Wikipedia Deep Dive

Doxing

10 min read

In 2012, a Gawker reporter named Adrian Chen published a story revealing that one of Reddit's most notorious trolls—a user called Violentacrez who posted sexualized images of minors and other disturbing content—was actually a programmer from Texas named Michael Brutsch. The backlash was swift, but not in the direction you might expect. Reddit users didn't celebrate the unmasking of someone posting vile content. Instead, they accused Chen of "doxing" and declared war on Gawker.

This was one of the first times the term "doxing" entered mainstream conversation, though the practice itself was much older.

What Doxing Actually Means

Doxing—sometimes spelled "doxxing"—is the act of publicly revealing someone's personal information without their consent, usually online. The word comes from hacker slang: "dropping dox," where "dox" is a deliberate misspelling of "docs," short for documents. It means compiling and releasing a dossier of personal details about someone—their real name, home address, phone number, workplace, family members, or any other information that was previously private or hard to find.

The information itself might come from different sources. Sometimes it's aggregated from public databases, social media profiles, and other legally accessible records. Other times it's obtained through hacking, social engineering, or other criminal methods. The legality depends on how the information was gathered and what's done with it afterward.

A Tactic Born in Hacker Culture

According to Wired contributor Mat Honan, dropping dox emerged as "an old-school revenge tactic" in hacker culture during the 1990s. Hackers operating outside the law used it as a weapon: if you breached someone's anonymity and exposed who they really were, you could subject them to harassment, legal consequences, or worse.

This is why doxing carries such a negative connotation. It violates privacy as a form of punishment or revenge.

But the concept predates the internet entirely. Publishing people's personal information as a form of vigilante justice goes back centuries. In the 1760s, radical groups like the Sons of Liberty in the American colonies harassed tax collectors and British loyalists by publishing their names in pamphlets and newspapers. If you didn't comply with boycotts on British goods, your name might appear in print, marking you as a target for public shaming or worse.

The Internet Makes It Easier—and More Dangerous

The first prominent examples of doxing on the internet appeared in the late 1990s on Usenet discussion forums. Users circulated lists of suspected neo-Nazis and racists. Around the same time, an anti-abortion website called the Nuremberg Files published the home addresses of abortion providers with language that seemed to encourage visitors to stalk and kill the people listed.

These weren't just exercises in naming and shaming. They were calls to action, designed to put people in physical danger.

The practice exploded in visibility during Gamergate in the mid-2010s. Participants in that harassment campaign became notorious for releasing sensitive information about their targets—often women in the gaming industry—with the explicit intent of causing them harm. Caroline Sinders, a research fellow at the Center for Democracy and Technology, later said that "Gamergate, for a lot of people, for mainstream culture, was the introduction to what doxxing is."

When Is Unmasking Someone Journalism, and When Is It Doxing?

From 2014 to 2020, much of the debate around doxing centered on a thorny question: when is revealing someone's identity a legitimate act of journalism, and when is it an invasion of privacy?

In 2014, Newsweek attempted to identify the pseudonymous creator of Bitcoin. Cryptocurrency enthusiasts accused the magazine of doxing. In 2016, an Italian journalist tried to uncover the identity of Elena Ferrante, the pseudonymous author of the acclaimed Neapolitan novels. Critics called it gendered harassment. Vox referred to the investigation as "the doxxing of Elena Ferrante."

In 2020, The New York Times indicated it was planning to publish the real name of the California psychiatrist who ran the popular blog Slate Star Codex. The blogger shut down his site in protest, claiming the Times was threatening his safety. He said the resulting backlash caused the Times to lose hundreds or thousands of subscriptions.

And in 2022, BuzzFeed News reporter Katie Notopoulos used public business records to identify the previously anonymous founders of the Bored Ape Yacht Club—a wildly popular NFT project. One of the founders, Greg Solano, said he "got doxxed against [his] will," even though the information came from publicly filed business documents.

These cases illustrate the tension. Journalists argue they're doing their job: investigating public figures and revealing information the public has a right to know. Those being identified argue they have a right to privacy, even if they have influence or run profitable projects.

Doxing as a Political Weapon

In April 2022, Washington Post reporter Taylor Lorenz revealed that the person behind the influential Twitter account Libs of TikTok was Chaya Raichik, a real estate professional. Right-wingers immediately accused Lorenz of doxing, even though Raichik's account had significant political influence and Lorenz used standard journalistic methods to identify her.

The Gaza war that began in October 2023 saw a surge in doxing in the United States, particularly targeting students involved in Palestinian activism. Pro-Israel groups including the Israel on Campus Coalition and Canary Mission published public dossiers documenting activists' participation in protests and campus organizing.

Right-wing advocacy group Accuracy in Media sent trucks to Yale and Columbia displaying the names and faces of students involved in anti-Israel activism under banners labeling them "leading antisemites." Canary Mission published the identities and images of Harvard students who circulated an open letter holding "the Israeli regime entirely responsible for all unfolding violence" following the October 7th attacks.

These weren't just naming people. They were painting targets on them, inviting harassment and professional consequences.

