Site Spotlight: Doxbin

June 15, 2024

DarkOwl analysts regularly follow darknet threat actors, marketplaces and sites. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

The site Doxbin is a paste site which allows users to post information in text format about other individuals, usually containing personal identifiable information (PII). Information is posted for a range of alleged reasons, which are usually provided in the title of the dox and can contain extensive information about individuals. Although this site is currently hosted on the clearnet and maintains an official Telegram channel, the site originally operated as an .onion site and is still used by dark web affiliated individuals.

In this blog, we explore the history of the site, who is behind it and the impact that it can have on the victims of a dox, as well as alleged recent activity related to the reported owner.

What is Doxbin?

To understand the purpose of Doxbin and how it is used, we must first understand the concept of “Doxing”.

Doxing is the act of publicly providing PII and other data about an individual or organization without their consent. In recent years, this has predominantly been done using the internet and is a process that began in the late 1990s. The act of doxing an individual in of itself is not illegal depending on how the information shared is obtained. Most data shared is likely obtained from data brokers and social media sites. Although, others are obtained through illegal means. Regardless of the way the data is obtained, the purpose and outcomes are usually nefarious and used for online shaming, extortion, targeting, stalking, and hacktivism operations. The law has not yet caught up with this practice and it is difficult to prosecute the sharing of publicly available information. However, this is beginning to change as outlined below.

Doxbin is a site that facilitates doxing. It is a paste site that allows users to upload any text-based content relating to individuals. It is exclusively used to share data about others or elicit more information about others.

The current controllers of Doxbin state that any text can be uploaded to the site, with the only limitations being that it should not be spam, child explicit material (CSAM), or something that violates the hosting countries jurisdictional laws (Domain and IP analysis linked to the site suggests that it is hosted in Russia and uses a DDoS Guard to protect the site from bot attacks). They also state that support of terrorism or threats of physical violence are not allowed.

However, in practice there is very little that cannot be posted and often information is shared in the hope that an individual will be targeted in some way – including risks of physical violence. A reason does not need to be provided, although one often is, and nothing is validated.

History of Doxbin

The current administrators of Doxbin have posted a lengthy description on their site about how it was founded and is currently run. In this description, they describe this iteration of the site as having been active since early 2018, being created by kt and Brenton “as a place to store personal doxes as an alternative to platforms which were not satisfactory.”

However, the name/site “Doxbin” has a history that precedes this. Originally Doxbin was launched in May 2011 on the dark web by an individual using the alias “nachash” as a pastebin for people posting personal information of others. The site was eventually seized by law enforcement – with the FBI and Europol taking town Doxbin in November 2014 as part of Operation Onymous, which also took down several other .onion sites, primarily those related to the sale of drugs, and led to the arrest of several individuals.

In 2019 it was reported that Doxbin was being controlled by a white supremacist group, who were using the site to maintain a list of swatting (more on that later) targets. In 2020 the controller was arrested by the FBI.

In 2022, the site was reportedly purchased by a threat actor associated with the group Lapsus$, using the alias “White”. However, it is alleged that due to ban management of the site, users started to target White and he himself was doxed. Before this occurred, White leaked the Doxbin data set which included private doxes which had not been published. The information contained in the dox of White, which included videos of his home proved to be accurate. Arion Kurtaj was later arrested and prosecuted for his role in several data breaches as part of his association with Lapsus$.

The current iteration of the site, which is on the clearnet, rather than TOR states that it is no longer affiliated with “nachash”, and that he left the operation in 2015. It also describes how the original site was created and transferred, mentioning several different aliases that have been connected to the original site. They also claim that there was no legal reason for the original seizure of the site.

Founders, Administrators, Users

At the time of writing the site indicates that it has 308,681 registered users, although there is no need to register. Registered users are listed and broken down into tiers which include:

Admins
Manage
Mod
Council
Founder
Clique
Rich
All Users

The oldest user – a founder – joined 5 years ago whereas the newest user joined 3 minutes ago (at time of writing). There is no description provided of the different tiers.

It is possible to search for users, as well as observe how many pastes that user has made and if they have commented on other’s posts. The most active user appears to be a user called “o” who is listed as a moderator. They have made 120 pastes and 3,333 comments, likely mostly in a moderator capacity. It is also possible to paste anonymously so there may be users that have made more posts.

What Information is Shared and About Who?

What?

