Archive.today: Operator uses users for DDoS attack - Archive website accuses Finnish blogger of doxing him, sends DDOS in retaliation

  • 🏰 Registrations are open.
Link (official translation from original German version)
Archive

The anonymous operator of Archive.today is unknowingly using visitors to their website in a Distributed Denial of Service (DDoS) attack against a Finnish blogger. On a splash page, which is intended to keep bots away using Google reCaptcha, JavaScript is hidden that sends an HTTP request to the Gyrovague.com page every 300 milliseconds in the user's browser. The background of the attack is apparently a disliked blog post by the affected party. Behind the attacked URL is the blog of Finn Janni Patokallio, who published the results of research on Archive.today in a post in 2023. German users who use Archive.today are thus operating in a legal gray area and could be committing a criminal offense, says a specialist lawyer for IT law.

The operator of Archive.today explained to a security researcher that the DDoS attack is intended to “slightly” increase the Finn's hosting costs. He feels “doxxed” by his blog post and is reacting to it with the DDoS attack. In the official Tumblr blog of Archive.today, which was recently posted on for the first time in two years, Patokallio and his family are sharply attacked. The post makes confused connections between Patokallio, an alleged Nazi past of his grandfather, arms trafficking, and Ukraine.

Blocks against media companies
The operator of Archive.today could not be reached by heise online via the email address provided on the site. In his Tumblr blog, he writes that he has blocked offices of the publisher Condé Nast because they published “propaganda” about his service. heise online has apparently also been affected by such a block for several days. The site is no longer accessible from the company network, and emails to the operator cannot be delivered. The cause of the block for heise online is apparently a report from November 2025, which concerned investigations by US authorities against Archive.today.

This report also mentioned and linked Janni Patokallio's blog post. In it, he explains, among other things, that Archive.today operates a botnet with changing IP addresses to circumvent anti-scraping measures. Archive.today allows previous versions of a website to be accessed, but in many cases, it also bypasses paywalls of publications. Patokallio also wrote that the operator(s) are based in Russia – a thesis that is, however, controversial online.

How the affected party reacts
Janni Patokallio explained in his blog that the DDoS attack does not cost him financially, as he uses web hosting at a flat rate. In addition, ad blockers like uBlock Origin now block the DDoS requests. The attack was apparently preceded by an email from the Archive.today operator, which he initially overlooked. When he finally replied, the operator threatened him with defamatory measures.

With his action, the operator of Archive.today may also be getting users from Germany into legal trouble. DDoS attacks are punishable by law. “If one is now unwittingly involved in such an attack, it cannot be criminally relevant due to a lack of intent; however, if one recognizes both the attack and one's own contribution in the form of calling up the form and knowingly accepts that this is realized as a supporting component, then a criminal offense would exist,” IT lawyer Jens Ferner assessed the legal situation when asked by heise online. While in practice criminal prosecution is unlikely due to the effort involved. However, the media reports making the attack public are likely to make intent easier to prove.

Ferner points to another side effect: By having Archive.today unknowingly let users access the Finnish blogger's URL, their IP addresses are transmitted to him. This could be a point of attack for prosecuting copyright infringements.
 
Click to expand...
Jemn Oopi said:
In the official Tumblr blog of Archive.today, which was recently posted on for the first time in two years, Patokallio and his family are sharply attacked.
Click to expand...
https://archive-is.tumblr.com/post/806966482173083648/ | Archive
Some time back, I sat down for an interview with Legal Tribune. The subject was mainly about paywalls and about the use of public archives to get around them. Now, that interview hasn’t seen the light of day yet (maybe it still will) but I reckon there are two reasons it got shelved. And those two reasons, in my judgment, deserve to be heard by the public.

They asked me, plain and proper: “Doesn’t the work of these archives undermine the business model of German media and by extension, democracy itself, truth, justice, and the whole Teutonic order?”

Well now, the natural answer to that is another question: What undermines that business model more — a quiet archive that does not advertise its accidental remedy, or a big newspaper article that reminds precisely those who can afford subscriptions that paywalls can be avoided?

Especially when we’re talking about Germany, a country with a mighty fine library system. A system where just about anyone with a library card (which is to say, just about everyone) can already get past paywalls. Even the hard ones. Even the kind the archives can’t crack. There are even special browser tools built just to make it easier. And you can’t fix that with some grand gesture like calling it “piracy” and blocking a domain on der Bundesbrandmauer.

