Cloudflare gave a strong indication that its IPO roadshow is going well, when on Wednesday it increased its pricing range on Wednesday to $12 to $14 per share — up from $10 to $12 per share.
This should value the company at between $3.5 billion and $4.1 billion at the time of its IPO, exceeding its last private valuation of $3.25 billion. The company is expected to go public later this week, possibly as soon as Thursday.
But then the company also raised eyebrows by filing an amended S-1 form, its IPO prospectus, in which it admitted it may have violated US law. It sold its services to entities blacklisted by US government including terrorists, narcotics traffickers and sanctioned governments, it said in the filing.
Specifically, Cloudflare said (emphasis ours):
"We identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC's Specially Designated Nationals and Blocked Persons List (the SDN List), including entities identified in OFAC's counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions. A small number of these parties made payments to us in connection with their use of our platform."
It also disclosed it may have broken US laws governing exporting encryption hardware.
Cloudflare offers a service that helps website operators keep their sites up and running even if hackers attempt to bring the website down, or if parts of the internet go down. The company says its network spans 194 cities in over 90 countries and connect with major internet providers and big corporate networks alike.
It may have installed encryption hardware in some of these overseas places in violation of the law, it explained:
"In 2019, we learned that we may have failed to comply with certain U.S. export-related filing and reporting requirements and may have submitted incorrect information to the U.S. government in connection with certain hardware exports."
Cloudflare has faced criticism for years over how it helped protect some of the darkest corners of the internet. Its has also been praised when it has kicked such entities off its network.
For instance, Cloudflare said its platform was used by 8chan, the online forum which "served as an inspiration" for the deadline mass shootings in El Paso, Texas and Christchurch, New Zealand. In April, after the El Paso shooting. The company announced that 8chan was no longer a customer, describing the forum as a "cesspool of hate."
In 2017, it faced a similar publicity storm when it admitted its network had been used by The Daily Stormer, the neo-Nazi white supremacist website, which became infamous for its role in the 2017 protests in Charlottesville, Virginia. Cloudflare later terminated the group's account.
The company says it disclosed the information about the blacklisted entities using its site to the appropriate government agency in May, 2019.
While Cloudflare promises it is doing all it can to prevent its service being used illegally, it says this remains a risk (emphasis ours):
"Although we have implemented, and are working to implement additional controls and screening tools designed to prevent similar activity from occurring in the future, there is no guarantee that we will not inadvertently provide our products to additional individuals, entities, or governments prohibited by U.S. sanctions in the future. "
Cloudflare did not immediately respond to a request for comment.