Wikipedia:Long-term abuse/Wikinger: Difference between revisions

Please report all ongoing incidents of abuse to AIV or ANI, and SRG.

Wikinger (talk · contribs · block log · arb · rfcu · ssp · SPI ^confirmed _suspected)
Comprehensive edits analysis

Persistent spreading of misinformation about Greek alphabet topics across multiple language Wikipedias. Persistent sockpuppetry, including good-hand/bad-hand schemes, edit-warring against his own socks; verbal abuse, fake death threats and outing attacks against administrators, joe jobs and impersonation of other vandals, use of open proxies. Wikinger’s account was globally locked on 24 March 2015 due to cross-wiki abuse.

He is banned by the Wikimedia Foundation and may not edit any Wikimedia project. All accounts/IPs should be globally locked/blocked on sight.

Targeted areas, pages, themes

Persistent obsessive tinkering with pages relating to the Greek alphabet and its minor additional characters (Greek alphabet, Template:Greek alphabet sidebar, Ϝ, Ϛ, Ͱ, Ϙ, Ϻ, Ϡ, Ϸ), on en-wiki and multiple other projects. All Wikipedias that have equivalents of the above articles have been affected.

Habitual behavior

• Abusive behaviour
  • persistent edit-warring through dynamic IPs, usually his own Polish IPs and open proxies in rapid sequence
  • sock tricks: e.g. making his desired change through one IP, then reverting it back or adding vandalism through another strawman IP, hoping that an established user will revert back to his first edit
  • creates impersonation accounts named after unrelated established users (e.g. User:Blablaaa1, User:ΚεκρωΨ, User:Ϛτυχ, User:Stvx, [1], User:Njgos, User:Jeff$paceman)
  • uses impersonator accounts of unrelated users and then reveals them to be his socks, trying to fool administrators to block the original impersonation victim as his sock too (known victims of these tactics: User:Aminullah, User:Marco9673)
  • mimicks other banned or blocked users with sock accounts or IPs pretending to be theirs [2]
  • creates strawman sockpuppets and revert-wars against them or raises extensive complaints against them with administrators. Abuses his own socks or lets them adopt strawman positions in order to “prove” they can’t be him. (e.g. here)
  • attacks other users with verbal insults, attempted outing attacks, and fake death threats (mostly directed against FPaS)
  • several abusive alter ego personalities: “Wikinger”/”Penguin Eater” using nazi-themed and sexual abuse, “Aminullah” pretending to be a fundamentalist Islamist or Chechen separatist making terrorist death threats
  • Messing with other editors’ postings on talk pages: falsifying, aping or mimicking other editors’ edits
  • Tinkering with the block and sockpuppet tags on the user and talk pages of his own abandoned socks
  • On the German Wikipedia, Wikinger called others “dog”.
• Imitates behavior of other LTAs:
• Content edits: persistently pushes a number of idiosyncratic notions about obscure Greek characters, based on an idée fixe of achieving maximum systematicity and uniformity, with complete disregard to factual correctness. Examples:
  • insists on the (ahistorical and nonsensical) made-up spelling of “Ͳαμπι” for “σαμπι”
  • insists that Ͱ, Ϻ, Ϸ had numerical values
  • insists that Ϸ had a letter name and phonetic value in Greek
  • insists that “Greek Yot” was a letter of the Greek alphabet
  • insists that “Heta” has a name and sound value in Modern Greek
  • insists that “Sampi”, “Stigma” or “Disigma” are ancient Greek letter names
  • tries to unify naming and presentation schemes for Greek characters across all Wikipedias, based on mistaken notions of analogy between them, often using one Wikipedia as an alleged source for justifying his edits on another (e.g. [3])
  • creates articles about these characters in languages he doesn’t know, by blindly copy-pasting text from other articles without regard to factual correctness (e.g. [4])

Cases

Other notes

• All Greek alphabet pages on enwiki are currently semiprotected indefinitely because of him. Disruption on other wikis continues.
• I’ve been extremely patient on my talk page, but now I receive unexpected insults (allcaps in edit summaries) from him (including references to known terrorist), after I asked him why he does not use an account and was very polite. He tried to convinced me that he was a newcomer. I know he is lying about his location (two IPs used on my talk page and on his recent edits on Wikimedia Commons (c:Special:Contributions/49.156.44.114, c:Special:Contributions/115.178.49.101, c:Special:Contributions/103.199.139.1, c:Special:Contributions/61.91.202.210). See also other grouped edits in the same Commons template by c:Special:Contributions/103.147.163.130, c:Special:Contributions/49.156.44.114, c:Special:Contributions/37.191.93.105, c:Special:Contributions/ΣΠϘΡ, c:Special:Contributions/157.15.63.192, c:Special:Contributions/103.171.245.170. Can an IP verifier confirm this? I’ve been alerted by Tuvalkin but did not notice initially his link to this page. Thanks.

  That same user continues adding new random IPs harvested from open proxies most probably from unmanaged small sites or stolen by harvested by malwares and found in lists in the black net. I’ve ordered him multiple times to stop this, he continues random edits on Greek-related pages, then reverted using another IP (using impersonation). I’ve told I’m not an admin to manage his requests and my talk page is not the place for anonymous users to complain or to receive imperative orders. He continues (c:Special:Contributions/193.47.189.33, c:Special:Contributions/103.153.136.9).

