Since the early 1990s, people have used doxxing – revealing someone’s identity online and taking away their anonymity – as a harmful way to exact digital revenge. But in recent years, this harmful practice has taken on new life as people are doxxed and extorted for cryptocurrency, and in the most extreme cases, may even face physical violence.
Security researcher Jacob Larsen was a victim of identity theft about 10 years ago when someone compromised his gaming account. Over the past year, he has been monitoring identity theft groups, observing the methods used to unmask people’s identities, and interviewing prominent members of the identity theft community. In an interview, Larsen said identity theft can earn him “well over six figures a year,” and that methods include making fake law enforcement requests to obtain people’s data.
“The primary target of doxxing is financially motivated, especially if there’s a physical extortion element involved,” said Larsen, who leads the offensive security team at cybersecurity firm CyberCX and has personally studied doxxing with the company’s help.
In online chats last August and September, Larsen interviewed two members of the disclosure community, known as “Ego” and “Reiko.” Neither’s offline identity has been made public, but Ego is believed to have been a member of the five-person disclosure group “ViLe,” and Reiko served as administrator of Doxbin, the largest public disclosure site, last year, as well as being involved in other groups. (Two other members of ViLe pleaded guilty to hacking and identity theft in June.) Larsen says that both Ego and Reiko have deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them individually.
People doxx for a variety of reasons, from harassment in online games to inciting political violence. Doxxing can “humiliate, harm, and reduce the information autonomy of the targeted individual,” says Bree Anderson, a digital criminologist at Deakin University in Australia who has studied the issue with her colleagues. There are direct “primary” harms, such as risks to personal safety, and longer-term “secondary” harms, such as fears about future disclosures, Anderson said.
Larsen’s research focuses primarily on doxxers with commercial motives. Doxbin is at the center of many doxxings, with the website hosting more than 176,000 public and private pieces of personal information, including names of family members, social media details, Social Security numbers, home addresses and places of employment. Larsen believes the majority of doxxings on Doxbin are motivated by blackmail, but said there may be other motives and reputational doxxing. Once information is uploaded, Doxbin does not remove it unless it violates the website’s terms of use.
“It’s your responsibility to maintain your privacy on the internet,” Reiko said in her conversation with Larsen, who released a transcript of the conversation. “It’s your responsibility to be strict about your online security, but let’s be realistic – no matter how careful you are, someone can still track you,” Ego added.
Impersonating police and offering violence as a service
It’s nearly impossible to remain completely anonymous online, and many people don’t attempt it, instead using their real names and personal information in their online accounts and sharing information on social media. Doxxing tactics to gather people’s details, detailed in the charges against ViLe members, include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are even more sinister methods.
Larsen noted that emergency data requests (EDRs) can also be misused. EDRs allow law enforcement agencies to request people’s names and contact details from technology companies without a court order if they believe there is a danger or risk to people’s lives. Such requests are often made directly to technology platforms through specific online portals and generally must be sent from an official law enforcement or government email address.