the home of online investigations

You can support the work of Bellingcat by donating through the following link:

Massive White Supremacist Message Board Leak: How to Access and Interpret the Data

November 6, 2019

By Bellingcat Investigation Team

Update: The Internet Archive has removed the SQL leak; however, the information is freely available via a torrent file (download here) or a Magnet link (click here, or copy/paste the link into a torrent client).

Today, the entire SQL database from Iron March, a now-defunct neo-Nazi / white supremacist message board, was posted onto the Internet Archive by the user “antifa-data“. You can access this data dump on the Internet Archive, and via a torrent file found here, or through this Magnet link.

This leak contained the entirety of the site’s information, including user names, registered emails, IP addresses of users, all of the forum’s public posts, and even the private messages between members. This message board was linked with the violent neo-Nazi group Atomwaffen Division, and has been widely studied by anti-extremist groups and researchers, such as the Southern Poverty Law Center (SPLC). The SPLC has also scraped all of the public posts from the site — well over 150,000 of them — and has been researching them over the last two years.

How to access the files

There are two ways to read and access the leak. The first is through the SQL database within the torrent, which can be accessed through an SQL database viewer (for example, MySQL Workbench or DB Browser for SQLite). However, this is quite arduous for the average user.

It is much easier to read through the exported spreadsheets that are included within the torrent file. The most important spreadsheets for analysis, and the most important columns within them, are:

core_members (All users)

  • Column A indicates the member ID, which is reflected across other spreadsheets as well.
  • Column B indicates the username within the site.
  • Column D indicates the registration email used by the user.
  • Column E indicates the time that the user signed up, converted into Unix time. You can convert the timestamp into normal time here; for example, the first user sign-up was at 1315842419, or 12 September 2011 at 3:46pm (UTC).
  • Column F indicates the IP address at registration; however, this could be spoofed if the user deployed a VPN or proxy connection.
  • Columns M-O indicate the date of birth provided by the user.

core_message_posts (All private messages)

  • Column A indicates the unique message ID — every single message sent on the forum has its own ID.
  • Column B indicates the message topic (thread) — each conversation between users has its own thread, and will not always be sequential to message ID, depending on how fast the users were writing back to one another.
  • Column C indicates the time of the message, converted into Unix time. You can convert the timestamp into normal time here.
  • Column D indicates the message content. Note that there is sometimes a blank space before the message begins, making it (falsely) appear blank in a preview on Excel.
  • Column F indicates the member ID, which can be cross-referenced with Column A in core_members.
  • Column G indicates the IP address used by the user who sent the message. This can be cross-referenced with Column F in core_members.

Cross-referencing private messages (core_message_posts) and the users sending them (core_members) is quite easy, in just cross-referencing usernames and member ID numbers. Click this image, created by Jake Godin, to see how to easily cross-reference these data sets.

core_message_topics (Titles of all private messages)

  • Column A indicates the topic (thread) ID number, which can be cross-referenced with Column B in core_message_posts.
  • Column B indicates the time that the message was sent, in Unix time. You can convert the timestamp into normal time here.
  • Column C indicates the title of the private message thread.
  • Column E indicates the member ID of the person who first sent the message, which can be cross-referenced with Column A in core_members.
  • Column I indicates the member ID of the recipient of the thread, which can be cross-referenced with Column A in core_members.

core_search_index (All forum posts)

  • Column F indicates the post content.
  • Column H indicates the member ID of the poster, which can be cross-referenced with Column A in core_members.
  • Column J indicates the post time, converted into Unix time. You can convert the timestamp into normal time here.

Potential research leads

In a cursory survey of the data, there are a number of investigative paths for identifying active users of this forum for violent white supremacists. In particular, there are a number of users who identified themselves as active serving members of the military in Western countries, especially the United States.

We have started to compile potential leads for these users, which can be accessed here. We encourage journalists and investigators to follow up on some of these, and other, leads that can be found in these data sets. Additionally, users can suggestion additions or revisions to the existing data set.

