On March 15, 2019, a white supremacist shot and killed 50 Muslim worshippers at two mosques in Christchurch, New Zealand. Six weeks later, another white supremacist shot and killed one Jewish worshipper and injured three others at a synagogue in Poway, California. Although the men who committed the attacks had never met or spoken, they had both spent countless hours lurking on 8chan, a surface web forum dedicated to “radical free speech” that proudly refers to itself as “The Darkest Reaches of the Internet.”
In 8chan’s largely anonymous and unconstrained culture, users often advocate violence and trolling campaigns meant to intimidate critics or public figures. This has led to a rise in doxxing—the practice of posting personally identifiable information about a person or organization on the internet. Information revealed in these attacks can range from addresses and phone numbers to much more sensitive information, such as social security numbers, social media and email passwords, and information about a target’s family members. People who have been doxxed may receive thousands of unsolicited phone calls, letters, or threats. More concerningly, personally identifiable information gives an adversary the tools to confront a target at their home or office, or send harmful substances or explosives in the mail. These tactics have become an increasingly popular way to intimidate, punish, or retaliate against people, groups, or organizations with divergent views or interests.
The idea of doxxing is not new; major league baseball umpire Don Denkinger famously had his home phone number and address published in retaliation for his alleged “bad calls” during the 1985 World Series. A more recent case involved a Congressional intern posting the personal information of three Republican Senators from the Senate Judiciary Committee—Mike Lee, Orrin Hatch, and Lindsay Graham—on the website Wikipedia prior to the congressional hearing to appoint Brett Kavanaugh to the U.S. Supreme Court. Even President Donald Trump used doxxing to undermine a political opponent prior to the 2016 election when he read out Lindsay Graham’s cell phone number during a televised speech in 2015.
Doxxing has also been used with more deadly aims in mind. In 2015, the Islamic State published a “hit list” with names and information about 1,400 U.S. military and government personnel that it wanted assassinated.
Other more recent cases of doxxing highlight a concerning confluence of internet trolling, the proliferation of online hate groups, and a toxic permissive culture in forums like 8chan where users encourage each other to act out their violent fantasies in the real world. One example of 8chan inspired harassment is the reaction by forum users after Robert Evans appeared on an ABC Australia documentary about the Christchurch attack to discuss the neo-Nazi rhetoric that pervades 8chan. Evans’ comments quickly spread across the forum’s “politically incorrect“ (/pol/) board after the documentary aired, inspiring one user to post a “Wanted” poster, featuring a photograph of Evans with a bullet in his head. The poster offered 15 bitcoin (approximately $60,000) for his murder. Moments later, another user wrote “for that much it can be done.” This example serves a chilling reminder of the vitriolic chatter that thrives on unmoderated web forums, and it was not the first—or the last—time 8chan users have attempted to intimidate critics.
Some 8channers have also directly threatened the executives of companies. Shortly after the Christchurch attack, /pol/ users began dissecting the shooter’s manifesto. As his call to “KILL YOUR LOCAL ANTI-WHITE CEO” spread across the forum, many of its users began suggesting ways to find and kill high-profile CEOs. Another user suggested that someone could easily “kill them coming or going” by posing “as a delivery person and say they need to personally sign, [then] shoot them dead.” According to the user, CEOs’ home addresses “should not be hard to find.”
Doxxing presents a unique challenge for security professionals. Once personally identifiable information is posted, it is impossible to remove from online forums, making it a persistent threat. While the vast majority of 8chan users never go beyond cyber harassment, the normalization of violent rhetoric serves to encourage a small percentage who are eager to carry out violence in real life. Recent attacks on mosques, synagogues, and journalists have taught us that we cannot ignore the threat posed by 8chan and other forums that encourage this type of behavior.
Targets of doxing are often journalists, celebrities, politicians, or high-profile individuals. However, increasingly we have seen doxxing used as an expression of grievance against ordinary individuals, company employees, or members of groups. As a result, this is a threat that everyone should take seriously and should protect themselves against. Tips for prevention: