When the Web Goes Dark: The Hidden Fragility of Centralized Infrastructure

The internet stopped working on November 18, 2025. Not gradually, not with warning signs—just suddenly and completely for millions of users worldwide. Twitter went dark mid-tweet. ChatGPT froze mid-sentence. Even Downdetector, the site you check when everything breaks, couldn't load to tell you everything was broken (Cloudflare, 2025).

Twenty percent of the web vanished because Cloudflare, the company that protects the internet from attacks, accidentally attacked itself. A routine database permissions update triggered a hidden bug, and suddenly the guardian at the gate had locked everyone out.

The Anatomy of a Modern Internet Failure

At 11:05 UTC, Cloudflare deployed what should have been a straightforward change to their ClickHouse database cluster—a security update making table metadata explicitly visible to users who already had implicit access. The problem emerged from an innocuous oversight: a database query generating Cloudflare's bot mitigation configuration file didn't filter for database name (Cloudflare, 2025).

The query started returning duplicate entries—one set from the default database, another from the underlying storage database. The configuration file doubled in size from approximately 60 features to over 200. Cloudflare had set a hardcoded limit of 200 features for memory preallocation, which engineers thought provided a generous safety margin. It didn't.

When the oversized file hit that limit, the Rust code panicked with the error: "thread fl2_worker_thread panicked: called Result::unwrap() on an Err value" (Cloudflare, 2025). This seemingly minor technical failure cascaded through Cloudflare's entire infrastructure. Bot mitigation sits deep in their control layer, and when it died, the health check system that tells load balancers which servers are healthy lost its ability to function properly.

The situation worsened in an unusual way: the configuration file regenerated every five minutes. Bad data only generated if the query ran on an updated cluster node, causing Cloudflare's network to flicker between working and failing every few minutes. This intermittent behavior initially led engineers to believe they were experiencing a hyper-scale DDoS attack, since systems don't typically recover and fail repeatedly from internal errors (Cloudflare, 2025).

Eventually, every ClickHouse node received the update. Every configuration file generated was corrupted. The flickering stopped, replaced by complete, stable failure across the network.

The Cryptocurrency Paradox

The crypto industry spent October mocking centralization when AWS took down Coinbase and other major exchanges. November's Cloudflare outage produced a different response: crickets, at least for the first few hours. It's difficult to tweet about infrastructure fragility when Twitter itself runs on the infrastructure that just died.

The technical truth remains that no blockchain protocol failures were reported during the outage. Bitcoin kept running. Ethereum kept running. The chains themselves worked fine (The Block, 2025). But the practical reality tells a more sobering story: exchange UIs died, block explorers went dark, wallet interfaces failed, analytics platforms crashed, and trading interfaces returned 500 errors.

Users couldn't access the "decentralized" blockchains they supposedly owned. The protocol worked perfectly—if you could reach it.

Major Infrastructure Casualties

The outage's impact extended across the entire Web3 ecosystem:

• Centralized Exchanges: Coinbase's front-end blinked out, Kraken's web and mobile apps went down, and BitMEX posted degraded performance notices (The Block, 2025)
• Blockchain Explorers: Etherscan couldn't load, Arbiscan went down, and users lost their primary means of verifying on-chain activity
• DeFi Platforms: DeFiLlama's analytics dashboard served intermittent internal server errors, disrupting data access for traders and researchers
• Wallet Infrastructure: Even Ledger reported degraded availability of services due to the Cloudflare outage (Ledger, 2025)

Interestingly, major exchanges like Binance, OKX, Bybit, Crypto.com, and KuCoin reportedly experienced no front-end outages, suggesting that diversified infrastructure strategies can provide resilience (CoinStats, 2025).

The Pattern of Centralized Failure

This incident represents just one data point in an accelerating pattern of infrastructure failures:

• October 20, 2025: AWS experienced a 15-hour outage when DynamoDB DNS resolution failed in US-EAST-1. Coinbase froze, Robinhood stuttered, and Infura disrupted MetaMask connections. Multiple Layer 2 networks—Base, Polygon, Optimism, Arbitrum, Linea, Scroll—all went offline simultaneously (CryptoSlate, 2025).
• October 29, 2025: Microsoft Azure suffered configuration propagation problems in Azure Front Door. Microsoft 365 went down, Xbox Live went dark, and business services were interrupted across the platform (AP News, 2025).
• July 2024: CrowdStrike's faulty Windows update halted flights, delayed hospital procedures, and froze financial services, requiring multi-day recovery for full restoration (CNBC, 2024).
• June 2022: A previous Cloudflare outage halted several crypto exchanges, following the exact same pattern with a different technical cause (TechCrunch, 2022).

