Executive Summary

In what might be the most spectacularly self-defeating information control operation the internet has witnessed, archive.today, the mysterious web archiving service that prides itself on preserving information forever, has spent the last two months trying to suppress a blog post by DDoS-attacking the author’s website. The result? The exact opposite of what they wanted.

The backstory reads like a Russian nesting doll written by someone high on absurdist fiction: a Finnish blogger published OSINT research into who runs archive.today, the operators responded with threats and legal complaints, then deployed their users’ browsers as DDoS weapons, inadvertently triggering international media coverage and FBI scrutiny that’s probably exponentially worse than the original investigation.

Welcome to the Streisand Effect in its purest, most hilariously unhinged form.

What Is Archive.Today? The Internet’s Rule-Free Wayback Machine

Before we get to the spectacular disaster, let’s understand what archive.today actually is and why it matters enough to fight so hard to keep its operators secret.

Unlike the Internet Archive’s Wayback Machine, which is a legitimate 501(c)(3) non-profit with a $37 million budget and proper legal safeguards, archive.today is the internet’s wild west of archiving:

The Promise:

  • Archive any webpage instantly
  • Preserve paywalled content forever
  • No opt-out, no takedown requests, no deletion buttons
  • Free, anonymous, no account required
  • Works with archive.is, archive.md, archive.ph, archive.foo (they have so many domain names it’s almost impressive)

The Reality:

  • Run by one or possibly two mysterious individuals likely based in Russia
  • Infrastructure supported by a botnet and logins obtained through “unclear means”
  • Cannot access paywalled sites legally but does anyway using mysteriously sourced credentials
  • Costs ~$4,000-5,000+ monthly to operate
  • Has somehow stayed alive for over a decade despite having a “bus factor of one”

Think of it as the service journalists use when publications try to paywall important information, what activists use when governments try to suppress news, and what everyone uses when they find an interesting article they want to keep forever. It’s genuinely useful infrastructure operating in a permanent legal gray zone.

If the internet were a city, archive.today would be that sketchy underground document copy shop in the basement that the authorities can’t quite touch (officially), and everyone from hacktivists to bankruptcy trustees depends on.

The Original Curiosity: August 2023

The trigger for everything that follows was boringly straightforward.

In August 2023, Janni Patokallio, a Finnish blogger running the site Gyrovague, published an OSINT investigation titled: “archive.today: On the trail of the mysterious guerrilla archivist of the internet.”

Patokallio did what OSINT researchers do: he poked around, connected dots, and found publicly available information about the operators. The post, getting about 10,000 views and a moderate Hacker News discussion, concluded:

  • The service was likely registered by a “Denis Petrov” (probably a pseudonym)
  • The operator(s) appear to have Russian connections but European presence
  • Early clues point to someone or a group associated with usernames like “Masha Rabinovich” and “volth”
  • The whole operation is a one-person labor of love operating from somewhere in Eastern Europe

None of this was secret detective work. Much of it had been uncovered before. The names were public. The registrations were public. The blog post was the equivalent of a detailed Wikipedia summary of publicly available information.

The post got decent traffic, Hacker News discussed it, and then… absolutely nothing happened for 2.5 years.

The FBI Knocks: November 2025

Then in late 2025, things got interesting.

On November 5, 2025, both Heise Online and ArsTechnica reported that the FBI had obtained a subpoena against Tucows, the domain registrar for archive.today. The FBI was demanding:

  • Address and connection data about the operator(s)
  • Payment information
  • Customer account details

A few weeks later, archive.today published a cryptic “canary” message on their X account, a reference to an old mining practice where a canary would die first when toxic gas was present. The canary was dead. The message was clear: the FBI investigation was heating up.

The court order (reportedly shared by archive.today itself) made it clear: the feds were coming for the identity of whoever ran this service.

Within days, a mysterious French “anti-abuse” organization called WAAD (Web Abuse Association Defense) began aggressively trying to pressure DNS providers and ISPs to block archive.today entirely. Whether WAAD was working with the FBI or operating independently remains unclear, but the timing was suspicious.

The pressure was mounting. The walls were closing in.

The Catastrophic Response: January 2026

Instead of going quietly, the operators of archive.today made a decision that will be studied for decades in classes on “how not to handle a PR crisis.”

They decided to DDoS the blog post out of existence.

Starting around January 11, 2026, users accessing archive.today’s CAPTCHA page (which sometimes appears as a security measure) began executing invisible JavaScript in their browsers. Every visitor to that CAPTCHA page became an unwitting participant in a distributed denial of service attack. Here’s the code they injected:

setInterval(function() {
    fetch("https://gyrovague.com/?s=" + Math.random().toString(36).substring(2, 3 + Math.random() * 8), {
        referrerPolicy: "no-referrer",
        mode: "no-cors"
    });
}, 300);

Translation: Every 300 milliseconds, make a request to Janni’s blog with a random search query to prevent caching and waste resources.

The attack was technically elegant in its incompetence:

  • It used archive.today’s own user base as a botnet
  • It ensured maximum visibility (DDoS attacks create server logs, which attract attention)
  • It was easily discoverable by examining network traffic
  • It demonstrated guilt while claiming innocence
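The loop above leaves a recognisable trace on the receiving side: search requests with short random terms, no Referer, and a steady rate per open tab. The following Node.js sketch is an added example (not code from the original post or from Gyrovague) that flags clients matching that fingerprint; the JSON log fields (`ts`, `ip`, `path`, `referer`), the thresholds and the sample addresses are assumptions constructed for illustration.

```javascript
// Token shape follows from the injected snippet: Math.random().toString(36) yields
// [0-9a-z], and substring(2, 3 + Math.random() * 8) keeps 1 to 8 of those characters.
const FLOOD_PATH = /^\/\?s=[0-9a-z]{1,8}$/;

// Hypothetical thresholds: a 300 ms timer gives roughly 33 requests per 10 s per open tab.
const DEFAULTS = { windowMs: 10_000, minHits: 20, minDistinctRatio: 0.9 };

function findFloodClients(jsonLines, opts = {}) {
  const { windowMs, minHits, minDistinctRatio } = { ...DEFAULTS, ...opts };
  const byIp = new Map();
  for (const line of jsonLines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    // referrerPolicy "no-referrer" strips the Referer header, so keep only referer-less hits.
    if (!e || !FLOOD_PATH.test(e.path) || e.referer) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push({ ts: e.ts, token: e.path.slice(4) });
  }
  const flagged = [];
  for (const [ip, hits] of byIp) {
    hits.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < hits.length; end++) {
      while (hits[end].ts - hits[start].ts > windowMs) start++;
      const win = hits.slice(start, end + 1);
      const distinct = new Set(win.map(h => h.token)).size;
      // Many hits in a short window, nearly all with different terms: cache busting,
      // not a person searching.
      if (win.length >= minHits && distinct / win.length >= minDistinctRatio) {
        flagged.push(ip);
        break;
      }
    }
  }
  return flagged.sort();
}

// Constructed sample log (not real traffic): one tab running the loop for 15 s, one human reader.
function sampleLog() {
  const t0 = 1768100000000, lines = [];
  for (let i = 0; i < 50; i++) {
    lines.push(JSON.stringify({ ts: t0 + i * 300, ip: "198.51.100.7",
      path: "/?s=" + (i * 7919).toString(36), referer: "" }));
  }
  for (const [i, q] of ["osint", "finland", "archive"].entries()) {
    lines.push(JSON.stringify({ ts: t0 + i * 4000, ip: "203.0.113.20",
      path: "/?s=" + q, referer: "https://gyrovague.com/" }));
  }
  return lines;
}

console.log(findFloodClients(sampleLog())); // flags only 198.51.100.7
```

Browsers that send Fetch Metadata headers also mark such requests with `Sec-Fetch-Site: cross-site` and `Sec-Fetch-Mode: no-cors`, which a server can log as an additional signal.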

The Escalation: Threats, GDPR Abuse, and the Breakdown

While the DDoS was happening, the operators, communicating through various personas, simultaneously launched a multi-pronged attack on the blog post itself:

Phase 1: GDPR Complaint (January 8, 2026)

A person claiming to be “Nora Puchreiner” filed a GDPR complaint with WordPress.com/Automattic, alleging the blog post contained defamatory personal data. The complaint was notably vague and lacked actionable specifics.

Janni used AI (Gemini) to draft a rebuttal citing journalistic exemption, public interest, and good faith research. Automattic agreed and left the post up. Score: Blogger 1, Archive.today 0.

Phase 2: Polite Email (January 10)

An email from archive.today’s webmaster politely requested the post be taken down for “a few months” while the heat died down. Janni was traveling and the email got marked as spam. He didn’t see it for five days.

Phase 3: The Unraveling (Late January)

As the DDoS attack continued and the political heat intensified, the emails from “Nora” became… unhinged.

Here’s an actual quote from the official webmaster’s email to Janni:

“And threatening me with Streisand… having such a noble and rare name, which in retaliation could be used for the name of a scam project or become a byword for a new category of AI porn… are you serious?”

The sentence spirals from incomprehension into threats about AI-generated deepfake porn of Janni using a play on the surname “Streisand” (which is what we call the effect of attempting to censor information causing it to spread more). This is what I can only describe as “emotional damage over email.”

The emails continued:

“If you want to pretend this never happened – delete your old article and post the new one you have promised. And I will not write ‘an OSINT investigation’ on your Nazi grandfather, will not vibecode a gyrovague.gay dating app, etc.”

For context: Janni’s grandfather served in an anti-aircraft unit of Finland defending against Soviet invasion during WW2. The invocation of “Nazi” for this appears to be either profound historical ignorance or sophisticated intimidation. Either way, it didn’t work.

At this point, Janni published the post about the DDoS attack itself, which is where our story gets interesting.

The Cast of Characters: A Mystery Wrapped in Enigma Inside a VPN

One of the strangest elements of this saga is the carousel of characters involved, all using different names and platforms:

“Nora Puchreiner”

  • Sent the GDPR complaint
  • Replied to Janni’s emails with increasingly unhinged messages
  • Appears on Russian LiveJournal under the same name discussing archive.today operations
  • Shows up on Hacker News from 2023 on the original archive.today post
  • Also posts on Krebs on Security under the same name, sometimes claiming scammers are Ukrainian instead of Russian, creating conflicts with other aliases

“rabinovich” (Likely “Masha Rabinovich”)

  • Posted the original “Ask HN: Weird archive.today behavior?” question that first publicly mentioned the DDoS
  • Also posts on Hacker News promoting Ghostarchive, a competing archive service
  • Name associated with early archive.today enthusiasts found by researchers
  • Wikipedia history shows interest in Russian/Belarusian documentation

“volth” (Possibly “masha/Denis” under another alias)

  • GitHub account that contributed to NixOS (which archive.today uses)
  • Profile picture somewhat similar to “Masha Rabinovich”
  • Fluent Russian speaker
  • Account has since disappeared

“Richard Président” from WAAD

  • Runs the suspicious French “anti-abuse” organization trying to get archive.today blocked
  • Helpfully offered to assist Janni with counter-complaints
  • Transparently mentioned this could be tied to “identity verification”
  • Likely the same person operating various other accounts

The pattern is remarkable: Multiple personalities, overlapping timelines, occasional conflicts between personas, and a level of operational security that breaks down whenever emotions get involved.

FBI Investigation Implications

As of November 2025, the FBI got a court order to subpoena Tucows for identifying information. The subpoena being shared publicly as a “canary” suggests the operators either:

  A) Made a calculated decision to go public with the surveillance effort, or
  B) The FBI already knew enough to issue the subpoena, suggesting informants or previous breaches

Either way, the legal jeopardy appears to be increasing. A Russian national operating a service that circumvents copyright protections, uses botnets for scraping, and obtains login credentials through mysterious means now has federal attention. This isn’t a routine issue: the FBI subpoena suggests potential criminal charges beyond civil IP violations.

Why DDoS-Attack Your Critics? The “Attract Attention” Defense

When confronted with the DDoS attack in Mastodon threads, one of the operators allegedly explained the motivation through a third party:

“The purpose of the DDoS was to attract attention and increase their hosting bill”

This explanation is either:

  1. Extraordinarily naive (thinking a DDoS would kill a blog about them), or
  2. Deliberately dishonest (actual goal was to suppress the post, but denying it anyway)

For context: Janni’s WordPress.com hosting plan has a flat fee. The DDoS cost him exactly $0. Meanwhile, the attack cost archive.today’s infrastructure time and eventually forced them to maintain another infrastructure project (the dns-blocklists on GitHub) that now includes gyrovague.com, preventing some users from even seeing the DDoS script thanks to ad blockers.

The attack achieved the opposite of every stated goal.

The Streisand Effect Amplified

The moment archive.today tried to suppress the information, they triggered the exact phenomenon the name derives from: attempting to censor something causes an exponential increase in attention.

Timeline of escalation:

  • Original blog post (Aug 2023): 10,000 views, mild HN discussion
  • FBI subpoena (Nov 2025): International media coverage (Heise, ArsTechnica)
  • DDoS attack (Jan 2026): Viral HN discussion, Reddit threads, security researcher attention
  • Unhinged emails (Jan 2026): The archive.today post itself became newsworthy, generating even more coverage
  • This very article: Adding to the corpus of documentation

The operators effectively weaponized themselves against their own operational security.

What Patokallio Learned (And Didn’t Know)

The key takeaway from Janni’s investigation is that archive.today remains fundamentally mysterious. The post identified probable aliases and showed likely Russian connections, but conclusively proved nothing. Major questions remain unanswered:

  • Are the operators actually Russian? Multiple lines of evidence point that direction (Russian in Cyrillic posts, payment issues post-2022, cross-border difficulties), but the FBI investigation might reveal New York connections (?).
  • Is this one person or a team? Likely one person based on the “bus factor” comments, but the multiple personas suggest either one person with excellent compartmentalization or a small group.
  • What’s the income source? Donations and ads cover 20% of costs. The rest remains mysterious. Sketchy? Probably. Illegal? Unclear.
  • Why did they finally snap in 2026? The FBI scrutiny was probably the real trigger, not the blog post from 2 years ago.

Technical Elegance, Strategic Incompetence

Here’s what strikes me most about this saga: The technical infrastructure of archive.today is genuinely impressive. They’re running Apache Hadoop, Accumulo, and HDFS across multiple European datacenters with sophisticated botnet rotation to defeat anti-scraping measures. The scaling is massive: 500+ million pages, 1,000+ terabytes of data, all maintained by what appears to be a single operator.

And yet, that same sophisticated operator made the strategic decision to:

  • Publicly threaten a blogger
  • DDoS a blog with their own users’ browsers
  • Send increasingly unhinged emails
  • Coordinate through obvious aliases
  • Telegraph the FBI investigation with a “canary” message

It’s like watching someone build a Fabergé egg, then use it to bludgeon someone in front of witnesses.

The Regulatory Vacuum

What’s missing from this entire situation is any actual legal framework around archiving, internet preservation, or the rights/responsibilities of archive services.

The FBI investigation suggests criminal intent around something, but what, exactly? Copyright circumvention? Facilitating fraud? Money laundering? The statute isn’t clear. Until we have statutory guidance on what archive services can/cannot do, we’re operating in a regulatory void where both the operators and their critics are making decisions based on guesswork and precedent.

Conclusion: The Archivists Archived

The delicious irony is that archive.today, a service dedicated to preservation and preventing erasure, attempted to suppress information through the most effective 21st-century censorship tool available: infrastructure attacks.

They failed, obviously. Everything is documented. The DDoS code is preserved in network logs. The threatening emails are archived (probably on archive.today itself). Multiple researchers have documented the operation. And now the FBI likely has more operational details than Patokallio ever dreamed of.

The operators of archive.today have accidentally created the most comprehensive archive of their own incompetence.

For Janni Patokallio, the lesson is clear: publishing factual, well-researched OSINT gets you less than 10K views. Publishing about being DDoS’d for publishing OSINT? That makes international headlines.

For archive.today users, perhaps the question worth asking is: do you really want to trust your data to infrastructure run by people who make decisions like these?

And for the FBI? The subpoena was just the beginning. The operators just provided a roadmap of their emotional triggers, which is intelligence gold.

References

  1. Patokallio, J. (2023). archive.today: On the trail of the mysterious guerrilla archivist of the internet. Gyrovague. https://gyrovague.com/2023/08/05/archive-today-on-the-trail-of-the-mysterious-guerrilla-archivist-of-the-internet/

  2. Patokallio, J. (2026). archive.today is directing a DDOS attack against my blog. Gyrovague. https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-against-my-blog/

  3. Kirchner, M. (2025). Archive.today: FBI Demands Data from Provider Tucows. Heise Online. https://www.heise.de/en/news/Archive-today-FBI-Demands-Data-from-Provider-Tucows-11066346.html

  4. Brewster, T. (2025). FBI Subpoena Tries to Unmask Mysterious Founder of Archive.today. ArsTechnica. https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tries-to-unmask-mysterious-founder-of-archive-today/

  5. AdGuard DNS. (2025). Web Abuse Association Defense and Archive.Today. AdGuard Blog. https://adguard-dns.io/en/blog/archive-today-adguard-dns-block-demand.html

  6. Hacker News. (2026). Ask HN: Weird archive.today behavior?. https://news.ycombinator.com/item?id=46624740

  7. GitHub. (2026). dns-blocklists. Retrieved from https://github.com/hagezi/dns-blocklists/commit/bbf70ec500bf36d887a93f672215d07d2e968e90