Crucially, the FSB’s statement did not accuse Cloudflare and Fastly employees of writing the malware or directly orchestrating the hacks. Instead, the agency claimed that the “technical capabilities” of these companies were “used” in the operation—a phrase broad enough to imply their content delivery networks, security services, or reverse-proxy infrastructure played a role in data exfiltration or communication. To accompany the announcement, the FSB released video footage of Cloudflare’s office in San Francisco, Fastly’s locations in San Francisco and London, and an unidentified building in New York, implying a connection to the spyware’s development or operational control.
The FSB did not explicitly name the United States but highlighted that British government ministries, including the Ministry of Defence, were clients of Cloudflare’s and Fastly’s network security services. Russian state media nevertheless characterized the scheme as being orchestrated by “U.S. and British intelligence”.
No independent investigation has verified any part of the claim. Neither Cloudflare nor Fastly has publicly commented on the specific allegation, and the FSB did not release forensic evidence of the malware, network logs showing traffic flows through the accused infrastructure, or technical detail linking server-side configurations to a spying operation. The U.S. Department of Justice has previously indicted FSB officers for directing criminal hacking operations, including the compromise of millions of Yahoo accounts, underscoring the FSB’s own role as an offensive cyber actor and making its unverified claims the assertion of an active rival intelligence service.
This is not the first time the FSB has accused Western technology companies of being active participants in intelligence operations. In June 2023, the FSB claimed that the U.S. National Security Agency had exploited a vulnerability in Apple iPhones to compromise the devices of thousands of Russian citizens and foreign diplomats, and it publicly stated that Apple had “cooperated” with the NSA for the attacks. Apple denied the allegation, and no supporting forensic evidence was made public. The structural similarity is striking: an unsubstantiated claim that a prominent Western technology company’s infrastructure or software is a direct instrument of state espionage, delivered with video or photographic material but no verifiable technical data.
The FSB’s allegation of phone-hacking collusion lands in the middle of a documented, year-long Russian government campaign to throttle, block, and discredit Cloudflare.
In October 2024, Roskomnadzor—Russia’s federal communications watchdog—blocked thousands of websites using Cloudflare’s Encrypted Client Hello (ECH) protocol, a TLS extension that encrypts the initial handshake and makes it difficult for a network operator to see which website a user is visiting. At the time, the regulator stated that ECH “violates” Russian regulations governing the ability to inspect traffic.
On March 20, 2025, the campaign escalated dramatically when Roskomnadzor temporarily blocked entire Cloudflare subnet ranges—comprising more than 500,000 IP addresses, with a technical expert from Russian digital rights group Roskomsvoboda estimating that around 1.5 million IP addresses were affected across multiple regions. The block caused widespread outages for online banking systems including Sberbank and Alfa-Bank, government portals, communication apps, and gaming services—all of which relied on Cloudflare’s CDN. When users and businesses reported the disruptions, Roskomnadzor blamed “foreign server infrastructure” and recommended that Russian organizations migrate to domestic hosting providers.
The most sustained technical attack began on June 9, 2025, when major Russian ISPs—including Rostelecom, Megafon, Vimpelcom, MTS, and MGTS—initiated a nationwide throttling campaign against all Cloudflare-proxied traffic. The throttling was surgical: it allowed end-user devices to download only the first 16 kilobytes of any web asset before severing the connection. For a modern browser, 16 KB is enough to render perhaps a single HTTP header and the first few lines of text, but nowhere near enough to load a functioning page, a script, or a stylesheet. The result was that millions of websites protected by Cloudflare effectively disappeared for users inside Russia, while the websites gave the illusion of being reachable to casual network checks.
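The gap between a casual reachability check and the 16 KB cutoff described above can be made concrete with a small measurement classifier. This is an added example, not code from Cloudflare or any monitoring project; the `Fetch` record, the 4 KB tolerance, the reading of 16 KB as 16 × 1024 bytes, and the sample observations are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

CAP = 16 * 1024        # the 16 KB cutoff described in the article (assumed 1024-byte KB)
TOLERANCE = 4 * 1024   # assumed slack for segment boundaries around the cutoff

@dataclass
class Fetch:               # hypothetical record of one download attempt
    url: str
    connected: bool        # TCP/TLS handshake completed
    status: Optional[int]  # HTTP status, None if no response headers arrived
    declared: int          # Content-Length announced by the server
    received: int          # body bytes actually read
    ending: str            # "complete", "reset" or "timeout"

def casual_check(f: Fetch) -> bool:
    """What a naive uptime probe sees: a handshake and a 200 status."""
    return f.connected and f.status == 200

def truncated_at_cap(f: Fetch) -> bool:
    """A body larger than the cap that dies within TOLERANCE of it."""
    return (casual_check(f) and f.declared > CAP + TOLERANCE
            and f.ending != "complete"
            and abs(f.received - CAP) <= TOLERANCE)

def classify(fetches: list[Fetch]) -> str:
    """Compare small and large assets fetched from the same vantage point."""
    large = [f for f in fetches if f.declared > CAP + TOLERANCE]
    small = [f for f in fetches if f.declared <= CAP]
    if not large:
        return "inconclusive"  # nothing big enough to expose a size cap
    cut = [f for f in large if truncated_at_cap(f)]
    if len(cut) == len(large) and all(f.ending == "complete" for f in small):
        return "size-capped"
    return "partial" if cut else "healthy"

# Constructed sample observations (not real measurements).
THROTTLED = [
    Fetch("https://site.example/", True, 200, 9_000, 9_000, "complete"),
    Fetch("https://site.example/app.js", True, 200, 480_000, 16_384, "reset"),
    Fetch("https://site.example/style.css", True, 200, 95_000, 15_900, "timeout"),
]
HEALTHY = [
    Fetch("https://site.example/", True, 200, 9_000, 9_000, "complete"),
    Fetch("https://site.example/app.js", True, 200, 480_000, 480_000, "complete"),
]
```

Every record in `THROTTLED` passes `casual_check`, which is why status-only monitoring reports such a site as up; only comparing received bytes against the declared length across several large assets exposes the cap.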
Cloudflare publicly confirmed the throttling on June 26, 2025, calling it state-level interference beyond its control. The company’s internal data showed that the cap was being enforced through multiple concurrent mechanisms including packet injection and rate limiting, indicating active management rather than a network misconfiguration. Freedom House and independent internet monitors documented that total Cloudflare traffic from Russia had dropped substantially, and that the disruptions coincided with Roskomnadzor adding Cloudflare to its register of “organizers of information dissemination”. That register is a surveillance regime that requires listed companies to store Russian user data on local servers and provide decryption keys to the FSB on demand. Companies that do not comply face mandatory throttling or outright blocking—exactly the outcome observed since June 2025.
When the June 2025 throttling is read alongside the March 2025 subnet blocks and the October 2024 ECH ban, a clear progression emerges: Russia first targeted a specific encryption protocol, then blocked whole network ranges, and is now using technical controls to degrade the entire Cloudflare service indefinitely. The FSB’s June 2, 2026 espionage accusation adds a narrative overlay of criminal collusion to a technical suppression campaign that was already fully underway.
The moves against Cloudflare and Fastly are part of a much larger, multi-year project by the Kremlin to bring the Russian internet under full domestic control—a policy framework the government calls “digital sovereignty.”
New legislation now requires telecom operators to install state-controlled Deep Packet Inspection (DPI) equipment, known as the “Technical Means of Counteracting Threats” (TSPU) system, which gives the FSB the ability to monitor, filter, and throttle traffic at the network level. Telecoms that fail to register with Roskomnadzor or comply with FSB data requests face fines and service restrictions.
In September 2025, Russian authorities introduced a “registry of socially significant services,” a formal whitelist of initially 57 pre-approved websites—including state news agency RIA Novosti, major banks, the Gosuslugi government portal, domestic social networks, and select Yandex services—that are guaranteed to remain accessible during network disruptions and shutdown tests. Any foreign-hosted service not on the list can be severed at any time.
The government has also moved forcefully against encrypted communications and circumvention tools. By early 2026, Roskomnadzor had restricted hundreds of VPN applications and protocols. In August 2025, voice and video calling through Telegram and WhatsApp were restricted, and direct restrictions on Telegram itself soon followed.
The trajectory is unambiguous. Russia’s approach has evolved from targeted website blocks a decade ago, through large-scale DPI-based filtering, to the current phase in which entire Western content-delivery and infrastructure providers are systematically degraded, disconnected, or subjected to official criminal accusations. The goal is a Russian internet space in which all traffic is inspectable by the FSB and foreign infrastructure holds no operational foothold.
The June 2, 2026 allegation against Cloudflare and Fastly is the latest turn in that project. It is an unsubstantiated espionage charge leveled against the same companies whose infrastructure Russia has spent two years methodically making inaccessible to its own citizens.