In February 2026, the English-language edition of Wikipedia made a dramatic decision: blacklist every link to the web archiving service known as archive with the .today extension, and begin the massive process of removing more than 695,000 references spread across roughly 400,000 pages. The trigger was a bizarre feud involving a DDoS attack and tampered web archives. But the deeper story is about what happens when a platform that serves hundreds of millions of readers entrusts a critical piece of its infrastructure to an anonymous, unaccountable third party—and what the rest of us can learn from that mistake before we make it ourselves.
When we talk about cybersecurity, the conversation often centers on firewalls, encryption, and phishing defenses. But some of the biggest vulnerabilities in the digital world have nothing to do with code exploits. They come from trust—specifically, from the way organizations become deeply dependent on third-party services without fully understanding who controls them, what their motivations are, or what happens when that trust is violated. Wikipedia just learned this lesson at scale, and it cost them nearly 700,000 links. The implications extend far beyond a single encyclopedia.
A Service Built on Anonymity
The archiving service at the center of this story—commonly known as archive dot today, and also accessible through domain aliases including archive dot is and archive dot ph—is a web archiving tool that captures snapshots of webpages and preserves them permanently. It built a devoted following because it excelled at capturing dynamic, JavaScript-heavy pages that other archiving services like the Internet Archive's Wayback Machine struggled with. It was also fast, producing high-quality captures that included paywalled content, which made it especially useful for Wikipedia editors who needed reliable citations to sources behind paywalls.
There was just one problem: nobody really knew who ran it. The original domain registration traced back to someone using the name "Denis Petrov" from Prague, Czech Republic, but whether that was a real person or a pseudonym remained unclear. In 2023, security blogger Jani Patokallio published an investigation on his Gyrovague blog attempting to understand the service's ownership and funding. He described it as "an opaque mystery" and concluded it was likely "a one-person labor of love, operated by a Russian of considerable talent and access to Europe." A separate private investigation in 2024 pointed to a different individual entirely, a software developer in New York. That opaqueness didn't stop Wikipedia from relying heavily on the service. By early 2026, it was referenced in more than 695,000 links across roughly 400,000 Wikipedia pages, according to data compiled by Wikipedia editors during their formal review of the service.
The anonymity of the operator was not, by itself, disqualifying. Plenty of useful internet services are run by pseudonymous individuals. But anonymity combined with sole control over a resource that hundreds of millions of people depend on—that's a different kind of risk entirely. And it's a risk that Wikipedia was about to confront head-on.
The First Warning: Blacklisted in 2013, Reinstated in 2016
Here's the part of this story that makes the current situation especially painful: Wikipedia had already been warned once. The archiving service was first blacklisted by Wikipedia in 2013 due to concerns about link spam and the way the site was being promoted on the encyclopedia. According to reporting by GIGAZINE, the service was added to Wikipedia's spam blacklist over concerns about botnet-like link spamming behavior, and Slashdot commenters with knowledge of the history noted that the site's creator had used spamming tactics and cooperated with disruptive users to force the service's adoption on Wikipedia.
That blacklist held for three years. Then, in 2016, the ban was reversed. Editors argued that the service had proven its utility and that the earlier problems appeared to have been resolved. From that point on, the archiving service became deeply embedded in Wikipedia's citation infrastructure. Usage grew steadily, and by the time the current crisis erupted in early 2026, removing it meant confronting a problem of staggering scale.
The 2016 decision to reinstate the service effectively created the conditions for today's crisis. Every year of renewed trust allowed the dependency to grow deeper. By the time the service's operator demonstrated they could not be trusted, Wikipedia was so deeply entangled that removal would affect hundreds of thousands of pages—with an estimated 15% of those links having no viable replacement.
This is the anatomy of a trust trap. The initial blacklisting in 2013 was a clear signal that the service's operator was willing to engage in manipulative behavior. Reinstating the service without fundamental changes to the operator's accountability or transparency was a calculated bet. For nearly a decade, that bet appeared to pay off. But the underlying risk never actually went away—it just compounded silently while the dependency grew deeper.