Doxware: When Malware Threatens to Expose You

In 2003, cryptography researchers Adam Young and Moti Yung presented a new kind of cyberattack at West Point. They called it "doxware"—a form of malicious software that steals your data and threatens to publish it unless you pay a ransom.

It's the inverse of ransomware. In a ransomware attack, the malware encrypts your files and demands payment for the decryption key. You can't access your own data until you pay. In a doxware attack, you still have access to your data—but the attacker threatens to release it publicly unless you pay up.

The attack is rooted in game theory. As Young and Yung wrote in their book Malicious Cryptography, "the victim retains access to the information but its disclosure is at the discretion of the computer virus."

Doxware turns your own data into a weapon against you.

What Happens After Someone Gets Doxed

Once someone's personal information is public, they become vulnerable to a range of harassment tactics. Some are annoying: fake food deliveries, magazine subscriptions signed up in their name, mail bombing. Others are terrifying.

"Swatting" is one of the most dangerous. Someone files a false police report—claiming there's a hostage situation or active shooter at the victim's address—triggering an armed emergency response team to show up at their door. It's illegal in most jurisdictions and can result in fines up to two thousand dollars, six months in jail, or both. More importantly, it puts lives at risk. People have been injured and killed in swatting incidents.

Hackers may also use doxed information to break into someone's online accounts, take over their social media, or extort them. Sometimes the doxing itself is just the first step—a way to gain power over the victim through intimidation.

Doxing has also been documented as a form of intimate partner violence. In a 2018 study on digital abuse, 28 out of 89 participants—both professionals and survivors—reported that abusers exposed victims' private information to humiliate, shame, or harm them. This sometimes included sharing intimate images or impersonating the victim online.

Why Do People Dox?

Motivations vary. Some people dox to reveal harmful behavior and hold someone accountable—like exposing a person posting racist content under a pseudonym. Others do it to embarrass, scare, threaten, or punish. It's frequently used in cyberstalking, making victims fear for their physical safety.

Researchers have noted that some instances of doxing can be justified—particularly when they reveal genuinely harmful behavior—but only if the act also serves the public interest. The line between legitimate exposure and vigilante harassment is often blurry and contested.

Protecting Yourself: The Rise of Anti-Doxing

As doxing has become more common, so has the push for better cybersecurity and privacy protections. The Online Privacy Alliance and various companies now offer anti-doxing services. High-profile institutions like the University of California Berkeley have published online guidance for protecting community members from doxing.

Eva Galperin from the Electronic Frontier Foundation offered this advice in a Wired article: "Google yourself, lock yourself down, make it harder to access information about you." That means auditing what's publicly available about you online, locking down your social media profiles, using privacy settings, and being careful about what personal information you share.

Legal Responses Around the World

Different countries have taken different approaches to criminalizing doxing.

In 2024, Australia announced new legislation making doxing punishable by jail time, following an incident where the personal details of over 600 Jewish Australians from a WhatsApp group were leaked. Some received death threats. The proposed law received bipartisan support from Prime Minister Anthony Albanese's government.

Hong Kong made doxing a criminal offense in 2021, defining it as releasing private information "for the purposes of threatening, intimidation, harassment or to cause psychological harm." Convictions carry up to five years imprisonment and fines up to one million Hong Kong dollars—about 128,000 US dollars.

Germany added doxing to its criminal code in September 2021 under the offense of "endangering dissemination of personal data." Publishing freely accessible data can result in up to two years in prison or a fine. Publishing non-public data carries up to three years. The law includes exceptions for journalism, education, and historical research.

The Netherlands passed anti-doxing legislation in 2024, making it a felony to share personal data with intent to intimidate, harass, or hinder someone's work. Penalties include up to two years in prison or fines of about 28,000 US dollars, with increased penalties when targeting public figures.

South Korea is one of the few countries with a statute specifically addressing doxing. Article 49 of its information and communications law prohibits unlawful collection and dissemination of private information sufficient to identify specific people. In practice, though, prosecutions often rely on broader defamation and harassment statutes.

Russia's Article 137 on "Invasion of Personal Privacy" makes public sharing of personal information via mass media, internet, or public events a crime punishable by fines, compulsory labor, corrective labor, forced labor, arrest, or imprisonment—with sentences up to two years and potential bans on holding certain positions.

China's 2020 "Regulations on the Ecological Governance of Online Information Content" explicitly prohibit users and platforms from engaging in "online violence, doxing, deep forgery, data fraud, account manipulation and other illegal activities."

The Unresolved Tension

Doxing remains deeply controversial because it sits at the intersection of competing values: privacy versus transparency, anonymity versus accountability, protection versus exposure.

Is revealing someone's identity an act of journalism or harassment? Does it depend on who they are, what they've done, or how much influence they wield? If someone spreads hateful rhetoric under a pseudonym, does the public have a right to know who they are? And who gets to decide?

These questions don't have easy answers. What's clear is that doxing—whether used to expose wrongdoing or to terrorize innocent people—has become a permanent feature of online life. The challenge now is figuring out how to draw meaningful lines between legitimate investigation and weaponized exposure, between accountability and abuse.