← Back to Dashboard

Most Abused Cloud Providers — Hosting Networks Used for Cyber Attacks

Which cloud and hosting providers have the most malicious IP addresses in our threat intelligence database

Cloud providers and hosting companies appear frequently in threat intelligence data — not because they are malicious, but because attackers exploit their infrastructure. Low-cost virtual machines, API-driven provisioning, and clean IP reputation make cloud platforms attractive to threat actors who spin up attack infrastructure, launch campaigns, and abandon instances before abuse reports are processed.

The table below ranks cloud and hosting providers by the number of unique malicious IP addresses observed in our threat intelligence network. This data is derived from multiple sources including community reports, automated detection systems, and curated blocklists.

# Provider / Network ASN Malicious IPs Total Reports Countries
1 Amazon.com, Inc. AS16509 466,939 4,312,857 41
2 DigitalOcean, LLC AS14061 463,932 10,266,794 8
3 Google LLC AS396982 160,583 5,492,670 32
4 Amazon.com, Inc. AS14618 111,903 1,807,999 2
5 Microsoft Corporation AS8075 99,661 3,959,496 34
6 Alibaba US Technology Co., Ltd. AS45102 80,566 2,767,418 14
7 Hangzhou Alibaba Advertising Co.,Ltd. AS37963 78,769 1,029,315 1
8 OVH SAS AS16276 73,447 1,158,489 25
9 Shenzhen Tencent Computer Systems Company Limited AS45090 48,631 541,574 1
10 Tencent Building, Kejizhongyi Avenue AS132203 47,159 1,328,793 12
11 Hetzner Online GmbH AS24940 41,162 690,631 4
12 Oracle Corporation AS31898 34,672 564,075 27
13 Cloudflare, Inc. AS13335 29,944 326,840 96
14 Contabo GmbH AS51167 26,799 837,182 3
15 IONOS SE AS8560 11,325 375,316 6
16 Google LLC AS15169 10,375 286,815 25
17 Hostinger International Limited AS47583 6,625 182,978 12
18 Cloudflare London, LLC AS209242 6,262 13,145 6
19 Contabo Inc. AS40021 5,920 155,727 2
20 Contabo Asia Private Limited AS141995 3,922 110,915 7
21 Hetzner Online GmbH AS212317 3,202 19,051 1
22 Hetzner Online GmbH AS213230 1,978 47,851 1
23 Google Fiber Inc. AS16591 1,101 31,820 1
24 Cloudflare, Inc. AS14789 535 549 5
25 Amazon Data Services Ireland Ltd AS8987 356 1,248 1
26 Microsoft Corporation AS3598 353 739 2
27 Google LLC AS19527 306 2,306 4
28 Hetzner Online GmbH AS215859 285 6,964 1
29 GOOGLEWIFI AS36492 200 258 0
30 Google LLC AS394089 154 3,362 26

Why Cloud Providers Are Abused

Cloud platforms are not inherently insecure, but several characteristics make them attractive to threat actors:

  • Low cost and instant provisioning — Attackers can spin up virtual machines for a few dollars or use free-tier credits to launch attacks. API-driven provisioning means infrastructure can be created and destroyed programmatically, making it difficult to trace.
  • Clean IP reputation — Newly provisioned cloud IPs often have no history in blocklists, allowing attackers to bypass reputation-based security controls until enough reports accumulate.
  • Jurisdiction shopping — Global cloud providers operate in many regions. Attackers can deploy infrastructure in jurisdictions where abuse complaints are slow to process or where legal cooperation is limited.
  • Scale and anonymity — Large cloud providers manage millions of IPs. Individual malicious instances are difficult to distinguish from legitimate workloads, and stolen payment methods are commonly used to create accounts.

What This Means for Security Teams

Seeing a major cloud provider on this list does not mean you should block all traffic from that network. These providers host millions of legitimate services — blocking an entire ASN like Amazon AWS would break access to countless websites and APIs.

Instead, security teams should:

  • Use IP-level threat intelligence to identify and block specific malicious addresses rather than entire networks
  • Apply enhanced monitoring for traffic from cloud providers, especially for authentication endpoints
  • Implement rate limiting and behavioral analysis to detect automated attacks from cloud infrastructure
  • Integrate the WAYSCloud API to check IPs in real time before allowing access

Related Threat Intelligence

Why Cloud IPs Are Abused → ASN Threat Ranking → Top Malicious IPs → ASN Intelligence → API Documentation →