The activist website called “ICE List” was offline after a massive DDoS attack. The crash followed a leak of 4,500 federal agent names linked to the Renee Nicole Good shooting.
The website ICE List, also known as the (ICE List Wiki), was crippled by a major cyber attack after it prepared to publish the identities of thousands of federal agents in the United States, particularly those associated with Immigration and Customs Enforcement, ICE.
The site’s founder, Netherlands-based activist Dominick Skinner, confirmed that a massive DDoS attack began flooding their servers on Tuesday evening last week.
For your information, a DDoS attack works by flooding a website with so much fake traffic that it eventually crashes. Skinner told reporters that the length and intensity of this attack suggest a deliberate, organised effort to keep the leaked information from reaching the public.
The Shooting That Sparked the Leak
According to The Daily Beast, the data at the centre of this battle was provided by a whistleblower from the Department of Homeland Security (DHS). The leak reportedly includes the names, personal phone numbers, and work histories of roughly 4,500 employees from ICE and Border Patrol.
Further probing revealed that the whistleblower was moved to act following the death of Renee Nicole Good, a 37-year-old mother of three, who was fatally shot by an ICE agent in Minneapolis on January 7, 2026.
Within hours of the shooting, activists managed to identify the agent involved as Jonathan E. Ross. Skinner noted that for the whistleblower, this tragic incident was the “last straw,” leading them to hand over a dataset full of work emails, job titles, and résumé-style background info.
Identifying the Attackers
While the site is back online, Skinner observed that much of the malicious traffic appeared to originate from a bot farm in Russia. However, it is nearly impossible to track the true source, as in the world of hacking, proxies are often used to bounce signals through different countries to hide a person’s tracks. Skinner described the attack as “sophisticated,” suggesting that the attackers are highly determined to keep the names hidden.
Skinner’s team continues to operate out of the Netherlands to stay beyond the immediate reach of US authorities. Despite the crash, they remain committed to the project with plans to move to more secure servers. They plan to publish most of the names, though they intend to omit certain staff members, such as nurses or childcare workers.
Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.The LabHost platform, previously available on the open web, has been...
Kidflix, one of the largest paedophile platforms in the world, has been shut down in an international operation against child sexual exploitation. The investigation was supported by Europol and led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB). Over 35 countries worldwide participated in the operation. almost 1 400 suspects worldwide. So far, 79 of these individuals have been arrested...
Introduction Telegram, as previously reported by KELA, is a popular and legitimate messaging platform that has evolved in the past few years into a major platform for cybercriminal activities. Its lack of strict content moderation has made the platform cybercriminals’ playground. They use the platform for distribution of stolen data and hacking tools, publicizing their […]
Bishop Fox examines the iSoon data disclosure from an offensive security perspective and an analysis of the platform's capabilities, design, features.
A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets). Background The issue occurred as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform (Power Apps, Power Automation).
Bad actors are using a shared Phishing-as-a-Service platform called “Caffeine”.
