Archive.today: Operator uses users for DDoS attack

The anonymous operator of Archive.today is unknowingly using visitors to their website in a Distributed Denial of Service (DDoS) attack against a Finnish blogger. On a splash page, which is intended to keep bots away using Google reCaptcha, JavaScript is hidden that sends an HTTP request to the Gyrovague.com page every 300 milliseconds in the user's browser. The background of the attack is apparently a disliked blog post by the affected party. Behind the attacked URL is the blog of Finn Janni Patokallio, who published the results of research on Archive.today in a post in 2023. German users who use Archive.today are thus operating in a legal gray area and could be committing a criminal offense, says a specialist lawyer for IT law.

The operator of Archive.today explained to a security researcher that the DDoS attack is intended to “slightly” increase the Finn's hosting costs. He feels “doxxed” by his blog post and is reacting to it with the DDoS attack. In the official Tumblr blog of Archive.today, which was recently posted on for the first time in two years, Patokallio and his family are sharply attacked. The post makes confused connections between Patokallio, an alleged Nazi past of his grandfather, arms trafficking, and Ukraine.

Blocks against media companies

The operator of Archive.today could not be reached by heise online via the email address provided on the site. In his Tumblr blog, he writes that he has blocked offices of the publisher Condé Nast because they published “propaganda” about his service. heise online has apparently also been affected by such a block for several days. The site is no longer accessible from the company network, and emails to the operator cannot be delivered. The cause of the block for heise online is apparently a report from November 2025, which concerned investigations by US authorities against Archive.today.

This report also mentioned and linked Janni Patokallio's blog post. In it, he explains, among other things, that Archive.today operates a botnet with changing IP addresses to circumvent anti-scraping measures. Archive.today allows previous versions of a website to be accessed, but in many cases, it also bypasses paywalls of publications. Patokallio also wrote that the operator(s) are based in Russia – a thesis that is, however, controversial online.

How the affected party reacts

Janni Patokallio explained in his blog that the DDoS attack does not cost him financially, as he uses web hosting at a flat rate. In addition, ad blockers like uBlock Origin now block the DDoS requests. The attack was apparently preceded by an email from the Archive.today operator, which he initially overlooked. When he finally replied, the operator threatened him with defamatory measures.

With his action, the operator of Archive.today may also be getting users from Germany into legal trouble. DDoS attacks are punishable by law. “If one is now unwittingly involved in such an attack, it cannot be criminally relevant due to a lack of intent; however, if one recognizes both the attack and one's own contribution in the form of calling up the form and knowingly accepts that this is realized as a supporting component, then a criminal offense would exist,” IT lawyer Jens Ferner assessed the legal situation when asked by heise online. While in practice criminal prosecution is unlikely due to the effort involved. However, the media reports making the attack public are likely to make intent easier to prove.

Ferner points to another side effect: By having Archive.today unknowingly let users access the Finnish blogger's URL, their IP addresses are transmitted to him. This could be a point of attack for prosecuting copyright infringements.

(mki)