Four major infrastructure outages in just 18 months. Four times the same lesson: centralized infrastructure creates centralized failure. Four times the opportunity for cryptocurrency to pivot toward genuine decentralization while running on infrastructure owned by three companies.

The Monopolization of Internet Infrastructure

The concentration of cloud infrastructure represents one of the most significant risks to internet resilience. AWS controls approximately 30% of global cloud infrastructure, Microsoft Azure holds 20%, and Google Cloud claims 13% (Statista, 2025). Three companies control over 60% of the cloud infrastructure underpinning the modern internet.

Cryptocurrency's infrastructure dependencies reveal the depth of this centralization:

• Coinbase runs on AWS infrastructure
• Binance operates on AWS
• BitMEX, Huobi, Crypto.com—all built on AWS
• Kraken uses AWS infrastructure, yet still suffered from Cloudflare's CDN failure

The irony becomes stark: an industry built to eliminate trusted third parties proved it cannot function without trusting a handful of corporations to keep the lights on.

The Access Layer Problem

During the AWS outage in October, approximately 2,368 Ethereum execution nodes sitting on AWS infrastructure—representing almost 37% of the network's total—created significant access problems (Ethernodes, 2025). Not enough to stop the chain itself, but more than enough to cripple access for most users who don't run their own nodes.

As crypto commentator Jameson Lopp observed: "We took an amazing decentralized technology and have made it incredibly fragile by centralizing most services behind a handful of providers" (Lopp, 2025).

Why Convenience Trumps Principles

The path to centralization wasn't paved with malicious intent but with pragmatic decision-making. Running your own infrastructure requires expensive hardware, stable electricity, dedicated bandwidth, security experts, geographic redundancy, disaster recovery systems, and 24/7 monitoring.

Using Cloudflare means clicking a button, entering a credit card, and deploying in minutes. Someone else handles DDoS attacks, maintains uptime, and worries about scaling. Startups chose speed to market, venture capitalists demanded capital efficiency, and everyone picked easy over resilient.

The economic reality remains brutally clear: centralized infrastructure is cheaper, faster, and "good enough"—until it isn't. Multi-cloud strategies cost more. Self-hosting requires expertise most teams don't have. Geographic redundancy creates latency issues that traders notice immediately (Schwed, 2025).

The Regulatory Dimension

Another factor rarely discussed in public: the CLOUD Act. U.S. law gives authorities the power to demand data from American cloud providers regardless of where that data physically sits. Whether stored on European servers or Asian data centers, if AWS, Azure, or Google hosts it, U.S. law enforcement can access it with appropriate legal authorization—no foreign court approval needed (LexisNexis, 2025).

European regulators increasingly view American cloud dominance as a sovereignty issue, with some authorities warning against the use of U.S.-based cloud services for sensitive data. Decentralization promised freedom from institutional control. Instead, most crypto infrastructure ended up in the hands of three corporations answerable to one government.

The Path Not Taken

Decentralized alternatives exist, though they remain marginal in adoption:

• Storage: Arweave, IPFS, and Filecoin offer decentralized storage solutions
• Compute: Akash Network provides decentralized cloud computing
• Full-Stack: Internet Computer Protocol promises comprehensive decentralization

The problems hampering adoption are tangible: performance lags behind centralized options, latency issues create noticeable user experience degradation, and costs often run higher than renting from the big three.

XRP Ledger demonstrated that distributed infrastructure works during both AWS outages. Validators distributed across AWS, Google Cloud, Hetzner, DigitalOcean, and independent servers meant no single point of failure could take down the network (U.Today, 2025). As contributor Vet noted: "That's the hard work of decentralization, especially geographical and hosting wise."

The difference? XRP Ledger made infrastructure redundancy an engineering requirement from the beginning, not a nice-to-have feature to implement someday.

The Cost of Comfortable Lies

David Schwed, COO of SovereignAI, captured the severity of the situation: "With Cloudflare down today and AWS just a few weeks ago, it's evident we can't simply outsource resiliency in our infrastructure to a single vendor. If your organization needs to be up 24/7, you have to build your infrastructure assuming these outages will happen. A business continuity plan comprised of 'wait for vendor to restore' is pure negligence" (The Block, 2025).

Not an accident. Not an oversight. Negligence.

Dr. Max Li, CEO of OORT, called out the hypocrisy in a CoinDesk editorial: "For an industry that prides itself on decentralization and constantly lauds its benefits, to be so reliant on vulnerable centralized cloud platforms for their own infrastructure feels like hypocrisy" (CoinDesk, 2025).