  New death-threatening messages by him on user talk pages (even if this was reverted by him, this was done multiple times, now using additional sockpuppets).

  Reported (by other Polish users) to be apparently using Neostrada (Orange Polska) and Play (Iliad Polska) (two Polish subsidiaries of two major French ISPs) as his current ISPs, but there are other VPNs/proxies used from Mumbai, India and probably other locations.

  Now acting with another sockpuppet as IP only c:Special:Contributions/138.84.114.109 (this time via a VPN hosted in the Philippines) on Commons, possibly elsewhere (14:08, 6 October 2025 (UTC)); this follows 2409:4040:e03:c8a9::c94b:4a05 with the same fake data and inventions, and he could still create new accounts, impersonating himself, editing/reverting himself (c:User:Tadik Szczepanek is already confirmed and blocked, but there are others: c:User:Jeż2013, c:User:Jeż2016, c:User:Jeż2019…), just for confusing people. He is obsessed at adding unsourced predictions about Unicode, and does not understand the long encoding process that requires first the approval by two international technical committees. He removes those statements, and just pollutes Commons and Wikidata with fake data, just to complicate the maintenance task and the effective sourcing we need from reliable sources (and he is confused by the Unicode Roadmap, which has never been stable, but just there to track the ongoing encoding proposals, frequently with multiple conflicting encodings in different blocks, or with different encoding model; the roadmap is just there to allow more experts to be involved and help fixing the proposals until they are finally approved for a final public review; we must not make any prediction), but he also recently added again fake data about Unicode 16.0 (which is completely finalized) and some other previous versions. Also uses now stolen network resources abused from servers hosted by CloudFlare (a very large worldwide CDN) to spam user pages and tell others how to not signal him to Wikimedia admins in the most efficient way. The abuse of CloudFlare resources is a case for legal action by law enforcement to be initiated by CloudFlare to protect his network and reputation.[reply]

  Note that Wikinger can attack Wikimedia users via multiple Wikimedia sites (due to SUL and the central Wikimedia notification system), including for now: bar.wikipedia.org, csb.wikipedia.org, de.wikipedia.org, en.wikipedia.org, eo.wikipedia.org, login.wikimedia.org, meta.wikimedia.org, pl.wikipedia.org, pl.wikimedia.org, szl.wikipedia.org (so this includes small Wikipedias as well, even if his chosen victim user has not contributed anything on those wikis; other wikis not listed here may be affected as well). Something should be done to restrict the amount (and frequency) of Wikimedia notifications coming from the same user (especially new unconfirmed user accounts or IP users), so that we can manage the situation (there are too many notifications for a very short period of time), those unread received notifications should not cumulate excessively by default (except for some advanced users or admins that have other tools to monitor and manage them).

Confirmed and suspected accounts

• cross-wiki socks (2010):
  • SMITHEGREC
  • SMITHECAV
  • Blablaaa1 (impersonator of unrelated user:Blablaaa)
  • Marco3769 (impersonator of probably unrelated Marco9673)
  • ريال
  • ㍐
  • Kaiserreich
  • TAIntedCHInese
  • Judyta85
  • Aminvllah (impersonator of probably unrelated user:Aminullah)
  • Ad&d-ROLF Bitner (see [7] for link between this account and Wikinger)
  • Piagil
  • Godzina V i Kingów
  • Tadik Szczepanek (already blocked), and his own probable impersonators (Jeż2013, Jeż2016, Jeż2019…)
  • Mirosław BMI: restarts in less than 24 hours; still evading the global ban.
  • Energylandia Obsługa: restarts again in less than 24 hours (more than 20 spams received, includnig fake “thank you notifications”), after his previous account was globally blocked; he is still evading the global ban; this new account has already globally blocked today by admins (monitoring by affected talk pages where his spam was already reverted 3 times by WP.EN admins). Wikinger takes revenges against anyone that have signaled him, and is constantly warring and threatening the community. He wants to compltely defeat the notification system as a way to increase his impact, in order to discourage us from using Wikimedia. Thanks anyway to Wikimedia adlmins for their work, but I don’t see any end soon, without starting a legal action against him (possibly joined with other network that he has abused as well, notably CloudFlare where he apparently controls some private VPS, or where he may abusively harness the weaknesses of other third-party websites and web services that have already been attacked and compromized by other malwares; he visibly can use advanced Internet tools to connect from anywhere in the world and has access for now to an unlimited number of compromized IP adresses, proxies or commercial VPNs; what he does should be illegal in the US and in Europe, subject to severe fines, possibly jail, and to seizure of all hardwares and facilities that he controls, after some police investigation). Don’t underestimate his technical capabilities, he is visibly trained in advanced SecOps (and may be he works for a company in that sector, or can access some of them; he is probably using the “dark internet” to discover new ways to connect to the Internet, but I think he has left enough traces there that he could be easily tracked and identified by law inforcement agencies or cooperating police services in Europe).

Blocks, bans and protections on other projects