Keeping the Lights On: How Cloudflare Sustains Violent Extremism, Graphic Violence and Terrorism Online

Introduction: Cloudflare’s Role in High-Threat Digital Ecosystems

Cloudflare (NYSE: NET), an industry-leading internet infrastructure provider, has a record of providing critical web services to high-threat sites that peddle violent extremism and terrorism, raising longstanding questions about the adequacy of the company’s content policies and gaps in enforcement.

Research from the ADL Center on Extremism (COE) and the Center for Technology and Society (CTS) found that the San Francisco-based company currently serves as an infrastructure provider to:

• Gore forums like WatchPeopleDie, whose users have been tied to at least six violent attacks worldwide that have killed 12 people and injured scores more in just over two years 
• Sites dedicated to violent extremism and white supremacist accelerationism that venerate mass killers and collectively reach thousands of people
• Propaganda outlets for ISIS, a U.S.-designated foreign terrorist organization that has killed thousands in global terror attacks

Across these disparate platforms, antisemitic rhetoric is a recurring theme, ranging from the tropes and memes of extremist subcultures to the explicit calls for violence against Jews found in terrorist propaganda.

Cloudflare ensures these spaces maintain their online presence through a broad suite of services, including its widely used Content Delivery Network (CDN), which speeds up website load times by routing visitor traffic to the closest global caching server. Cloudflare’s analytics service lets webmasters measure traffic, while its domain registrar manages domain records that function as a phonebook for internet users. Cloudflare also provides a cybersecurity shield that protects sites from digital attacks. Together, these services help keep websites accessible, fast, and secure from disruptions that would otherwise knock them offline.

Cloudflare’s “Pass-Through” Defense

Cloudflare defends its role in the web infrastructure and security stack as a neutral "pass-through" utility that does not often “definitively store” content, which ostensibly precludes it from moderating content or offboarding customers at the infrastructure level.  

This approach contrasts with industry peers like Amazon Web Services (AWS), which maintain explicit prohibitions and termination mechanisms for content that incites violence or terrorism.

Report overview

This report details the real human impact of some of the sites Cloudflare sustains and evaluates the systemic policy and enforcement gaps that allow them to remain operational. 

This first section delves into the specific websites — by threat category — that Cloudflare continues to facilitate, alongside the physical violence linked to their user bases, based on COE research. It also presents ADL’s reporting efforts to Cloudflare and its response.

The second section examines Cloudflare’s history of inaction on bad-actor sites, the limits of its “pass-through” defense, and the reputational and legal risks the company has faced while largely evading accountability, per CTS research. 

The last section provides actionable recommendations for reforms Cloudflare should undertake, rooted in the position that the only effective means of turning off the lights on high-threat sites and disrupting these digital ecosystems of extremism is establishing and enforcing rigorous service termination policies for platforms that serve as catalysts for violent attacks.

Sites Dedicated to Graphic Violence and Extremism Supported by Cloudflare

I. The Gore-Extremism Nexus: Mass Murders and Antisemitic Manifestos

COE research has repeatedly identified a correlation between violent targeted attacks and participation in online ecosystems where graphic violence and extremist ideologies converge. These spaces expose users, often young people, to high volumes of graphic content, desensitizing them to violence and gore. Extremist content with narratives of white supremacy, antisemitism, violent misogyny, and other forms of hate also circulate freely alongside footage of extremist mass shootings and terror attacks. 

This gore-extremism nexus has created a fertile environment for radicalization that has cultivated would-be attackers.

 (Scott Olson/Getty Images)

A police officer walks in front of Abundant Life Christian School on December 16, 2024, in Madison, Wisconsin, where a student and teacher were killed in a shooting attack.

WatchPeopleDie (WPD)

The most prominent website at the intersection of violence, gore, and extremism is WatchPeopleDie, which claims some five million registered users. ADL research has tied at least six attacks over the past two years to users on the internet forum, established just four years ago. These attacks have resulted in 12 people killed and 134 injured.