At the time of writing, the site contains 157,225 pastes. Any text-based information can be uploaded very simply.

The site states that they provide users “the ability to upload text information without the fear of censorship. Most pastes won’t come down without a court order. What this means is that if your info goes up, it’s not coming down unless it’s inaccurate, breaks our TOS or we receive a court order from our server hosted country.” There are no details provided about how they validate if the information posted is accurate. However, there are terms that the site provides which users must stick to, if this is violated, in the opinion of the moderators, then it will be removed.

Examples of the type of information that are shared on Doxbin include full names, addresses, telephone numbers, IP addresses, account information including passwords and usernames commonly for streaming services and social media accounts, work locations, financial information, and email addresses. They often also post details of family members.

The information included in a Dox generally comes from a range of locations, usually open-source information from data brokers or social media, but some of the information is stolen through hacking activities.

Who?

Anyone can be the victim of a Dox.

Many individuals from the hacking community are targeted by their associates, the site has a section which it refers to as the “Hall of Autism” where it provides a list of individuals they have targeted. This area includes images of the individuals, their name, alias and a description of why they are included. This area of the website also has a song…

Celebrities and politicians are also often targets, employees of prominent organizations, and law enforcement agencies and officers, but any individuals can be targeted and often are.

Why?

The motivations for doxing someone can be very varied. On the site itself, a very common reason to share the data is because the individual is alleged to be a pedophile, however there is usually no evidence supplied to support this and is likely used as a means to encourage others to target the individuals.

Other reasons provided are that they have no hacking skills, they have done something to annoy the poster, they are accused of being bullies or of being scammers. The reasons can vary and likely there is very little behind why some of the individuals are targeted. However, posting this information can have real dangerous consequences.

The Real World Impact

Although this information is posted online, it can have very real consequences for the individuals whose information is posted.

The owners of the original Doxbin used it to target individuals they were not happy with. In June 2014, after their Twitter account was suspended, information relating to the founders and CEO of Twitter was posted on Doxbin. That same year, information relating to a federal judge who had presided over the case against Silk Road was shared on Doxbin leading to death threats and swatting attempts.

Swatting is the practice of reporting a serious crime at an individual’s address which leads to a strong response by law enforcement often with SWAT teams surrounding the area. The practice has become more and more commonplace, with the current version of Doxbin often being used as a source of information to conduct these swatting attacks. These attacks can be very damaging to the victims and can be dangerous. However, law enforcement has sought to prosecute these crimes and ensure prison sentences for the perpetrators.

Another impact of doxing is identity theft and financial crime, as all information about an individual is provided, criminals can use this data to conduct financial crimes. This can be a difficult thing to identify and recover from, with funds often taken before an individual even knows their data has been shared.

The posts can also cause reputational damage, sharing information an individual may not want shared with their friends and family. There is also the possibility that material could be shared which may affect an individuals employment status.

Furthermore, this data can be used to stalk and harass individuals, some of the posts on Doxbin actively encourage others to target individuals. This can leave the victims open to threats of physical violence as well as the trauma of knowing that someone knows where they live and work and could attempt to contact them at any time. Victims are often also subjected to harassment through prank/harassing phone calls, spam emails, and online harassment and cyber bullying through social media.

These threats can have a lasting emotional impact on individuals.

Operator Kidnapped?

In mid-May the Doxbin site was briefly taken offline. A post on the official Telegram channel indicated that the administrators had taken it offline for security reasons.

Soon after images began to circulate on Telegram alleging that one of the “current” owners of Doxbin “Operator” had been kidnapped. The images showed an unknown individual wrapped in trash bags as well as videos that were claimed to be of the kidnapping, showing him being beaten. However, this could not be validated and many online question if this was actually some kind of exit scam.

After this was posted, not much further information was shared. The site came back up and is currently operating as normal. It is unclear if this video was real.

Conclusion

Doxbin is a site which exists on the clear net and has been used to target countless individuals for largely unknown reasons. The site facilitates individuals who wish to cause harm to others through a variety of different reasons. Once this data is shared on the site, it is all but impossible to have it removed. Meaning that the victims can be subject to harassment and threats not just by the original poster but also by other viewers of the site. Much of the time this data is used by threat actors to torment victims and conduct swatting attacks seemingly for personal entertainment.

Constant monitoring of this site is recommended to ensure company and employee data is not shared.