Unmasking Archive.today: What OSINT Reveals About the Web of Identities Behind It

On October 30th, the FBI issued a subpoena to domain registrar Tucows, seeking detailed account information tied to the domain Archive.today, including customer names, billing details, payment methods, network data, and associated online services. The request states that the data “relates to a federal criminal investigation,” although no specific offense has been named.

The subpoena appears to mark an effort to unmask the operator of Archive.today, also accessible through mirrors such as Archive.is, Archive.ph, and Archive.md. Since its creation in 2012, the site has been widely used as a preservation and verification tool, allowing users to capture web pages before they disappear or change.

Yet despite its visibility and influence, one question has remained unanswered since its launch: Who actually runs Archive.today?

The Search for the Operator: A Network of Names

1. “Denis Petrov” — The Original Registrant

The domain registrant for archive.today has always been redacted for privacy reasons. 

However, the story really begins in the early 2010s, with WHOIS records that list a registrant name for archive.is as “Denis Petrov”, with an address in Prague, Czech Republic.

The name Denis has also been previously tied to archive.is through an email that is sent to both denis@camfex.cz and admin@archive.is. 

Searching for ownership records for the camfex.cz domain also returns the name Denis Petrov: https://whois.easycounter.com/camfex.cz.

Breached data for namecheap@camfex.cz returns an address in Russia, 154 Stachek, ST Petersburg, rather than the Bilkova address in Prague seen in the public WHOIS records. This address, when searched on Google StreetView, shows that someone living in the building has requested that their property is not shown.

Another piece of information pointing to Denis is found on the Internet Archive. When visitors go to archive.today currently, there is a donate button that points to https://coindrop.to/archive. However, a previous archived version of that page from 2020 shows that same button directing to a PayPal account. This PayPal account was set up under the name Denis Petrov.

Money can still be sent to this account, which may provide further information. However, this would be considered direct contact with the individual and so we chose not to continue with this line of inquiry.

At this stage, the question becomes, is “Denis Petrov” a real person? A borrowed identity? Or a pseudonym used for registration convenience?

2. “Igor Kuznecov” — The Breach Data

The phone number for Denis Petrov found in the WHOIS records is a Czech number: +420 775 168 924. Running this number through breached data sources returns the name Igor Kuznecov and the email address igor@camfex.cz, the same domain previously linked to Denis.

An Igor Kuznetsov also appears on the Czech business register with ties to Camfex:
https://rejstrik.penize.cz/igor-kuznetsov. This lists an address in Tula, M. Toreza 34/4, Russian Federation.

Additionally, Igor Kuznetsov is named as a director of a UK business, CAMFEX GROUP LTD, registered at Companies House.

The overlap between Denis and Igor, both using @camfex.cz, suggests the two identities may be connected, or possibly the same individual operating under different names.

3.  “Conferno” — The Coder

The GitHub repository for Archive.is (https://github.com/archiveis) lists an author under the handle “Conferno.”

Searching broadly for this handle returns a Twitch streamer and a Russian developer, Alexander Conferno. There is no direct evidence linking this individual to Archive.today beyond the shared username. The same handle appears on social platforms such as https://x.com/conferno and https://dribbble.com/Conferno, though these may be unrelated accounts.

The connection remains circumstantial, but the presence of the handle on GitHub suggests that “Conferno” could have been an operational or technical alias associated with Archive.is.

4. “Masha Rabinovich” — The Front-End Persona

The handle “MashaRabinovich” began appearing in discussions directly referencing Archive.is. For instance, in an F-Secure community thread, the user masharabinovich writes, “on my website http://archive.is/,” implying a personal connection to the platform.

In 2020, the same LinkedIn account under that name was observed logging captures of LinkedIn profiles on Archive.today mirrors, such as https://archive.vn/IPEEd and https://archive.vn/EPaEH. Both show that the logged-in user who performed the captures had the Masha Rabinovich profile photo visible.

Breached data for that deleted LinkedIn account shows it was registered under the email linkedin@camfex.cz, once again linking back to the Camfex.cz domain.

This shared mail infrastructure strongly suggests that Masha, Denis, and Igor were all operating within the same environment, possibly as the same person, or as collaborators sharing a single mail server.

A YouTube account named Masha Rabinovich (https://www.youtube.com/@4723984621) contains a single video demonstrating how to use Archive.is, further reinforcing the connection between this identity and the archiving platform.

A YouTube account under the name Masha Rabinovich, https://www.youtube.com/@4723984621, also contains a single video, which explores how to use archive.is. 

Theories of Structure: One Operator or a Collective?

Ownership of Archive.today and its mirror sites could fall under two main hypotheses:

1. The Single Operator Theory — that Denis, Masha, Igor, and Conferno are all aliases of the same person, each serving a distinct operational function:

1. 1. Denis as the domain registrant and public-facing name.

   2. Igor as a supporting or alternate identity tied to business and hosting.

   3. Masha as a user-facing or content-capture persona.

   4. Conferno as a developer or code distribution handle.

1. The Collective Hypothesis — that Archive.today is maintained by a small, tight-knit team of developers who share the same email domain and infrastructure, each adopting different online identities for compartmentalized roles.

Both remain plausible. What is clear is that every alias connects through the same core ecosystem, most notably, the @camfex.cz domain.

Across years of public records, that domain appears repeatedly, suggesting that whoever controlled the Camfex.cz mail server was likely involved in or closely linked to the Archive.today project.

The FBI Enters the Picture

The October 2025 FBI subpoena represents the first verifiable move by U.S. authorities to pierce that anonymity. By targeting Tucows, the registrar for several Archive.today domains, investigators are seeking billing addresses, payment information, and session data that could connect the online infrastructure to a physical location or identifiable person.

The FBI’s ongoing investigation may eventually provide definitive answers. Until then, all that exists is the public record is a network of domains, business registrations, and handles.