Cloudflare has provided services to WPD since the forum’s founding in April 2022. The site allows users to post and view real images and videos of extreme violence, including murders, torture, rape, executions, beheadings, suicides, dismemberments, accidents, and animal killings.

The redistribution of extremist material, such as white supremacist and antisemitic manifestos, and videos of mass murders, is pervasive. Footage of the 2019 Christchurch Mosque and 2022 Buffalo Tops supermarket attacks has received hundreds of thousands of views and thousands of comments on the forum. Footage of the May 18, 2026, shooting attack at the Islamic Center of San Diego, in which three were killed, quickly made its way to WPD forums.

Attacks tied to WatchPeopleDie users include:

• The February 10, 2026, mass shooting at Tumbler Ridge Secondary School in British Columbia, Canada, in which an 18-year-old former student killed eight and injured 27. The shooter spent considerable time on WPD and described her consumption of death and violence videos as an addiction. She posted pictures and videos of her guns on the gore forum, including footage of herself shooting. Two months before her attack, she viewed the WPD profile associated with the 2024 Abundant Life school shooter.
• The September 10, 2025, school shooting at Evergreen High School in Evergreen, Colorado, in which a 16-year-old student injured two others. The attacker commented on WPD posts about mass shootings in Parkland, Florida, Buffalo, New York, and Quebec City, Canada.
• The January 22, 2025, school shooting at Antioch High School in Nashville, Tennessee, in which a 17-year-old killed one and injured another. The teenager posted a fan edit-style video to WPD featuring white supremacist mass killer Payton Gendron as a saint. He also followed several white supremacist accounts on the forum.
• The December 16, 2024, school shooting at Abundant Life Christian School in Madison, Wisconsin, where a 15-year-old student killed two and injured six. The teen followed multiple white supremacist accounts on WPD, including an account dedicated to Norwegian terrorist and mass killer Anders Breivik. She also followed an account associated with 764 and posted that she was considering targeting a predominantly black church.
• The April 2, 2024, school shooting at the Viertola school in Vantaa, Finland, where a 12-year-old student allegedly killed one fellow student and injured two more. According to Finnish law enforcement, the student visited WPD prior to his attack, where he searched for a school shooting fan edit that featured clips from several other school shootings, including at Sandy Hook, Columbine, and Uvalde.

Documenting Reality

Documenting Reality is another internet forum using Cloudflare’s infrastructure that sits at the gore-extremism nexus and has been connected to real-world violence. The forum hosts a huge array of violent content and related discussions with more than 198,000 threads, 7.7 million posts, and nearly 200,000 registered users. Different types of gore have dedicated sub-forums and threads on the website. Popular categories include “Real Death Pictures,” “Real Death Videos,” and “Real Street Fighting Videos.”

Antisemitism and other forms of hate are common on this forum as well. Using the forum’s search function, we found hundreds of results for slurs like k*ke (135 hits), n**ger (217 hits) and tr**ny (400 hits). Though slurs like these are often superficially censored by the platform, they still show up in searches. 

Like WatchPeopleDie, footage of extremist violence, including the 2019 El Paso, Texas Walmart shooting and the 2019 Christchurch, New Zealand Mosque shootings is readily available as well.

In July 2022, a man who was active on Documenting Reality opened fire on an Independence Day parade in Highland Park, Illinois, killing seven and wounding 48 others. The shooter posted graphic content to Documenting Reality even in the days leading up to the attack. 

While the ADL Center on Extremism does not define this person as an extremist, his online activity did reveal that he harbored racist and antisemitic sentiments. This, combined with his intense interest in deaths and killing exemplifies the pattern of intersection between gore and extremism in the radicalization process.

Violent Misogyny and Incel Subculture

Cloudflare provides CDN services to the largest involuntary celibate (i.e., incel) forum on the internet. With more than 37,000 members and 17.6 million posts, the Involuntary Celibate Forum is central to the violent misogynist incel subculture, serving as a gathering space for incels to discuss their ideology, react to world events, and venerate incel mass killers, whom they often lionize as “saints.”

