Internet services and cybersecurity provider Cloudflare has acknowledged it may have violated U.S. sanctions by doing business with terrorist groups and international drug traffickers, an admission that comes as the San Francisco company prepares to go public as soon as this week.

Cloudflare voluntarily disclosed the possible economic and trade sanction violations to the U.S. Department of Treasury in its S-1 filing, amended to stipulate that Cloudflare technology was “used by, or for the benefit of, certain individuals or entities” named on the Office of Foreign Assets Control’s list of Specially Designated Nationals, as the Wall Street Journal first reported.

The filing does not name specific parties, saying only that the group includes “entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions.” A small number of those entities also made payments to Cloudflare.

The updated regulatory filing also notes that Cloudflare submitted a voluntary self-disclosure to the Census Bureau to notify the government it included “incorrect electronic export information” regarding hardware exports, a potential violation of foreign trade regulations. Few other details about that case were made available, though the disclosure comes after other security companies, namely Fortinet, have settled charges of intentionally mislabeling Chinese-made technology in violation of U.S. law.


Cloudflare offers distributed domain name server services, making it one of a few companies charged with ensuring vast swaths of the internet operate without interruption. It also provides mitigation for distributed denial-of-service (DDoS) attacks and says it blocks 44 billion cyberthreats per day. Top customers include IBM, the text and chat app Discord and the Chinese internet company Baidu.

The company filed its S-1 prospectus with the U.S. Securities and Exchange Commission on Aug. 15, announcing its intention to make stock available on the New York Stock Exchange under the “NET” symbol. Cloudflare listed a previous association with a white supremacist site and 8chan, a forum where hate speech is tolerated, as potential risk factors to its own business.

The firm is scheduled to make its initial public offering (IPO) on the market Friday with a price range of $10 to $12 per share. In its last funding round as a private company, Cloudflare raised $332.1 million in total funding, earning a valuation of $3.25 billion.

“If we are found to have violated the U.S. or foreign laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and fines,” the company states.

Latest Podcasts