What makes the 2026 crisis even harder to dismiss as an anomaly: the Wikipedia guidance page published in the aftermath of the blacklisting decision explicitly noted that the January 2026 DDoS was not the first time the service had performed such an attack. The 2013 blacklisting had focused on link spam and botnet-like behavior, but the operator's willingness to weaponize traffic against targets was not new. The community had reinstated the service based on its archival utility—but the operator's character, and their pattern of behavior when they felt threatened or aggrieved, had not fundamentally changed.
The DDoS: When the Archive Became a Weapon
The sequence of events that triggered the final blacklisting began on January 11, 2026, when the archiving service's operator embedded malicious JavaScript in the site's CAPTCHA page. As documented by Patokallio on his Gyrovague blog and subsequently reported by Ars Technica, Tom's Hardware, TechCrunch, and Cybernews, every visitor who encountered the CAPTCHA unknowingly had their browser execute a script that sent repeated search requests to Patokallio's blog, essentially turning the archive's visitors into unwitting participants in a distributed denial-of-service attack.
According to Cybernews reporting, the hidden script sent a request to Patokallio's blog every 300 milliseconds while a visitor's CAPTCHA page remained open. Because Wikipedia alone contained nearly 700,000 links to the service, any reader clicking one of those links could have been conscripted into the attack. Critically, the malicious code was confirmed still active on the site as of February 19, 2026—the day before the blacklisting decision was finalized—meaning the attack had been running continuously for over five weeks while the Wikipedia community deliberated. Common ad blockers such as uBlock Origin were stopping the malicious requests for users who had them installed, but the vast majority of readers had no such protection.
The motivation behind the attack traced back to Patokallio's 2023 blog post about the archive's mysterious ownership. On October 30, 2025, the FBI issued a subpoena to Ontario-based domain registrar Tucows, demanding extensive identifying information about the archive's operator as part of an undisclosed federal criminal investigation. The archive's operator posted the subpoena on X with the single word "Canary"—a reference to a warrant canary, signaling government contact. With subsequent news coverage of the FBI subpoena frequently citing Patokallio's investigation, the operator apparently decided to retaliate. As Patokallio documented, the operator first filed a GDPR complaint under what appeared to be an alias, then sent a polite email requesting the blog post be taken down, and finally escalated to the DDoS when those efforts failed.
"I'm inclined to take that at face value: it's a pretty misguided way of doing it, but they certainly caught my attention. Problem is, they also caught the attention of the broader Internet." — Jani Patokallio, Gyrovague blog, February 2026
On the archive operator's own blog, they later wrote that things had turned out "pretty well" and indicated they would scale down the DDoS—a remarkably cavalier attitude toward an attack that weaponized the browsers of thousands of unsuspecting users. As reported by Boing Boing, emails released by Patokallio also revealed threats from the operator to generate AI pornography bearing Patokallio's name and to create a fake dating app profile using his identity.
The Line That Got Crossed: Tampering With the Archive Itself
The DDoS alone might not have been enough to force Wikipedia's hand. The service was too deeply embedded, and editors were divided on whether the utility justified the risk. What sealed the decision was the discovery that the archive's operator had tampered with the archived pages themselves.
As reported by Ars Technica and Tom's Hardware, Wikipedia editors discovered that the operator had altered snapshots of a third-party blog post, replacing the name of an individual referred to as "Nora" with Jani Patokallio's name—making it appear as though Patokallio had authored comments on that page. The alterations were spotted by eagle-eyed editors during the ongoing discussion about whether to deprecate the service.
