Since the early 1990s, people have turned to doxing as a toxic form of digital revenge: stripping someone of their anonymity by unmasking their online identity. But in recent years, this toxic practice has taken on new life: people have been extorted for cryptocurrency and, in the most extreme cases, faced with physical violence.
Over the past year, security researcher Jacob Larsen — who was a victim of doxing about a decade ago when someone tried to extort him for a gaming account — has been monitoring doxing groups, observing the techniques used to unmask people and interviewing prominent members of the doxing community. Doxing actions have generated revenues of “well over six figures annually,” and methods include making false requests to law enforcement to obtain people’s data, according to Larsen’s interviews.
“The primary goal of doxing, particularly when it involves a physical extortion component, is financing,” says Larsen, who leads an offensive security team at cybersecurity firm CyberCX but conducted the doxing research in a personal capacity with support from the firm.
In several online chat sessions in August and September of last year, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator for the largest public doxing website, Doxbin, in addition to being involved in other groups. (Two other ViLe members He pleaded guilty to computer hacking and identity theft. (in June.) Larsen says both Ego and Reiko have deleted their social media accounts since speaking to him, making it impossible for WIRED to speak to them independently.
People can be doxed for a wide range of reasons, from harassment in online games to inciting political violence. Doxing can “humiliate, harm and reduce the informational autonomy” of the people affected, says Bree Anderson, a digital criminologist at Deakin University in Australia who has investigated the topic with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order” harms, including anxiety about future disclosures of information, Anderson says.
Larsen’s investigation focused primarily on those who dox for profit. Doxbin is central to many doxing initiatives, as the website hosts over 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most doxing on Doxbin is driven by extortion activities, although there may be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it violates the website’s terms of service.
“It is your responsibility to defend your privacy on the Internet,” Reiko said in one of the conversations with Larsen, who has published the transcriptsEgo added: “It is up to users to keep their online security tight, but let’s face it, no matter how careful they are, someone could track them.”
Replacing the police, violence as a service
Being completely anonymous online is nearly impossible, and many people don’t try, often using their real names and personal details on online accounts and sharing information on social media. Doxing tactics to collect people’s data, some of which was detailed orders against members of ViLeThese can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.
Emergency data requests (EDRs) can also be subject to abuse, Larsen says. EDR Allowing law enforcement officials to request people’s names and contact information from tech companies without warrants if they believe there may be danger or risk to people’s lives. These requests are made directly to tech platforms, often through dedicated online portals, and generally must come from official law enforcement or government email addresses.