His proposed solution—hybrid cloud strategies where exchanges distribute critical systems across decentralized networks—reflects a growing recognition that centralized clouds will always have their place for performance and scale, but they'll never match the resilience of distributed alternatives when billions of dollars are at stake and every second counts.

Looking Forward: Identity and Infrastructure

The stakes will only increase as digital identity integrates with blockchain infrastructure. Treasury departments are pushing identity credentials into smart contracts, with mandatory KYC gates on every DeFi interaction becoming increasingly common.

When the next outage hits, users won't just lose access to trading—they'll lose access to proving they exist in the financial system. Three hours of downtime becomes three hours of "verify you're human" screens that can't load because the verification service runs on infrastructure that's down.

The guardrails regulators want to build assume the infrastructure stays up. November 18th proved that assumption wrong.

The Question That Remains

Cryptocurrency didn't fail on November 18th. The blockchains worked perfectly. What failed was the comfortable lie that you can build unstoppable applications on stoppable infrastructure, that censorship resistance matters when three companies control the roads to access it, that "decentralized" means anything when Cloudflare's configuration file determines whether millions can trade.

Philosophy doesn't compete with convenience until convenience fails catastrophically enough to change behavior. November 18th wasn't catastrophic enough. Neither was October 20th. Neither was July 2024.

The next outage is coming—AWS, Azure, Google Cloud, Cloudflare round two. Could be next month, could be next week. Infrastructure hasn't changed, dependencies haven't changed, incentives haven't changed. Centralized stays cheaper, faster, easier. Until it isn't.

When the infrastructure you didn't build fails at the moment you can't afford it to, whose fault is it really?

References

AP News. (2025, October 29). Microsoft Azure suffers major outage affecting services worldwide. AP News. https://apnews.com/article/microsoft-azure-downdetector-service-disruption-0deffbd09c09ca4640c2f5452a9e483e

Cloudflare. (2025, November 18). 18 November 2025 outage. Cloudflare Blog. https://blog.cloudflare.com/18-november-2025-outage/

CNBC. (2024, July 19). CrowdStrike suffers major outage affecting businesses around the world. CNBC. https://www.cnbc.com/2024/07/19/crowdstrike-suffers-major-outage-affecting-businesses-around-the-world.html

CoinDesk. (2025, November 1). The AWS outage shows why crypto can't keep relying on centralized infrastructure. CoinDesk. https://www.coindesk.com/opinion/2025/11/01/the-aws-outage-shows-why-crypto-can-t-keep-relying-on-centralized-infrastructure

CoinStats. (2025, November 18). Cloudflare outage resolved after disrupting BitMEX and Kraken front-ends. CoinStats. https://coinstats.app/news/

CryptoSlate. (2025, October 20). AWS failure exposes crypto's centralized weak point. CryptoSlate. https://cryptoslate.com/aws-failure-exposes-cryptos-centralized-weak-point/

Ethernodes. (2025). Ethereum nodes by hosting provider. Ethernodes. https://www.ethernodes.org/networkType/el/Hosting

Ledger. (2025, November 18). Service status update. Ledger Status. https://status.ledger.com/incidents/bvjd0fw4nbwv

LexisNexis. (2025). CLOUD Act and GDPR: Implications for data protection. LexisNexis International Legal Insights. https://www.lexisnexis.com/blogs/int-legal/b/insights/posts/cloud-act-gdpr-implications

Lopp, J. @lopp. (2025, November 18). We took an amazing decentralized technology and have made it incredibly fragile by centralizing most services behind a handful of providers. X (formerly Twitter). https://x.com/lopp/status/1990756066653843861

Schwed, D. (2025, November 18). Quoted in The Block. https://www.theblock.co/amp/post/379242/cloudflare-global-network-outage-hits-multiple-crypto-front-ends-in-widespread-disruption

Statista. (2025). Worldwide market share of leading cloud infrastructure service providers. Statista. https://www.statista.com/chart/18819/worldwide-market-share-of-leading-cloud-infrastructure-service-providers/

TechCrunch. (2022, June 21). Cloudflare outage hits crypto exchanges. TechCrunch. https://techcrunch.com/2022/06/21/cloudflare-outage-crypto-exchanges/

The Block. (2025, November 18). Cloudflare global network outage hits multiple crypto front-ends in widespread disruption. The Block. https://www.theblock.co/post/379242/cloudflare-global-network-outage-hits-multiple-crypto-front-ends-in-widespread-disruption

U.Today. (2025, October 21). XRP Ledger turns AWS crash into case for more decentralization. U.Today. https://u.today/xrp-ledger-turns-aws-crash-into-case-for-more-decentralization