I think there are two angles to look at this. Yes, there’s the attack on the weblog. But there’s also pressure on archive.today, e.g. an FBI investigation [1] and some entity using fictitious CSAM allegations [2].
Jani Patokallio who runs gyrovague.com published a blog post attempting to dox the owner of archive.today.
Jani justifies his doxing as follows "I found it curious that we know so little about this widely-used service, so I dug into it" [1]
Archive.today on the other hand is a charitable archival project offered to the public for free. The operator of Archive.today risks significant legal liability, but still offers this service for free.
It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone. The only credible reason for Jani to publish something like this is if he desires to cause physical harm to the operator of archive.today
Or are we just looking at an unhinged fan stalking their favorite online celebrity?
People were critical of the Banksy piece, but this is much nastier. At least Banksy is a huge business, archive.today does not even make money.
Jani here. What you describe as "doxxing" consisted of a) a whois lookup for archive.is and b) linking to a StackExchange post from 2020 called "Who owns archive.today" [1]. There is literally no new information about the site's owner in the post, all names have been dug up before and are clearly aliases, and the post states as much.
Huh, that's what Kiwi Farms says about the people that they talk about online too. And Cloudflare famously retaliated against them, but are retaliating against the victim in this case because Archive.today responded to the doxing in the wrong way apparently
Maybe, but I don't think that distinction matters here. Surely you're not contending that it counts as doxing every time someone collects data from multiple public sources?
I've always understood doxing to be PII, which aliases aren't, AFAIK, unless they're connected to a real person. And, to my knowledge, everyone is contending that the names in the blog post are all aliases. And, regarding aliases, I've never understood it to be doxing for someone to say "FakeNameX and FakeNameY appear to be the same user."
So, to me, the thing that makes it not look like doxing is that it simply doesn't meet the basic definition of doxing. It provides no PII.
You're both right. Combine the two and you get what doxxing originally was:
"Dox" is short for "documents", and it originally referred to compiling a multi-page document of all known personal information, using disparate public sources: name, address, phone, email, employer, family members, family address/phone etc, etc, etc. It came from troll boards and was designed to make it easy to harass targets.
The term got significantly watered down when it got out to the broader internet.
How low has the bar gotten where doxxing is literally just doing a Google search and a whois lookup about a well-used public website? The hackers of the 90s and aughts would laugh you straight out of the irc server with this comment.
If the site operator is working for the FSB, doxx away! Although the world needs a better alternative to Internet Archive, it shouldn't be an alternative that is an arm of an authoritarian government.
I hate this. Archive.today provides a useful service for people like us in developing countries; without archive.today we would not even have luxury to read and document a lot of stuff. In our countries, hard disks are expensive and internet is not fast either. We don't have the luxury to just download; and so many useful Youtube video are just made private after one phone call from Police. Why take it away from us...
All your comments are painting archive.today as an innocent victim in all this, but in addition to the DDoS, they have been caught modifying archived pages as well as sending actual threats to Patokallio [1] which in my opinion seem far worse than the "doxxing".
Just the fact alone that they modified archived pages has completely ruined their credibility, and over what? A blog post about them that (a) wasn't even an attack, it is mostly praising archive.today, and (b) doesn't reveal any true identities or information that isn't already easily accessible.
From my perspective at least, archive.today seems like the unhinged one, not Patokallio.
>It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
I would say the opposite... The DDoS is pretty obviously ridiculous, completely unacceptable, and entirely indefensible, while the blog post seems like whatever.
I honestly cannot fathom defending using your popular website as a tool to DDoS someone you have personal beef with, without the consent of the DDoSing participants.
> It's weird to see people getting fixated on the DDoS,
The weird part to me is that some people are seemingly trying to downplay a popular website abusing visitors to DDoS someone.
How does your information (two angles) change anything at all about that fact? Normally if any website was caught abusing visitors to DDoS another website there would be no debate about why this is a bad thing. What about your other angles was supposed to matter in deciding if this was a bad thing for a website to do?
Two wrongs don’t make a right. Feeling wronged by someone doesn’t give you freedom to abuse every visitor to your website to DDoS someone else.
> It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
Why even do that, then? Why not just make a public post of theirs like: "Hey, here's someone trying to doxx me, and here's the unfair and fictitious bullshit the lying government is trying to pin on me. Here's all the facts, decide for yourselves."
Why do something as childish as DDoSing someone which takes away any basic good will and decency/respect you might have had in the eyes of many?
