Since the early 1990s, doxing, the practice of revealing someone’s identity online and stealing their anonymity, has been utilised as a destructive form of online retaliation. However, the toxic practice has resurfaced in recent years, with victims being doxed, blackmailed, and threatened with physical harm in the worst situations, all in exchange for cryptocurrency.
Security researcher Jacob Larsen, who was doxed about ten years ago when someone tried to extort him for a gaming account, has been keeping an eye on doxing groups, observing the methods used to uncover identities, and speaking with well-known doxing community members for the past year.
According to Larsen’s interviews, doxing activities have brought in “well over six figures annually.” One technique involves faking law enforcement requests to obtain people’s personal information.
“The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.
Larsen conducted interviews with “Ego” and “Reiko,” two members of the doxing community, during several online chat sessions in August and September of 2023.
Reiko served as an administrator of Doxbin, the largest public doxing website, last year in addition to being involved in other groups. Ego is thought to have been a member of the five-person doxing group known as ViLe, though neither of their offline identities is known to the public.
In June 2024, two additional members of ViLe pleaded guilty to charges of identity theft and hacking. Larsen, Ego, and Reiko mentioned that both individuals deleted their social media accounts, which made it impossible for them to be interviewed.
People can be doxed for a variety of reasons, such as inciting political violence or harassing others in online gaming. According to Bree Anderson, a digital criminologist at Deakin University in Australia who has studied the issue with colleagues, doxing can “humiliate, harm, and reduce the informational autonomy” of those who are targeted.
According to Anderson, there are two types of harms: immediate or “first-order,” like risks to one’s safety, and longer-term or “second-order,” like worry about information disclosures in the future.
Most of Larsen’s research focused on people who dox for financial gain. Many doxing attempts revolve around Doxbin, a website that hosts over 176,000 public and private doxes. These doxes can include names, social media accounts, Social Security numbers, residential and workplace addresses, and other similar details belonging to an individual’s family.
Larsen believes that extortion is the primary motivator for most doxing incidents on Doxbin, although there are other reasons such as seeking attention. Unless the uploaded information violates the website’s terms of service, it will not be removed.
“It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts.
Ego added, “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”
Impersonating police, violence as a service
It is nearly impossible to be completely anonymous online, and many people don’t even try; instead, they frequently use their real names and other personal information in their online accounts and when sharing content on social media.
Some of the doxing techniques outlined in the charges against ViLe members include using shared passwords to access accounts, hacking into private and public databases, and using social engineering to carry out SIM-swapping attacks. Many other malicious techniques also exist.
Additionally, Larsen notes that emergency data requests (EDRs) can be misused. When there may be a risk to people’s safety, law enforcement officials can use EDRs to obtain the names and contact information of individuals from tech companies without a court order.
In general, these requests must originate from official government or law enforcement email addresses and are sent straight to tech platforms, frequently via specialised online portals.
“If a threat actor can intercept that process, it’s the fastest way for them to get highly accurate sensitive data on the victim. They’re stepping up and using that as their primary method for doxing victims,” Larsen explained.
In the past, this type of request has been used as a weapon against security researchers and to harass women and children.
Larsen claims to have infiltrated multiple Telegram groups during his research, where individuals were offering access to systems for creating EDRs and the government emails required to submit requests.
According to screenshots released by Larsen, one person, using a United States Department of Justice email address and claiming to have an FBI email address, claimed to be selling access to TikTok’s law enforcement platform. Someone else asserted that they could create official email addresses for $125 each, originating from Mozambique, the Philippines, Pakistan, and Brazil.
According to Larsen, he gave law enforcement authorities the information. A representative for TikTok referred to the company’s public policies regarding emergency data requests and the procedures it follows to verify their validity, but the FBI declined to comment on fraudulent EDRs. A request for comment from the US Cybersecurity and Infrastructure Security Agency was not answered.
“Violence as a service” groups have also emerged from SIM-swapping communities in recent years, allowing people to pay for violent acts to be carried out. Digital extortion can lead to physical extortion, Larsen says, adding that Doxbin doesn’t allow threats or discussions of violence to be posted on its platform.
“I’ve seen people get doxed and that ends up in them being bricked, getting their house shot up, getting a Molotov thrown through their windows, gang stalked, all in an attempt to extort them for money. Videos of attacks are sometimes posted online. Things get pretty wicked online, much more than people realise,” Ego said in a conversation with Larsen.
These incidents can involve people trying to extort cryptocurrency from people with large stashes—although some violence services have been used by feuding online groups.
“Unless these platforms get taken down, or more actors get punished, both in the US and abroad, it’s just going to continue to rise. Particularly as cryptocurrency becomes more adopted by more people,” Larsen said.
Few doxing protections
Although some aspects of doxing may be covered by laws about stalking, harassment, or data protection, there aren’t many legal safeguards against it worldwide.
“Laws worldwide are simply not fit to provide protection. Victims have no way to swiftly regain control of information that has been published with the intent to harass, intimidate, and/or harm them,” Amanda Manyame, digital rights adviser at Equality Now, a feminist human rights NGO, said.
“The prompt takedown of doxing-related content is very important for victims, and governments need to enact laws that mandate the removal of such content within 24 hours, with Equality Now’s research stating that doxing can disproportionately impact women and girls,” Manyame added.
Doxbin releases a transparency report detailing the number of removal requests it receives, emulating the actions of Big Tech platforms and highlighting the difficulties in getting information removed.
According to Larsen, there are about 160 requests from lawyers and local and federal law enforcement agencies from 27 different countries. Most of these requests are turned down because the content they target doesn’t violate Doxbin’s restrictive terms of service.
There are steps people can take to lessen some of the effects associated with doxing and other widespread online privacy abuses, even though there are few legal avenues to get data removed.
Common cybersecurity precautions, such as locking down social media accounts and refraining from posting images or personal information, turning on multi-factor authentication for as many accounts as possible, and not reusing passwords across apps and websites, can all be helpful on an individual basis, according to Larsen.
Using usernames and emails that aren’t connected to the same email address or online handle could be a good starting point for those who want to go further.