Domestic violent extremists (DVEs) in the U.S. are increasingly exposing personal information of public and private sector leaders with harmful intent. While DVE doxing historically targeted political rivals or other extremists, recent patterns show a wider range of targets, including government officials, executives, and institutional leaders. These doxing incidents often occur after these individuals or their organizations take controversial stances on topics such as geopolitical issues, diversity policies, or political views.
Increasing Risks: The Surge in DVE Doxing and Dox Protection Strategies
Insikt Group analyzed three DVE doxing cases, focusing on the attackers, their targets, and the methods used. The research revealed that those targeted by DVEs face increased risks, including harassment, stalking, protests, surveillance, physical attacks, and cyber threats. Doxed individuals and organizations also suffer significant financial and reputational damage due to negative campaigns. A sharp rise in doxing, especially against corporate leaders, was observed in 2023, with a SafeHome survey reporting that 11 million Americans have been doxed.
Factors like geopolitical events, the 2024 US election, and businesses engaging in social justice issues are expected to drive further DVE doxing efforts. Leaders who make public statements on controversial topics may become targets of DVE campaigns.
To mitigate the risks, leaders should improve cyber hygiene, use threat monitoring services like Recorded Future Intelligence Cloud, and reduce their digital footprint by removing personal information from public platforms. Regular audits and preparations for potential doxing events are crucial. If a doxing incident occurs, it’s essential to document the situation, assess the risks, address the source of the leak, and involve law enforcement if needed.
Extremist Doxing Exposures: Doxing Drivers and Techniques
Doxing involves publicly releasing personal information online to harm the individual, often with malicious intent. Originally emerging from hacker communities, it has been adopted by various groups, including extremists, political activists, and cybercriminals. These groups use open-source research or illegal methods like hacking, theft, or data breaches to gather personal information. The doxed data is typically shared on paste sites, social media, and other public platforms, spreading quickly across the web.
For Domestic Violent Extremists (DVEs), doxing serves as a tool for escalating physical and cyber threats against their targets, including harassment, surveillance, and potential attacks. Even minimal personal information, such as home addresses or phone numbers, can fuel campaigns of intimidation or violence, like “swatting” incidents, where false emergencies are reported to law enforcement. Doxing itself often marks the target as legitimate for further action, making it a precursor to more serious threats.
DVEs target individuals they perceive as ideological enemies, which varies by group. For example, white supremacists might target minorities or public officials, while anti-abortion extremists focus on healthcare providers. Doxing is driven by:
- Threatening: To enable further attacks or intimidate victims and their families.
- Retaliation: Doxing those who have opposed or exposed DVE actions.
- Demonstrating Capabilities: To showcase proficiency in open-source intelligence (OSINT) and enhance credibility within DVE circles.
Doxing is attractive to DVEs due to its simplicity. By accessing basic personal information, easily found on people search sites and public records, DVEs can effectively target individuals without using complex tactics. In some regions, doxing may not even be illegal, making it a safer alternative to more direct threats that could lead to prosecution.
Once gathered, the information is often compiled into a “dox file,” which is then published on platforms that support DVE ideologies. To avoid platform bans, extremists may use dark web services, paste sites, or web archiving tools to ensure the dox remains accessible.
In recent years, DVEs, especially from groups like white supremacists and anarchists, have broadened their targets to include high-profile individuals, such as government leaders, corporate executives, and influential figures in media, education, and non-profits. This surge in doxing has raised concerns about the safety of public figures, as outlined in a 2022 National Counterterrorism Center report, which highlighted the risks of physical and virtual surveillance against public officials.
DVE Doxing Efforts and Doxes
Insikt Group analyzed three dox files shared by DVEs through platforms like Telegram, anarchist websites, and Doxbin. These files exposed personally identifiable information (PII) of 39 victims. Case #1 involved a white supremacist targeting a US citizen with differing political views. Case #2 featured an anarchist targeting a mayoral advisory council composed of business and educational leaders. Case #3 was another white supremacist attack on a business executive and their family due to an advertising campaign. To protect privacy, victim details are anonymized, and we use generic descriptions of the attackers and their motives.