But what can kill their business model is a public debate that marches straight into every German living room and says: “You don’t actually have to pay for this”, that in fact it is not “pay for access”, but merely “donate for our democracy”, and who would subscribe to that? That kind of idea spreads faster than any archive ever could.

Now, the second reason. And while I’m at it, let me address those who might accuse me of comparing Jani Patokallio to Hunter Biden yesterday. Yes sir, there is some friction between us and the German media. But it ain’t about paywalls. It’s about their wish to scrub from the archive the articles they already took down from their own site. And that makes a man wonder: how do they pull those same articles out of libraries too when a publisher has second thoughts?

What’s curious is this: almost every one of those stories is about the misadventures of wayward scions from respectable families, boys and girls who manage to tarnish their own last names with their behavior.

The most “toxic” content for us isn’t politics at all. It’s pages of hookers (kinetic ones, not virtual) and these well-born kids splashed across the papers. Not ministers. Not presidents. Just reputations in free fall.

And maybe that shouldn’t surprise us. After all, the word reputation comes from the same old root as puta.
 
Harvey Danger said:
I wish such an important resource was in less crazy hands.
Click to expand...

sadly so much of the free and open internet is run and maintained by autists, and autsitc troons all accursed with severe mental illness it makes any stability an impossibility as functionality depends on the whims of their personality disorder, i wish more people were just normal.
 
Ars Technica: Archive.today CAPTCHA page executes DDoS; Wikipedia considers banning site (archive) (mega)

DDoS hit blog that tried to uncover Archive.today founder’s identity in 2023.

Jon Brodkin – Feb 10, 2026

Wikipedia editors are discussing whether to blacklist Archive.today because the archive site was used to direct a distributed denial of service (DDoS) attack against a blogger who wrote a post in 2023 about the mysterious website’s anonymous maintainer.

In a request for comment page [archive] [ghost] [mega], Wikipedia’s volunteer editors were presented with three options. Option A is to remove or hide all Archive.today links and add the site to the spam blacklist. Option B is to deprecate Archive.today, discouraging future link additions while keeping the existing archived links. Option C is to do nothing and maintain the status quo.

Option A in particular would be a huge change, as more than 695,000 links to Archive.today are used across 400,000 or so Wikipedia pages. Archive.today, also known as Archive.is, is a website that saves snapshots of webpages and is commonly used to bypass news paywalls.

“Archive.today uses advanced scraping methods, and is generally considered more reliable than the Internet Archive,” the Wikipedia request for comment said. “Due to concerns about botnets, linkspamming, and how the site is run, the community decided to blacklist it in 2013. In 2016, the decision was overturned, and archive.today was removed from the spam blacklist.”

Discussion among editors has been ongoing since February 7. “Wikipedia’s need for verifiable citations is absolutely not more important than the security of users,” one editor in favor of blacklisting wrote. “We need verifiable citations so that we can maintain readers’ trust, however, in order to be trustworthy our references also have to be safe to access.”

Archive would be hard to replace​

On the other side, an editor who supported Option C wrote that “Archive.today contains a vast amount of archives available nowhere else. Not on Wayback Machine, nowhere. It is the second largest archive provider across all Wikimedia sites. Removal/blockage of this site will be disruptive daily for thousands of editors and readers. It will result in a huge proliferation of {{dead link}} tags that will never be resolved.”

Several posts mentioned an ongoing FBI case that could eventually make the Archive.today links useless anyway. Some said it would be better to act now than to have Option A forced on them later without a backup plan.

One editor supported starting with Option B and eventually shifting to Option A with “the proper end goal being the WMF [Wikimedia Foundation] supporting some sort of archive system, whether their own original or directly supporting the Internet Archive’s work so it can be done more systematically.”

Some discussion centered on copyright infringement, given that Archive.today publishes copies of many copyrighted articles. “On the general problem of linking to copyright infringement: perhaps the Wikimedia Foundation can work on ways to establish legally licensed archives of major paywalled sites, in partnership with archives such as the Internet Archive,” one editor wrote. “It would be challenging given the business model of those sites, but maybe a workable compromise can be established that manages how many Wikipedia editors [have] access at a given time.”

Malicious code in CAPTCHA page​

The DDoS attack being discussed by Wikipedia editors was targeted at the Gyrovague blog written by Jani Patokallio. Last month, “the maintainers of Archive.today injected malicious code in order to perform a distributed denial of service attack against a person they were in dispute with,” the Wikipedia request for comment says. “Every time a user encounters the CAPTCHA page, their Internet connection is used to attack a certain individual’s blog.”

The trustworthiness of Archive.today was discussed in light of evidence that the site’s founder threatened to create “a new category of AI porn” in retaliation against the blogger. The AI porn threat was mentioned by several editors.

“I echo others [that Option] A is looking like something we’ll have to do eventually, anyways, and at least this way we have a chance to do it on our terms,” one editor wrote. “I hate to break it to you, but even if the FBI thing goes nowhere, a website whose operator apparently threatens to create AI porn in retaliation against enemies, using their names, isn’t a trustworthy mirror, and isn’t going to remain one.”

One editor reported being “miserable” about supporting Option A, “but we cannot permit websites to rope our readers into being part of DDoS attacks.” Moreover, “The fact is that most of the archive.today links on Wikipedia are not an attempt to save URLs that have now gone dead that the Internet Archive cannot handle, but efforts to bypass paywalls, which is convenient, but illegal. It’s strange that we accept links to archive.today for this purpose but don’t accept the same for Anna’s Archive or Sci-Hub,” the editor wrote.

Patokallio told us in an email today, “it’s true that there simply are no alternatives to archive.today for many sources that archive.org does not/cannot cover,” and that he hopes the Wikipedia request for comment “leads to the Wikimedia Foundation creating one as suggested by multiple commenters in the thread.”

We emailed the Archive.today’s webmaster address today about the Wikipedia discussion and will update this article if we get a response.

The Wikimedia Foundation, the nonprofit that hosts Wikipedia, chimed in on the discussion today. “Our view is that the value to verifiability that the site provides must be weighed against the security risks and violation of the trust of the people who click these links,” wrote Eric Mill, head of the foundation’s product safety and integrity group. “We (WMF) encourage the English Wikipedia community to carefully weigh the situation before making a decision on this unusual case.”

Noting that “Archive.today’s owner has not been deterred from continuing the ongoing DDoS,” Mill wrote that “the same actions that make archive.today unsafe may also reduce its usefulness for verifying content on Wikipedia. If the owners are willing to abuse their position to further their goals through malicious code, then it also raises questions about the integrity of the archive it hosts.”

It’s possible the Wikimedia Foundation will act even if the volunteer editors decide to maintain the status quo. “We know that WMF intervention is a big deal, but we also have not ruled it out, given the seriousness of the security concern for people who click the links that appear across many wikis,” Mill wrote.

Blogger tried to uncover founder’s identity​

The Wikipedia request for comments acknowledged that whether to blacklist would be a difficult decision. There are “significant concerns for readers’ safety, as well as the long-term stability and integrity of the service,” but “a significant amount of people also think that mass-removing links to Archive.today may harm verifiability, and that the service is harder to censor than certain other archiving sites,” it said.

An update to the request for comments yesterday indicated that the attack temporarily stopped, but the malicious code had been reactivated. “Please do not visit the archive without blocking network requests to gyrovague.com to avoid being part of the attack!” it said.

The code’s first public mention was apparently in a Hacker News thread on January 14, and Patokallio wrote about the DDoS in a February 1 blog post. “Every 300 milliseconds, as long as the CAPTCHA page is open, this makes a request to the search function of my blog using a random string, ensuring the response cannot be cached and thus consumes resources,” he wrote. The Javascript code in the Archive.today CAPTCHA page is as follows:

JavaScript: 
setInterval(function() {
            fetch("https://gyrovague.com/?s=" + Math.random().toString(36).substring(2, 3 + Math.random() * 8), {
                referrerPolicy: "no-referrer",
                mode: "no-cors"
            });
        }, 300);

In August 2023, Patokallio wrote a post attempting to uncover the identity of Archive.today founder “Denis Petrov,” which seems to be an alias. Patokallio wasn’t able to figure out who the founder is but cobbled together various tidbits from Internet searches, including a Stack Exchange post that mentioned another potential alias, “Masha Rabinovich.”

Patokallio seemed to be driven by curiosity and was impressed by Archive.today’s work. “It’s a testament to their persistence that [they’ve] managed to keep this up for over 10 years, and I for one will be buying Denis/Masha/whoever a well deserved cup of coffee,” Patokallio’s 2023 post said. In his post this month, Patokallio said his 2023 blog “gathered some 10,000 views and a bit [of] discussion on Hacker News, but didn’t exactly set the blogosphere on fire. And indeed, absolutely nothing happened for the next two years and a bit.”

FBI case revives interest in 2023 blog​

But in October 2025, the FBI sent a subpoena to domain registrar Tucows seeking “subscriber information on [the] customer behind archive.today” in connection with “a federal criminal investigation being conducted by the FBI.” We wrote about the subpoena, and our story included a link to Patokallio’s 2023 blog post in a sentence that said, “There are several indications that the [Archive.today] founder is from Russia.”

In an email to Ars, Patokallio told us that the DDoS attack “appears to be because you kindly mentioned my blog in your Nov 8, 2025 story.” Patokallio added that he is “as mystified by this as you probably are.” Articles about the subpoena by The Verge and Heise Online also linked to Patokallio’s 2023 blog post.

On January 8, 2026, Patokallio’s hosting company, Automattic, notified him that it received a GDPR [General Data Protection Regulation] complaint from a “Nora Puchreiner” alleging that the 2023 post “contains extensive personal data… presented in a narrative that is defamatory in tone and context.” Patokallio said that after he submitted a rebuttal, “Automattic sided with me and left the post up.”

Patokallio said he also “received a politely worded email from archive.today’s webmaster asking me to take down the post for a few months” on January 10. The email was classified as spam by Gmail, and he didn’t see it until five days later, he said. In the meantime, the DDoS started.

Patokallio said he replied to the webmaster’s email on January 15 and again on January 20 but didn’t hear back. He tried a third time on January 25, saying he would not take down the blog post but offered to “change some wording that you feel is being misrepresented.”

Emails threatened AI porn and other scams​

Patokallio posted what he called a lightly redacted copy of the resulting email thread. The first email from the Archive.today webmaster said, “I do not mind the post, but the issue is: journos from mainstream media (Heise, Verge, etc) cherry-pick just a couple of words from your blog, and then construct very different narratives having your post the only citable source; then they cite each other and produce a shitty result to present for a wide audience.”

In a later email, “Nora Puchreiner” wrote, “I do not care on your blog and its content. I just need the links from Heise and other media to be 404.” One message threatened to investigate “your Nazi grandfather” and “vibecode a gyrovague.gay dating app.” Another threatened to create a public association between Patokallio’s name and AI porn.

A Tumblr blog post apparently written by the Archive.today founder seems to generally confirm the emails’ veracity, but says the original version threatened to create “a patokallio.gay dating app,” not “a gyrovague.gay dating app.” The Tumblr blog has several other recent posts criticizing Patokallio and accusing him of hiding his real name. However, the Gyrovague blog shows Patokallio’s name in a sidebar and discloses that he works for Google in Sydney, Australia, while stating that the blog posts contain only his personal views.

In one email, Patokallio included a link to Wikipedia’s page on the Streisand effect, a name for situations in which people seeking to suppress access to information instead draw more public attention to the information they want hidden. The Archive.today site maintainer apparently viewed this as a threat.

“And threatening me with Streisand… having such a noble and rare name, which in retaliation could be used for the name of a scam project or become a byword for a new category of AI porn… are you serious?” the email said. Patokallio responded, “No, you’re Streisanding yourself: the DDOS has already drawn more attention to my blog post than it had gotten in the last two years, with zero action on my side.”

A subsequent reply in the email thread contained the “Nazi grandfather” and “gay dating app” threats. Patokallio wrote that after these emails, it didn’t seem worthwhile to continue the discussion. “At this point it was pretty clear the conversation had run its course, so here we are,” Patokallio wrote in his February 1 blog post. “And for the record, my long-dead grandfather served in an anti-aircraft unit of the Finnish Army during WW2, defending against the attacks of the Soviet Union. Perhaps this is enough to qualify as a ‘Nazi’ in Russia these days.”

