To increase awareness of the scale of attacks faced by organizations protected under the project, we’ve published the 11th anniversary Project Galileo Radar dashboard. The dashboard identifies the threat landscape targeting organizations to shed light on the risks facing civil society online and support a broader dialogue around digital safety and resilience. The dashboard also serves as a valuable resource for policymakers, researchers, and advocates working to protect public interest organizations worldwide.

This year, we broke down the dashboard into sections:

• Protecting global journalism and media organizations
• Protecting human rights and civil society organizations
• Protecting environmental groups and disaster relief response efforts
• Protecting social welfare and humanitarian organizations
• Traffic trends broken down by region and organization type

Our analysis for this dashboard spanned the period between May 1, 2024 and April 30, 2025.

• Our data indicates a growing trend in DDoS attacks against these organizations, becoming more common than attempts to exploit traditional web application vulnerabilities.
• Between May 1, 2024 to March 31, 2025, Cloudflare blocked 108.9 billion cyber threats against organizations protected under Project Galileo. This is an average of nearly 325.2 million cyber attacks per day over the 11 month period, and a 241% increase from our 2024 Radar report.
• Journalists and news organizations experienced the highest volume of attacks, with over 97 billion requests blocked as potential threats across 315 different organizations. The peak attack traffic was recorded on September 28, 2024. Ranked second was the Human Rights/Civil Society Organizations category, which saw 8.9 billion requests blocked, with peak attack activity occurring on October 8, 2024.
• Cloudflare onboarded the Belarusian Investigative Center, an independent journalism organization, on September 27, 2024, while it was already under attack. A major application-layer DDoS attack followed on September 28, generating over 28 billion requests in a single day.
• Many of the targets were investigative journalism outlets operating in regions under government pressure (such as Russia and Belarus), as well as NGOs focused on combating racism and extremism, and defending workers’ rights.
• Tech4Peace, a human rights organization focused on digital rights, was targeted by a 12-day attack beginning March 10, 2025, that delivered over 2.7 billion requests. The attack saw prolonged, lower-intensity attacks and short, high-intensity bursts. This deliberate variation in tactics reveals a coordinated approach, showing how attackers adapted their methods throughout the attack.

For this report, we took a similar approach to identifying attack trends for organizations under Project Galileo as we did last year. We separate these out into two key attack mitigations: DDoS mitigations and the Web Application Firewall mitigations. DDoS mitigation targets Layer 7 (application-layer) attacks, which involve malicious floods of requests designed to overwhelm a site and force it offline. We block these harmful requests, allowing legitimate traffic to pass and keep the site operational. In this report, "daily DDoS mitigations" refers to the total number of Layer 7 DDoS requests blocked by Cloudflare each day. For example, a small nonprofit might suddenly experience thousands of fake requests per second to its homepage making the site slow or completely unavailable to real visitors. This could happen during a fundraising campaign or after publishing a news article. Cloudflare’s DDoS mitigation automatically identifies and filters out this surge in malicious traffic, keeping the site online.

The second type of mitigation is requests blocked by the Web Application Firewall (WAF). Through Project Galileo, organizations get free access to Cloudflare's Business-level services, including the WAF, which protects websites from common threats like SQL injection and cross-site scripting by filtering HTTP traffic. These attacks often target input fields, such as donation forms or comment boxes, to steal data or redirect users. For example, an attacker might inject SQL code into a "Name" field or embed malicious JavaScript in a comment section. The WAF detects and blocks these threats before they reach the site. It also allows organizations to set custom rules based on traffic patterns or specific mitigation strategies. In this report, “malicious traffic” refers to attacks blocked by managed rules which are pre-configured protections against these types of threats.

A majority of the organizations we protect under Project Galileo are small non-profits that rely on volunteers and lack dedicated cybersecurity resources. Therefore, a traffic surge of 1 million requests per second, which might be manageable for a large bank or e-commerce site, could easily overwhelm and take down an organization under Project Galileo.

Project Galileo was originally launched to support free expression online. Over the last 11 years, it has grown beyond the scope of protecting independent media organizations to safeguard a range of public interest organizations around the world. A 2024 global survey by the Center for News, Technology & Innovation (CNTI) found that one in three journalists regularly face serious security risks. These threats include online harassment, cyberattacks, and surveillance, disproportionately affecting women and journalists from marginalized communities. Such risks not only compromise their digital presence but also endanger their personal safety, which shows the need for comprehensive digital security tools to help them stay safe online.

Overall, we protect 560 organizations that work in journalism and media around the world. We categorized these organizations as media and journals as they cover everything from politics and social issues to business and global events. This can include local news sites, radio stations, and independent media outlets. Over the course of the last year, Cloudflare mitigated 97 billion requests, an average of 290 million per day, against media organizations protected under Project Galileo.

Over the course of the year, we’ve seen an increase in attacks against journalism in Europe. For reference, in our dashboard last year, the daily spikes never crossed the threshold of 4 billion requests. This year, we have a multiple-day entry which surpasses that threshold by nearly 5 times. According to our data, DDoS traffic makes up 92.88% of mitigated traffic towards media organizations, with less than 6% of traffic identified as being blocked by the web application firewall. This clearly shows more DDoS attacks compared to WAF-blocked traffic, which attempts to exploit web vulnerabilities.

We can see this in the mitigation methods for journalism organizations, with the largest spike in requests mitigated by Cloudflare’s Layer 7 DDoS mitigation. Cloudflare’s Layer 7 DDoS protection detects malicious application-level traffic, like HTTP floods, using behavior analysis and machine learning. It then blocks or challenges suspicious requests in real time, keeping websites online without affecting legitimate users. At its peak, Cloudflare mitigated more than 28 billion requests for journalism organizations in September 2024.

When it came to the small percentage of requests to journalism organizations that were mitigated by the managed ruleset on the Web Application Firewall, 41.71% were classified as “HTTP Anomaly”. We’ve found this in previous reports. For context, requests for Web content (HTTP requests) have an expected structure, set of headers, and related values. Some attackers will send malformed requests, including anomalies like missing headers, unsupported request methods, using non-standard ports, or invalid character encoding. These requests are classified as "HTTP anomalies". These anomalous requests are frequently associated with unsophisticated attacks, and are automatically blocked by Cloudflare's WAF.

We also monitor levels of bot traffic, meaning any non-human Internet traffic, to help spot potential malicious activities. We identified a majority of the traffic to journalism organizations as human traffic.

As we were developing the report, we found an attack against the Belarusian Investigative Center, an independent nonprofit newsroom dedicated to exposing corruption and debunking disinformation from authoritarian regimes, primarily in Belarus and Russia. The organization applied to Project Galileo on September 27, 2024 and was quickly onboarded to Project Galileo. The attack was over a duration of 4 days with an average of 320 thousand requests per second, totaling 86 billion over the course of the attack. On September 28, the DDoS generated over 28 billion requests in a single day. More on the full attack and work of the organization can be found on our Project Galileo case study page.

This attack takes a different approach to the attack we’ve seen against organizations under the project as the strength of the attack lies in its duration, rather than intensity. For example, the attack against Meduza, a media organization covering stories in Russia and across Eastern Europe, had 7 million requests per second, with an attack duration of 7 minutes.

Human rights organizations are frequent targets of cyberattacks due to the sensitive nature of their work. By investigating and exposing government abuses, corporate misconduct, and human rights violations, they often find themselves at odds with powerful interests, particularly authoritarian regimes and corrupt actors seeking to silence dissent and avoid accountability. Unfortunately, many human rights groups, especially smaller ones, lack the resources to implement strong cybersecurity defenses, making cyber attacks an easy attack vector for those aiming to undermine their efforts. A majority of civil society organizations rely on donations and grants to fund their efforts, and, as the Global Cyber Alliance has published, this makes establishing long-term strategic cybersecurity solutions difficult to put in place.

In April 2025, Amnesty International reported that leaked internal government documents revealed a coordinated, state-sponsored cyber campaign in Thailand targeting civil society organizations, including Amnesty itself. Meanwhile, Access Now has raised alarm over recent U.S. funding cuts to digital security programs that directly support civil society and human rights defenders worldwide. These cuts threaten to erode the already limited protections available to at-risk groups, further exposing them to online surveillance, censorship, and cyberattacks at a time when such threats are rapidly increasing.

For this report, we identified 700 human rights and civil society organizations protected under Project Galileo around the world. A majority of these organizations work in advocacy, equality, and protection from abuse, offering legal support, documenting violations, and pushing for change. These organizations include UN Women Australia Tech4Peace, Bendayaa, Insight Crime, The Youth Initiative for Human Rights, and more.

Over the course of the last year, Cloudflare mitigated 8.9 billion requests, an average of 26.6 million per day, against human rights and civil society organizations protected under Project Galileo.

When we compare the types of attacks against journalism and media groups to human rights organizations, we see similar attack trends with DDoS requests overshadowing requests that were mitigated by the WAF. In some instances, as we see in October 2024, these spikes reach up to 1.4 billion requests.

For attacks against organizations under Project Galileo, we saw an attack against a large organization working in international human rights. On October 4, the organization saw an attack lasting 32 minutes during which nearly 90 million mitigation actions were recorded. On average, the system handled approximately 45,000 requests per second, with a peak rate of 97,000 requests per second.

