DDoS Attack Takes Down ICE List Doxxing Site After Leak of DHS-Sourced Agent Data
ICE List, a website publishing personal details of U.S. Immigration and Customs Enforcement (ICE) officers and Border Patrol agents, was reported offline following a sustained distributed denial-of-service (DDoS) attack that the site’s administrator, Dominick Skinner, attributed to traffic largely originating from Russia and routed through proxies. Skinner said the attack’s use of proxy infrastructure made attribution difficult, but described it as unusually long-running and sophisticated; the site is reportedly hosted in the Netherlands, complicating potential U.S. takedown efforts.
Reporting indicated the disruption followed Skinner’s stated intent to release data on nearly 4,500 immigration personnel allegedly obtained from the U.S. Department of Homeland Security via a whistleblower. The exposed dataset was described as including names, phone numbers, email addresses, job titles, and other identifying information, prompting criticism from DHS that the site enables doxxing of federal personnel; Skinner reportedly said he planned to withhold some categories of names (e.g., nurses and childcare workers) while publishing most others.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Administrator reports suspected Russian-origin traffic during outage
During the disruption, Skinner said many attacking IP addresses appeared to originate from Russia, though he noted they were routed through proxies and attribution remained uncertain. He described the volume and duration of the traffic as suggesting a sophisticated operation.
ICE List releases data on nearly 4,500 immigration workers
ICE List administrator Dominick Skinner said he published personal data on nearly 4,500 ICE and Border Patrol employees allegedly obtained from the U.S. Department of Homeland Security after the shooting of Renee Good. The dataset reportedly included names, phone numbers, email addresses, and job titles, with plans to publish most names while excluding nurses and childcare workers.
DDoS attack knocks ICE List offline
On Tuesday evening, the ICE List website was reportedly hit by a distributed denial-of-service attack that disrupted access to the site. Skinner said the attack followed media reporting about his plans to release personal information on thousands of employees.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Government Efforts to Identify Anti-ICE Activists and a StopICE Service Compromise
The US Department of Homeland Security has reportedly used **administrative subpoenas** to pressure tech companies to disclose identifying data about anonymous accounts and individuals critical of the Trump administration, including accounts sharing information about local **ICE immigration raids**. The reporting highlights that administrative subpoenas—unlike judicial subpoenas—do not require a judge’s approval and can seek metadata and account-identifying details (e.g., login times, devices, and associated email addresses), raising concerns about oversight and potential chilling effects on speech. Separately, the anti-ICE alert service **StopICE** reported its app and website were attacked, with users receiving texts claiming their information had been “compromised and sent to the authorities,” alongside disparaging messages about the developer. StopICE administrators and the developer disputed claims that sensitive personal data (names, addresses, GPS/location histories) was stolen, stating the service does not collect/store that information, while also noting the platform faces heavy hostile activity including frequent **DDoS** attempts; the service blamed a **US Customs and Border Protection (CBP)** agent for the attack, though that attribution was not independently confirmed in the reporting.
Mar 21, 2026
Leak of Personal and Work Details of ICE and Border Patrol Employees
Personal and work-related details of roughly **4,500** US **ICE** and **Border Patrol** employees were allegedly leaked online and shared with *ICE List*, a site describing itself as an “accountability” project. Reporting indicates the exposed data includes names, work email addresses, phone numbers, job roles, and some résumé-style information; early reviews cited in coverage suggest about **80%** of those listed may still be employed by **DHS**. Multiple accounts attribute the disclosure to a **DHS whistleblower** and describe it as a major exposure of federal staff data, with estimates including roughly **1,800–2,000** frontline agents and about **150** supervisors among those affected. The alleged leak followed intense public backlash after the fatal shooting of **Renee Nicole Good** in Minneapolis, in which **ICE agent Jonathan Ross** has been widely identified as the shooter. Separate reporting describes broader legal and political fallout around DHS/ICE operations and scrutiny of Ross’ conduct, including court testimony and disputes over subpoenas seeking identifying information about social media users posting about ICE activity; however, those items are adjacent context rather than direct reporting on the staff-data leak itself.
Mar 21, 2026
Hacktivists Claim DHS Breach and Leak ICE Contractor Records via DDoSecrets
A self-described hacktivist group calling itself **“Department of Peace”** claimed it breached **U.S. Department of Homeland Security (DHS)** systems and exfiltrated internal records tied to **Immigration and Customs Enforcement (ICE)** contracting. The group published the material via the transparency collective **Distributed Denial of Secrets (DDoSecrets)**, and reporting indicates the dataset contains **6,600+ contractor-related records** listing thousands of companies associated with federal immigration enforcement contracts, including major vendors such as **Microsoft**, **Oracle**, **Palantir**, **Raytheon**, and **Anduril**. The alleged source of the leaked records was described as DHS’s **Office of Industry Partnership**, a unit involved in procuring technology from the private sector. As of the reporting cited, **DHS had not publicly confirmed** the intrusion or validated the authenticity and provenance of the released data, leaving the breach claim unverified while the documents circulate publicly via the DDoSecrets-hosted release.
Mar 21, 2026