Cloudflare: 1 in 20 Emails Malicious — Crypto Users Heavily Targeted
Cloudflare’s 2025 year-in-review found that about 5.6% of the global email traffic it analyzed was malicious (roughly 1 in 20 emails), with a November peak approaching 9.7% (nearly 1 in 10). Malicious emails are defined as attempts to steal information, money or account access; deceptive links accounted for 52% of detections and impersonation (spoofed or similar domains/display names) for 38%. The report calls out heavy abuse of certain top-level domains (TLDs), notably ".christmas" (over 92% malicious), and high malware rates in ".lol", ".forum", ".help", ".best" and ".click". Independent research from Barracuda and Hornet Security corroborates rising spam, malicious HTML attachments and year‑over‑year increases in malware-laden email. Cloudflare highlights that crypto traders, executives and investors face elevated risk from increasingly sophisticated phishing campaigns aimed at stealing credentials or tricking users into irreversible transfers to scam addresses. Key trader takeaways: increase email hygiene, verify links and sender domains, treat TLDs and unfamiliar domains with suspicion, enable strong wallet security (hardware wallets, two-factor auth, address whitelists), and avoid on-chain transfers unless the destination is verified.
Bearish
This report raises short-term and continuing risks for crypto markets by increasing the probability of successful phishing attacks on traders and institutional actors. Short-term: heightened phishing volume and sophistication can cause targeted losses, sudden liquidations or panic selling if prominent traders or funds suffer thefts or credential compromises. That can increase volatility and downward pressure on affected tokens due to forced sells or loss of market confidence. Long-term: persistent high levels of malicious email and TLD abuse raise operational security costs, reduce retail investor confidence, and may slow onboarding for some services, all factors that can dampen demand growth. The news does not directly affect token fundamentals (no protocol vulnerability reported), so the market impact is indirect, via security risk and confidence. Overall, expect negative sentiment for vulnerable projects or services tied to compromised actors and temporary volatility rather than systemic price gains.