Most Abused Cloud Providers — Hosting Networks Used for Cyber Attacks
Which cloud and hosting providers have the most malicious IP addresses in our threat intelligence database
Cloud providers and hosting companies appear frequently in threat intelligence data — not because they are malicious, but because attackers exploit their infrastructure. Low-cost virtual machines, API-driven provisioning, and clean IP reputation make cloud platforms attractive to threat actors who spin up attack infrastructure, launch campaigns, and abandon instances before abuse reports are processed.
The table below ranks cloud and hosting providers by the number of unique malicious IP addresses observed in our threat intelligence network. This data is derived from multiple sources including community reports, automated detection systems, and curated blocklists.
| # | Provider / Network | ASN | Malicious IPs | Total Reports | Countries |
|---|---|---|---|---|---|
| 1 | DigitalOcean, LLC | AS14061 | 286,062 | 1,079,686 | 8 |
| 2 | Amazon.com, Inc. | AS16509 | 217,526 | 362,768 | 40 |
| 3 | AMAZON-02 | AS16509 | 121,781 | 3,340,087 | 33 |
| 4 | DIGITALOCEAN-ASN | AS14061 | 120,193 | 7,162,108 | 8 |
| 5 | Hangzhou Alibaba Advertising Co.,Ltd. | AS37963 | 72,252 | 651,801 | 1 |
| 6 | Google LLC | AS396982 | 65,982 | 196,844 | 28 |
| 7 | Microsoft Corporation | AS8075 | 56,616 | 207,553 | 34 |
| 8 | OVH SAS | AS16276 | 56,029 | 697,164 | 25 |
| 9 | Alibaba US Technology Co., Ltd. | AS45102 | 54,948 | 1,298,140 | 14 |
| 10 | Amazon.com, Inc. | AS14618 | 47,618 | 116,454 | 2 |
| 11 | Shenzhen Tencent Computer Systems Company Limited | AS45090 | 43,546 | 322,908 | 1 |
| 12 | GOOGLE-CLOUD-PLATFORM | AS396982 | 43,487 | 2,601,058 | 28 |
| 13 | Tencent Building, Kejizhongyi Avenue | AS132203 | 39,076 | 787,447 | 12 |
| 14 | MICROSOFT-CORP-MSN-AS-BLOCK | AS8075 | 36,583 | 1,834,273 | 31 |
| 15 | Hetzner Online GmbH | AS24940 | 33,590 | 421,892 | 4 |
| 16 | Oracle Corporation | AS31898 | 25,152 | 58,009 | 27 |
| 17 | Contabo GmbH | AS51167 | 19,972 | 497,775 | 3 |
| 18 | Cloudflare, Inc. | AS13335 | 16,623 | 86,160 | 95 |
| 19 | AMAZON-AES | AS14618 | 15,867 | 1,044,710 | 1 |
| 20 | IONOS SE | AS8560 | 8,872 | 240,780 | 6 |
| 21 | CLOUDFLARENET | AS13335 | 6,823 | 125,550 | 41 |
| 22 | Cloudflare London, LLC | AS209242 | 5,999 | 12,265 | 4 |
| 23 | GOOGLE | AS15169 | 5,151 | 254,806 | 17 |
| 24 | Hostinger International Limited | AS47583 | 4,495 | 98,084 | 12 |
| 25 | Google LLC | AS15169 | 4,453 | 9,882 | 23 |
| 26 | ORACLE-BMC-31898 | AS31898 | 4,349 | 243,002 | 24 |
| 27 | Contabo Inc. | AS40021 | 3,278 | 11,733 | 2 |
| 28 | Hetzner Online GmbH | AS212317 | 3,032 | 12,708 | 1 |
| 29 | Contabo Asia Private Limited | AS141995 | 2,999 | 67,326 | 6 |
| 30 | AS-VULTR | AS20473 | 2,793 | 72,337 | 20 |
Why Cloud Providers Are Abused
Cloud platforms are not inherently insecure, but several characteristics make them attractive to threat actors:
- Low cost and instant provisioning — Attackers can spin up virtual machines for a few dollars or use free-tier credits to launch attacks. API-driven provisioning means infrastructure can be created and destroyed programmatically, making it difficult to trace.
- Clean IP reputation — Newly provisioned cloud IPs often have no history in blocklists, allowing attackers to bypass reputation-based security controls until enough reports accumulate.
- Jurisdiction shopping — Global cloud providers operate in many regions. Attackers can deploy infrastructure in jurisdictions where abuse complaints are slow to process or where legal cooperation is limited.
- Scale and anonymity — Large cloud providers manage millions of IPs. Individual malicious instances are difficult to distinguish from legitimate workloads, and stolen payment methods are commonly used to create accounts.
What This Means for Security Teams
Seeing a major cloud provider on this list does not mean you should block all traffic from that network. These providers host millions of legitimate services — blocking an entire ASN like Amazon AWS would break access to countless websites and APIs.
Instead, security teams should:
- Use IP-level threat intelligence to identify and block specific malicious addresses rather than entire networks
- Apply enhanced monitoring for traffic from cloud providers, especially for authentication endpoints
- Implement rate limiting and behavioral analysis to detect automated attacks from cloud infrastructure
- Integrate the WAYSCloud API to check IPs in real time before allowing access
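The first three recommendations above, as added example code (not from this page and not the WAYSCloud API): block only listed addresses, and apply a stricter failed-login threshold to sources inside cloud ranges instead of blocking the ASN. The prefix-to-ASN map, the listed IP, the endpoint paths, the thresholds and the log events are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation prefixes (RFC 5737) stand in for
# cloud ranges; a real deployment loads an IP-to-ASN dataset instead.
CLOUD_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "AS14061",
    ipaddress.ip_network("198.51.100.0/24"): "AS16509",
}
# Constructed stand-in for an IP-level threat intelligence feed.
MALICIOUS_IPS = {"192.0.2.66"}
AUTH_PATHS = ("/login", "/api/token")   # assumed authentication endpoints
WINDOW_SECONDS, MAX_FAILURES = 60, 3    # assumed thresholds for cloud sources

# Constructed log events: (epoch seconds, source IP, path, HTTP status)
EVENTS = [
    (1000, "192.0.2.66", "/login", 401),      # listed IP
    (1001, "198.51.100.7", "/login", 401),    # cloud IP, burst of failures
    (1005, "198.51.100.7", "/login", 401),
    (1010, "198.51.100.7", "/api/token", 401),
    (1012, "198.51.100.20", "/login", 200),   # cloud IP, normal login
    (1015, "203.0.113.9", "/login", 401),     # non-cloud IP, one failure
]

def cloud_asn(ip):
    """Return the ASN tag if ip falls in a known cloud prefix, else None."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in CLOUD_PREFIXES.items() if addr in net), None)

def triage(events):
    """Decide per source IP: block (listed), challenge (cloud burst), allow."""
    failures = defaultdict(list)
    decisions = {}
    for ts, ip, path, status in sorted(events):
        if ip in MALICIOUS_IPS:
            decisions[ip] = "block"           # IP-level block, not the whole ASN
            continue
        decisions.setdefault(ip, "allow")
        if cloud_asn(ip) and path in AUTH_PATHS and status in (401, 403):
            recent = [t for t in failures[ip] if ts - t < WINDOW_SECONDS] + [ts]
            failures[ip] = recent
            if len(recent) >= MAX_FAILURES:
                decisions[ip] = "challenge"   # rate-limit or step-up auth
    return decisions

if __name__ == "__main__":
    for ip, decision in triage(EVENTS).items():
        print(ip, cloud_asn(ip) or "non-cloud", decision)
```

Sources outside the cloud prefixes are left to whatever baseline policy already applies; only the cloud-specific tightening is shown here.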