Internet anonymity both protects and threatens our sensitive information. Aside from unconsented data scraping by Big Tech, doxxing is the biggest exploitation of our privacy. What started out as a method of one-on-one extortion has now become a lucrative business model, with the average culprit earning “well over six figures annually,” according to security researcher Jacob Larsen.

Doxxing has many forms. The first, and oldest, is the publication of an individual’s private information — such as name, home or email address, phone number, financial information, or workplace — online as an act of revenge. This can also be done after a failed threat to extort the individual to pay a ransom in exchange for their privacy, monetarily or otherwise.

Keeping personal data private isn’t just important to the user, it’s important to the people profiting off of it. Large corporations realized that they were sitting on a goldmine — raw data gathered from users or subscribers was described as the new oil, a valuable source for other companies to make informed, data-led decisions. But as Voltaire (and more importantly, Uncle Ben) said, with great power comes great responsibility. These companies took loudly marketed strides to protect the data — not necessarily out of concern for the user, but out of proprietorship.

Safe, meet safe robber. Doxxing experts and ransomware groups realized that they could exploit these companies twofold — threatening to leak prized databases threatens a company’s revenue stream as well as their reputation, making them a lucrative target and an easy bet. A safer bet? Commissioned attacks.

B2C doxxing: The Dark Web is home to many unsavory services that now include doxxing-on-demand. For as little as USD 150, you can order a complete profile on a person through Ran$umBin, which includes “email addresses, ISP information, known passwords, banking and credit card data, driver’s license number, as well as education, medical history, court, and property records.” Other less complete profiles, which include little more than a person’s name, date of birth, phone number, and address, run for USD 40 and USD 80.

Bounty hunters can earn a commission by doxxing for fun. Some Dark Web users will post information they collected onto Ran$umBin to be verified by the administrators. If the information proves credible, the doxxer receives a commission, and the victim receives an offer: for a fee, they can have their information deleted. The fee depends on which category the victim was sorted into, with average people receiving a lower price, but famous people, law enforcement agents, and sexual predators being charged more.

Ran$umBin makes it clear that it can indeed get worse. In the letter sent to the victim, they warn them that: “The longer the fee remains unpaid, the longer your identity [including SSN, DOB, Tax IDs, email logins, etc.] will be public, leaving it open for people to establish bank accounts and other lines of credit with your identity.”

Legal protection against doxxing doesn’t exist in common legislation, and other doxxing entities aren’t as egalitarian as Ran$umBin. Doxbin, the most popular doxxing website, which describes itself as a third-party “Whitepages alternative,” refuses to remove any information posted on its site unless it breaks the website’s terms of service, which only protects minors or people whose leaked information has led to threats of physical violence. “If a [post] does not break our rules, there is nothing we can do,” their website states. “It is your sole responsibility to manage and uphold your online anonymity. You are not intuitively guaranteed [that] right.”

Can you really protect yourself from being doxxed? Larsen interviewed Ego, a contributor in the doxxing community and member of ViLe, a cybercrime group that broke into a federal law enforcement database and ran a blackmail scheme based on information gathered from that portal. Cybersecurity measures, like “not reusing passwords across apps and websites, locking social media accounts and not posting photos and personal information, and turning on multifactor authentication for as many accounts as possible” are common-sense practices that can help protect you from having your information exploited, says Larsen. “Let’s be real,” said Ego, “no matter how careful you are, someone might still track you down.”