Your data. Your choice.

If you select «Essential cookies only», we’ll use cookies and similar technologies to collect information about your device and how you use our website. We need this information to allow you to log in securely and use basic functions such as the shopping cart.

By accepting all cookies, you’re allowing us to use this data to show you personalised offers, improve our website, and display targeted adverts on our website and on other websites or apps. Some data may also be shared with third parties and advertising partners as part of this process.

Legal noticePrivacy notice
Background information
475

Paywall bypassing site archive.today on the brink following DDoS furore

Martin Jud
12/2/2026
Translation: Katherine Martin
Pictures: Martin Jud

Archive.today has been archiving websites for years. It’s uncompromising, anonymous and brilliant on a technical level. Although the service is widely regarded as a paywall bypassing tool, its operator’s now using it to misuse visitors’ browsers for DDoS requests.

It started off as harmless. With a link, a click and a paywalled article appearing on screen – cleverly archived and fully readable – as if it were the most normal thing in the world. You’d be forgiven for confusing it with archive.org’s Wayback Machine, which actually respects opt-outs and deletes entries on request. But by contrast, archive.today doesn’t allow such opt-outs – or at least not according to the most recent information available on the site. The service has been storing websites consistently and on a large scale since 2012, with an unknown individual keeping the archive running.

That person’s anonymity remained unscathed for over a decade. Then, word of an FBI subpoena got out. A warning post broke the silence. And in January 2026, it became apparent the operator wasn’t just archiving. They were also using their site’s infrastructure for attacks, with visitors’ browsers being «unknowingly» swept up in them.

A one-person project with trails leading all over

Archive.today seems like a tool from a different era. A link goes in and a complete article comes out – paywall be damned. The service launched in 2012 at archive.is, registered to an individual named «Denis Petrov». It’s a name that defies official verification. The search for clues leads towards domains of unclear origin, Russian forums, German turns of phrase, Berlin IP addresses and an OSINT trace to a NixOS contributor with the handle «volth» – none of which can be verified. Developer and writer Jani Patokallio describes these clues in his 2023 analysis of archive.today, the most detailed attempt to date to technically trace the operator.

The one thing we know for sure? There’s no team, non-profit or company behind archive.today. It’s a one-person project. One fronted by somebody who’s been archiving content for over a decade – and who’s recently become embroiled in a conflict with a website operator and the media.

The machine in the background

Archive.today is impressive on a technical level. Patokallio explains that the operator uses Hadoop, Accumulo and HDFS – big data tools usually deployed by companies, not one-person projects. The archive uses two European data centres, with triple redundancy for text and double redundancy for images. By 2012, it had saved 10 terabytes, with the figure increasing to as much as a petabyte in 2021.

The most important part happens during scraping. Since 2021, archive.today has reportedly been using a distributed system consisting of numerous automated Chrome instances that load websites like regular browser requests. The difference is, they do so every second, from constantly changing networks. They switch between IP addresses, call up pages automatically and bypass client-side paywalls. Patokallio describes it as a botnet, but archive.today’s operator denies this. At the end of the day, however, it’s a distributed system that behaves like a botnet – and, just like a botnet, it can become a «problem» for website operators.

The question of money

The website’s expensive to run. Storage space of this size costs money, as do servers and bandwidth. According to Patokallio, archive.today’s operator claimed in 2023 that donations and advertising covered less than 20 per cent of their costs. He quotes them as saying they «could no longer top up» their PayPal account, suggesting they’re operating from a country that’s been cut off from international transactions. As a result, they’re only left with services such as Liberapay and BuyMeACoffee. Patokallio suspects the operator has another source of income, but they’re keeping schtum about it.