The veneration of mass killers as “saints” within this subculture is an adoption of “saint culture,” which first emerged among white supremacist accelerationists in the late 2010s. By bestowing this title on perpetrators of violent attacks, they aim to inspire others to commit similar acts and achieve “sainthood” themselves.

The rhetoric on the forum notably overlaps with white supremacist accelerationism, antisemitism, transphobia, and other forms of hate alongside violent misogyny. The perpetrator of the January 2025 Antioch school shooting was a regular user on the website, in addition to WPD. The suspect in the September 2025 Evergreen school shooting used a picture of incel mass killer Elliot Rodger on his TikTok profile.

Countless threads on the forum with titles like “ER worship megathread [sic]” discuss and worship Rodger, who killed six and injured 14 others in a 2014 vehicle ramming attack and mass shooting. 

Users on the forum have posted similar threads about Alek Minassian, another violent incel who killed 11 and injured 15 others in a 2022 Toronto van attack. One user created a thread titled “St. Alek Minassian Day” on the anniversary of Minassian’s attack, while another posted “Alek Minassian is a hero.”

These attacks, the veneration of their perpetrators, and the subsequent saint culture that pervades this forum are contributing factors for future attacks. 

Rodger’s name and initials are often used as code for committing an incel-motivated attack, i.e., “I’m going to pull an ER one of these days.” Many threads on the forum discuss “pulling an ER,” including users expressing their urge to conduct an attack and weighing targets. Minassian referenced Rodger before his attack, for example.

II. Violent Extremism and Accelerationism: Neo-Nazi Narratives and Sabotage Manuals

Cloudflare’s infrastructure also sustains forums run and used by white supremacist accelerationists. These forums provide a space for ideological adherents to celebrate violence, share propaganda and operational tactics, and otherwise commiserate in hatred. Members openly express their support or desire for violence, creating concerning high-risk environments. 

Notably, propaganda materials produced by The Terrorgram Collective, a U.S. State Department-designated terrorist group, can also be found on some of these websites.

FashFront

FashFront uses Cloudflare’s CDN and analytics services to run its white supremacist accelerationist forum, established in June 2025 as a successor to the now-defunct Iron March forum, a platform previously central to the global neo-Nazi accelerationist movement. 

While comparatively smaller than its predecessors, FashFront’s active user base of over 800 members has generated some 44,500 posts, including operational guides for attacks and propaganda from groups advocating for the violent collapse of societal infrastructure.

“I don't urge anybody to do anything like that, but when it gets done, I won't disown them [...] I [kind] of welcome the chaos” — FashFront user quoting James Mason following the October 2025 stabbing attack at Manchester synagogue

On August 3, 2025, a FashFront user created a thread dedicated to propaganda published by current and former white supremacist accelerationist groups like the now-defunct neo-Nazi group Atomwaffen Division, The Base, and The Terrorgram Collective.  These groups have repeatedly been tied to white supremacist violence; the Terrorgram Collective, in particular, is a decentralized network of white supremacists who use internet propaganda and networking to promote terrorism.

In a February 7, 2026, post, a user shared a link to a “Sabotage Field Manual” which instructs readers on how to engage in various forms of sabotage, including attacks on critical infrastructure.

Following the stabbing attack at Manchester’s Heaton Park Hebrew Synagogue in October 2025, resulting in two deaths, FashFront users celebrated the assault in a thread. One user described it as “based,” a slang term expressing approval, while another suggested the attacker didn’t kill enough people. A third user quoted James Mason, a prominent neo-Nazi whose writings are considered influential in the white supremacist accelerationist community: “I don't urge anybody to do anything like that, but when it gets done, I won't disown them [...] I [kind] of welcome the chaos."

