Between July 2 and July 8, 2026, elTOQUE’s website was targeted for the second time in less than a year by a sustained distributed denial-of-service (DDoS) campaign: a flood of automated traffic designed to knock our site offline and prevent Cubans from accessing our journalism.

Although we first alerted our audience to the incident on July 4, the attack had actually begun on July 2, with nearly 66 million requests delivered in two short bursts. Our protection systems handled those initial waves successfully, so they did not immediately trigger alarms. On July 4, however, the attack resumed at full scale—the most intense day of the campaign—with more than 400 million requests and a peak of 66.6 million requests in a single hour. Heavy pressure continued through July 5 and 6, before the campaign finally ended on July 8.

Screenshot showing the volume of attacks targeting elTOQUE by day. Data collection ended on July 8 at 08:00.

Of the 1.09 billion total requests, the overwhelming majority—more than 919 million—could not even be evaluated individually because of the sheer volume. This is the hallmark of a saturation attack. During the entire week, there were only about 2,400 genuine attempts to exploit vulnerabilities and gain access to the site, and none of them succeeded. The attackers were not trying to break in—they were trying to take our website down.

Screenshot showing the number of malicious requests per hour from July 2 to July 8.

The target was eltoque.com, specifically its homepage—the gateway to our journalism and the location of our most widely consulted widget, which provides data on Cuba’s informal U.S. dollar exchange rate. The attack coincided with a new surge in the informal currency market, where the dollar rose from 605 CUP to 680 CUP after previously falling from around 700 CUP.

This was not the first time we had faced such an attack. On December 17, 2025, a DDoS attack involving more than 400 million requests knocked our website offline for several hours. The following day, an even larger attack followed, but we barely noticed it because, in the time between the two incidents, we had activated Cloudflare’s bot protection.

The July 2–8, 2026 campaign—more than seven times larger than that first attack and sustained over an entire week—confirmed that this had been the right decision. Cloudflare’s automated protection absorbed the bulk of the attack at the network edge, blocking or challenging approximately 849 million requests before they ever reached our origin server. The requests that did get through encountered additional safeguards implemented by our development team, providing a second layer of defense.

One characteristic we identified in this latest incident is that the malicious traffic originated from rented cloud and data center infrastructure in countries including the United States, China, Indonesia, the Netherlands, and Germany. The location of these servers does not reveal who orchestrated the attack—attackers routinely rent infrastructure in different countries to conceal their identity—but it does confirm that the traffic was generated by machines rather than human users.

Screenshot showing the countries where the attack infrastructure originated. Server locations do not indicate who orchestrated the attack, as the infrastructure was rented and the traffic was generated by machines rather than real users.

During the emergency response, some of the defensive rules we deployed were initially too broad and unintentionally affected legitimate readers, particularly those in Cuba. Our team quickly corrected this collateral impact without giving ground to the attackers, ensuring that the website remained online throughout the incident while full access for our genuine audience was restored.

For elTOQUE, our website is the bridge that connects our journalism with both the Cuban diaspora and people living on the island. When the site becomes slow, blocked, or unavailable, people lose timely access to information they rely on to make everyday decisions—from deciding when to exchange their dollars to understanding what is happening in their country.

A week-long attack of this magnitude, deliberately aimed at our homepage, seeks to deny people access to that information. In practice, it is an attempt at censorship through saturation, adding to a broader pattern of harassment that has included the interrogation, detention, and intimidation of colleagues inside Cuba, surveillance of the families of journalists living in exile, and the formal blocking of our domains by Cuba’s only authorized telecommunications provider.

We were able to withstand this latest attack thanks to the protection we receive through the Plus Hub, led by the International Center for Journalists (ICFJ) in partnership with Cloudflare’s Project Galileo, a program that provides free cybersecurity services to public-interest organizations at risk. elTOQUE is one of more than 20 newsrooms currently receiving this protection through the partnership.

The package includes automatic attack detection and mitigation, a content delivery network (CDN) that improves loading times for readers with unstable or limited internet connections—such as those in Cuba—encryption that protects the privacy of our readers, and a web application firewall that blocks emerging threats before they reach our origin infrastructure.

As our Executive Director, José Jasán Nieves, told ICFJ, having access to these tools fundamentally changed how the team responds to cybersecurity incidents. Instead of improvising under pressure to protect critical infrastructure, the team can now apply security controls proactively, reducing downtime and minimizing the burden on a small newsroom.

We are publishing this account not only to explain what happened, but because we know we are not the only independent Cuban news organization—or the only newsroom operating in exile—to face these kinds of attacks. Most small and medium-sized news organizations cannot afford this level of protection, which can cost more than USD 5,000 per year.

If you lead or work at an independent newsroom—especially one reporting from exile or covering high-risk issues—Plus Hub and Project Galileo may be able to provide your organization with the same level of protection, free of charge, that allowed us to remain online throughout seven consecutive days of attack. You can complete the ICFJ+ Expression of Interest Form to find out whether your organization is eligible.

Expression of Interest Form — Plus Hub / Project Galileo

Our infrastructure remains a target. But every time we withstand an attack without going offline, we demonstrate something even more important: that independent Cuban journalism, even in exile, has the means to defend itself.

___________________________________________________________________________

This article was written by Abraham Calás Torres, El Toque’s Director of Innovation and Development. It has been republished in this space with the appropriate permissions, translated into English with the assistance of AI, and reviewed for accuracy by our journalists.