Bellingcat Investigation Team

The Bellingcat Investigation Team is an award winning group of volunteers and full time investigators who make up the core of the Bellingcat's investigative efforts.

Join the Bellingcat Mailing List:

Enter your email address to receive a weekly digest of Bellingcat posts, links to open source research articles, and more.


  1. J Rentaghost

    Here’s a python script (using the pandas library) which takes the CSV files of the iron march database and spits out a rough-and-ready static HTML representation of the whole forum, including public posts, private messages, and member info, organized by forum/topic and by member.

    There’s no search function (although you could easily use OS or text editor built-in search on the directory) but it makes it easy to look at any given member’s activity in context and get an idea of what the forum looked like as a whole.

    As explained in the comments at the top of the script, you will need to obtain some CSV files that weren’t exported in the torrent that is going round. These could be obtained from the SQL file in the torrent, but an easier way is to use the DB at as explained in the script.

    • jomili

      Agreed – also the two using the .edu domain, is that worth pursuing?

      Not as computer savvy as some others on this thread but I want to get involved somehow.

      • J-Bux

        I did a query for member account with .edu accounts.

        SELECT *
        FROM core_members
        WHERE email LIKE ‘’
        ORDER BY email;

        Only returned two users.

        One from Elon, and one from sunysuffolk.

    • Yako

      Grrr! Those damn christians! What about rabbis in synagogues? Or imams in mosques? They do an insane amount of shady stuff, yet you likely don’t care. Moron.

  2. Tom

    If you’re curious what kind of passwords Nazis like to use:

    join the password hash and salt (separated with a colon)
    Example: passwordhash:salt
    And run through hashcat on mode 2811

    • Michelle T.

      Currently have one of my workstations doing that as we speak – 2X Radeon R7 280X and a Xeon Phi 5110P 🙂

    • bystander

      Thanks for the tip, Tom. For anyone else looking into this, there are two types of passwords in the data:
      (1) bcrypt $2*$, Blowfish (Unix) which Invision Power implemented for IPB bulletin boards with v4 in 2012, and
      (2) the proprietary protocol Invision used for IPB prior to version 4.
      With most cracking software such as hashcat, you want mode 2811 for the older passwords (you’ll recognize them by their very short salts) and mode 3200 for the newer ones. Protip: a good dictionary cracks the old ones silly fast. Happy hacking!

  3. MadCatter

    There is a typo in the readme for converting the sql lite to CSV’s.
    The readme states that you need to use python, but what you need to use is python3

  4. Solomon

    People who like graphs, here is the recent spike of activity thanks to India discovering Mastodon in the context of the last 6 months of A gigantic data leak from a white supremacist message board was posted onto the Internet Archive today. #

  5. Martin Bohun Hormann

    Very likely a forgery.
    How do you want to verify the info is actually genuine?
    How hard is to setup some message board / DB, fill it with “hate speech” posts?
    Why? For example to justify funding to “combat hate/fascism/whatever online”,
    or to smear some people they don’t like, etc.

    • Walter Kumiega

      Yes, there is a vast conspiracy to create an artificial neo-nazi movement. Or one could look at the mountain of evidence and come to the conclusion that the neo-nazi movement is very real with very real victims.

      • concerned citizen

        Presumably people just registered with throwaway email addresses and the like. A big pile of data here, but not of much practical use.

      • Oyster

        Actually there is a vast conspiracy to create an artificial white nationalist movement. It is run by the Russian GRU and their Hungarian intel friends posing as “white nationalists” and Trump/Putin/Orban right wing supporters – the people who got Trump elected.

        For years they’ve been recruiting people online, especially on conservative and religious websites, because they need volunteers. They also court/infiltrate the military. Of course some are real Nazi types, but most of them are just propagandists trying to split Western society along fracture lines.

  6. RatioRegat

    Have you guys noticed any leads that point to german-speaking individuals or organisations? If so, i could look into it.

  7. Forlorn

    Hopefully bellingcat have consulted with legal experts concerning potential liability before providing tools and encouraging it’s readers to do this.


Leave a Reply

  • (will not be published)

You can support the work of Bellingcat by donating through the following link: