Explore the identities behind Archive.today using OSINT techniques and discover the web of connections that may reveal its operator.
On October 30th, the FBI issued a subpoena to domain registrar Tucows, seeking detailed account information tied to the domain Archive.today, including customer names, billing details, payment methods, network data, and associated online services. The request states that the data “relates to a federal criminal investigation,” although no specific offense has been named.
The subpoena appears to mark an effort to unmask the operator of Archive.today, also accessible through mirrors such as Archive.is, Archive.ph, and Archive.md. Since its creation in 2012, the site has been widely used as a preservation and verification tool, allowing users to capture web pages before they disappear or change.
Yet despite its visibility and influence, one question has remained unanswered since its launch: Who actually runs Archive.today?
The domain registrant for archive.today has always been redacted for privacy reasons.
However, the story really begins in the early 2010s, with WHOIS records that list a registrant name for archive.is as “Denis Petrov”, with an address in Prague, Czech Republic.
The name Denis has also been previously tied to archive.is through an email that is sent to both denis@camfex.cz and admin@archive.is.
Searching for ownership records for the camfex.cz domain also returns the name Denis Petrov: https://whois.easycounter.com/camfex.cz.
Breached data for namecheap@camfex.cz returns an address in Russia, 154 Stachek, ST Petersburg, rather than the Bilkova address in Prague seen in the public WHOIS records. This address, when searched on Google StreetView, shows that someone living in the building has requested that their property is not shown.
Another piece of information pointing to Denis is found on the Internet Archive. When visitors go to archive.today currently, there is a donate button that points to https://coindrop.to/archive. However, a previous archived version of that page from 2020 shows that same button directing to a PayPal account. This PayPal account was set up under the name Denis Petrov.
Money can still be sent to this account, which may provide further information. However, this would be considered direct contact with the individual and so we chose not to continue with this line of inquiry.
At this stage, the question becomes, is “Denis Petrov” a real person? A borrowed identity? Or a pseudonym used for registration convenience?
The phone number for Denis Petrov found in the WHOIS records is a Czech number: +420 775 168 924. Running this number through breached data sources returns the name Igor Kuznecov and the email address igor@camfex.cz, the same domain previously linked to Denis.
An Igor Kuznetsov also appears on the Czech business register with ties to Camfex:
https://rejstrik.penize.cz/igor-kuznetsov. This lists an address in Tula, M. Toreza 34/4, Russian Federation.
Additionally, Igor Kuznetsov is named as a director of a UK business, CAMFEX GROUP LTD, registered at Companies House.
The overlap between Denis and Igor, both using @camfex.cz, suggests the two identities may be connected, or possibly the same individual operating under different names.
The GitHub repository for Archive.is (https://github.com/archiveis) lists an author under the handle “Conferno.”
Searching broadly for this handle returns a Twitch streamer and a Russian developer, Alexander Conferno. There is no direct evidence linking this individual to Archive.today beyond the shared username. The same handle appears on social platforms such as https://x.com/conferno and https://dribbble.com/Conferno, though these may be unrelated accounts.
The connection remains circumstantial, but the presence of the handle on GitHub suggests that “Conferno” could have been an operational or technical alias associated with Archive.is.
The handle “MashaRabinovich” began appearing in discussions directly referencing Archive.is. For instance, in an F-Secure community thread, the user masharabinovich writes, “on my website http://archive.is/,” implying a personal connection to the platform.
In 2020, the same LinkedIn account under that name was observed logging captures of LinkedIn profiles on Archive.today mirrors, such as https://archive.vn/IPEEd and https://archive.vn/EPaEH. Both show that the logged-in user who performed the captures had the Masha Rabinovich profile photo visible.
Breached data for that deleted LinkedIn account shows it was registered under the email linkedin@camfex.cz, once again linking back to the Camfex.cz domain.
