403 Forbidden: Was Ice List Iced By ICE?
wiki.icelist.is attacked by Russia? Someone else?
wiki.icelist.is is the website that received leaked information about approximately 4,500 immigration personnel, including about 1,800 field agents and 150 supervisors.
The ICE List is an open journalistic project, created by Crust News, aimed at collecting and sharing information that can hold ICE members legally accountable.
https://wiki.icelist.is/index.php
The Daily Beast reports:
A website dedicated to naming ICE and Border Patrol employees is coming under a “prolonged and sophisticated” cyber attack after the Daily Beast revealed it planned to make public 4,500 names of federal immigration staff.
The founder of ICE List said the website was overwhelmed by malicious web traffic originating in Russia after the Beast reported that a huge cache of personal IDs had been leaked to the site by an alleged Department of Homeland Security whistleblower.
https://www.thedailybeast.com/massive-ice-list-id-leak-halted-by-cyber-attack-from-russia/
And
The timing (of the attack) coincided with ICE List founder Dominick Skinner telling the Daily Beast he would make public the first tranche of names in the dataset, which was leaked following the shooting by an ICE agent of mom Renee Nicole Good.
While Skinner told the Beast that it was only possible to “speculate” about who might have directed the attack, he revealed that a large amount of traffic on Wednesday had come from Russia, likely from a bot farm hosted there.
And
The material ICE List received on Monday includes names, work email addresses, phone numbers, job titles and roles, and résumé-style background information such as previous employment, he (Skinner) said.
I watched the progress yesterday and early today (13-14 Jan. 2025) of the error messages being returned on the wiki.icelist.is website, which meant the wiki-style database the site was maintaining on ICE agents was rendered inaccessible.
At first it was what is known as a 500 error. This error can be caused by any number of issues with a site’s server.
I said at the time there was a possibility this was a sign of a DoS — Denial of Service — attack. DoS attacks are when a perpetrator or perpetrators direct an overwhelming amount of traffic (requests) to a site until the server goes offline.
But a 500 error is general and therefore inconclusive.
This is an old (black hat=bad) hacker tactic. For example, Google was brought to its knees in 2008 by a massive DoS attack.
Then the error for the ICE List site changed to a 503 error.
Mozilla’s documentation defines a 503 error as:
“The HTTP 503 Service Unavailable server error response status code indicates that the server is not ready to handle the request.
Common causes are that a server is down for maintenance or overloaded. During maintenance, server administrators may temporarily route all traffic to a 503 page, or this may happen automatically during software updates. In overload cases, some server-side applications will reject requests with a 503 status when resource thresholds like memory, CPU, or connection pool limits are met. Dropping incoming requests creates backpressure that prevents the server’s compute resources from being exhausted, avoiding more severe failures.”
The 503 error makes a DoS attack more plausible because it indicates something was happening to the site’s server, but is still inconclusive.
When I got up this morning, the error for the icelist site had changed to 403 and appeared to be placed there intentionally rather than automatically as with the 500 and 503 errors.
The technical definition of a 403 error is a little more difficult to understand if you’ve never built a website or dealt with the control panel side of a site and its server.
From Wikipedia:
“The request was valid, but the server refuses action. This may be due to the user not having permission to a resource or needing an account of some sort, or attempting a prohibited action…”
In more straightforward language, you’re not allowed to access the web page and the ICE list wiki, even though the website’s server knows what you’re asking for.
Though it’s not 100 percent conclusive this was a DoS attack, I’d bet good money on it.
As it turns out, it was indeed a DoS attack that may have originated in Russia, as evidenced by the location of internet protocol addresses, as reported by the Daily Beast.
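The status-code reasoning above (500, then 503, then 403) can be applied mechanically to a probe log. This is an added example, not part of the original post; the probe values are constructed and the function names are hypothetical.

```python
from itertools import groupby

# Constructed probe log: (minutes since first probe, HTTP status, Retry-After header).
# Illustrative values only, not measurements of any real site.
PROBES = [
    (0, 200, None), (5, 500, None), (10, 500, None),
    (180, 503, "120"), (185, 503, None), (190, 503, None),
    (780, 403, None), (785, 403, None),
]

def phases(probes):
    """Collapse consecutive probes with the same status into phases."""
    out = []
    for status, grp in groupby(probes, key=lambda p: p[1]):
        grp = list(grp)
        out.append({"status": status, "start": grp[0][0], "end": grp[-1][0],
                    "probes": len(grp), "retry_after": any(p[2] for p in grp)})
    return out

def reading(phase):
    """What one phase supports on its own, kept deliberately conservative."""
    s = phase["status"]
    if s == 500:
        return "generic server-side failure; cause unknown"
    if s == 503:
        if phase["retry_after"]:
            return "server shedding load or in maintenance (sent Retry-After)"
        return "server not ready: overload or maintenance"
    if s == 403:
        return "server reachable and deliberately refusing the request"
    return "serving normally" if 200 <= s < 300 else "other"

def transitions(ph):
    """Notes on what a change between phases adds beyond either status alone."""
    notes = []
    for prev, cur in zip(ph, ph[1:]):
        if prev["status"] >= 500 and cur["status"] == 403:
            notes.append("5xx -> 403: errors stopped and a refusal rule took over; "
                         "says nothing about who sent the earlier traffic")
        elif prev["status"] == 500 and cur["status"] == 503:
            notes.append("500 -> 503: failure became an explicit 'unavailable'; "
                         "consistent with overload but not proof of an attack")
    return notes

if __name__ == "__main__":
    for p in (ph := phases(PROBES)):
        print(f"t+{p['start']}..{p['end']}min  {p['status']}  {reading(p)}")
    print(*transitions(ph), sep="\n")
```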
Who would be responsible for this attack other than Russia? And why would Russia conduct this specific attack? At the behest of some organization here in the United States?
Gee, let me think who or what that entity might be.
Government actors, like say the Department of Homeland Security? Extra-government DOGE-like actors, like someone working for fElon Musk? MAGA Reich hackers in another part of what passes for our government?
Would it be outside the realm of possibility people within our own government worked with Russia to create this attack? Why would Russia care about this leak?
Hard to say, and tracing the source may be impossible.
I don’t know the people who built the site, but I think I’m safe in saying this would have freaked them out. Yet another terror and intimidation tactic, this time in cyberspace instead of the meat space. Nowhere near like shooting an unarmed innocent woman in the face, but this effectively prevented the wide dissemination of the ICE employee list.
In fact, the landing page was back online by at least midday 14 Jan. 2023. However, I was still unable to access the list itself as of 13:28 PT 14 Jan. 2023.
The founders of the site say they’ve moved to a new server and expect continued attacks.
However, it doesn’t mean the list no longer exists or that it won’t be back on the internet. There are other means to spread the information.
But know this: Once upon a time in the mythology of the internet there was a near theological belief that if parts of the internet were attacked or somehow damaged, the internet itself would somehow reroute itself to prevent censorship.
That’s a lie. No surprise there.






Really sharp breakdown of how those error codes unfolded. The 403 shift was pretty telling since it moves from 'server overload' territory into 'deliberate access restriction' which is a different beast entirely. I've seen similar patterns when infrastructure gets targeted and the progression from 503 to 403 usually means someone flipped a manual switch somewhere. The Russia angle is interesting given how bot farms there operate, but tracing actual attribution is damn near impossible these days.
What stands out here is the sequence, not a single status code.
A 503 suggests overload or traffic saturation—consistent with a DoS. The shift to a 403 later is different: that’s an intentional refusal to serve a specific resource. In plain terms, the server is up, but access to that material is being actively blocked.
That matters, because it moves this from “the site was overwhelmed” to “the content became unavailable by design,” regardless of who initiated it or from where. Attribution is notoriously hard in cyber incidents, and IP geography alone isn’t proof of authorship. What is clear is the outcome: access was disrupted at a critical moment, and dissemination was slowed.
This isn’t about a glitch. It’s about how transparency can be impeded—whether by traffic, pressure, or deliberate controls—and how quickly that raises questions about who benefits when information goes dark. The technical nuances don’t absolve anyone of accountability; they underscore why scrutiny is necessary.
For people looking to turn concern into action and sustained pressure, this work continues here:
Americans Against ICE
https://americansagainstice.substack.com
Support the work directly:
https://buy.stripe.com/5kQaEX2ES9IgcINa0S43S01
Epstein Files Resistance
https://epsteinfilesresistance.substack.com