That way, it'd also be way more clear whether attempts at censorship are motivated by them acting as a bad actor, or some sort of repression and censorship thing.
I don't really have a horse in this race, but it sounds like lashing out to one own's detriment.
I'm wondering if Jani is possibly going to walk into the wrong party here and get burned. I did some public archival stuff about a decade ago and it was state sponsored and for the intelligence community. I'm not suggesting this is but it'll be very much of interest to competing intelligence services as it's an information control point. None of those are the sort of people you start pissing off by sticking your dick in it. FBI is likely just one of the actors here.
> Or are we just looking at an unhinged fan stalking their favorite online celebrity?
In this case, question is recursive. I have no idea who Jani Patokallio or gyrovague.com are, and the way Jason Drury shifts from “tried to dox” to “doxx’d” makes me wonder if this is astroturfing by Jani or Jason or a 3rd party. Who knows!
As of now the site is in-fact a C&C/botnet. Cloudflare naturally fixates on such risks, not speech (generally). The basic purpose of 1.1.1.2 is to not wind up part of botnet.
It is not "doxxing" but something weirder, "bulling" may be a better word, or as you said "stalking their favorite online celebrity".
The quality of investigation is too poor to be "doxxable", even Jani (in his reply here) accepts it, and no sensitive info is disclosured, but the blog post and its promotion here and there spread dangerous rumors like:
A bit context if you are confused why Public DNS server blocking websites. 1.1.1.2 is Malware blocking DNS server similar to AdBlock DNS server. It is not 1.1.1.1 and 1.0.0.1
Archive.today's attack on https://gyrovague.com is still on-going btw. It started just over two months ago. Some IPs get through normally but for example finnish residential IPs get stuck on endless captchas. The JS snippet that starts spamming gyrovague appears after solving the first captcha.
Some time ago, probably at least a year, likely more, I read a blog post by someone working for Google in Europe who loved using Archive.today and out of curiosity tried to determine who was running it. In the end he gave up, offered to buy the operator a beer or something like that, but if I recall correctly he went to even greater lengths in his research than the blogger discussed in this thread
eastdakota on May 4, 2019 on: Tell HN: Archive.is inaccessible via Cloudflare DNS...
[Via https://news.ycombinator.com/item?id=19828702]
We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.
We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.
Cloudflare dns has gone back and forth on whether it wants to resolve them since 2019. It’s taken that away and restored it again (intentionally? mistake?) at least four times.
The c&c/botnet designation would seem to be new though.
I reported the miscalssification, you can do it as well from the linked page.
Edit: reading some comments here seems that I was too fast, and that the story is much more complicated. Having just the Cloudflare page as a context, I assumed the news were a miscalssification. Could someone share more context on what is going on here?
Cloudflare is a clandestine intelligence operation run by a rogue nation. Just like spamhaus and many other firms that have ridiculous amounts of illegitimate and unchecked power.
It amazes me that people still use and recommend Cloudflare's DNS servers for resolution. Cloudflare DNS does not support EDNS Client Subnet. As a result, DNS queries resolved by their service are likely to return IP addresses for many CDNs that are physically farther away from you, leading to a slower internet browsing and viewing experience.
Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.
Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.
295 comments
Ditto for their other domains like archive.is and archive.ph
Example DoH request:
$ curl -s "https://1.1.1.2/dns-query?name=archive.is&type=A" -H "accept: application/dns-json"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}
---
Relevant HN discussions:
https://news.ycombinator.com/item?id=46843805 "Archive.today is directing a DDoS attack against my blog"
https://news.ycombinator.com/item?id=47092006 "Wikipedia deprecates Archive.today, starts removing archive links"
https://news.ycombinator.com/item?id=46624740 "Ask HN: Weird archive.today behavior?" - Post about the script used to execute the denial-of-service attack
Wikipedia page on deprecating and replacing archive.today links:
https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidan...
I now have my dream DNS lookup web tool! https://tools.simonwillison.net/dns#d=news.ycombinator.com&t...
Also: https://dnscheck.tools/
[1]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...
[2]: https://adguard-dns.io/en/blog/archive-today-adguard-dns-blo...
Jani justifies his doxing as follows "I found it curious that we know so little about this widely-used service, so I dug into it" [1]
Archive.today on the other hand is a charitable archival project offered to the public for free. The operator of Archive.today risks significant legal liability, but still offers this service for free.