This shared mail infrastructure strongly suggests that Masha, Denis, and Igor were all operating within the same environment, possibly as the same person, or as collaborators sharing a single mail server.
A YouTube account named Masha Rabinovich (https://www.youtube.com/@4723984621) contains a single video demonstrating how to use Archive.is, further reinforcing the connection between this identity and the archiving platform.
A YouTube account under the name Masha Rabinovich, https://www.youtube.com/@4723984621, also contains a single video, which explores how to use archive.is.
Ownership of Archive.today and its mirror sites could fall under two main hypotheses:
Denis as the domain registrant and public-facing name.
Igor as a supporting or alternate identity tied to business and hosting.
Masha as a user-facing or content-capture persona.
Conferno as a developer or code distribution handle.
Both remain plausible. What is clear is that every alias connects through the same core ecosystem, most notably, the @camfex.cz domain.
Across years of public records, that domain appears repeatedly, suggesting that whoever controlled the Camfex.cz mail server was likely involved in or closely linked to the Archive.today project.
The October 2025 FBI subpoena represents the first verifiable move by U.S. authorities to pierce that anonymity. By targeting Tucows, the registrar for several Archive.today domains, investigators are seeking billing addresses, payment information, and session data that could connect the online infrastructure to a physical location or identifiable person.
The FBI’s ongoing investigation may eventually provide definitive answers. Until then, all that exists is the public record is a network of domains, business registrations, and handles.
Companies House's new identity verification improves data reliability but still leaves gaps for OSINT investigators without public access to unique...
Discover how UK planning permission data enhances OSINT investigations, the challenges investigators face searching for it, and the solution with...
Learn how OSINT and public data sources in the UK can help locate missing individuals for various investigative purposes.
Igor
igor@camfex.cz --> https://www.quora.com/profile/Igor-Kuznetsov/
Nora
You Forgot norapuchreiner@cofed.com who run the support team
who have webmaster.ms
----- 2 headers mails from this mail and also from webmaster@archive.today:
Return-Path:
X-Original-To: anonymised@domain.com
Delivered-To: anonymised@domain.com
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit
rsa-sha256 signature) header.d=webmaster-ms.20230601.gappssmtp.com
header.a=rsa-sha256
Authentication-Results: mail.protonmail.ch; dmarc=none (p=none dis=none)
header.from=archive.today
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=webmaster.ms
Authentication-Results: mail.protonmail.ch; arc=none smtp.remote-ip=209.85.216.50
Authentication-Results: mail.protonmail.ch; dkim=pass (2048-bit key)
header.d=webmaster-ms.20230601.gappssmtp.com
header.i=@webmaster-ms.20230601.gappssmtp.com header.b="n0gxnLWL"
Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) (using
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No
client certificate requested) by mailin035.protonmail.ch (Postfix) with ESMTPS id