"Honestly, I'm kind of in shock. Just to make sure I'm understanding the implications of this: we have good reason to believe that the archive operator has tampered with the content of their archives, in a manner that suggests they were trying to further their position against the person they are in dispute with???" — Wikipedia editor, as reported by Ars Technica
For an archiving service, this is the most fundamental violation of trust imaginable. The entire value proposition of a web archive rests on a single principle: that what is stored is an accurate, unmodified representation of what was originally published. Once an operator demonstrates willingness to edit archived content to serve a personal grudge, every single snapshot in the archive becomes suspect. As one Wikipedia editor stated during the discussion, documented in the formal Request for Comment (RFC 5): "If readers and editors cannot trust the links we use in our references because we knowingly continue to rely on untrustworthy third parties, it's not just the archive that cannot be trusted but Wikipedia too."
The consensus was decisive. The closing statement, published on February 20, 2026, read: "There is a strong consensus that Wikipedia should not direct its readers towards a website that hijacks users' computers to run a DDoS attack. Additionally, evidence has been presented that the operators have altered the content of archived pages, rendering it unreliable."
The Fallout: 695,000 Links and a 15% Problem
With the blacklisting decision finalized, Wikipedia editors now face the enormous task of replacing or removing more than 695,000 links. The Wikipedia guidance page for the removal effort outlines three replacement strategies: substitute the original source URL if still accessible, replace with an alternative archive such as the Wayback Machine or Ghostarchive, or change the citation to a source that doesn't require archiving, such as a print publication.
The scale of the problem is significant, but the truly concerning figure is the estimated 15% of links that have no viable replacement. These are pages that were captured by the archive but don't exist anywhere else—not on the original site (which may be dead), not in the Wayback Machine, and not in any alternative archive. For an encyclopedia that prides itself on verifiability, losing access to the sources behind 15% of those links means either finding alternative citations, accepting the loss of verifiable sourcing, or removing the cited content entirely.
Wikipedia has dealt with mass link breakage before. In 2017, The Outline reported that the transition of whitehouse.gov between presidential administrations broke links across the encyclopedia en masse. The Internet Archive's bot (InternetArchiveBot) automatically fixes dead links when possible, and editors use tools like AutoWikiBrowser for large-scale corrections. In 2018, the Internet Archive announced that it had rescued more than 9 million broken links on Wikipedia. But those were cases of natural link rot—sites going down, URLs changing, content being reorganized. This is different. This is a deliberate severance of trust with a service that was actively being used as citation infrastructure, and it's happening all at once.
The Wikimedia Foundation itself signaled the gravity of the situation. On February 10, 2026, as reported by Ars Technica, the nonprofit that operates Wikipedia stated it had "not ruled out intervening" due to "the seriousness of the security concern for people who click the links that appear across many wikis."
This Has Happened Before—Everywhere
Wikipedia's situation is dramatic, but the underlying pattern—an organization becoming dangerously dependent on a single, opaque third party, only to have that trust spectacularly betrayed—is one we've seen repeated across the technology landscape. The details change. The lesson doesn't.
The npm left-pad Incident (2016)
In March 2016, a single developer named Azer Koçulu removed all of his packages from npm, the JavaScript package manager, after a dispute with the messaging company Kik over a package name. One of those packages, left-pad, was a tiny 11-line utility that padded strings with spaces. It was also a dependency for thousands of projects, including React, Babel, and software at Facebook, Netflix, and Spotify. When it disappeared, it caused a cascade of build failures that commenters described as briefly "breaking the internet." npm ultimately took the unprecedented step of forcibly restoring the package against the developer's wishes, with CTO Laurie Voss explaining on Twitter that he "cannot see hundreds of builds failing every second and not fix it." npm subsequently changed its policies to prevent package removal if more than 24 hours had elapsed since publication and other projects depended on it.
The parallel to Wikipedia's situation is striking: a massive ecosystem built a deep dependency on a resource controlled by a single individual, with no fallback plan and no governance safeguards. When that individual acted unilaterally, the entire ecosystem was disrupted.
