FTM ditches US cybersecurity firm over surveillance and privacy fears – Follow the Money


At 11:55 am on a Wednesday morning, the first message came in. A Follow the Money editor sent a screenshot of the FTM app via the internal communication channels: “502 bad gateway”. Just a minute later, then-editor-in-chief Arne van der Wal sent the message: “SITE IS DOWN”. 

An hour later, the website and app were still down. “Looks like a targeted DDoS attack on us,” FTM’s systems administrator told the rest of the company. 

During a DDoS attack – short for distributed denial-of-service – attackers send massive amounts of internet traffic at their target until the system is overloaded. The aim? To bring down websites, at least temporarily.

Later that day, FTM publisher Jan-Willem Sanders sent a message to staff: “A massive amount of automated traffic is being directed at us to disrupt our sites – unfortunately, that mission has been successful.”

“Under attack?”

The attack, on 24 April 2024, was the first the company had ever experienced. On that day, the servers had to cope with traffic that was 28,000 times higher than on a normal Wednesday, originating from servers in Russia and Bulgaria. One of the pages that was attacked? The section on the website that collects articles on Russia.

That afternoon, the FTM system administrator scrambled to connect the website to Cloudflare’s services. That firm provides a popular service: The US company “blocks an average of 247 billion threats online every single day for its millions of customers”, according to its website. Independent research found that almost a quarter of all websites on the internet are protected by Cloudflare.

An added bonus: you can connect your systems to it in a flash – even during an attack. It’s no coincidence that the website features a red “under attack?” button; click it, enter your details, and you’ll be protected by Cloudflare “in minutes”.

Disrupting sites

Although Cloudflare managed to block 99% of the Russian and Bulgarian traffic, that 1% meant the FTM website was only up and running again at around 8 pm. 

Since then, Follow the Money has luckily suffered few such attacks, thanks to Cloudflare.

And yet, earlier this month the news outlet parted ways with that company’s services. 

Not because the threats from Russia (or elsewhere) have subsided, or because the services of Cloudflare haven’t been helpful – but because using Cloudflare also comes with a risk. 

In February, FTM announced that it would reduce its dependence on US software as much as possible, in view of the rapidly deteriorating relations between Europe and the US. In other words: FTM wants to use, as much as possible, alternatives to US services. 


That’s because it has become increasingly clear that the US government can leverage Europe’s dependence on US tech. For example, the chief prosecutor of the International Criminal Court (ICC) found himself locked out of his email account in May last year. Microsoft had denied him access after US president Donald Trump sanctioned him for having issued an arrest warrant for Israeli Prime Minister Benjamin Netanyahu.

Such risks should be reduced as much as possible.

Cloudflare’s software in particular poses a risk, said Erik Willems. He started working as FTM’s project manager for digital autonomy last month and is responsible for the search for European alternatives.  


Because all of FTM’s traffic ran via Cloudflare’s servers, that company theoretically had access to a huge amount of sensitive data. “Cloudflare can see everything you, as a member of FTM, do on our site,” Willems said. “So if someone subscribes to FTM or an existing member changes something on their own account page, Cloudflare can see it: your email address, your account number and whether you’ve clicked the ‘change password’ button. And if you then change your password, even that ends up with Cloudflare.”

This data is encrypted, but to assess whether internet traffic to ftm.eu is from a human or a bot, Cloudflare must access unencrypted information. Human users are allowed through, bots are not.

Cloudflare claims that it doesn’t store that data, and there is no evidence that it is actually monitoring traffic. However, Cloudflare did provide data to the US government about 500 times last year – out of a total of 820 legal requests. 

By comparison, there were only 18 requests from EU countries during that time. It’s not clear how many were granted.

Cloudflare itself has noted that there are doubts in Europe as to whether the use of “cloud service providers like our company” by (local) governments is in line with European privacy legislation. The reason, in Cloudflare’s own words: “their concerns about the ability of U.S. government agencies to access EU personal data”.

Willems emphasises that these concerns are neither new nor unique to Cloudflare. “This has long been common knowledge among IT professionals,” he said. “It is simply the flip side of protection against DDoS attacks.” 

To reduce the risk of US authorities gaining access to your data, FTM is shifting its DDoS protection to a European company.

The problem that Willems was faced with: Cloudflare’s biggest competitors – Amazon CloudFront, Fastly and Akamai – are also all US companies, or Russian (DDoS-Guard).

So Willems started looking in Europe. 

‘Off to bunny 😎’

Enter bunny.net. The company – with 96,000 paying customers, according to a spokesperson – provides similar services to Cloudflare. It also essentially has the same access to data as Cloudflare. 

However, because the firm is based in Europe, the US government cannot simply request the data; US authorities also have no way of building in a so-called kill switch that would allow them to shut down FTM. Any data that bunny.net has access to will be protected under EU privacy laws, which are stricter than US ones.

Bunny.net now uses this as a selling point. A week after Donald Trump’s inauguration in January 2025, the company published a blog post on privacy: “The moment your traffic passes through a U.S.-based service provider, your logs could fall under U.S. jurisdiction, opening the door to potential data access under foreign laws.”

“As an EU-based company, bunny.net ensures your logs never leave the region. Free from U.S. Congress jurisdiction, we help you safeguard your customers’ data while delivering a seamless experience.”

Whether that seamless experience is just PR remains to be seen. What is clear, though, is that FTM subscriber data is now much safer under EU law.

Earlier this month, FTM’s IT department cleared the first hurdle to make it less dependent on US tech. FTM.eu was the first to move to the new service provider, and last Wednesday the Dutch site ftm.nl was next.

“FTM has moved to bunny 😎,” an administrator wrote.