American Futurist

Cloudflare provides domain registrar, CDN, and analytics services to American Futurist, a prominent white supremacist accelerationist publishing group. Cloudflare actioned The American Futurist after ADL reported the website to the company, but then backpedaled and later replatformed the website.

Established by former members of the Atomwaffen Division and other defunct successors, like National Socialist Order and the National Socialist Resistance Front, the site serves as a repository for violent accelerationist and extremist propaganda, with an extensive library of texts that include books, archives of white supremacist content, and instructions on providing support to incarcerated white supremacists.

The site published articles by Atomwaffen Division founding member Brandon Russell, who in 2025 was sentenced to 20 years in prison for conspiring to destroy critical electrical infrastructure around Baltimore, Maryland. In 2022, the platform published an article in defense of Sam Woodward, an Atomwaffen member convicted of first-degree murder with a hate crime enhancement in the killing of Blaze Bernstein, a gay Jewish man. The site framed the murder as self-defense, calling for Woodward’s release and for the anniversary of the killing to be commemorated as "Sam Woodward Day."

More recent articles on American Futurist include explainers on how to navigate laws against terrorism and militia activity alongside antisemitic diatribes like a July 2025 post that declared “The American Revolution was Jewish” and “anti-White.”

III. Foreign Terrorist Organizations: Terror Propaganda and Calls for Violence Against Jews and Others

Internet records indicate that at least two ISIS propaganda outlets are currently using Cloudflare infrastructure. The Islamic State of Iraq and Syria (ISIS), a designated foreign terrorist organization, has claimed more than 17,000 attacks around the world, resulting in over 65,000 casualties, according to data from the Washington Institute. The terror group frequently touts these claims via websites that distribute photos and videos of executions and attacks and issue direct calls to followers to engage in violence. The ADL has noted an increase in Islamist terror incidents targeting the United States.

ISIS Archives and Incitement to Violence

One website located by researchers provides an archive of ISIS materials, including discussion of the organization’s hierarchy and leadership, threatening messages to governments (which often include executions), and other communiques. The website breaks down its content by region of the so-called Islamic State, so visitors can find videos of ISIS attacks by location.

The website also posts the terror group’s weekly newspaper, which regularly celebrates the beheading of civilians – and specifically Christian civilians – in Africa. The editorial section often calls for violence against Jews. 

Following the December 2025 Bondi Beach massacre in Sydney, Australia, the ISIS newspaper published an editorial titled “Sydney Pride,” celebrating the Hanukkah attack that killed 15 people. In another article, the publication urged Muslim immigrants in Europe to attack Jews and Christians with trucks and hammers if they could not acquire guns. 

This website also hosts ISIS video propaganda, including a January 2025 video produced by a known ISIS media production company that primarily consists of a series of close-up field executions and includes an image of the ISIS flag.

A second ISIS propaganda website identified by ADL to be using Cloudflare services hosts the terror group’s weekly newsletter, which also regularly celebrates the beheadings and suicide attacks, and encourages violence. Videos hosted on the website are produced by ISIS propagandists and include calls to violence against Jews and other non-Muslims, as well as graphically violent gore content. 

This website hosts sermons and exhortations from famous ISIS figures, particularly those who have been killed. For example, the website features a 2024 sermon by ISIS spokesman Abu Hudayfa al-Ansari titled “And Kill Them Wherever You Find Them,” in which he describes the war against Israel as also being a religious war against all Jews everywhere.

ADL Evaluation of Reporting Mechanisms and Transparency Gaps

ADL routinely tracks the landscape of hate, extremism, and terrorism online. As part of long-term monitoring and reporting into the infrastructure facilitating extremism, ADL researchers submitted formal flags of harmful content on the websites covered in this report through Cloudflare’s official reporting mechanism.

