Spain's LALIGA knocked half a million websites offline
OONI measured the collateral damage: 554,507 sites, most behind Cloudflare.
To stop illegal LaLiga streams, Spanish ISPs block shared IP addresses during live matches. New OONI measurements put a number on the collateral: 554,507 unrelated domains knocked offline, most of them behind Cloudflare. Here is what happened and why a build studio cares.
Spain spent the first half of 2026 trying to stop illegal football streams during live LaLiga matches. It worked, sort of. It also knocked hundreds of thousands of unrelated websites offline. New measurements from OONI, published on June 30, put a number on the collateral damage, and the number is large: 554,507 domains affected, roughly 5.8% of the most popular sites on the internet.
What actually happened
During live matches, Spanish internet providers block the IP addresses that pirate streams run on. That sounds surgical. It is not, because of how the modern web is built.
Almost no website has its own dedicated IP address anymore. Providers like Cloudflare and Squarespace put thousands of unrelated sites behind a single shared address and tell them apart by the hostname the browser asks for when it sets up the encrypted connection, not by the IP. So when an ISP blocks that one shared IP, every site sitting behind it goes dark at once, whether or not it had anything to do with football.
It is like locking the front door of an apartment building because one tenant broke a rule. Everyone else is locked out too, and they never find out why.
The scale
Between January 1 and June 1, 2026, OONI tested 9.2 million of the internet's most popular domains from inside Spain and watched which ones became unreachable during match windows. The headline figures:
The detail that should worry anyone running a site: it took almost nothing to cause this. In some single one-hour windows, OONI found that blocking as few as 4 to 20 IP addresses was enough to knock more than 400,000 unrelated domains offline at once. The damage did not track the number of IPs blocked. It tracked how modern hosting works.
Why Cloudflare took the worst of it
Cloudflare sits in front of a huge share of the web, so blocking its IPs is the bluntest instrument possible. 501,305 of the affected domains, 90.4% of the total, sat behind it, and they came down from just 2,218 blocked IPs, about a third of all the addresses blocked. A single Squarespace IP took down 18,592 sites on its own.
Amazon came off comparatively lightly: 11,647 domains across 4,286 blocked IPs, far more diffuse, because more of its customers get their own dedicated address. Same enforcement, very different blast radius, decided entirely by how each provider assigns IPs.
Who got caught in the net
The blocked addresses were not all pirate streams. OONI's data flags plainly legitimate sites sitting on them: Amnesty International, UNICEF, and UNHCR chapters, Greenpeace, Harvard and the Stanford Law Review, Linux Mint, the HashiCorp Terraform registry that countless deployments pull from, and consumer sites like Goodreads. None of them had anything to do with broadcasting football. They just happened to share an address with something that did.
A court said the harm was not proven. Now it is measured.
The blocks trace back to a December 2024 ruling by a commercial court in Barcelona, won by LaLiga and Telefonica. When Cloudflare and the security association RootedCON challenged it in March 2025, the court dismissed them, on the grounds that no harm to third parties had been proven, identified, or quantified. OONI's report is, in effect, the quantification the court said did not exist: 554,507 domains, named organizations, exact hours.
It is worth noting who won that order. Telefonica is also the most reliable enforcer of it. It holds LaLiga broadcast rights through Movistar, it runs one of the blocking networks, and it is partly state-owned. The company deciding what to block also sells the thing the blocking is meant to protect.
The EU's own office warned about this in 2023
None of this was unforeseeable. In 2023, the European Union Intellectual Property Office published a paper on fighting live-event piracy that said, almost exactly, what would go wrong. IP blocking, it warned, risks overblocking when the targeted service shares an address with legitimate ones, and the fix is to check what else is on an IP and exclude ranges known to be shared hosting. That is precisely the step that was skipped when Cloudflare's shared IPs were blocked.
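The check described above (see what else sits on an IP, exclude shared-hosting ranges) can be sketched as a review step that runs before a blocklist is applied. This is an added example, not code from OONI, the EUIPO paper or any ISP; the IPs, domains, the shared range and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs: documentation-range IPs and .example domains only.
SHARED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed known shared-hosting range
DOMAIN_TO_IP = {  # assumed snapshot of which domains resolve to which IP
    "pirate-stream.example": "198.51.100.7",
    "charity.example": "198.51.100.7",
    "university.example": "198.51.100.7",
    "registry.example": "198.51.100.7",
    "pirate-dedicated.example": "203.0.113.20",
    "pirate-small.example": "192.0.2.5",
    "bystander.example": "192.0.2.5",
}
TARGETS = {"pirate-stream.example", "pirate-dedicated.example", "pirate-small.example"}
CANDIDATES = ["198.51.100.7", "203.0.113.20", "192.0.2.5"]

def review_blocklist(candidates, targets, domain_to_ip, shared_ranges, max_collateral=0):
    """Return, per candidate IP, whether blocking it stays within the collateral limit."""
    hosted = defaultdict(set)
    for domain, ip in domain_to_ip.items():
        hosted[ip].add(domain)
    report = {}
    for ip in candidates:
        addr = ipaddress.ip_address(ip)
        collateral = sorted(hosted.get(ip, set()) - set(targets))
        in_shared = any(addr in net for net in shared_ranges)
        report[ip] = {
            "shared_range": in_shared,
            "collateral": collateral,
            # Exclude shared ranges outright; elsewhere, cap unrelated domains.
            "block": not in_shared and len(collateral) <= max_collateral,
        }
    return report

def blast_radius(report, only_approved=False):
    """Count unrelated domains hit if the listed (or only the approved) IPs are blocked."""
    return sum(len(r["collateral"]) for r in report.values()
               if r["block"] or not only_approved)

if __name__ == "__main__":
    result = review_blocklist(CANDIDATES, TARGETS, DOMAIN_TO_IP, SHARED_RANGES)
    for ip, r in result.items():
        print(ip, "block" if r["block"] else "hold", r["collateral"])
    print("collateral if all blocked:", blast_radius(result))
```

With the constructed data, only the dedicated address passes review; the shared address and the one with a single bystander are held back.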
The part that worries us more: TLS interception
Blocking an IP stops you reaching a site. OONI found something a step past that, and it calls it a TLS man-in-the-middle. On the mobile network Digi, some connections were met with an injected self-signed certificate, the signature of a machine sitting inside the encrypted connection rather than just refusing it. OONI measured this affecting 10,759 domains across 7,334 IPs.
If that holds up, it is a different category of problem. IP blocking is about availability: you cannot reach the site. Interfering with TLS is about privacy and integrity: something is now positioned to inspect or alter traffic that users and browsers were told was private end to end.
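To make the availability-versus-integrity distinction concrete, here is an added example (not OONI's code, schema or methodology) that sorts connection measurements into the two categories and counts affected domains and IPs. The record fields and sample values are constructed; a self-signed certificate only counts as interference when a control vantage point saw a trusted certificate for the same domain.

```python
from collections import defaultdict

# Constructed records; the field names are this example's own, not OONI's schema.
MEASUREMENTS = [
    {"domain": "shop.example", "ip": "198.51.100.7", "tcp": "ok",
     "subject": "CN=shop.example", "issuer": "CN=Example Public CA",
     "trusted": True, "control_trusted": True},
    {"domain": "news.example", "ip": "198.51.100.7", "tcp": "timeout",
     "subject": None, "issuer": None,
     "trusted": False, "control_trusted": True},
    {"domain": "wiki.example", "ip": "203.0.113.9", "tcp": "ok",
     "subject": "CN=filter.local", "issuer": "CN=filter.local",
     "trusted": False, "control_trusted": True},
    {"domain": "lab.example", "ip": "192.0.2.44", "tcp": "ok",
     "subject": "CN=lab.example", "issuer": "CN=lab.example",
     "trusted": False, "control_trusted": False},
]

def classify(m):
    """Label one measurement: availability failure, TLS interference, or benign."""
    if m["tcp"] != "ok":
        return "unreachable"            # availability: the connection never opened
    if m["trusted"]:
        return "ok"                     # chain validated against the trust store
    self_signed = m["subject"] is not None and m["subject"] == m["issuer"]
    if self_signed and m["control_trusted"]:
        return "tls_interference"       # integrity: cert differs from the control's view
    if self_signed:
        return "origin_self_signed"     # the site itself serves a self-signed cert
    return "tls_error"                  # untrusted for some other reason

def summarize(measurements):
    """Return {label: (distinct domains, distinct IPs)} across all measurements."""
    domains, ips = defaultdict(set), defaultdict(set)
    for m in measurements:
        label = classify(m)
        domains[label].add(m["domain"])
        ips[label].add(m["ip"])
    return {label: (len(domains[label]), len(ips[label])) for label in domains}

if __name__ == "__main__":
    for label, (n_domains, n_ips) in sorted(summarize(MEASUREMENTS).items()):
        print(f"{label}: {n_domains} domains across {n_ips} IPs")
```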
It is spreading past the ISPs
The enforcement is not staying at the network layer either. In February 2026, LaLiga reportedly obtained court orders requiring the VPN providers NordVPN and Proton VPN to block access from Spain to 16 streaming sites. The orders were granted without a hearing, and both companies said they were never formally notified. Contested or not, the direction is clear: from blocking infrastructure to leaning on the privacy tools people reach for to get around blocks in the first place.
Why a build studio cares
We ship on exactly this infrastructure. Cloudflare in front, managed hosting behind, shared IPs the whole way down. It is fast, cheap, and sensible, right up until a block aimed at someone else three tenants over takes your product offline, and there is nothing you can do about it from the application layer.
It is a good reminder that "it works on our servers" is not the whole story. Where your users are, and what their ISP or government is doing that week, is part of your system too. It is the same blind spot we flagged for AI builders serving India in our post on the DPDP Act. For anything serving the EU, this is worth knowing before it is a support ticket you cannot explain.
Next step: read OONI's full report for the methodology and the raw numbers. If you run a product that serves Spain or the wider EU and want to understand whether a block like this could catch you, write to us at hello@gattyworks.com.