The XZ Utils Backdoor (2024)
In March 2024, Microsoft developer Andres Freund accidentally discovered a sophisticated backdoor in XZ Utils, a compression library used across virtually all Linux distributions. The backdoor had been planted by a developer operating under the pseudonym "Jia Tan," who had spent approximately three years building trust with the project's sole maintainer, Lasse Collin. Using apparent sock puppet accounts to pressure Collin about slow development progress, the attacker gradually assumed co-maintainer status and then inserted malicious code that would have given them remote access to any system running SSH with the compromised library. Alex Stamos, chief trust officer at cybersecurity firm SentinelOne, called it potentially "the most widespread and effective backdoor ever planted in any software product," noting it could have provided a master key to hundreds of millions of computers worldwide.
The XZ Utils case echoes the archive situation in a chilling way. A lone, pseudonymous operator of a critical piece of infrastructure exploited the trust of the community that depended on them. The CSO Online report on the incident captured the broader concern well: many open-source tools "suffer from a shortage of volunteers and often have a single maintainer," making them "more susceptible to trusting and accepting work from new people who show an interest in helping those projects."
SolarWinds Orion (2020)
The SolarWinds supply chain attack, disclosed in December 2020, represents perhaps the most consequential example of third-party trust exploitation in cybersecurity history. Russian state-sponsored actors compromised SolarWinds' Orion IT monitoring platform, inserting a backdoor called Sunburst into routine software updates that were signed with SolarWinds' genuine security certificates. More than 18,000 government and private organizations downloaded the compromised updates, including nine U.S. federal agencies and approximately 100 private-sector companies that disclosed follow-on compromises, according to the Office of the Director of National Intelligence. Customers trusted the updates because they came from a verified vendor through an established update channel.
The SolarWinds attack didn't involve a rogue individual—it involved a nation-state compromising a trusted vendor. But the underlying vulnerability is identical to Wikipedia's problem: deep, unscrutinized trust in a third-party service that had privileged access to critical systems.
The Polyfill.io CDN Takeover (2024)
In June 2024, security researchers at Sansec disclosed a supply chain attack affecting more than 100,000 websites through the Polyfill.io content delivery network. Polyfill.io had been a trusted, widely used open-source service that helped older browsers support modern JavaScript features. In February 2024, a Chinese company called Funnull acquired the Polyfill.io domain and its GitHub account. Within months, the CDN began injecting malicious JavaScript code into every website that loaded scripts from cdn.polyfill.io, redirecting mobile users to scam and gambling sites using a fake Google Analytics domain. Affected sites included major platforms like JSTOR, Intuit, and the World Economic Forum. Andrew Betts, the original creator of the Polyfill project, had warned users to stop using the service immediately after the acquisition, but many organizations failed to act. Google blocked ads for affected e-commerce sites, and Cloudflare and Fastly set up emergency mirror services to intercept the compromised requests.
The Polyfill.io attack is perhaps the closest analog to Wikipedia's archive situation. A trusted third-party service changed hands, and the new operator used that trusted position to inject malicious content into a massive downstream ecosystem. The websites affected had done nothing wrong—they had simply embedded a script from a domain that, until the ownership change, was perfectly legitimate. Just as Wikipedia editors had no reason to suspect archived snapshots were being tampered with, website operators had no reason to suspect the JavaScript polyfill they'd been loading for years had been weaponized.
The Event-Stream Hijack (2018)
In November 2018, the JavaScript community discovered that event-stream—a popular npm package averaging roughly two million downloads per week—had been compromised through a calculated social engineering campaign. A developer operating under the pseudonym "right9ctrl" approached the package's original maintainer, Dominic Tarr, and offered to help maintain the project. Tarr, who had moved on and no longer had time for the package, handed over publishing rights. The new maintainer then introduced a malicious dependency called flatmap-stream, which contained encrypted code designed to steal Bitcoin wallet credentials from the Copay wallet application. The attack was highly targeted: the malicious payload would only decrypt and activate when it detected the specific npm package description used by Copay. It went undetected for over two months until a developer noticed a suspicious deprecation warning triggered by the attacker's use of an outdated cryptographic function.
