Doxxing is a cyber attack that is aimed at discovering the real identity of a person and publishing their private information online. The attacker can use a single clue and then follow the trail, adding up pieces of information and unraveling the victim's true identity and private details.
The rise of social media acts as a massive help for these kinds of attacks, providing plenty of information for the attacker, who uses it to shame or harass their victims publicly.
The word itself comes from the early '90s practice of revenge hacking when attackers would drop malicious information about their rivals, calling it "dropping dox."
Is doxxing illegal?
It depends. Doxxing isn't illegal if the exposed information is part of the public record. Arrest records, traffic violations, marriage, and divorce records all fall into the public record. Publishing this information online without your consent is unethical, but it's not a crime from a legal standpoint.
However, doxxing becomes illegal when the information is off the public record like a bank account number, birth certificate, and the like. Publishing this information is unlawful and is treated as an invasion of privacy.
In all cases, you should look into your state law. Much of the conduct that could be classified as doxxing may fall under cyberstalking, extortion, harassment. The doxxer could face charges if he or she obtained the data through illegal means, for example, by hacking into a protected database.
How can doxxers find your information?
Doxxers usually rely on online sources to connect the dots. Usually, it means using several legal and illegal sources to get a full profile of the target. Here are the go-to sources that doxxers use to collect intel.
Your personal data is a valuable commodity. Data brokers make a living by collecting and selling your data. They usually acquire it from other businesses. For example, if you register on a free VPN, your browsing logs may end up in someone's data center, which will then be sold to data brokers to cover operating expenses. For marketers, it's much more cost-effective to just buy your data instead of running multiple surveys.
Data brokers usually sell the information in bulk – they aren't really interested in individuals. However, doxxers can cross-reference large volumes of data. This means that they can accumulate a large amount of information on different people. The main difficulty is that this information isn't publicly available and would require paying.
If you own a website or a blog, you have to provide your personal information. It's then stored in a public database known as WHOIS. The doxxer then goes directly to the WHOIS website or a domain sales broker, asks for your information, and gets it. Now he or she can use your private data like your home address, phone number, or email against you.
You can ask your domain broker to obscure such information, usually, for an extra cost. Most users, however, just use throwaway emails with fake telephone numbers. However, if you created a domain a long time ago, this might still be a hole that a doxxer could exploit.
When it's challenging to obtain the data from public sources, hacking is one of the ways a doxxer could get a hold of your data. It's enough to write one trustworthy-looking message or email to get most users to click on something - a link, an attachment, etc. Using intrusive code, phishing, and distributing malware work to doxxer's advantage. Here are some examples:
IP logging. This method works by sending a malicious link that, once clicked, launches an intrusive script. This script then reveals the user's real IP address.
Packet sniffing. Public Wi-Fi hotspots are vulnerable to hacking attempts. An attacker could intercept your connection by making you connect to a fake free Wi-Fi hotspot to see real-time data on what you're doing online. If you're using an unencrypted (HTTP) connection, this puts your sensitive data, such as login details and passwords, at risk.
Social media stalking
Since the majority of internet users also have social media accounts, a doxxer can easily use these to get a lot of information. When cross-referencing many linked profiles, it's possible to create a really detailed personal profile. Most of this information is publicly available and easy to find by simply searching for a person's name. If you have posted photos with location tags, the attacker could even quickly pinpoint your home and workplace addresses.
Do keep in mind that when you're using social media platforms as authentication to log into other platforms, you're giving these platforms permission to view your data. This could let them bypass the blocks imposed by your privacy settings and reveal your private information even with adequate profile privacy settings.
What are the types of doxxing
In all cases, doxxing reveals private and/or sensitive information about individuals. However, the intent and methods could be very different. Here are a few examples.
Gossip journalists publish all sorts of intimate details about celebrities every day. Celebrity doxxing takes it to the extreme by targeting high-profile names and publicly posting their home address, payment card info, nude photos, etc.
Jennifer Lawrence, Kim Kardashian, Hillary Clinton have all been victims of this type of doxxing. Often, this tarnishes not only their reputation but also attracts crowds of fans and stalkers. Doxxers can use it as a weapon in election campaigns, for example, during Hillary Clinton's email controversy.
Doxxing can be a method for internet vigilantism. However, due to poor research and limited resources available, vigilantes may wrongly link innocent people with situations that they had nothing to do with.
This type of attack targets the wrong individual, putting their reputation, employment, or even life at risk. For example, there are approximately 38,000 John Smiths in the US. If a doxxer targets one of them, there's a pretty huge chance that she or he attacks the wrong person.
When a doxxer finds out the victim's address or a phone number, they may use this information to make a hoax call to emergency services to bring about armed forces to the victim's door. This is known as swatting, and there are cases where this proved fatal for the victim.
False reports to emergency services is a criminal offense punishable with fines or imprisonment. It puts the victim under a tremendous amount of stress and puts his life at risk due to the possibility of things going wrong.
Doxxing can intentionally turn people against the victim. Usually, this means revealing your target's personal details and provoking the community to harm him or her. Various forms of social engineering are on the list of methods. The motives behind this may include hatred towards a specific group of people, often due to their race, religion, or sexual orientation.
In essence, it's cyberbullying to the highest degree. Online hate groups in communities like 8chan, fueled by a toxic culture that encourages people to act out their violent fantasies, actively engage in targeted doxxing practices.
Famous doxxing cases
Michael Brutsch spent many years as violentacrez, creating various misogyny and pedophilia oriented subreddits with sexualized photos of underage women. For many years, he successfully kept his own identity a secret. However, once Gawker journalist connected Brutsch to violentacrez, he effectively doxxed him. Because of this, Brutsch ended up losing his job and endured severe public shaming.
Kyle Quinn faulty doxxing
A professor from Arkansas was wrongly accused of participating in the Charlottesville neo-nazi march. Thousands of people shared his image across all social media platforms. The doxxer even contacted his employees and asked them to demand his firing. The University of Kansas later verified that the person in the photo isn't assistant professor Quinn.
How can I avoid getting doxxed?
There are no guarantees that it won't ever happen. However, there are several things that you can do to minimize the odds:
- Be mindful of what you share online. Is it vital for you to share every single thing that happened in your life on social media? Always have in mind a modified version of the Miranda warning on everything that you post online: You have the right to remain silent. Anything you post can be used against you when doxxing.
- Tweak your privacy settings. Make your posts on social media private, so they're not visible to strangers.
- Consider using passwordless authentication. Using two-factor authentication and biometric data increases the chances of avoiding doxxing.
- Use a VPN. Signing up with a VPN provider adds an extra barrier that makes it harder for the doxxer to pinpoint your real location.
- Don't click on links from unknown senders. Doxxers often use phishing to get you into clicking on malicious links and asking you to provide your personal information.
- Never share this information. Sharing Your Social Security number, driver's license, and any information regarding bank accounts is off-limits, especially if it's on insecure chatting platforms like Discord.
There can't be too much effort to protect yourself online. Here are 15 privacy tips to check out.
What should I do if I've been doxxed?
If you've found out that you've been doxxed, here's what you should do to minimize the damage:
- Report the attack. The doxxer will probably publish your information on social media, so you should immediately contact customer support and report the posts for doxxing.
- Contact law enforcement. If you're receiving threats, contact your local police department.
- Document proof. Take screenshots or download webpage copies that display your personal data. This will help the further investigation.
- Protect your bank accounts. If doxxers have published your credit card numbers, immediately report this to your financial institution to freeze the account.