We employed a modified version of the Diamond Model of Intrusion Analysis to examine the dox files. The model highlights four key aspects of doxing: the threat actor, their motivations, the methods used to gather personal information, and how the information was published. Each component of the doxing event is broken down in our analysis to understand the attackers’ tactics, techniques, and procedures (TTPs), their target selection, and how they distribute the dox.
Our analysis of the DVE’s methods to obtain PII is based on Insikt Group’s OSINT investigations. We reverse-engineered the campaigns by using OSINT techniques to identify the sources DVEs accessed to gather victim information. This process allows us to understand the data used to target victims and assess the overall threat.
Dox #1: White Supremacist Doxes Political Rival in US Doxing Case
In October 2023, DVE Threat Actor #1 exposed the personal information of Victim #1, a private citizen from Tennessee, allegedly due to the victim’s criticism of certain groups. The doxing included the victim’s birthdate, phone numbers, home address, social media links, email, online account details, and a photo of their house. The threat actor likely collected this data from the victim’s social media, people search sites, OSINT tools like search[.]0t[.]rocks, and Google Maps. The dox files were shared on PasteBin, its archived version, and dark web paste site dump[.]li.
DVE Adversary #1
DVE Threat Actor #1 primarily operates on Telegram, where they frequently engage with and support US-based white supremacist groups, particularly in the Southeast. This indicates a likely affiliation with active clubs in Tennessee, Kentucky, North Carolina, or Virginia. The channel hosting Dox #1 was launched in May 2023 but has been suspended and replaced with multiple versions. Beyond spreading extremist material and operational security guides, the channel has been active in doxing individuals considered enemies of the white supremacist and neo-Nazi movements.
While DVE Threat Actor #1 claims to be independent, their activities show strong ties to local active clubs and Patriot Front, a national network of such groups. They’ve reposted propaganda from Patriot Front and collaborated with its youth wing, “Patriot Youth.” Notably, in September 2023, they worked with Patriot Youth to infiltrate the American Iron Front’s Discord channels, exposing members and leaking their information.
DVE Threat Actor #1 has also been linked to the Tennessee Active Club (TAC), a group that organizes protests against LGBTQ events and has ties to Patriot Front. Based in Nashville, Tennessee, TAC’s leader, Sean Kauffman, has been involved in political campaigns, including a 2023 mayoral race where TAC members supported a candidate and threatened opponents. A video interview with the candidate, highlighting the TAC’s ideology, was posted on DVE Threat Actor #1’s Telegram channel, suggesting their active involvement in the group’s recruitment and messaging efforts.
Subject (Victim #1)
Dox #1 targeted Victim #1, a private individual from Tennessee, likely due to their opposition to a political candidate supported by DVE Threat Actor #1. While the attacker claimed the doxing was a response to the victim’s criticism of active clubs, the real motivation appears to be the victim’s outspoken disapproval of the mayoral candidate. Victim #1 had regularly criticized the candidate on social media leading up to the dox in October 2023. After the doxing, Victim #1 confirmed the incident but clarified they had only criticized the candidate, not active clubs.
Victim #1 was an atypical target for DVE Threat Actor #1, as they were neither affiliated with opposing extremist groups nor a public figure. This suggests the attack was politically motivated, and the fact that the victim did not employ operational security or cyber hygiene likely made it easier for DVE Threat Actor #1 to gather extensive personal information. The victim was unaware that their online political activities could attract such extreme attention.
Abilities
DVE Threat Actor #1 likely used four main sources to dox Victim #1: social media, people search websites, Google Maps, and the OSINT tool search[.]0t[.]rocks, which aggregates data from online breaches. Victim #1’s social media account was probably the starting point, where the victim frequently expressed political views. This was used as an input for search[.]0t[.]rocks, which helped collect additional personal information. Although the victim also posted about the mayoral campaign on Facebook, those details were not included in the dox, suggesting that the primary focus was the social media profile.