The event-stream incident is a textbook example of trust exploitation through maintainer succession—the same vector used in the XZ Utils attack six years later. Tarr later acknowledged the situation plainly: "If it's not mass surveillance I probably don't care. Mass surveillance is something I care about, mass mass stealing bitcoin from people is something I don't care about." When asked why he transferred control to an unknown contributor, he said he had "no way of mass-transferring ownership" and "didn't realize the package was so heavily relied upon." The entire incident traced back to a single, overextended maintainer of a widely depended-upon package handing control to someone who appeared helpful. The parallel to Wikipedia's archive dependency is clear: a community built critical infrastructure on top of a resource whose governance was opaque and whose operator's intentions were unknowable.
The Codecov Bash Uploader Compromise (2021)
In April 2021, code coverage testing company Codecov disclosed that attackers had been modifying its Bash Uploader script since January 31 of that year—an alteration that went undetected for more than two months. The attackers exploited a flaw in Codecov's Docker image creation process to extract credentials, then used those credentials to insert a single line of code into the Bash Uploader that exfiltrated customer environment variables—including API keys, tokens, and credentials—to an attacker-controlled server. Codecov had over 29,000 enterprise customers, including GoDaddy, Atlassian, The Washington Post, and Procter & Gamble. Federal investigators later determined that the stolen credentials were used to breach hundreds of downstream customer networks. The compromise was only discovered because a single customer performed a SHA-256 hash check and noticed a discrepancy between the hash on GitHub and the one calculated from the downloaded script.
The Codecov attack demonstrates how a single compromised tool in a development pipeline can cascade across thousands of organizations—precisely because those organizations trusted that tool implicitly. Like Wikipedia's archive links, the Bash Uploader was infrastructure that teams used daily without verification. It was embedded in automated CI/CD pipelines that ran without human oversight, and nobody thought to check whether the script they were downloading was the same script they had used yesterday. CISA issued an alert about the compromise, and Codecov's post-mortem acknowledged the core lesson: "Curl pipe to bash, while incredibly convenient, is rife with security issues."
The Common Thread
In every one of these cases, the pattern is the same. A service or component becomes deeply embedded in an ecosystem. The dependency grows quietly over time. The entity controlling that dependency operates with insufficient transparency, accountability, or governance. And when that entity acts maliciously, is compromised, or simply changes hands, the damage radiates outward in ways that nobody planned for. Left-pad showed what happens when a single developer walks away. Event-stream and XZ Utils showed what happens when trust in a maintainer is weaponized through social engineering. SolarWinds showed what happens when a nation-state compromises a trusted vendor. Codecov showed how a single tampered script can cascade across thousands of organizations. Polyfill.io showed how an ownership transfer can convert a benign CDN into a malware distribution network overnight. Wikipedia's archive situation is the information-integrity version of all of these attacks at once. The "code" that was compromised wasn't a software library—it was the citation infrastructure that underpins the credibility of the world's largest encyclopedia.
Key Takeaways: Building for Trust at Scale
- A past violation of trust is a signal, not an anomaly. The archive service was blacklisted once before in 2013 for spamming behavior. When the ban was lifted in 2016, the underlying risk—an anonymous, unaccountable operator—hadn't changed. Organizations should treat prior trust violations as permanent risk indicators that require ongoing monitoring, not problems that were solved.
- Dependency growth must be tracked and governed. Between 2016 and 2026, Wikipedia's reliance on the archive grew from zero to nearly 700,000 links. At no point was there a formal assessment of what would happen if the service had to be abandoned. Any third-party dependency that grows to scale should trigger a risk assessment: what happens if this goes away tomorrow?
- Anonymity plus sole control equals unquantifiable risk. There is nothing inherently wrong with pseudonymous operators. But when a pseudonymous individual has sole, unchecked control over a resource that critical infrastructure depends on, there is no mechanism for accountability, no governance, and no recourse when things go wrong. The XZ Utils attack demonstrated this with software. Wikipedia's situation demonstrates it with information integrity.
