Since the early 1990s, people have been using doxing as a form of malicious digital revenge—stripping away someone’s anonymity by exposing their identity online. But in recent years, this malicious activity has taken on a new life, with people being doxed and blackmailed with cryptocurrency and, in the most extreme cases, potentially facing physical violence.
Over the past year, security researcher Jacob Larsen—who was a victim of doxing about a decade ago when someone tried to blackmail him into giving away a gaming account—has been tracking doxing groups, observing the techniques used to expose people, and interviewing prominent members of the doxing community. The doxing activities have resulted in “over six figures annually” in revenue, and the methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.
“The primary goal of doxing, especially when it involves the actual extortion component, is financial gain,” said Larsen, who heads the offensive security team at cybersecurity firm CyberCX but has conducted doxing research in a personal capacity with the company’s support.
In several online chats last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of them has been publicly identified offline, Ego is said to be a member of a five-person doxing group called ViLe, and Reiko last year served as an administrator on the largest public doxing site, Doxbin, as well as participating in other groups. (The other two members of ViLe pleaded guilty to hacking and identity theft. (Larsen said both Ego and Reiko deleted their social media accounts after speaking with him, making it impossible for WIRED to speak with them privately.)
People can be doxed for a variety of reasons—from harassment in online gamesARRIVE incite political violence. Doxing can “humiliate, harm, and diminish the informational autonomy” of targeted individuals, said Bree Anderson, a digital criminologist at Deakin University in Australia who has have researched this topic with colleagues. Anderson said there are immediate “first-order” harms, such as risks to personal safety, and longer-term “second-order” harms, including anxiety about future disclosure.
Larsen’s research focuses primarily on people who dox for profit. Doxbin is at the center of many doxing efforts, with the site hosting more than 176,000 public and private doxings that can contain names, social media details, Social Security numbers, home and work addresses, and similar details belonging to people’s family members. Larsen said he believes most doxing on Doxbin is motivated by extortion, although there may be other motives and doxing for notoriety. Once information is uploaded, Doxbin does not remove it unless it violates the site’s terms of service.
“You have a responsibility to protect your privacy on the internet,” Reiko said in one of her conversations with Larsen, who published transcript. Ego added: “It is up to users to protect their own online security, but the reality is that no matter how careful you are, someone is still tracking you.”
Impersonating police, violence as a service
Absolutely anonymous online is nearly impossible—and many people don’t try, often using their real names and personal information in online accounts and sharing information on social media. Doxing tactics to collect people’s details, some of which have been detailed in the fees against ViLe membersmay include reusing common passwords to access accounts, accessing public and private databases, and social engineering to Launch SIM swapping attacks. There are also more despicable methods.
Emergency data requests (EDRs) can also be abused, Larsen said. EDR allows law enforcement officials to request people’s names and contact information from tech companies without a court order because they believe there is a danger or risk to their lives. These requests are sent directly to tech platforms, often through specific online portals, and generally need to come from official law enforcement or government email addresses.