After reviewing the victim’s social media, DVE Threat Actor #1 likely turned to people search sites for further data, including the victim’s date of birth, phone numbers, email addresses, and home addresses. The dox file lists multiple pieces of personal information, including a full date of birth, several phone numbers, and various addresses, identifying the most recent contact details by cross-referencing with information from search[.]0t[.]rocks. Additionally, an image of the victim’s house was included, probably sourced from Google Maps Street View.
DVE Threat Actor #1 also utilized search[.]0t[.]rocks, which queries a vast database of data breach records, to gather more details. The tool, popular within the doxing community, allows users to search for personal information based on usernames, names, and emails. The results from this tool were integrated into the dox, confirming details like the victim’s email and date of birth, which matched a record from the 2021 Unknown Consumer data breach.
Operational Framework
Dox #1 includes two separate files, shared via multiple platforms, with links posted in October 2023 on DVE Threat Actor #1’s Telegram channel. The main dox file was accessible through three URLs: Pastebin, an archived Pastebin page via the Wayback Machine, and a .onion page on dump[.]li. The second file, containing search[.]0t[.]rocks data, was only available on a .onion dump[.]li page. This variety of formats suggests that DVE Threat Actor #1 anticipated potential takedowns or enforcement actions on mainstream platforms.
DVE Threat Actor #1 has shifted their focus to dark web hosting after facing content removal on surface web sites and Telegram. In September 2023, they announced on Telegram that their main channel had been removed and they planned to move further activity to more secure platforms. This shift likely aims to enhance their credibility among other DVEs, as operating on the dark web signals expertise in cyber and operational security.
In previous doxing campaigns, DVE Threat Actor #1 has also utilized other dark web infrastructures, such as Zerobin and Stronghold Paste, to host dox files. Notably, a 2023 dox of an antifascist activist was published via a .onion Zerobin page, and other links were shared through .zip files hosted on FileDump.
Dox #2: Anarchist Doxes Mayoral Advisory Board via Doxx Website
In September 2023, DVE Threat Actor #2 exposed the personal information of 34 executives and leaders from major companies and educational institutions, all members of an advisory council for the mayor of Atlanta, Georgia. The group claimed their motive was to target these individuals for their alleged ties to corrupt corporate interests influencing the local government. The dox included full home addresses for 30 victims and partial addresses for four others, likely sourced from county assessor sites. This information was published on a “counter-information” website used by anarchist violent extremists (AVEs) to share doxing materials and claim responsibility for actions.
DVE Adversary #2
DVE Threat Actor #2 is likely an individual, not a formal organization, with ties to anarchist movements in the greater Atlanta area. Their use of a unique pen name, the focus on certain targets, and their hosting of communications on an anarchist-affiliated website suggest they are based in Atlanta.
This actor is almost certainly involved in the ongoing anarchist opposition to the Atlanta Public Safety Training Center (APSTC), or “Cop City.” The “Stop Cop City” and “Defend the Atlanta Forest” protests, which began in 2021, have escalated into violent clashes with law enforcement. In response to these protests, over 60 activists were charged with domestic terrorism offenses in August 2023. DVE Threat Actor #2’s doxing of 34 individuals, members of an advisory council for the APSTC, appears to be a retaliatory act after the Atlanta Municipal Clerk’s office posted personal information of referendum signatories opposing the project in September 2023.
Since June 2023, DVE Threat Actor #2 has targeted over 100 victims, including government officials and business leaders connected to the APSTC project. These doxes, compiled into PDFs, include personal details such as addresses of city council members and local officials in Atlanta.
Subject (Victims #2-35)
Dox #2 targeted 34 executives and leaders from major companies and universities, all members of an advisory committee to Atlanta’s mayor. DVE Threat Actor #2 doxed these individuals due to their perceived influence on the mayor, hoping to pressure them into convincing the mayor to halt the APSTC project.
Victims #2-35 included C-suite executives from various industries and presidents of six universities. Of these, 21 were based in Atlanta, 10 elsewhere in Georgia, and 3 out of state. However, the accuracy of the addresses provided for those outside Georgia was lower, suggesting the threat actor primarily used county assessor data to gather the victims’ information.
