Wikipedia Blocks Archive.today After DDoS Abuse and Manipulated Web Archives

CyberSecureFox 🦊

Wikipedia has taken the unprecedented step of globally blocking archive.today (and its mirrors) and starting to remove hundreds of thousands of existing links to the service. The decision followed the discovery of both a DDoS attack delivered via archive.today’s CAPTCHA and manipulation of archived web pages, which together undermined the project’s security and trust requirements.

Why Wikipedia Blacklisted archive.today and Its Mirror Domains

After an internal discussion, Wikipedia editors added archive.today to the platform’s global blacklist of prohibited domains. The block covers archive.today, archive.is, archive.ph, archive.fo, archive.li, archive.md, and archive.vn. New links to these domains can no longer be added, and existing ones are to be replaced wherever possible.

Before the ban, Wikipedia articles contained over 695,000 links to archive.today, spread across roughly 400,000 pages. Editors are now encouraged to migrate citations to alternative, reputable archiving services—primarily Internet Archive (Archive.org), as well as Ghostarchive and Megalodon—or directly to verifiable offline sources such as books, academic publications, and official documents.

DDoS Attack via CAPTCHA: How Visitors Became a Browser Botnet

The escalation began with a conflict between the operator of archive.today and independent researcher Jani Patokallio. In 2023, Patokallio published research attempting to identify the person behind archive.today, referencing possible pseudonyms and a potential connection to Russia. The FBI had previously shown interest in the owner’s identity, issuing inquiries to registrar Tucows.

After Patokallio refused to remove his article, his blog was targeted by a distributed denial-of-service (DDoS) attack. A DDoS attack floods a target with traffic from many sources at once, making it unreachable for legitimate users. In this case, the malicious JavaScript used for the attack was reportedly embedded directly into the CAPTCHA on archive.today.

As a result, browsers of ordinary archive.today visitors unknowingly executed attack code and became part of a browser-based botnet. Instead of compromised IoT devices or infected servers, the attack leveraged legitimate user browsers loading a trusted page element (the CAPTCHA). For security professionals, this is a particularly concerning abuse of a mechanism generally assumed to increase safety.

Patokallio also received reputational threats from a person signing as “Nora”, including attempts to intimidate him with the prospect of being falsely associated with AI-generated pornographic content. This social-engineering component, while secondary to the technical issues, further alarmed the security community.

Evidence of Manipulated Archived Copies and Loss of Trust

During their review, Wikipedia editors surfaced a second, even more serious problem: manipulation of archived content on archive.today. In several cases, Patokallio’s name had been inserted into archived discussions he had never participated in.

For example, a line such as “Comment as: Nora [surname]” in the original archived snapshot appeared as “Comment as: Jani Patokallio” in the archive.today version. This indicates post-hoc modification of supposedly immutable historical snapshots.

Such alterations have major implications. Web archives are widely treated as digital time-stamps—a way to prove what a page looked like at a specific point in time. If an archive operator can silently rewrite those records, the archive becomes unreliable as digital evidence in journalism, academic work, or even court proceedings.

Editors also raised the possibility that “Nora” is a real person whose identity had previously appeared in correspondence with the service and was effectively appropriated by the archive.today operator without consent. One Wikipedian captured the core concern: if a service operator manipulates archives in their own interest during a dispute, no content in that archive can be treated as trustworthy.

Wikipedia Community Vote and Wikimedia Foundation’s Security Stance

Following a detailed debate, the Wikipedia community reached consensus to immediately discontinue the use of archive.today and replace it with other archiving solutions. Editors stressed that Internet Archive (Archive.org) is entirely unrelated to archive.today, despite the similarity in names and purpose.

The Wikimedia Foundation had already signaled it was considering a centralized block, describing archive.today as a “serious security threat” for users following links from Wikimedia projects. The community’s final decision effectively aligned with this risk assessment, making the ban both a technical and policy-driven response.

Cybersecurity Lessons: Integrity of Web Archives and Defensive Practices

The archive.today case highlights a growing structural risk: services that act as “digital witnesses of history” are themselves critical points in the trust chain. When a web archive can alter snapshots without detection, it undermines the use of archived pages as reliable digital forensics or historical records.

The incident also demonstrates how supporting web components like CAPTCHA widgets can be weaponized. Administrators should scrutinize which third-party domains are allowed to load active content (scripts and iframes) and enforce restrictive Content Security Policy (CSP) rules. Network and browser telemetry should be monitored for unusual outbound traffic patterns that may indicate hidden participation in DDoS campaigns.
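
As an added illustration (not from the original article), the following Python sketch audits a Content-Security-Policy header for the directives that would let an embedded third-party script load code or send requests to arbitrary hosts. The two policies and the captcha.example vendor host are constructed for the example.

```python
# Added example: flag CSP directives that leave active content or outbound
# requests unrestricted. All policies and hosts below are constructed samples.
CHECKED = ("script-src", "connect-src", "img-src", "frame-src")
BROAD = {"*", "http:", "https:", "ws:", "wss:"}  # sources that match any host


def parse_csp(header):
    """Return {directive: [sources]}; the first copy of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens and tokens[0] not in policy:
            policy[tokens[0]] = tokens[1:]
    return policy


def effective_sources(policy, name):
    """Apply CSP fallback: frame-src -> child-src -> default-src."""
    chain = [name] + (["child-src"] if name == "frame-src" else []) + ["default-src"]
    for directive in chain:
        if directive in policy:
            return policy[directive]
    return None  # nothing governs this resource type


def audit_csp(header):
    """Return one finding per checked directive that admits arbitrary hosts."""
    policy = parse_csp(header)
    findings = []
    for name in CHECKED:
        sources = effective_sources(policy, name)
        if sources is None:
            findings.append(f"{name}: unrestricted (no directive, no default-src)")
        elif BROAD & set(sources):
            findings.append(f"{name}: any host allowed via {sorted(BROAD & set(sources))}")
    return findings


WEAK = "default-src *; script-src 'self' https:"
STRICT = ("default-src 'none'; script-src 'self' https://captcha.example; "
          "frame-src https://captcha.example; connect-src 'self'; img-src 'self'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_csp(header) or "no broad sources")
```

A page's policy does not apply inside a cross-origin iframe, so for framed widgets frame-src (which origins may be framed at all) is the control the embedding site actually holds.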

For organizations and individual users, a more resilient strategy is to rely on multiple independent archives, prioritize well-governed, transparent services such as the Internet Archive, and periodically verify the integrity of preserved content. Avoiding dependence on opaque, single-operator platforms reduces the risk of silent tampering or abuse.
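
One way to carry out such a periodic check, as an added example that is not part of the original article: extract the visible text of the same page as preserved by two independent archives and list the lines that differ. The snapshots, names and function names are constructed for illustration.

```python
import difflib
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect visible text nodes, ignoring script and style content."""

    def __init__(self):
        super().__init__()
        self.lines, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace differences
        if text and not self._skip:
            self.lines.append(text)


def visible_lines(html):
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.lines


def snapshot_diff(html_a, html_b):
    """Return (only_in_a, only_in_b): visible-text lines that do not match."""
    a, b = visible_lines(html_a), visible_lines(html_b)
    only_a, only_b = [], []
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            only_a += a[i1:i2]
            only_b += b[j1:j2]
    return only_a, only_b


# Constructed snapshots of one page as served by two hypothetical archives.
ARCHIVE_A = "<html><body><h1>Thread</h1><p>Comment as: Alice Example</p><script>var t=1;</script></body></html>"
ARCHIVE_B = "<html><body><div>Archived copy</div><h1>Thread</h1><p>Comment as: Bob Example</p></body></html>"

if __name__ == "__main__":
    print(snapshot_diff(ARCHIVE_A, ARCHIVE_B))
```

Archive banners and toolbars show up as differences too, so the output is a review list for a human rather than a verdict; comparing text instead of hashing raw HTML keeps that noise small.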

The Wikipedia–archive.today incident is a clear reminder that in the digital information ecosystem, trust is as critical as technical security controls. Once that trust is breached—whether through DDoS abuse, data manipulation, or lack of transparency—the response from major platforms is swift and uncompromising. Strengthening cybersecurity today means not only defending systems from attacks, but also rigorously validating the integrity and governance of the services we rely on as records of online history.
