US Government Efforts to Identify Anti-ICE Activists and a StopICE Service Compromise
The US Department of Homeland Security has reportedly used administrative subpoenas to pressure tech companies to disclose identifying data about anonymous accounts and individuals critical of the Trump administration, including accounts sharing information about local ICE immigration raids. The reporting highlights that administrative subpoenas—unlike judicial subpoenas—do not require a judge’s approval and can seek metadata and account-identifying details (e.g., login times, devices, and associated email addresses), raising concerns about oversight and potential chilling effects on speech.
Separately, the anti-ICE alert service StopICE reported its app and website were attacked, with users receiving texts claiming their information had been “compromised and sent to the authorities,” alongside disparaging messages about the developer. StopICE administrators and the developer disputed claims that sensitive personal data (names, addresses, GPS/location histories) was stolen, stating the service does not collect/store that information, while also noting the platform faces heavy hostile activity including frequent DDoS attempts; the service blamed a US Customs and Border Protection (CBP) agent for the attack, though that attribution was not independently confirmed in the reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
DHS subpoenas Google after retiree emails criticism
DHS sought extensive account and session information from Google shortly after an American retiree emailed criticism to DHS attorney Joseph Dernbach. Google said it pushed back on the subpoena, and federal agents later visited the retiree's home.
DHS subpoenas Meta to identify @montcowatch account
The U.S. Department of Homeland Security issued an administrative subpoena to Meta seeking identifying information about the anonymous Instagram account @montcowatch, which had posted about ICE activity. The subpoena was later withdrawn after an ACLU challenge.
StopICE says attack was neutralized and traced to alleged CBP-linked server
After the false-alert attack, StopICE said it quickly contained the incident and used bait data and fake API keys to identify attackers. The group alleged the activity was linked to a personal server associated with a CBP agent in Southern California and said it shared IP and network details with authorities.
StopICE denies user data theft and says no identifying data is stored
StopICE administrators and Sherman Austin said the service does not request or retain users' names, addresses, or GPS tracking data, aside from an optional location-sharing feature. They described claims that user data had been handed to authorities as false rumors.
StopICE app and website hit by cyberattack and false SMS campaign
StopICE reported that its app and website were attacked, causing users to receive misleading text messages claiming their information had been compromised and sent to authorities. The messages also attempted to discredit developer Sherman Austin.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
StopICE app targeted in cyberattack, blames CBP agent | SC Media
scworld.com
Open sourceHomeland Security is trying to force tech companies to hand over data about Trump critics | TechCrunch
techcrunch.com
Open sourceStopICE alerts hacked to sen texts , admins accuse CPB agent • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
U.S. Agencies Expand Efforts to Identify and Share Data on Immigration-Related Targets
Reporting indicates the U.S. Department of Homeland Security (DHS) has significantly increased its use of **administrative subpoenas**—which do not require judicial approval—to obtain identifying information for anonymous social media accounts that criticize **ICE** or post information about ICE agent locations. According to the New York Times (as cited by TechCrunch), DHS sent **hundreds** of subpoenas to major platforms including **Google, Meta, Reddit, and Discord**, and some companies reportedly complied in at least some cases; Google said it notifies users when possible and challenges subpoenas it views as **overbroad**. Separately, a court filing disclosed that the **IRS improperly overshared** immigrants’ personal data with DHS/ICE under an April 2025 IRS–DHS data-sharing arrangement intended to support certain non-tax criminal investigations under **IRC Section 6103** exceptions. After ICE requested **1.28 million** addresses, the IRS could verify **47,289** individuals, and for a subset (reported as **under 5%** of verified matches) the IRS mistakenly provided ICE with **additional address information** beyond what ICE had supplied, raising concerns that the interagency data-sharing deal increased exposure of sensitive taxpayer information.
Mar 21, 2026
StopICE App Breach and SMS Alert Abuse via Downstream Carrier API
**StopICE**, an app used to track U.S. Immigration and Customs Enforcement (ICE) activity, reported a security incident after users received SMS messages urging them to uninstall the app. StopICE administrators attributed the activity to a “personal server” allegedly associated with a **U.S. Customs and Border Protection (CBP) agent** and said the attacker abused a **downstream carrier API** to spam users rather than compromising StopICE’s core systems. Public claims on social media alleged that attackers accessed and shared user data with law enforcement, including names, credentials, phone numbers, and location data; StopICE disputed holding most of that data and said the only potentially impacted population was users who opted into a **“location assist”** feature that collected geolocation to provide neighborhood-level alerts. Separate reporting amplified allegations that **over 100,000 users’** information (including GPS coordinates) was accessed and transmitted to U.S. federal agencies (**FBI, ICE, HSI**), and criticized StopICE leadership for allegedly not notifying users promptly. The same reporting period also included claims of a related compromise affecting another ICE-tracking app, **Eyes Up**, where attackers alleged the backend database lacked authentication and that they accessed/altered stored videos; no confirmation from Eyes Up was cited. Overall, the incident highlights risks from third-party messaging/telecom integrations and the potential safety impact of exposing activist-related location data, even when only a subset of users enable location-based features.
Mar 21, 2026
DDoS Attack Takes Down ICE List Doxxing Site After Leak of DHS-Sourced Agent Data
**ICE List**, a website publishing personal details of U.S. Immigration and Customs Enforcement (ICE) officers and Border Patrol agents, was reported offline following a sustained **distributed denial-of-service (DDoS)** attack that the site’s administrator, Dominick Skinner, attributed to traffic largely originating from **Russia** and routed through proxies. Skinner said the attack’s use of proxy infrastructure made attribution difficult, but described it as unusually long-running and sophisticated; the site is reportedly hosted in the **Netherlands**, complicating potential U.S. takedown efforts. Reporting indicated the disruption followed Skinner’s stated intent to release data on nearly **4,500** immigration personnel allegedly obtained from the U.S. Department of Homeland Security via a whistleblower. The exposed dataset was described as including **names, phone numbers, email addresses, job titles**, and other identifying information, prompting criticism from DHS that the site enables **doxxing** of federal personnel; Skinner reportedly said he planned to withhold some categories of names (e.g., nurses and childcare workers) while publishing most others.
Mar 21, 2026