 This evaluation revealed several barriers to reporting high-threat content:

• Cloudflare’s reporting form entirely lacked abuse categories for graphic violence, violent extremism or terrorism. The most relevant reporting category available, “Violent Threats and Harassment,” woefully understates the harms of these websites. 
• Cloudflare did not substantively respond to three of ADL’s reports. In a fourth reply, it deferred responsibility to the origin hosting provider, citing its so-called “pass-through” status. 
• In the case of the two ISIS websites reported by ADL, Cloudflare requested additional information to prove the allegations of abuse, despite both homepages prominently featuring ISIS iconography, footage, and propaganda.
• Cloudflare took action on The American Futurist in response to our report, but subsequently reversed course and replatformed the website. This highlights the seeming lack of standardized policies and consistent enforcement that allow high-threat websites to operate freely.

Transparency and Data Omission

Cloudflare’s inadequate approach to reporting also extends to its public accounting. While Cloudflare releases semi-annual transparency documents, offering details and metrics on abuse reports and government requests, it excludes most private-sector reports, such as the ones submitted by ADL regarding its "pass-through" services. Cloudflare only lists “pass-through” abuse reports it received from government agencies or those that involve technical abuse.

Cloudflare acknowledges that these services represent a majority of the reports it receives, yet it omits most of this reporting data from public documentation. 

This reporting structure allows Cloudflare to project an image of responsibility and transparency while effectively obscuring the true scale of high-threat content relying on its infrastructure.

Policy and Advocacy

Cloudflare’s Policy of Inaction and Evasion

Cloudflare frames its services as an invisible “utility” that does not “store” content, effectively abdicating responsibility for the platforms it keeps accessible and protected. This positioning creates a self-imposed barrier to enforcement, as the company argues that offboarding customers is a disproportionate response to content concerns.

Unlike industry peers, the company does not specifically prohibit websites dedicated to graphic violence or violent extremism, and only a small subset of its services, namely those that Cloudflare considers to “store” content, maintains policies that prohibit content that incites or exploits violence. Its policies bar sanctioned entities like foreign terrorist organizations (FTOs), but this language has not translated to effective enforcement.

This inadequate internal policy framework has allowed for a long record of extending services to sites whose primary function is the promotion of violent extremism and graphic content. 

Legal and Compliance Risks

Cloudflare's policies have exposed the company to documented legal and compliance risks. Researchers and activists have repeatedly flagged that Cloudflare has facilitated websites tied to FTOs. In 2019, Cloudflare self-disclosed to the U.S. Department of the Treasury and disclosed to regulators that it may have violated sanctions law, in part, by providing services to individuals sanctioned by the U.S. for their involvement in designated terrorist groups. In April 2026, the Treasury’s Office of Foreign Assets Control (OFAC) closed its review without penalties or further action, according to Cloudflare’s May 8, 2026, quarterly report. Despite this closure, propaganda sites for ISIS, a foreign terrorist organization, continue to operate via Cloudflare.

In November 2024, Cloudflare was hit with a lawsuit brought by victims of the 2014 terrorist attack at the Kehilat Bnei Torah Synagogue in Jerusalem and their families for providing cybersecurity services to the website of the Popular Front for the Liberation of Palestine (PFLP). The dozens of plaintiffs who brought the ongoing lawsuit under the Antiterrorism Act are claiming that Cloudflare knowingly provided services to a designated foreign terrorist organization, violating federal law, and therein “knowingly aided and abetted the PFLP to commit the Terrorist Attack [sic].”

“Cloudflare purposely provided the PFLP with cybersecurity, and cyber protection and concealment services, which Cloudflare knew would – and in fact did – enable, facilitate, support and assist the PFLP to commit terror attacks,” says a lawsuit against Cloudflare

Such events continue to expose Cloudflare to reputational harm and potential liability.

Contrast with Industry Peers

The company’s failure to establish clear, proactive boundaries contrasts with competitors who place more robust guardrails against extremism and terrorism. AWS, for example, prohibits customers from using their services to “threaten, incite, promote, or actively encourage violence, terrorism, or other serious harm.” Vercel, another industry peer, prohibits content that “threatens, promotes, or enables violence, terrorism or other serious harm.” They also bar “graphic or violent” content and hate speech. 