[1]: https://gyrovague.com/2026/02/01/archive-today-is-directing-...
It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone. The only credible reason for Jani to publish something like this is if he desires to cause physical harm to the operator of archive.today
Or are we just looking at an unhinged fan stalking their favorite online celebrity?
People were critical of the Banksy piece, but this is much nastier. At least Banksy is a huge business, archive.today does not even make money.
[1] https://webapps.stackexchange.com/questions/145817/who-owns-...
I've always understood doxing to be PII, which aliases aren't, AFAIK, unless they're connected to a real person. And, to my knowledge, everyone is contending that the names in the blog post are all aliases. And, regarding aliases, I've never understood it to be doxing for someone to say "FakeNameX and FakeNameY appear to be the same user."
So, to me, the thing that makes it not look like doxing is that it simply doesn't meet the basic definition of doxing. It provides no PII.
"Dox" is short for "documents", and it originally referred to compiling a multi-page document of all known personal information, using disparate public sources: name, address, phone, email, employer, family members, family address/phone etc, etc, etc. It came from troll boards and was designed to make it easy to harass targets.
The term got significantly watered down when it got out to the broader internet.
Even a half-assed attempt at doxing is still an attempt at doxing.
It'd be much easier to accept that you're acting in good faith had you deleted the post when it became obvious that the target doesn't appreciate it.
You could still do that, and it would very simply be the right thing to do.
Just the fact alone that they modified archived pages has completely ruined their credibility, and over what? A blog post about them that (a) wasn't even an attack, it is mostly praising archive.today, and (b) doesn't reveal any true identities or information that isn't already easily accessible.
From my perspective at least, archive.today seems like the unhinged one, not Patokallio.
[1] https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
>It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
I would say the opposite... The DDoS is pretty obviously ridiculous, completely unacceptable, and entirely indefensible, while the blog post seems like whatever.
I honestly cannot fathom defending using your popular website as a tool to DDoS someone you have personal beef with, without the consent of the DDoSing participants.
> It's weird to see people getting fixated on the DDoS,
The weird part to me is that some people are seemingly trying to downplay a popular website abusing visitors to DDoS someone.
How does your information (two angles) change anything at all about that fact? Normally if any website was caught abusing visitors to DDoS another website there would be no debate about why this is a bad thing. What about your other angles was supposed to matter in deciding if this was a bad thing for a website to do?
Two wrongs don’t make a right. Feeling wronged by someone doesn’t give you freedom to abuse every visitor to your website to DDoS someone else.
> It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
Why even do that, then? Why not just make a public post of theirs like: "Hey, here's someone trying to doxx me, and here's the unfair and fictitious bullshit the lying government is trying to pin on me. Here's all the facts, decide for yourselves."
Why do something as childish as DDoSing someone which takes away any basic good will and decency/respect you might have had in the eyes of many?
That way, it'd also be way more clear whether attempts at censorship are motivated by them acting as a bad actor, or some sort of repression and censorship thing.
I don't really have a horse in this race, but it sounds like lashing out to one own's detriment.
> Or are we just looking at an unhinged fan stalking their favorite online celebrity?
In this case, question is recursive. I have no idea who Jani Patokallio or gyrovague.com are, and the way Jason Drury shifts from “tried to dox” to “doxx’d” makes me wonder if this is astroturfing by Jani or Jason or a 3rd party. Who knows!
The quality of investigation is too poor to be "doxxable", even Jani (in his reply here) accepts it, and no sensitive info is disclosured, but the blog post and its promotion here and there spread dangerous rumors like:
"AT is connected to Russia"
"AT is connected to Israel"
"AT is connected to Hackers"
"AT is wanted by FBI"
"AT does not like Nazis"
...
This is what Jani does.
Hell I use it to circumvent paywalls.
Here is the DDoS context https://gyrovague.com
I wish I could find it
(1) May 04 2019: "Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)" [https://news.ycombinator.com/item?id=19828317]
(2) Sep 11 2021: "Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019) (jarv.is)" [https://news.ycombinator.com/item?id=28495204]The c&c/botnet designation would seem to be new though.
Edit: reading some comments here seems that I was too fast, and that the story is much more complicated. Having just the Cloudflare page as a context, I assumed the news were a miscalssification. Could someone share more context on what is going on here?
https://quad9.net/service/service-addresses-and-features/
It's either sockpuppets or evidence of larger op
Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.
Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.