What is Doxxing?

Doxxing (also spelled doxing, derived from “dropping documents”) is the act of researching and publicly publishing private or personally identifiable information (PII) about an individual without their consent, typically with the intent to harass, intimidate, or harm them.

The term originated in hacker communities where exposing a rival’s real identity was used as retaliation or leverage. It has since become a widely recognized form of online harassment targeting private individuals, public figures, journalists, executives, and political figures.

How Doxxing Works?

Doxxing typically combines several information-gathering techniques:

Social Media Harvesting:

Pulling profile details, location check-ins, tagged photos, and relationship networks from public or semi-public accounts

WHOIS Lookups:

Retrieving personal contact details of a domain registrant when privacy protection was not enabled at registration

People Search Aggregators:

Sites that compile public records, address histories, and phone numbers into searchable databases

Data Breach Cross-referencing:

Using leaked databases to link an email address to a real name, phone number, or physical address

Automated Data Scraping:

Tools that assemble personal profiles by pulling and correlating data across multiple sources. The US National Association of Attorneys General has noted that automated scraping tools allow bad actors to assemble personal profiles with significantly reduced manual effort compared to earlier methods

Types of Doxxing

De-anonymization:

Unmasking the real identity behind an anonymous or pseudonymous online account. Commonly used against activists, whistleblowers, and online personalities.

Location Targeting:

Identifying a person’s home address, workplace, or daily routine to enable physical harassment or stalking.

Third-party Doxxing:

Exposing information about a target’s family members, friends, or associates to apply indirect pressure.

Swatting:

A physically dangerous extension of doxxing where the attacker uses the victim’s address to make a false emergency call, sending armed police to the victim’s location. Tyler Barriss was sentenced to 20 years in federal prison in 2019 after a swatting call he made resulted in the fatal shooting of an uninvolved person.

The Legal Landscape

United States:

As of June 2025, three states, Alabama, California, and Illinois, have established doxxing as a standalone crime with an explicit statutory definition. Fourteen additional states have established doxxing as a standalone offense without naming it explicitly in statute. At the federal level, the Protecting Law Enforcement from Doxxing Act (H.R.5118) was active in the 119th Congress. Federal prosecutors also apply existing stalking, cyberstalking, and harassment statutes to doxxing cases.

Australia:

Following a 2024 incident in which personal information of over 600 academics and public figures was leaked alongside threats, the Australian government introduced new laws specifically criminalizing doxxing.

Publishing “publicly available” information is not automatically legal when the intent is harassment and the result is demonstrable harm.

Corporate Risk

The Security Executive Council tracked a 313% increase in total executive targeting incidents between 2023 and 2025. In May 2025, a site published full names, business emails, mobile numbers, compensation details, and LinkedIn profiles of hundreds of Fortune 500 executives. The data was archived and remains indexed.

Doxxed employees can also become social engineering entry points. Personal details obtained through doxxing are used to craft more convincing phishing attacks or to impersonate the employee internally.

Dark web markets offer paid doxxing services where a client submits a target’s name and receives a compiled dossier, lowering the barrier to coordinated attacks.

How to Protect Yourself?

Proactive steps:

• Review and tighten social media privacy settings and remove location data from posts and profiles
• Opt out of people search aggregator sites manually or using a removal service
• Enable WHOIS privacy protection on any domains you own
• Use a PO Box or virtual mailbox instead of a home address for public-facing registrations
• Enable multi-factor authentication on all accounts
• Use different email addresses across services to reduce cross-platform correlation

If you are doxxed:

• Screenshot and document everything immediately with timestamps
• Report the content to the platform where it was posted
• File a police report, particularly if threats are included
• Notify your employer if work-related details were published
• Contact your financial institution if financial information was exposed
• Consider a credit freeze if identity documents or financial data were published

Key Takeaways

• Doxxing is the non-consensual publication of private information, typically with intent to harm
• Around 11.7 million US adults reported being doxxed in 2025
• Methods range from manual social media research to automated scraping across multiple data sources
• 17 US states had established doxxing as a specific offense by mid-2025
• Executive targeting incidents tripled between 2023 and 2025, making this a significant corporate risk