Abilities
DVE Threat Actor #2 likely used county assessor websites, particularly the Fulton County Board of Assessors, to gather data on Victims #2-35. They probably began by searching property data and then supplemented this with people search websites and other open sources. For victims without a Fulton County address, the threat actor likely relied more on secondary sources. This is evident from several patterns:
- Addresses for Fulton County residents, excluding university presidents, match the format used by the county assessor.
- Most addresses for non-Fulton County Georgia residents align with people search website formats.
- Non-Georgia residents’ addresses are vague, often referring to broad locations like “a major metropolitan area.”
The dox file only included names, titles, companies, and residence data for the victims. To assess the threat actor’s methods, we investigated a sample of 10 victims, with a mix of Fulton County residents, other Georgia residents, and one non-Georgia resident.
For the six Fulton County victims, the data in the dox file precisely matched the county assessor’s records, including exact address formatting. However, for four of these victims, reverse address searches on people search websites yielded no results, suggesting they had removed their personal information from these platforms.
For the non-Fulton County victims, two addresses matched county assessor data, while one victim’s address matched a people search website. For the out-of-state victim, the dox file listed a vague address, similar to other non-Georgia victims’ information, indicating reliance on secondary sources for this data.
Operational Framework
Dox #2 was first published in September 2023 on an anarchist counter-information platform hosted on Noblogs, which focuses on anarchist protests, claims of responsibility, attack guides, and AVE activities, particularly in Atlanta. The post was likely removed after Noblogs administrators received a complaint regarding the doxing violation. In response, the administrators launched a new site on BlackBlogs, a platform that does not restrict doxing. This site specifically states its purpose is to share content that would breach Noblogs’ terms of service.
All doxes, including the September 2023 dox of Victims #2-35, were reposted on BlackBlogs. Additionally, Dox #2 has spread across other anarchist platforms, amassing over 2,100 views on one prominent site since its release.
Dox #3: White Supremacist Doxes Executive and Family Due to Advertising Campaign
In April 2023, DVE Threat Actor #3 exposed the personal information of Victim #36, a senior executive of a prominent US company, and three of their family members (Victims #37-39). The dox included derogatory language targeting Jewish and transgender individuals, with the stated reason for the attack being the company’s advertising campaign. The file contained Victim #36’s and their family’s addresses and phone numbers, likely sourced from people search websites.
DVE Adversary #3
DVE Threat Actor #3 is a frequent user of the doxing site Doxbin, having posted 188 dox files since March 2023. This actor targets journalists, celebrities, public figures, law enforcement, federal officials, and members of the Jewish community. Information in DVE Threat Actor #3’s dox of Victim #36 and others suggests alignment with the Goyim Defense League (GDL), a South Florida-based extremist group known for antisemitic campaigns. In April 2023, GDL founder Jon Minadeo shared a video of Victim #36 with offensive language, which was later mirrored in DVE Threat Actor #3’s dox file on Doxbin.
Unlike other DVE actors, DVE Threat Actor #3’s targets are not always aligned with DVE group interests. While some victims, like Victim #36, were likely chosen for ideological reasons, others appear to be targeted due to personal grievances, with the actor even referring to doxing as a “hobby” in online posts.
Subject (Victims #36-39)
Dox #3 targeted Victim #36, a senior executive at a major US company, and their family (Victims #37-39). In April 2023, the executive’s company launched a controversial advertising campaign, leading to calls for a boycott. Much of the backlash focused on Victim #36, believed to be responsible for the campaign. DVEs, along with political activists and influencers, were among the critics, with Victim #36 receiving death threats alongside doxing attempts.
White supremacist groups, including HandsomeTruth and the GDL, likely targeted Victim #36 under the assumption that they were Jewish, as evidenced by the use of triple parentheses around the name in both posts. These symbols are commonly used by such groups to indicate Jewish identity, and both posts included antisemitic slurs.
In addition to Victim #36, DVE Threat Actor #3 also doxed other members of the company. In April 2023, another executive and their family were doxed, and in June 2023, five more executives and their families were targeted. The dox files included personal details, likely sourced from people search websites, and pointed to Victim #36 as the campaign’s primary architect.