The turning point: the FBI takes an interest in the operator

In late October 2025, after a long period of silence, a single, now deleted post appeared on the archive.today operator’s official X account. Ironically, it’s still available on archive.today as archived content. The operator rarely uses their profile, with previous posts appearing to be tied to specific events. On this occasion, they wrote, referring to the proverbial canary in the coalmine:

````«canary: https://pdflink.to/1e0e0ecd/»```

The link leads to a court order (archived here) obtained by FBI investigators. It instructs Canadian internet services company Tucows to hand over comprehensive data about the customer behind archive.today, including address and connection data, payment information and technical identifiers.

It’s unclear why the operator shared the link. Canary posts are traditionally used when people who’re subject to investigations are either unable or unwilling to speak openly about them. It can’t be confirmed whether that’s the case with archive.today. The only thing we’re clear on is that the operator sees the proceedings as a threat; their anonymity’s in jeopardy.

The operator addresses the conflict openly

On 28 January 2026, the operator published a Tumblr post referencing the German media, paywalls, the «Teutonic order» and «hookers». They also referred to the Hunter Biden case to illustrate the way publishing private or embarrassing content may be used to publicly discredit people. In addition, the post bemoans requests to delete content, explaining that the most dangerous stuff pertains to personal scandals rather than the political.

In a subsequent Tumblr post, the operator claimed their interview with the Legal Tribune was «shelved» and gave potential reasons why. Portraying themselves as someone whose point of view hadn’t been heard, the operator stated archive.today wasn’t putting the German media’s business model at risk. Instead, they argued, the media were doing so themselves by continuously reporting on the fact that its paywalls can be bypassed. They also pointed out that Germany’s library system was superior to any paywall, and that anyone attributing the problem to archives hadn’t understood the principle behind them.

In the same post, they shifted the debate into the personal arena, claiming the archived articles that German media outlets were most keen to delete were ones they’d already removed themselves. Stories about wealthy families, damaged reputations and «wayward scions». The language was becoming increasingly confrontational.

At the same time these posts were published, the operator began blocking specific media companies, including Condé Nast and Heise. In both of those instances, their company networks and mail servers were blocked from accessing archive.today.

The 2026 escalation: e-mails, identities, threats

As well as making public statements, the operator’s been contacting their critics directly. On 8 January 2026, Patokallio received a request under the European General Data Protection Regulation, submitted by a «Nora Puchreiner». Two days later, he received a personal e-mail directly from archive.today’s operator requesting that his 2023 article about the site be taken down «for a few months».

When Patokallio responded, the tone changed. The subsequent messages he received were again penned by «Nora Puchreiner». At the same time, a user named «rabinovich» popped up on Hacker News, an alias observers associate with archive.today. In France, an organisation named WAAD came to the fore, offering «help» and bringing identity checks to the table.

Patokallio later described this sequence of events in detail in a blog post on 1 February 2026. It reconstructs the timeline, quoting from messages he’d received and documenting how the conflict came to a head.

A Tumblr post published on 4 February demonstrated how personal the conflict had become. The operator attacked Patokallio directly, making outlandish claims about his family connections, accusing him of having political and financial motivation and describing him as someone who «doxes for clicks». The attack said more about how the conflict had escalated than it did about Patokallio. Words were getting harsher, positions more contradictory and the operator’s communication seemed to be spinning more and more out of control.

Within just a few days, a picture emerged of a webmaster whose communication was becoming increasingly intense, with changing senders, varying roles, contradictory statements and an increasingly confrontational tone.

The DDoS: targeted, technical, personal

Around 11 January 2026, archive.today began involving its visitors in an attack. From what we can see right now, that attack appears to be over. A captcha page integrated on the website automatically executed a JavaScript snippet when loading. As a result, browsers repeatedly sent requests to Patokallio’s website gyrovague.com without the users noticing. Each request was provided with a random parameter so that it wouldn’t be served from the cache. An interval of 300 milliseconds was defined in the script.

This is a textbook DDoS mechanism. Rather than a website being overloaded in one fell swoop, it’s hit with a flood of small requests that build up into a wave. Instead of coming from bots, this particular wave was generated by real people whose browsers reinforced it, unbeknownst to them.

After analysing the code in the HTML of the captcha page directly, Patokallio described how precisely the attack was targeted at his blog. He notes the code was implemented deliberately. In several European countries, this creates a legal grey area. Theoretically, a user could be classed as involved in the attack as soon as they become aware their browser’s been part of one. Mind you, it’s considered unlikely that an actual prosecution will take place.

Soon after these revelations, a user published e-mail correspondence with archive.today’s operator on the Mastodon instance infosec.exchange. In it, the operator justified the attack by claiming Patokallio’s website «doxxes» him. They added, «We don’t want to DDoS them to death, just attract attention and increase their hosting bill.»

Patokallio himself explained the attack didn’t impact him financially, as his hosting’s charged at a flat rate and adblockers such as uBlock Origin now block potential requests anyway.

47 people like this article

User Avatar
User Avatar
Martin Jud
Senior Editor
martin.jud@digitecgalaxus.ch

I find my muse in everything. When I don’t, I draw inspiration from daydreaming. After all, if you dream, you don’t sleep through life.

Background information

Interesting facts about products, behind-the-scenes looks at manufacturers and deep-dives on interesting people.

Show all

These articles might also interest you

  • Background information

    End of the line for child abuse deepfakes? The Grok crisis and its impact

    by Florian Bodoky

  • Background information

    7 questions you have about DeepSeek (and the answers)

    by Samuel Buchmann

  • Background information

    How an anti-porn campaign is also threatening safe-for-work games on Steam

    by Debora Pape

5 comments

Avatar
later