Black Hat Recently published interviews with known doxxers reveal the incredible finances behind the practice and how their extortion tactics are becoming increasingly violent.
Doxxing is the term that's used to describe when an individual purposefully reveals the true identity of someone who was or would otherwise expect to be anonymous by "dropping documents" – which is where the term doxxing comes from – with information on them. It's common, has been going on for years, and is frequently used by cybercrims in various ways for financial gain.
There's a huge market for it, with the web's leading platform for sharing these doxxes – Doxbin – having around 300,000 registered users and more than 165,000 published "pastes," which is the term given to each individual publication of personal information.
That large audience and awareness is largely what makes the practice so lucrative for those who engage in it. After all, if it were a niche little underground site nobody visited, nobody would care if their identity was posted there.
According to former high-ranking members of Doxbin, the site alone generated well over six figures annually by charging victims a fee to have their data removed from the site.
That's according to a cybercriminal known as Ego – a former member of the ViLE crew, whose members were charged and recently pleaded guilty to being involved in breaching a DEA portal to scoop up data on individuals of interest held by various federal databases.
Ego and Doxbin administrator "Reiko" were both interviewed last year by Jacob Larsen, threat researcher and offensive security lead at CyberCX, who published the chats for the first time this week as part of his Black Hat 2024 presentation.
Both individuals have since deleted their respective online presences. Ego went dark following the August 2023 interview, shortly after two ViLE members were arrested, while Reiko hasn't been seen since May following the alleged kidnapping of Doxbin owner "Operator."
"[Reiko] deleted everything except for his doxxing gang website Valhal.la – this gang has had new members added even in the last few months, indicating he is still around the scene," Larsen said.
"One of the new members of the Valhalla doxxing gang is IntelBroker who was a moderator and data seller on BreachForums. On the Valhalla website, it says 'something big is coming soon,' so we will just have to wait and see."
Doxxing was simply a side hustle for Ego, said Larsen. Ego at the time claimed to have just finished a degree in network engineering – a clue as to what he may be doing now.
Ego told Larsen: "I'm relatively young, I'd say. I've never experienced the typical 9-5 work routine, and honestly, I don't see that changing. My focus has been on studying networking, and I recently graduated with a degree in networking engineering. Along the way, I managed to pick up a few different network certifications. While I was studying, this has pretty much been my gig for the past year."
Unlike other more lucrative forms of financially driven cybercrime, doxxers appear to have mixed motivations. Ego is clearly driven by money but Reiko almost exclusively targeted specific individuals such as child abusers, although the financial incentives were almost certainly also a factor.
"Let us take Courtney as an example. She is a 26-year-old female who had engaged in sexual acts with 14-17-year-old boys, mentally scarring them (possibly for life)," Reiko told Larsen.
"I believe such a person should not be allowed to hide. The same goes with animal abusers and rapists. Those are the main types of people I dislike and will go out of my way to paste."
Cybercriminals are known for trying to mask their money-driven antics behind some thinly veiled idealistic or for-good political reasoning, and the same appears to be on show here. That's Larsen's view, anyway.
"I am confident that they were being genuine, as any significant claims they made I found supporting evidence from other sources," he told El Reg. "That being said, they were very strongly opinionated about certain topics such as the ethics and legality of doxxing, so whilst they have responded genuinely from their perspective, their answers were not always factually correct or true.
"The public-facing version of Doxbin is that they target animal abusers, scammers, and pedophiles, but this is just a front to justify their actions and existence. The reality is they target anyone that [they] can earn a buck from."
Both Ego and Reiko have been around cybercrime for more than five years, which is perhaps why the pair seemed indifferent towards the potential harms of doxxing. Ego has schizophrenia, which by his own account is beneficial to his work, while Reiko believes his work targeting criminals contributes to the greater good of society.
Regardless, it's not something they tend to shout about. Ego said he hides it from his small family, and his girlfriend "barely knows anything." It's probably for the best – the fewer people who know about the criminality, the less likely they are to turn you in.
That said, doxxing isn't explicitly illegal in the majority of countries, although the state of Alabama made it illegal just this month.
Since much of the information included in the pastes is publicly available anyway, simply aggregating it isn't against the law. Ethics is another matter.
However, the way in which it's used – or misused – is often criminal. Extortion is the main follow-on activity when it comes to doxxing, and the means through which the information is acquired is often illegal too. The aforementioned breach of the DEA portal is one example. Another common, illegal practice, as Ego attested, is using remote access trojans (RATs), social engineering, and law enforcement emergency data requests (EDRs) to supplement the publicly available data.
"As you become more acquainted with the subject, you develop the skills to uncover information that isn't readily accessible to the public," Ego told Larsen.
The use of EDRs has been known for a few years now, but the barrier to entry is now much lower, Larsen told us.