Abilities
DVE Threat Actor #3 is a persistent doxer but lacks advanced technical skills, as indicated by their dox files and admissions. The information in these files is primarily sourced from people search websites, and in a July 2023 dox, the actor claimed that the process was simple and didn’t require much expertise. Other users on Doxbin have confirmed they could independently retrieve the same data with basic searches.
The dox on Victim #36 includes personal details like full name, addresses, and phone numbers, as well as similar information for three family members. Insikt Group checked people search websites using the data from the dox, but several searches for Victim #36 yielded no results, suggesting the victim or their company may have requested the removal of their data. Some partial records for Victim #36 were found, but these likely weren’t the source.
However, the family members’ details (Victims #37-39) remain accessible on several websites. These records show the family members as associates, but no direct links to Victim #36 were found, indicating the victim likely focused on removing their own information but missed the family’s. Family members are often doxed to increase pressure on the primary target, with attackers potentially monitoring their activities to locate the target’s routine or vulnerabilities.
Operational Framework
Dox #3 was exclusively posted on Doxbin’s main clear net site and has not been found on other platforms or attributed to DVE Threat Actor #3 through further searches. It is the most viewed post on Doxbin, with over 1,400 views. Unlike its predecessor, the original Doxbin, which operated under a .onion domain until 2014, this current version functions openly on the clear net.
Doxbin was registered in 2010 by NiceNIC International Group Co. and is hosted by BPW, a Russian company. It also operates other clear net domains and a Telegram channel. Due to frequent takedowns by hosting providers, Doxbin has likely been hosted on other domains, including .onion TLDs. The platform has been used for doxing, swatting, and coordinating physical threats. The US Department of Justice links former Doxbin administrators to DVE groups, such as the neo-Nazi Atomwaffen Division, which used Doxbin between 2018 and 2019 for illegal activities, including swatting over 130 locations.
Countermeasures in Doxing Response
High-profile public and private sector leaders, including government officials, C-suite executives, and heads of organizations, are prime targets for DVE doxing. To reduce the risk, these individuals should implement strong cyber hygiene practices and prepare response plans in case they are targeted.
To minimize doxing risk, potential targets should:
- Regularly assess their online presence, possibly using red team exercises or services like Recorded Future’s Executive OSINT Investigations. Credit monitoring can help identify potential breaches.
- Remove personal and family details from people search sites using services like DeleteMe or ReputationDefender, or through free guides.
- Be cautious about sharing personal info on social media, public interviews, and conferences.
- Use trusted entities like lawyers or LLCs for real estate transactions to prevent PII from being published in public records.
- Follow basic cybersecurity practices, such as strong passwords, pseudonymous usernames, and VPN usage.
- Prepare a doxing response plan, which includes taking steps to mitigate harm once doxed.
- Encourage family members to adopt similar cyber hygiene practices, as threat actors may target family members as proxies.
If doxed:
- Contact law enforcement if there is an immediate threat.
- Document and archive the dox file, especially if illegal activity or a credible threat is involved.
- Assess the risk based on the exposed PII, such as home addresses, which can increase the likelihood of harassment or physical threats.
- Report the dox to platforms for removal and request search engines like Google to eliminate personal information from results.
Future Prospects: The Impact of Doxing in Incident Response and Threat Intelligence Article
While DVEs will likely continue targeting opposing DVE members and political activists, they will also increasingly target government officials, business leaders, activists, and other public figures. Doxing these individuals enables further threats like harassment, stalking, surveillance, and physical attacks, often making victims vulnerable to other forms of cybercrime, such as spear-phishing, social engineering, and extortion.
Public sector leaders, especially those involved in controversial policies or law enforcement actions against DVEs, are at higher risk of being doxed. In the private sector, leaders are more likely to be targeted after making contentious business decisions or taking public stances on political or social issues.
Upcoming geopolitical events, like the Israel-Hamas conflict, and the 2024 US presidential election will likely spur an increase in doxing activity targeting business and political leaders. Additionally, as companies adopt more visible social justice positions, DVEs opposing these actions may focus on doxing corporate executives associated with diversity, equity, and inclusion initiatives or support for minority groups.