So the mysterious person behind archive.today is very likely to be "Masha Rabinovich."
-
The HN thread discovering this covert attempt was posted by no other than "rabinovich", a user which shares the name of the POI: https://news.ycombinator.com/item?id=46624740
Furthermore, the Masharabinovich Wikipedia account has reactivated for the first time in 10 years to purge their talk page: https://en.wikipedia.org/wiki/Special:Contributions/Masharabinovich
Now, we still don't know if this Masha Rabinovich is an alias, but the evidence that this person is indeed the creator of archive.is is too great to ignore, and clearly Jani touched a nerve 🧵
But what's really interesting is the motivations.
1. Why now, after 2 years?
2. Why run a DDoS, and yet defend Jani in the comments?: https://news.ycombinator.com/item?id=46629823
3. Why register for a forum using your "name" to draw attention to a DDoS being ran by *your own site*?This seems like a ploy for attention. Perhaps the FBI has finally found him and Masha wants to go out on his own terms?: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tries-to-unmask-mysterious-founder-of-archive-today/
Perhaps Masha is a fake name and the real name leaked so he wants to publicize Masha? 🧵
-
But what's really interesting is the motivations.
1. Why now, after 2 years?
2. Why run a DDoS, and yet defend Jani in the comments?: https://news.ycombinator.com/item?id=46629823
3. Why register for a forum using your "name" to draw attention to a DDoS being ran by *your own site*?This seems like a ploy for attention. Perhaps the FBI has finally found him and Masha wants to go out on his own terms?: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tries-to-unmask-mysterious-founder-of-archive-today/
Perhaps Masha is a fake name and the real name leaked so he wants to publicize Masha? 🧵
I also just wish to stress that by visiting archive.today or related web properties your device is being used as a participent in a DDoS attack against Jani. archive.today is not safe to use. 🧵
-
I also just wish to stress that by visiting archive.today or related web properties your device is being used as a participent in a DDoS attack against Jani. archive.today is not safe to use. 🧵
@eb crap that sucks, it's so useful
-
I also just wish to stress that by visiting archive.today or related web properties your device is being used as a participent in a DDoS attack against Jani. archive.today is not safe to use. 🧵
interestingly the code used in the DDoS has changed between today and yesterday:
Old:
𝚏𝚎𝚝𝚌𝚑("𝚑𝚝𝚝𝚙𝚜://𝚐𝚢𝚛𝚘𝚟𝚊𝚐𝚞𝚎.𝚌𝚘𝚖/?𝚜=" + 𝙼𝚊𝚝𝚑.𝚛𝚘𝚞𝚗𝚍(𝚗𝚎𝚠 𝙳𝚊𝚝𝚎().𝚐𝚎𝚝𝚃𝚒𝚖𝚎() % 𝟷𝟶𝟶𝟶𝟶𝟶𝟶𝟶), {
𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛𝙿𝚘𝚕𝚒𝚌𝚢: "𝚗𝚘-𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛",
𝚖𝚘𝚍𝚎: "𝚗𝚘-𝚌𝚘𝚛𝚜"
});Today:
𝚏𝚎𝚝𝚌𝚑("𝚑𝚝𝚝𝚙𝚜://𝚐𝚢𝚛𝚘𝚟𝚊𝚐𝚞𝚎.𝚌𝚘𝚖/?𝚜=" + 𝙼𝚊𝚝𝚑.𝚛𝚊𝚗𝚍𝚘𝚖().𝚝𝚘𝚂𝚝𝚛𝚒𝚗𝚐(𝟹𝟼).𝚜𝚞𝚋𝚜𝚝𝚛𝚒𝚗𝚐(𝟸, 𝟹 + 𝙼𝚊𝚝𝚑.𝚏𝚕𝚘𝚘𝚛(𝙼𝚊𝚝𝚑.𝚛𝚊𝚗𝚍𝚘𝚖() * 𝟾)), {
𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛𝙿𝚘𝚕𝚒𝚌𝚢: "𝚗𝚘-𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛",
𝚖𝚘𝚍𝚎: "𝚗𝚘-𝚌𝚘𝚛𝚜"
}); -
interestingly the code used in the DDoS has changed between today and yesterday:
Old:
𝚏𝚎𝚝𝚌𝚑("𝚑𝚝𝚝𝚙𝚜://𝚐𝚢𝚛𝚘𝚟𝚊𝚐𝚞𝚎.𝚌𝚘𝚖/?𝚜=" + 𝙼𝚊𝚝𝚑.𝚛𝚘𝚞𝚗𝚍(𝚗𝚎𝚠 𝙳𝚊𝚝𝚎().𝚐𝚎𝚝𝚃𝚒𝚖𝚎() % 𝟷𝟶𝟶𝟶𝟶𝟶𝟶𝟶), {
𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛𝙿𝚘𝚕𝚒𝚌𝚢: "𝚗𝚘-𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛",
𝚖𝚘𝚍𝚎: "𝚗𝚘-𝚌𝚘𝚛𝚜"
});Today:
𝚏𝚎𝚝𝚌𝚑("𝚑𝚝𝚝𝚙𝚜://𝚐𝚢𝚛𝚘𝚟𝚊𝚐𝚞𝚎.𝚌𝚘𝚖/?𝚜=" + 𝙼𝚊𝚝𝚑.𝚛𝚊𝚗𝚍𝚘𝚖().𝚝𝚘𝚂𝚝𝚛𝚒𝚗𝚐(𝟹𝟼).𝚜𝚞𝚋𝚜𝚝𝚛𝚒𝚗𝚐(𝟸, 𝟹 + 𝙼𝚊𝚝𝚑.𝚏𝚕𝚘𝚘𝚛(𝙼𝚊𝚝𝚑.𝚛𝚊𝚗𝚍𝚘𝚖() * 𝟾)), {
𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛𝙿𝚘𝚕𝚒𝚌𝚢: "𝚗𝚘-𝚛𝚎𝚏𝚎𝚛𝚛𝚎𝚛",
𝚖𝚘𝚍𝚎: "𝚗𝚘-𝚌𝚘𝚛𝚜"
});@eb *sigh* I use archive.today quite a bit. Don't have time right now to find someone else that will do what I need, so at least for the time being I'm going to blackhole gyrovague.com on all my devices to prevent it from doing any damage on my account.
It's interesting that the DDoS code is (apparently) only on the CAPTCHA page, since archive.today doesn't always display its CAPTCHA page. Why didn't they put it on every page? Hmm. -
@eb *sigh* I use archive.today quite a bit. Don't have time right now to find someone else that will do what I need, so at least for the time being I'm going to blackhole gyrovague.com on all my devices to prevent it from doing any damage on my account.
It's interesting that the DDoS code is (apparently) only on the CAPTCHA page, since archive.today doesn't always display its CAPTCHA page. Why didn't they put it on every page? Hmm.@jik my best guess is that the captcha page just isn't something people think to inspect. it is a very brief page the user will only ever encounter on a journey, a page that they strive to move through as efficiently as possible. Furthermore it *looks* like a cloudflare captcha so users are very familiar with it (it is not a cloudflare page).
-
@jik my best guess is that the captcha page just isn't something people think to inspect. it is a very brief page the user will only ever encounter on a journey, a page that they strive to move through as efficiently as possible. Furthermore it *looks* like a cloudflare captcha so users are very familiar with it (it is not a cloudflare page).
-
-
I also just wish to stress that by visiting archive.today or related web properties your device is being used as a participent in a DDoS attack against Jani. archive.today is not safe to use. 🧵
Are you saying that the landing page I've been redirected to for the past 5 years on the archive.today network has actually been a DDOS tool the whole time?
Or is it just discreetly packaged alongside Google reCAPTCHA?
-
@jik my best guess is that the captcha page just isn't something people think to inspect. it is a very brief page the user will only ever encounter on a journey, a page that they strive to move through as efficiently as possible. Furthermore it *looks* like a cloudflare captcha so users are very familiar with it (it is not a cloudflare page).
@eb while that is a good guess, and may be part of the reason, the owner told me they only put it on the CAPTCHA page because:
We do not want to ddos them to death, just attract attention and increase their hosting bill
Read that as you will.
-
But what's really interesting is the motivations.
1. Why now, after 2 years?
2. Why run a DDoS, and yet defend Jani in the comments?: https://news.ycombinator.com/item?id=46629823
3. Why register for a forum using your "name" to draw attention to a DDoS being ran by *your own site*?This seems like a ploy for attention. Perhaps the FBI has finally found him and Masha wants to go out on his own terms?: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tries-to-unmask-mysterious-founder-of-archive-today/
Perhaps Masha is a fake name and the real name leaked so he wants to publicize Masha? 🧵
@eb I can't answer #2 and #3, but I emailed the owner and asked why they waiting 3 years, and they gave the fairly strange response that since the person/people mentioned in the article recently became EU citizens, the blog post now violated GDPR.
Even taking that at face value, it doesn't really explain why they chose to launch a DDoS attack.https://infosec.exchange/@iampytest1/115905994565109535
Just out of curiosity, do you know Jani Patokallio?
-
Are you saying that the landing page I've been redirected to for the past 5 years on the archive.today network has actually been a DDOS tool the whole time?
Or is it just discreetly packaged alongside Google reCAPTCHA?
@liquidparasyte No, it hasn't been that way for the last 5 years.
The blog post which seemingly sparked this came out 3 years ago, and the malicious code was only added a few days ago.And also, reCAPTCHA is not the source of the malicious code. There is just a small script at the bottom of the page, added by the owner and separate from reCAPTCHA, which performs the DDoS.
-
@eb while that is a good guess, and may be part of the reason, the owner told me they only put it on the CAPTCHA page because:
We do not want to ddos them to death, just attract attention and increase their hosting bill
Read that as you will.
@iampytest1 you're in contact with the admin of archive.today? can you put me in contact with them?
-
@eb I can't answer #2 and #3, but I emailed the owner and asked why they waiting 3 years, and they gave the fairly strange response that since the person/people mentioned in the article recently became EU citizens, the blog post now violated GDPR.
Even taking that at face value, it doesn't really explain why they chose to launch a DDoS attack.https://infosec.exchange/@iampytest1/115905994565109535
Just out of curiosity, do you know Jani Patokallio?
@iampytest1 I have had email correspondence with Jani but I do not know them personally.
-
@iampytest1 you're in contact with the admin of archive.today? can you put me in contact with them?
@eb I just emailed webmaster@archive.ph, which is the email listed on their website, and they responded using norapuchreiner@cofed.com.
-
@eb I just emailed webmaster@archive.ph, which is the email listed on their website, and they responded using norapuchreiner@cofed.com.
@iampytest1 Thanks.
-
@iampytest1 Thanks.
@eb Their email responses were all pretty much 1/2 sentence(s) long.
I posted verbatim quotes here: https://infosec.exchange/@iampytest1/115905846553756281
But if you are curious, I can post/share the full exchange.They did respond very quickly, sometimes within a minute.
-
I also just wish to stress that by visiting archive.today or related web properties your device is being used as a participent in a DDoS attack against Jani. archive.today is not safe to use. 🧵
@eb I am out of the loop on all this gyrovague doxxing and archive.today, who are these people and what is going on?
-
@eb I am out of the loop on all this gyrovague doxxing and archive.today, who are these people and what is going on?
@semitones the administrators of archive.today are using the visitor’s browser to spam requests to gyrovague, who they accuse of doxxing them, while simultaneously doxxing themselves in the process
-
@semitones the administrators of archive.today are using the visitor’s browser to spam requests to gyrovague, who they accuse of doxxing them, while simultaneously doxxing themselves in the process
@eb I am not sure what gyrovague is, but ublock origin blocks it as part of HaGeZi - multi ultimate mini blocklist. Not sure why.
Also not sure what gyrovague said but since the website is blocked and ddg is not helpful I'm still in the dark unfortunately...