While not comprehensive, these policies are well beyond Cloudflare’s lackluster policy framework.

Inconsistent Enforcement

In the absence of clear mechanisms and policies, Cloudflare’s enforcement actions have largely been reactive, inconsistent, and often arbitrary.

Action against notable extremist websites and the termination of services to them has often occurred only in response to considerable public pressure or tragic events. 

Cloudflare took action against extremist site 8chan (later rebranded as 8kun) after a third white supremacist mass shooting was tied to the forum in a six-month span in 2019. The forum is notorious for white supremacist, antisemitic, and graphically violent content.

In 2017, Cloudflare terminated services to The Daily Stormer, a neo-Nazi blog, only after the site publicly suggested Cloudflare may be sympathetic to its beliefs. Other infrastructure providers quickly booted the site after it called on readers to harass attendees at the funeral of Heather Heyer, a counter-protester who was killed following the 2017 Unite the Right rally.

In 2022, Cloudflare finally blocked access to KiwiFarms, a forum focused on targeted online harassment, stalking and intimidation, and doxing of individuals, citing “imminent threats to human life posted to the site.”  The company had initially resisted growing public pressure to take action. At least three deaths by suicide had been tied to activity on KiwiFarms. The forum has also rehosted footage of extremist attacks and their associated manifestos, including content connected to the Christchurch mosque shootings.

The Limits of Cloudflare’s “Pass-Through” Defense

Cloudflare’s primary defense shifts the burden of moderation to others in the internet ecosystem, like web hosts and site owners — a framework that assumes a "good faith" internet stack that does not exist for extremist websites.

The concepts of “pass-through services” and definitive storage are abstractions of the technical realities of Cloudflare’s role in supporting these websites. While Cloudflare is not the web host for these websites and is not “definitively storing” the contents of the website (as the company would say), copies of the websites’ content are being cached on (i.e., stored) and served by Cloudflare’s CDN servers. Without Cloudflare’s authoritative DNS records and domain registration services, sites would not be easily accessible. 

Furthermore, Cloudflare’s cybersecurity tools provide a critical layer, protecting high-threat sites from the digital disruptions that would otherwise render them unviable.

Cloudflare’s argument that moderation should occur with web hosts or website owners fails when applied to websites dedicated to extremism or terrorism. Such platforms are often hosted at offshore webhosts, sometimes referred to as “bulletproof” webhosts. These companies exist entirely to flout legal jurisdictions and responsibilities to police content, and they cannot be expected to act responsibly. 

Similarly, sites dedicated to the promotion of violence or sanctioned terror cannot be expected to self-moderate.

While a scalpel approach may be appropriate for websites with a mix of benign and harmful content, withdrawing infrastructure support for websites dedicated solely to inciting or celebrating violence and harm is the only effective way to turn off the lights.

Conclusion and Recommendations

To address the systemic exploitation of its infrastructure by high-threat actors, Cloudflare must move beyond its reactive "pass-through" framework and adopt proactive moderation practices to ensure safety and accountability.

1. Formalize content prohibitions: Cloudflare has an imperative to institute policies that prohibit websites whose primary purpose is to spread targeted hatred, extremism or terrorism.
2. Update reporting for the modern threat landscape: Cloudflare should establish reliable reporting mechanisms for civil society and trusted partners that include proper labeling for extremist and terrorist websites using Cloudflare services. 
3. Establish moderation standards for violent networks: Implement a more responsible moderation standard for websites tied to organized violence to inhibit their ability to expand their influence across the broader internet.
4. Enhance transparency and accountability: To ensure accountability, the company’s future transparency reports must also be expanded to include all abuse data for its pass-through services — a critical category into which there is currently little visibility.
5. Withdraw operational support: The continued technical facilitation of high-threat websites allows them to maintain long-term operational presence, enabling mainstream visibility. By withdrawing critical support, Cloudflare can effectively disrupt threats that would otherwise continue to emanate from these online spaces.