4XCHkT48rSz9vNQS for ; Mon, 23 Sep 2024 22:30:25 +0000 (UTC)
Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-2d87196ec9fso3298939a91.1
for ; Mon, 23 Sep 2024 15:30:25 -0700 (PDT)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=webmaster-ms.20230601.gappssmtp.com; s=20230601; t=1727130623; x=1727735423;
darn=domain.com;
h=content-transfer-encoding:to:subject:message-id:date:from:reply-to
:in-reply-to:references:mime-version:from:to:cc:subject:date
:message-id:reply-to;
bh=gAHduGKVuCEEN1/K/Eu2ZOj+mLpNDOV8bQ2DjqySIaA=;
b=n0gxnLWLV39ikNqqNmy2l//T9PVk8MHamUZYyU5qZR4KLoZl9ki+Yk4PX1aUix7bkb
OzJ419uj5Z2xuXR7JaZpPm8GIe9UJAexsUbcUli1pUbqlUSRj/9g2IvqcESIS0O4Y9Eu
xyH82T2BzxPPCKmZOfJM8lTrQ14MpPD1mzPbulM2l9r6JpPskqiSkqW6GbOckoIFsex9
GeAPT+GXTN4N8Uqc6rEQfQhPvYCbf4RWiNyUJVD3TOHaN4iWeJBscyFDl+4wI3aZ1xx/
yZfzpxSwYDa6z5OEH0f79a51EWIW163eawF4Tlzh03OiQWxUFuaemYwrBh7lsGBr5u1U
OnXg==
X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1727130623; x=1727735423;
h=content-transfer-encoding:to:subject:message-id:date:from:reply-to
:in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=gAHduGKVuCEEN1/K/Eu2ZOj+mLpNDOV8bQ2DjqySIaA=;
b=ewwYvUqGqEx/VWM9wLve0W/aF9Z0/Tv92axAMD9/ZShRlLGTNpq2RPWJ5CILz3anir
dr1VmbBKfuG1LqIyEBroaMwk+8dxxQs4zpJ4zUmDH+Z2RmkxXcF2nO1l9iwG7KuBxJmc
UvwdZxnyFLg0Rkxe9r6OY8wvOHdZ9+73BGkT+sxhagrk1rEfoe2ytOPgUA58IkzDWj9c
jtuGl+Cgk4zHScd7Y4TQuRH7Nau27qPN10y0d5CAE5MwrCjfZv49PzSSzI5e0czYpp5k
T9BiFh2NmEDfMft6XWxXbIt7XCGZYsT+JUY8ZoM7oPh6q1zyJ6ZzgqPVAG3qutIifcBT
UuxA==
From: webmaster
Reply-To: webmaster@archive.today
To: anonymised@domain.com
Date: Mon, 23 Sep 2024 22:29:45 +0000
Message-Id:
Subject: Re: XXXXXXXX
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
-----
Return-Path:
X-Original-To: anonymised@domain.com
Delivered-To: anonymised@domain.com
Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
by mailin055.protonmail.ch (Postfix) with ESMTPS id 4WwKvT515dz1Kc
for ; Fri, 30 Aug 2024 14:16:21 +0000 (UTC)
Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-2020b730049so17036235ad.3
for ; Fri, 30 Aug 2024 07:16:21 -0700 (PDT)
Authentication-Results: mail.protonmail.ch; dmarc=none (p=none dis=none)
header.from=cofed.com
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=webmaster.ms
Authentication-Results: mail.protonmail.ch; arc=none smtp.remote-ip=209.85.214.178
Authentication-Results: mail.protonmail.ch; dkim=none
X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1725027379; x=1725632179;
h=content-transfer-encoding:to:subject:message-id:date:from
:in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=N6rDvVl9dSkhlnJ0FtDzweQIRt6B23NipQ+EoYhwDOE=;
b=HDIlew81GusYgcIgFB5jWoA7WWeAwSTRdQsko3nf7oDCQXnuFBIZshQgj0pEOgFPrx
71PBn5yn74nIWAMm9O1HUgtWliKFUXJbGIYzVQIXzugRubuDv2YmhuKwhNv5vh3lL09Y
nZN3h/diIJGCpoZ87RHNL5wBuvVQXKU50Kj9iJAxM9svr3nVo1yiwV6SJfXWXIB7e22/
FaYOv0O7g74D4DmHsITug8uTEzJiRGK8bdC/58R6QIePdFXYj+GSI6EeHJ2pOp3OAJG2
wegkd+JEumayuvHmh1Nmm15tiFQL7YO5eJuDS4i+T+Goz5PVURk2zflRMokMmXY6PjST
Qdyg==
From: Nora Puchreiner
To: anonymised@domain.com
Date: Fri, 30 Aug 2024 14:15:41 +0000
Message-Id:
Subject: Re: XXXXXXXX
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
try to contact :
SA Angela E. Tassone
FBI - New York
26 Federal Plaza
New York, NY 10278
Office: (212) 384-8453
Aetassone@fbi.gov
to have more information from theti9er@gmail.com