Wired: Inside the Dark World of Doxing for Profit

Aug 19
SINCE THE EARLY 1990s, people have used doxing as a toxic way to strike digital revenge—stripping away someone’s anonymity by unmasking their identity online. But in recent years, the poisonous practice has taken on new life, with people being doxed and extorted for cryptocurrency and, in the most extreme cases, potentially facing physical violence.

For the past year, security researcher Jacob Larsen—who was a victim of doxing around a decade ago when someone tried to extort him for a gaming account—has been monitoring doxing groups, observing the techniques used to unmask people, and interviewing prominent members of the doxing community. Doxing actions have led to incomes of “well over six figures annually,” and methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.

“The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.

Over several online chat sessions last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator of the biggest public doxing website, Doxbin, as well as being involved in other groups. (Two other ViLe members pleaded guilty to hacking and identity theft in June.) Larsen says both Ego and Reiko deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them independently.

People can be doxed for a full range of reasons—from harassment in online gaming, to inciting political violence. Doxing can “humiliate, harm, and reduce the informational autonomy” of targeted individuals, says Bree Anderson, a digital criminologist at Deakin University in Australia who has researched the subject with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order harms,” including anxiety around future disclosures of information, Anderson says.

Larsen’s research mostly focused on those doxing for profit. Doxbin is central to many doxing efforts, with the website hosting more than 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most of the doxing on Doxbin is driven by extortion activities, although there can be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it breaks the website’s terms of service.

“It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts. Ego added: “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”

Impersonating Police, Violence as a Service
Being entirely anonymous online is almost impossible—and many people don’t try, often using their real names and personal details in online accounts and sharing information on social media. Doxing tactics to gather people’s details, some of which were detailed in charges against ViLe members, can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.

Emergency data requests (EDR) can also be abused, Larsen says. EDRs allow law enforcement officials to ask tech companies for people’s names and contact details without any court orders as they believe there may be danger or risks to people’s lives. These requests are made directly to tech platforms, often through specific online portals, and broadly need to come from official law enforcement or government email addresses.

“If a threat actor can intercept that process, it’s the fastest way for them to get highly accurate sensitive data on the victim,” Larsen explains. “They’re really stepping up and using that as their primary method for doxing victims.” This kind of request has previously been used to harass women and children, as well as weaponized against security researchers.

During his research, Larsen says he infiltrated various Telegram groups where people were selling access to systems to make EDRs and government emails needed to make requests. One individual, according to screenshots shared by Larsen, claimed to be selling access to TikTok’s law enforcement platform using a US Department of Justice email address, and claimed they had an FBI email address too. Another claimed they would make government email addresses from Mozambique, the Philippines, Pakistan, and Brazil for $125 each.

Larsen says he reported the details to law enforcement agencies. The FBI declined to comment about false EDRs to WIRED, while a TikTok spokesperson pointed toward its public policies on emergency data requests and the ways it tries to ensure they are valid. The US Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.

“Violence as a service” groups have appeared from SIM swapping communities in recent years as well, allowing people to pay for violent acts to be carried out. Digital extortion can lead to physical extortion, Larsen says, adding that Doxbin doesn’t allow threats or discussions of violence to be posted on its platform. “I’ve seen people get doxed and that ends up in them being bricked, getting their house shot up, getting a Molotov thrown through their windows, gang stalked, all in an attempt to extort them for money,” Ego said in a conversation with Larsen. Videos of attacks are sometimes posted online. “Things get pretty wicked online, much more than people realize,” Ego said.

These incidents can involve people trying to extort cryptocurrency from people with large stashes—although some violence services have been used by feuding online groups. “Unless these platforms get taken down, or more actors get punished, both in the US and abroad, it's just going to continue to rise,” Larsen says. “Particularly as cryptocurrency becomes more adopted by more people.”

Few Doxing Protections
Globally, few legal protections against doxing exist—although elements may fall under stalking, harassment, or data protection legislation. “Laws worldwide are simply not fit to provide protection,” says Amanda Manyame, digital rights adviser at Equality Now, a feminist human rights NGO. “Victims have no way to swiftly regain control of information that has been published with the intent to harass, intimidate, and/or harm them.”

“The prompt takedown of doxing-related content is very important for victims, and governments need to enact laws that mandate the removal of such content within 24 hours,” Manyame says, with Equality Now’s research stating that doxing can “disproportionately” impact women and girls.

Indicating the challenges of getting information removed, Doxbin publishes a transparency report—mimicking the practices of Big Tech platforms—listing the number of removal requests it receives. Around 160 requests from lawyers and local and national law enforcement bodies are listed from 27 countries, Larsen says, with the majority being denied as they don’t break Doxbin’s limited terms of service.

While legal routes to getting data removed are slim, there are steps people can take to limit some of the impacts linked to doxing and wider online privacy abuses. At an individual level, Larsen says, common cybersecurity measures can help, including not reusing passwords across apps and websites, locking down social media accounts and not posting photos and personal information, and turning on multifactor authentication for as many accounts as possible. For people wanting to go further, using usernames and emails not linked to the same email address or online handle is a potential first step.