A UK-based organization focused on countering far-right extremism experienced an attack over the span of 9 hours with a total of 638 million requests, averaging 19,690 requests per second. Although a short attack in duration, the strength of the attack lies in its intensity. As seen in the figure below, the attack was a concentrated effort building in increasing intensity over a short period of time.

Another attack against a human rights organization protected under Project Galileo was Tech4Peace. Tech4Peace (T4P) is a grassroots organization primarily working in Iraq and the border MENA region, dedicated to promoting peace by addressing digital threats such as misinformation, disinformation, and online violence. The organization is constantly under attack, as we’ve reported with them here, and this year is no different. An attack began on March 10, 2025, and continued for over 12 days, concluding on March 22, 2025. During this period, Tech4Peace received 2.7 billion requests, averaging 47 thousand requests per second. The attack peaked on March 10th, with traffic reaching 238 thousand requests per second. This was not a single attack but a series of several separate attacks.

These spikes, separated by at least a day, displayed a number of different patterns. Some of the attacks lasted a long period of time, but the highest point of traffic during those attacks was relatively low compared to others. Other attacks were short in duration but had very intense traffic. The initial attack during the 12 day period included both of these types of attacks, some long and less intense and other short and very intense. This diverse attack pattern indicates a deliberate, multi-layered strategy. The attackers varied their tactics, using sustained moderate traffic and intense bursts, suggesting different tools and strategic intent to breach Tech4Peace's defenses.

On October 8, 2024, the International Trade Union Confederation (ITUC) protected under Project Galileo, saw an attack that lasted for nearly 14 hours. During this period, ITUC's website received more than 1 billion requests, averaging 32,295 requests per second. The attack's intensity peaked at 13:50 UTC, with traffic reaching 46,166.67 requests per second. The attack was notable for its concentrated and relatively constant intensity, lasting for a large portion of the day. The ITUC, a global trade union federation, plays a crucial role in advocating for workers' rights and social justice.

On January 24th 2025, we also observed an attack on an advocacy organization fighting racism, lasting for nearly 4 days. During this attack, the website received over 64 million requests, with traffic averaging at 179,083 requests per second. This is not the first time we’ve seen advocacy organizations be the target of DDoS attacks, as we’ve previously blogged on cyberattacks against these groups increasing.

For this report, we identified over 800 social welfare organizations around the world that are protected under Project Galileo. These organizations support communities by delivering essential services such as food, housing, healthcare, and education. Their work focuses on aiding vulnerable populations, promoting social justice, and enhancing overall well-being. Among them are Muzeon, which preserves the history of the Jewish community in Cluj-Napoca, Romania; Veteran Brotherhood, which helps prevent veteran suicides by supporting those with PTSD; and Dream Girl Foundation, which provides healthcare and education to underprivileged girls in India. You can explore more organizations protected under Project Galileo here.

A study conducted in 2023 by the CyberPeace Institute, a long time partner for Project Galileo found that 41% of these non-profit organizations have been victims of a cyberattack in the past few years. The same study found that 56% of NGOs do not have a budget allocated for cybersecurity needs, while 70% do not believe they have the knowledge, skills, and resilience necessary to respond effectively to a cyberattack.

Over the course of the last year, Cloudflare mitigated 1.5 billion requests an average of 4.47 million requests per day against social welfare organizations protected under Project Galileo.

On January 25, 2025, we observed a sharp but brief DDoS attack that targeted The Great Orchestra of Christmas Charity, an organization in Poland dedicated to fundraising for public healthcare, especially for pediatric and elderly care. The attack occurred at 18:36 UTC and lasted only 2 minutes, concluding at 18:38 WEST. Despite its short duration, the attack was intense, with traffic peaking at 302,666.67 requests per second and averaging 154,611 requests. In total, 27,830,000 requests were recorded during this two-minute window. Their annual "Grand Finale" event, a major fundraising drive, was scheduled for January 26th, just one day after the attack.

Environmental organizations, including climate advocacy groups, are frequently targeted by cyberattacks. Under Project Galileo, we provide services to a range of groups that work in raising awareness on climate change, conducting scientific research to track environmental threats and promoting green solutions. Organizations including Greenpeace Canada Education Fund, Awaq in Colombia, and Citizens of the Great Barrier Reef in Australia who are protected under the project have seen these threats firsthand.

In addition to environmental organizations, many disaster relief groups also play a critical role in providing the public with vital information during crises. These groups often experience sudden surges in traffic and unexpected attacks during environmental disasters, as seen during the wildfires in Portugal with VOST Portugal, and with organizations like the Information Technology Disaster Resource Center, which supports disaster response efforts. These groups are among those receiving protection through Project Galileo.