- Ownership transfers are critical risk events. The Polyfill.io attack happened not because the original service was malicious, but because the domain changed hands. Betts, the original creator, warned the community immediately, but tens of thousands of sites failed to act. Wikipedia's archive situation is the inverse: the ownership never changed, but the original operator's behavior deteriorated. Both scenarios teach the same lesson: the identity and intentions of whoever controls a dependency are as important as the technical quality of the service itself. Any change in ownership—or any signal that an existing owner's behavior is shifting—should trigger an immediate review.
- Diversification is not optional. Wikipedia's editors are now scrambling to replace links with alternatives from the Wayback Machine, Ghostarchive, and other services. Had the encyclopedia maintained a policy of always archiving across multiple services simultaneously, the current crisis would be a minor inconvenience instead of a massive remediation effort. The same principle applies to any software supply chain: if a single dependency failure can take down your infrastructure, you don't have a dependency—you have a single point of failure.
- Verification must be automated and continuous. The Codecov compromise went undetected for over two months because nobody was checking the integrity of the script being downloaded. It was caught only because one customer performed a SHA-256 hash comparison. Wikipedia's archive tampering was caught only because editors happened to notice altered names during an unrelated discussion. In both cases, automated integrity checks—hash verification, content comparison, behavioral monitoring—would have caught the compromise far sooner. Trust must be verified continuously, not assumed in perpetuity.
- Social engineering targets the weakest link in the chain. The event-stream and XZ Utils attacks both succeeded because a single overextended maintainer handed control to someone who appeared to be helping. These weren't technical exploits; they were human exploits. The lesson for any dependency—whether it's a software package or a web archive—is that the governance model matters as much as the technology. Who has commit access? Who can modify the output? What happens if that person's motivations change?
- Build your own when the stakes are high enough. Patokallio, in his statement to Ars Technica after the blacklisting, expressed hope that "this inspires the Wikimedia Foundation to look into creating its own archival service." The Wikimedia Foundation reportedly receives approximately $165 million per year in fundraising. Investing a fraction of that in self-hosted archival infrastructure would eliminate the dependency entirely. When the cost of a third-party failure is catastrophic, the cost of building your own solution starts to look like a bargain. The legal and academic communities have already recognized this—Harvard Library's Perma.cc was created specifically because courts and journals could not afford to have their citations depend on services they did not control.
Wikipedia's 695,000-link problem is not just a Wikipedia problem. It's a warning to every organization, platform, and community that builds on top of services they don't control and can't fully vet. The archive service at the center of this story provided genuine value for years. It was fast, technically capable, and filled a real gap in the web archiving ecosystem. None of that mattered when the person behind it decided to weaponize their users' browsers and falsify their own archives to settle a personal grudge. The same was true of Polyfill.io before its acquisition, event-stream before its hijacking, and Codecov before its compromise. Every one of these services was technically excellent and widely trusted right up until the moment it wasn't.
The deeper lesson here isn't about any one service or any one attack. It's about the structural fragility that emerges when ecosystems grow faster than their governance. Wikipedia didn't plan to become dependent on an anonymous, unaccountable archiving service. It happened incrementally—one editor at a time, one citation at a time—over the course of a decade. The same incremental dependency-building is happening right now in thousands of organizations that embed third-party scripts, rely on single-maintainer open-source packages, and trust vendor update channels without verification. The question isn't whether the next trust failure will happen. It's whether you'll have already mapped your dependencies, diversified your critical infrastructure, and built the verification systems that let you catch it before it metastasizes. Trust, once broken, poisons everything it touched. And the deeper the dependency, the more painful the extraction. Build accordingly.
Sources: Ars Technica, Tom's Hardware, TechCrunch, Cybernews, Boing Boing, GIGAZINE, Slashdot, The Outline, Wikipedia RFC 5 discussion, Wikipedia Archive.today guidance page, Gyrovague blog by Jani Patokallio, Internet Archive Blog, Nsane Forums, CSO Online, CISA.gov, npm/Wikipedia documentation, 404 Media, Gizmodo, Sansec, Sonatype, Qualys, Snyk, GitGuardian, Rapid7, SecurityWeek, BleepingComputer, CyberArk, The Register, The New Stack.