While the outcome at Wikipedia is not yet settled, Patokallio wrote that the DDoS attack didn’t cause him any real harm. The Archive.today maintainer apparently intended to make Patokallio’s hosting costs more expensive, but “I have a flat fee plan, meaning this has cost me exactly zero dollars,” he wrote.

This article was updated with a statement from the Wikimedia Foundation and further comment from Patokallio.


https://arstechnica.com/civis/threa...-after-site-maintainer-ddosed-a-blog.1511586/ (archive) (ghost) (mega)

https://arstechnica.com/civis/threa...-site-maintainer-ddosed-a-blog.1511586/page-2 (archive) (ghost) (mega)

Comments hidden by downvotes:

ars-hidden-comments-L.webp
 
Finnish blogger....did Keffals still resides in Finland? I know it's just only a coincidence but talk about a coincidence or as some said a "cohencidence".
 
Super-Chevy454 said:
Finnish blogger....did Keffals still resides in Finland? I know it's just only a coincidence but talk about a coincidence or as some said a "cohencidence".
Click to expand...
You were thinking of Ire Land.

Let's face it, the Archive.today operator is acting unstable and needs to deescalate, before real damage is done.
 
Why is something this useful only run by an absolutely Herculean autist? This is not the first batshit crazy thing this idiot has done.
 
Ars Technica: Wikipedia blacklists Archive.today, starts removing 695,000 archive links (archive) (mega)

If DDoSing a blog wasn’t bad enough, archive site also tampered with web snapshots.

Jon Brodkin – Feb 20, 2026

The English-language edition of Wikipedia is blacklisting Archive.today after the controversial archive site was used to direct a distributed denial of service (DDoS) attack against a blog.

In the course of discussing whether Archive.today should be deprecated because of the DDoS, Wikipedia editors discovered that the archive site altered snapshots of webpages to insert the name of the blogger who was targeted by the DDoS. The alterations were apparently fueled by a grudge against the blogger over a post that described how the Archive.today maintainer hid their identity behind several aliases.

“There is consensus to immediately deprecate archive.today, and, as soon as practicable, add it to the spam blacklist (or create an edit filter that blocks adding new links), and remove all links to it,” stated an update today on Wikipedia’s Archive.today discussion. “There is a strong consensus that Wikipedia should not direct its readers towards a website that hijacks users’ computers to run a DDoS attack (see WP:ELNO#3). Additionally, evidence has been presented that archive.today’s operators have altered the content of archived pages, rendering it unreliable.”

More than 695,000 links to Archive.today are distributed across 400,000 or so Wikipedia pages. The archive site, which is facing an investigation in which the FBI is trying to uncover the identity of its founder, is commonly used to bypass news paywalls.

“Those in favor of maintaining the status quo rested their arguments primarily on the utility of archive.today for verifiability,” said today’s Wikipedia update. “However, an analysis of existing links has shown that most of its uses can be replaced. Several editors started to work out implementation details during this RfC [request for comment] and the community should figure out how to efficiently remove links to archive.today.”

Editors urged to remove links​

Guidance published as a result of the decision asked editors to help remove and replace links to the following domain names used by the archive site: archive.today, archive.is, archive.ph, archive.fo, archive.li, archive.md, and archive.vn. The guidance says editors can remove Archive.today links when the original source is still online and has identical content; replace the archive link so it points to a different archive site, like the Internet Archive, Ghostarchive, or Megalodon; or “change the original source to something that doesn’t need an archive (e.g., a source that was printed on paper), or for which a link to an archive is only a matter of convenience.”

The Wikipedia guidance points out that the Internet Archive and its website, Archive.org, are “uninvolved with and entirely separate from archive.today.” The Internet Archive is a nonprofit based in the US.

As we previously reported, malicious code in Archive.today’s CAPTCHA page was used to direct a DDoS against the Gyrovague blog written by a man named Jani Patokallio. The Archive.today maintainer demanded that Patokallio take down a 2023 blog post that discussed the archive site founder’s possible identity. Patokallio wasn’t able to determine who runs Archive.today but mentioned apparent aliases such as “Denis Petrov” and “Masha Rabinovich,” and described evidence that the site is operated by someone from Russia.

When we last wrote about this topic, the Archive.today maintainer told Ars Technica that it would not provide any comment on the Wikipedia discussion unless we removed references to Patokallio’s blog, which we did not do.

