The ICE List website, also referred to as the ICE List Wiki, was incapacitated by a significant cyber attack just as it aimed to disclose the identities of numerous federal agents in the United States, particularly those linked to Immigration and Customs Enforcement (ICE).
Dominick Skinner, the site's founder and an activist based in the Netherlands, confirmed that the website was subjected to a substantial Distributed Denial of Service (DDoS) attack that began overwhelming its servers last Tuesday evening. A DDoS attack works by flooding a website with illegitimate traffic from many sources until the system is overwhelmed and crashes or becomes unreachable for legitimate visitors. Skinner remarked that the scale and purpose of this attack indicate a concerted and organized effort to suppress the release of sensitive information.
The Incident That Triggered the Leak
Reports from The Daily Beast indicate that the leaked data stemmed from a whistleblower within the Department of Homeland Security (DHS). This leak purportedly contains detailed information, including names, personal phone numbers, and employment histories of approximately 4,500 ICE and Border Patrol employees.
Investigations revealed that the whistleblower’s decision was motivated by the tragic death of Renee Nicole Good, a 37-year-old mother of three, who was fatally shot by an ICE agent in Minneapolis on January 7, 2026. Following the incident, activists quickly identified the responsible agent, Jonathan E. Ross. Skinner noted that for the whistleblower, the shooting represented a “last straw,” prompting the release of extensive datasets comprising work emails, job titles, and background information.
Tracing the Attackers
While ICE List has restored operations, Skinner reported that much of the malicious traffic appeared to originate from a botnet in Russia. Tracking the actual source presents challenges, as hackers typically employ proxies to obscure their identities and circumvent detection. This sophisticated attack underlines the attackers’ strong determination to keep such information concealed from public scrutiny.
Skinner’s team continues to run operations from the Netherlands to evade immediate U.S. jurisdiction. Despite the recent disruption, they remain committed to their mission, intending to migrate to more secure server infrastructure. They plan to publish most of the leaked names, although they will protect the identities of specific staff members, such as healthcare workers.
This attack exemplifies potential MITRE ATT&CK tactics, specifically initial access and disruption of service (the latter is catalogued in ATT&CK as Network Denial of Service, T1498, under the Impact tactic), while demonstrating the sophisticated methods employed by adversaries in the cybersecurity landscape. As the conflict between information disclosure and suppression continues, it serves as a critical reminder for business owners to remain vigilant about cybersecurity risks and the importance of safeguarding sensitive data.