"They're still in common use and whilst they were previously reserved for sophisticated threat actors and the cost of submitting fraudulent EDRs was prohibitive ($5k+ per request), my research uncovered threat actors selling fraudulent EDRs for as low as $500 USD for three platform requests. It's being used by all types of cyber criminals with various objectives now; the barrier to entry is much lower."
Adding to the criminality of it all, there is also, of course, a thriving underground network of violent criminals willing to physically harm and intimidate victims into paying extortion demands.
Violence as a Service
When we hear about hiring goons online it harks back to the early dark web myths of being able to hire assassins and the like. However, there is a very real market available to violent criminals that's being exploited by doxxers to physically intimidate and sometimes assault victims until they give in to extortion demands.
Larsen said he believes the services on offer to doxxers now are genuine, unlike those bogus assassin-for-hire schemes, for example. There are individuals who are well known in the cybercrime underworld who offer escrow services and proof of work that suggests the violence-as-a-service market is real.
"I've seen people get doxxed and that ended up in them being bricked, getting their house shot up, getting a molotov thrown through their windows, gang stalked, all in an attempt to extort them for money," said Ego.
"Then there's those who take it a step further and break into the residence, torturing these individuals with anything from cutting their fingers off to killing them, all to take the cryptocurrencies they behold. Things get pretty wicked online, much more than people realize.
"There have been instances where young teenagers were subjected to days of torture before being discarded in a ditch. These acts were usually driven by the motive to acquire cryptocurrency. It's wild to think about, but I suppose if I were face-to-face with someone holding $40 million in crypto, I might be tempted to take similar actions."
There was, of course, the high profile case in June where the 24-year-old international crypto-robbing gang leader Remy St Felix was convicted after carrying out a vicious attack on an elderly couple in North Carolina.
St Felix, who himself was far from saintly, was part of a three-person crew that zip-tied the couple as they drained the husband's Coinbase account of more than $150,000. The criminal complaint alleged that St Felix threatened to cut off the husband's toes and genitals, before also threatening to shoot him and rape the elderly wife.
Larsen also obtained footage, not from Ego, of what Ego claimed was his former gang, ViLE, or someone they hired, approaching a victim's home and shouting "ViLE has come to get ya!" He also shared a screenshot of what appears to be a menu of sorts, listing the prices for different types of intimidation on offer.
Having someone "jumped" was available to targets in the UK, EU, and US for $170, and the prices increased with the severity of the crime. Want your target stabbed? $12,000, please. Or a kidnapping for you, sir? That will be $24,500.
The site with which Ego and Reiko were both affiliated, Doxbin, has a longstanding prohibition on direct threats of violence, but despite claiming this is adhered to strictly, Reiko showed his colors and his clear willingness to bend the rules in various cases, said the infoseccer.
Larsen noted that many pastes include messages that encourage the victim to kill themselves or rile the wider doxxing community into harming them further – messages that are left unmoderated by site admins like Reiko.
Reiko said: "I wouldn't consider this a threat of violence… As for the suicide stuff. I wouldn't say it's a threat of violence at all. Technically, nobody is being threatened.
"An example of this is in my paste on Courtney where I stated the following: 'Oh! And as a final note to Courtney. Stop threatening people with your suicide. Nobody would truly miss you if you decide to do it. Not your mother, your sister, your friends, your relatives, or anyone remotely close to you. Please go through with it.'
"This is not a threat of violence as nobody has been threatened. As for similar statements, there's a huge difference between 'I'm going to murder you' and 'you should kill yourself'."
De-doxxifying
Unless you live in Alabama or any other region where doxxing is specifically outlawed, there aren't many legal levers that can be pulled to reverse a public identification of an individual who has worked to remain anonymous online.
Doxbin removed its feature allowing victims to pay for their data to be wiped from the site, and Larsen noted that the site publishes a transparency report that it says lists all the government takedown requests it receives.
However, of the 141 requests made, only 43.4 percent have resulted in the removal of data.
"It's clear that Doxbin uses the transparency report to masquerade as running a legitimate website that complies with government requests," said Larsen. "However, they are operating in a legal gray area due to gaps in US policy.
"They've carefully constructed their terms of service to exploit these gaps and avoid legal liability. Due to these gaps, policy changes are required to better protect victims, by persecuting doxing platforms and perpetrators."
The US Department of Homeland Security suggests enabling privacy settings on social media, using complex passwords, multi-factor authentication, and limiting the amount of personal information you share online to avoid being doxxed.
Ego recommends using unique email addresses/usernames as well as passwords on all accounts. VPN use is a good shout, as is avoiding putting your full name anywhere online or posting pictures of friends and family.
Larsen recommended avoiding SMS-based two-factor authentication as a great way to avoid the worst consequences of doxxing. Should an attacker use an emergency data request to acquire a victim's email address and phone number, they'll try to SIM swap them and take over an email account (and others) this way.
Blurring one's home on Google Maps and fitting external security cameras may help deter potential intruders or physical attackers, too. ®