Archive.today maintainer sent threats​

Patokallio told Ars today that he is pleased by the Wikipedia community’s decision. “I’m glad the Wikipedia community has come to a clear consensus, and I hope this inspires the Wikimedia Foundation to look into creating its own archival service,” he told us.

In emails sent to Patokallio after the DDoS began, “Nora” from Archive.today threatened to create a public association between Patokallio’s name and AI porn and to create a gay dating app with Patokallio’s name. These threats were discussed by Wikipedia editors in their deliberations over whether to blacklist Archive.today, and then editors noticed that Patokallio’s name had been inserted into some Archive.today captures of webpages.

“Honestly, I’m kind of in shock,” one editor wrote. “Just to make sure I’m understanding the implications of this: we have good reason to believe that the archive.today operator has tampered with the content of their archives, in a manner that suggests they were trying to further their position against the person they are in dispute with???”

“If this is true it essentially forces our hand, archive.today would have to go,” another editor replied. “The argument for allowing it has been verifiability, but that of course rests upon the fact the archives are accurate, and the counter to people saying the website cannot be trusted for that has been that there is no record of archived websites themselves being tampered with. If that is no longer the case then the stated reason for the website being reliable for accurate snapshots of sources would no longer be valid.”

Blog capture tampered with​

One example discussed by Wikipedia editors involved Jani Patokallio’s name being inserted into an Archive.today capture of a blog post that was mentioned by Patokallio in his February 2026 write-up of the DDoS incident. This blog is related to the “Nora” alias used by the Archive.today maintainer, which now appears to be the name of an actual person.

“It appears increasingly likely that the identity of ‘Nora’ has been appropriated from an actual person, whose only connection to archive.today was a request to take down some content,” Patokallio wrote in an update to his blog today. “As a courtesy, I have redacted their last name from this post.”

Evidence presented in the Wikipedia discussion showed that Archive.today replaced Nora’s name with Patokallio’s name in the aforementioned blog post. The Archive.today capture has since been reverted to what appears to be the original version. In other cases, Archive.today captures included a “Comment as: Jani Patokallio” string on captures that previously had a “Comment as: Nora [last name redacted]” string.

Even if the snapshot alterations hadn’t helped convince Wikipedia’s volunteer editors to deprecate Archive.today, the Wikimedia Foundation itself might have stepped in. In its comments on the DDoS, the nonprofit that operates Wikipedia said on February 10 that it had not ruled out intervening due to “the seriousness of the security concern for people who click the links that appear across many wikis.”
 
Well goddamn looks like we need to find a new dude to host an archive that isn’t batshit.

Ghost is okay but I always preferred archive.today man now I am bummed.
 
Last edited:
Blewberry Nausea said:
Well goddamn loooks like we need to find a new dude to host an archive that isn’t batshit.

Ghost is okay but I always preferred archive.today man now I am bummed.
Click to expand...
Archive.today isn't dead just yet. I probably archived 150 things with it today.

We will always need more of these services though. And no, Null will not host one.
Pennypacker said:
If the operator was tampering with snapshots, then what is the fucking point? Crazy
Click to expand...
Looks like he only did it to the one blog. It's a massive credibility problem, but practically speaking, 99.9999999% of its contents are as useful as they ever were.
 
On his blog (now apparently moved from Tumblr to a Russian LiveJournal clone), the archive.today operator explicitly cites Kiwi Farms as having better archival practices than Wikipedia.
About Wikipedia, I promised to write when the referendum there ended so as not to influence it:
  1. Kiwi Farms set up an on-premise mirror of all archive.xx links from their forum (the volume is comparable). Wikimedia… never even had such an idea. That's all you need to know about linkrot, contingency plans, and who to blame when links disappear.
  2. The value of the archive for Wikipedia was not in this, but in the ability to offload copyright issues. This is not about paywalls. This is, for example, about copyright trolls writing claims to stock photos, about articles deleted or changed for political reasons but pursued under the guise of copyright, etc. It is precisely these links that become dead, then got replaced with archive.xx, and we become the sink for all the attacks, legal and illegal. The need for fast-flux hosting, pseudonyms, and other pirate attributes stems largely from this. Do we really need this kind of “social burden”? Build your own toilet thing, you have millions.
Link
Archive
@Null
 
Last edited:
You must log in or register to reply here.
Back
Top Bottom