For this report, we surveyed 159 environmental groups and disaster relief domains protected under Project Galileo. Over the course of the last year, Cloudflare mitigated more than 1 billion requests, an average of 3.7 million per day against organizations working in environmental issues and disaster relief under Project Galileo.

Similar to what we have observed for journalism and social welfare organizations, a majority of the attacks we saw against environmental organizations was associated with DDoS traffic, compared to threats mitigated by the Web Application Firewall. In this instance, custom firewall rules make up a portion of mitigation efforts. Custom firewall rules allow one to define specific security logic tailored to the application’s needs. In many cases, we see organizations implement custom rules based on traffic patterns they’ve seen or increased traffic they do not want to access the site.

When we dive deeper, we see that the threats that were blocked by the WAF are at 42.39% with vulnerability scanner and 27.36% with SQL injection. These are common web vulnerabilities that are automatically mitigated with the Cloudflare Managed ruleset on the WAF. Created by the Cloudflare security team, the Managed ruleset provides fast and effective protection for all of your applications. The ruleset is updated frequently to cover new vulnerabilities and reduce false positives.

For bot traffic, we saw a majority of the requests associated with human activity. As many of these organizations work in disaster relief, providing essential information during a crisis, it’s normal to see traffic categorized as human as it reflects real people seeking timely updates and resources during emergencies.

On July 12, 2024, we observed a sustained DDoS attack that targeted Pro Natura, Switzerland’s oldest conservation organisation, which oversees over 800 nature reserves across the country. The attack which began on July 12 and ended on August 1, 2024 reached a total of 373,050,000 requests, with an average of 94,205 requests. This was not a single attack but a series of several separate attacks, split into 9 chunks. These chunks of attack show a strategy with the varied intensity and duration of DDoS activity. This suggests the malicious actors may have changed their tactics attempting to knock Pro Natura offline. While this attack was comparably less intense than others found in this report, it demonstrates the importance of nonprofit organizations having access to suitable cybersecurity defences and solutions, as even these arguably smaller DDoS attacks have the potential to have large consequences.

We also observed a later DDoS attack on Pro Natura between December 5th, 2024 to January 12th, 2025, which culminated in 8.15 million requests. During this same period, two other environmental advocacy organizations saw DDoS attacks of 4.87 million and 7.21 million requests respectively.

For the past 3 years, Cloudflare has reported on cyber attacks and Internet resilience in Ukraine, with previous reporting found here. For Project Galileo, since the beginning of the Russian invasion and the progressing conflict, we have seen an increasing and ongoing number of organizations looking for our help to protect their websites and internal networks from cyber attacks. We have observed Ukrainian organizations as recurrent targets from cyber attacks, as previously reported here.

Currently, over 90 Ukrainian organizations are protected under Project Galileo, with the majority of them onboarded after the ongoing Russian invasion that began in March 2022. These organizations focus across a wide range of journalism, independent media, human rights advocacy, disaster relief, and social welfare issues.

Between December 11th, 2024, and January 11, 2025, we observed 3 spikes of DDoS traffic against Ukrainealarm.com, which provides real-time information on air, chemical, man-made, or other types of civil defense system alarms in Ukraine, and acts as an official source for the Ukrainian people for safety alerts. The first DDoS attack began at 17:14 UTC on December 11, 2024, lasting 5 minutes. The second chunk of DDoS activity lasted 1 minute at 00:12 UTC on January 10, 2025. The final attack lasted 8 minutes beginning at 14:25 UTC on January 11, 2025. Despite the staggered nature and relatively short durations of these attacks, they reached 49.72 million, 22.02 million, and 42.65 million requests respectively, totaling 114.39 million requests.

Another Ukrainian organization, alerts.in.ua, also experienced an attack on January 10, 2025. Alerts.in.ua is an interactive, real-time map of air-raid alerts in Ukraine, as well as alerts on artillery fire, street fighting, chemical, and nuclear threats. This attack totalled 46.65 million requests within 6 minutes, with an average of 459,166 requests per second. This short-lived attack, which consisted of 2 spikes of traffic, coincided within a minute of the attack made upon ukrainealarm.com, appearing to be a possible simultaneous attack on both sites. The DDoS attack occurred during a large-scale Russian drone attack on January 10, 2025, when 72 drones were launched against Ukraine, including strikes on Kyiv and Chernihiv. This suggests an attempt to disrupt access to real-time threat information during an actual emergency.

In terms of traffic trends to organizations under Project Galileo, Journalism organizations received the most traffic. This was followed by Social Welfare, which had the highest number of protected websites. Then came Environmental/Disaster Relief, and lastly, Human Rights/Civil Society Organizations.