Study: Nation-State Actors and Cybercriminals Shift from ‘Breaking In’ to ‘Logging In’
Cloudflare, Inc., a San Francisco-based cloud connectivity company, has issued a new research report suggesting that threat actors are using DDoS attacks of unprecedented scale, leveraging AI systems to exploit vulnerabilities, and continuing to strike at traditional weak spots like email to find ways to “log in” versus “break in.”
The inaugural 2026 “Cloudflare Threat Report” says that cybercriminals are not just crashing websites via DDoS; they are quietly infiltrating payroll systems and tricking software into trusting them. Threat actors are using Large Language Models (LLMs) to map networks in real time, develop new exploits, and create hyper-realistic deepfakes.
State-sponsored actors, specifically Salt Typhoon and Linen Typhoon, have shifted focus toward North American telecommunications, government entities, and IT services. These actors are shifting from traditional espionage to persistent pre-positioning — the act of installing code on the network or system of a rival state to allow for future attacks within U.S. critical infrastructure.
The report also says that North Korean operatives are using AI-generated deepfakes and fraudulent IDs to bypass hiring filters, embedding state-sponsored workers directly into Western corporate payrolls. Using U.S.-based “laptop farms,” these threat actors are masking their true location.
Meanwhile, large-scale botnets like Aisuru have evolved into nation-state-level threats capable of taking down an entire country’s networks. With record-breaking attacks reaching 31.4 Tbps, these high-speed strikes now demand fully autonomous defenses.
“Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims,” said Blake Darché, head of threat intelligence at Cloudflare. “To avoid being caught off guard, organizations must shift from a reactive posture to one fueled by real-time, actionable intelligence.”
The company says the report leverages telemetry from Cloudflare’s global network, which protects approximately 20% of the web, to drive threat research and operational response.
Channel Impact®
This report helps partners understand the scale of attacks and how threat actor aggression and techniques are shifting.