To Doxx or Not to Doxx, Is it Even a Question?


Posted by Greg McDonough

For better or worse, a majority of people are creating ever-increasing digital footprints throughout their lives. While this may come with conveniences like seamless shopping and sharing vacation photos with friends at the click of a button, these luxuries can come at a high cost. The growing trend of doxxing, which is the publicizing of private information about individuals online, preys upon digital information as a means of attack, and can result in serious threats in real life.

Weaponizing Personal Information

Doxxing is the product of an open source intelligence (OSINT) attack. In OSINT attacks, bad actors leverage information that is publicly available via resources ranging from simple-to-find social media posts and company bios to more difficult-to-locate information known as “grey data,” which often includes more obscure records. The term doxxing is thought to have been coined by the hacker group Anonymous, where “doxx” was used as a shorthand for “documents” and “doxxing” referred to the act of “dropping documents” that exposed personal information on targets. While some people may wonder, “where is the harm in releasing information that is already available?” the issue with doxxing is that it weaponizes private information such as phone numbers, addresses, family details, and various other pieces of information in an effort to intimidate, coerce, or shame an individual or group.

Recent examples of doxxing as a means of intimidation include the launch of the website “Dogequest,” which was designed with the express intent of protesting Elon Musk, the CEO of Tesla, and his involvement in the Department of Government Efficiency (DOGE). The website, which prominently featured the not-so-subtle image of a Molotov cocktail, attempted to doxx Tesla owners by providing personal information including the names, addresses, and phone numbers of purported Tesla customers, with a promise to remove this information once proof was submitted that the vehicles had been sold.

In April of this year, Collin County judge Angela Tucker was doxxed for her decision to lower the bail for Karmelo Anthony, the suspect in a stabbing death that took place at a Frisco track meet. The family members of the victim in this case, the Metcalfs, were also doxxed and targeted in several “swatting” attacks. Swatting, which is closely tied to doxxing, occurs when an attacker falsely notifies authorities of an imminent threat at the location of their target. This attack is meant to harass and intimidate and has even resulted in death.

Global Lawmakers Taking Action

In order to stem the increasing frequency and severity of doxxing incidents, lawmakers at the state level are tackling doxxing through legislation such as the bill the Georgia Senate passed in March of this year. The law, which defines doxxing as posting another person’s “personally identifying information without their consent,” aims to broadly define the issue and prevent its spread. At the federal level, Congressmen from both sides of the aisle have joined together to request funding to aid in the removal of personal information belonging to federal judges, who have seen a startling increase in the number of threats leveled against them over the past few years. The problem with doxxing is not unique to the United States. Countries such as Australia, China, Germany, and the Netherlands have all recently enacted laws specifically prohibiting doxxing, while many more have existing policies that can be broadly interpreted as a means of prohibiting the practice.

How to Protect Yourself from the Misuse and Abuse of Open Source Intelligence

The thought of someone tracking a person through their digital footprint and using that information to harass, intimidate, or even cause them physical harm is a terrifying proposition. With that in mind, there are a number of recommendations that everyone should consider when attempting to safeguard their digital privacy.

As is true with any cybersecurity threat, the first step should always be to become educated on the techniques and approaches that bad actors use. Zoey Lindsey, a security strategist, recently spoke on doxxing at RSAC™ 2025 Conference. During her presentation “Making OSINT Education Practical: Why Don’t You Go Dox Yourself?” Lindsey relays the axiom “I hear, and I forget. I see, and I remember. I do, and I understand” to explain the importance of going through the process of doxxing oneself, both as the first step in learning what is and is not possible for attackers and as a method for understanding personal digital liabilities. With this information in hand, Lindsey recommends “reviewing, restricting, and removing,” as a process of managing a digital footprint. Essentially, after reviewing what information is out there, it is up to the individual to determine their own level of risk, restrict access to information like social media profiles to select users, and then remove information that is too sensitive for anyone to access.

Other experts recommend using fundamental cybersecurity practices such as employing advanced authentication techniques to secure accounts and using strong, unique passwords. It is also of the utmost importance to be cognizant of spear phishing campaigns, which are sophisticated social engineering attacks that employ the information contained in an individual’s digital footprint to create scams and approaches specifically tailored to the intended target. 

Cybercriminals will use any advantage that they can find to gain leverage over their victims. In the case of doxxing attacks, bad actors will use publicly available information to identify, locate, intimidate, harass, and in some instances, even physically confront their targets. This information can also be used to compromise accounts and steal identities. For effective cybersecurity, it is necessary to assess what liabilities a digital footprint creates and what levels of risk are acceptable. In terms of information that is publicly available, this is certainly a scenario where less is more.

Contributors
Greg McDonough

Cybersecurity Writer, Freelance

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

