In February 2026, a 24-year-old man in The Hague was arrested for posting the mobile phone number of Feyenoord football director Dennis te Kloese online. It was one of the first prosecutions under the Netherlands’ new anti-doxxing law — Article 285d of the Criminal Code, which came into force in January 2024.
The case was straightforward: a frustrated fan, a phone number, and a wave of threats. But the pattern it represents is not limited to football. Across Europe and the United States, the deliberate exposure of personal data — home addresses, phone numbers, family details — has become a tool of intimidation aimed at executives, officials, and public figures. The broader context and countermeasures are covered in our Executive Digital Privacy hub.
And the infrastructure behind it is getting more organised.
The CEO Database
In May 2025, threat intelligence firm Flashpoint identified a website called the CEO Database. It listed the personal and professional details of executives from over 1,000 companies: names, titles, phone numbers, email addresses, LinkedIn profiles, and office locations.
The site was ideologically motivated, linked to the aftermath of the December 2024 UnitedHealthcare CEO shooting and the arrest of Luigi Mangione. A predecessor site linked to the same movement appeared in April 2025 before going offline. The expanded CEO Database launched on 29 May. It too has since gone offline.
But the data does not disappear when a site goes down. Once compiled and published, executive PII circulates through forums, messaging channels, and archives. Flashpoint assessed that the information “alone likely does not pose a significant physical threat,” but that further analysis by threat actors could enable AI-powered phishing, deepfake-based fraud, and physical targeting.
The CEO Database matters not because it is still live. It matters because it demonstrated that targeting executives at scale is now a structured activity with ideological backing.
The Federal Dimension
The trend extends beyond the corporate world. In 2025, a whistleblower leaked the personal data of 4,500 US Department of Homeland Security and Immigration and Customs Enforcement agents to a doxxing website. The result was a documented increase in death threats and physical harassment — not just against the agents, but against their families.
That same year, Elon Musk accused journalists investigating his Department of Government Efficiency initiative of “doxxing” his staff by publishing publicly available information about them. The incident illustrated how blurred the line between investigative reporting and targeted exposure has become in political contexts.
Where the Data Comes From
Doxxing is not a single technique. It is a collection of open-source intelligence methods combined with data that should not be public but is.
Public registries. In the Netherlands, the Kadaster (land registry) and the Kamer van Koophandel (Chamber of Commerce) expose home addresses of property owners and sole proprietors. These are searchable by anyone. In April 2025, the Autoriteit Persoonsgegevens objected to a proposed amendment to the Kadasterwet, warning that it would allow commercial companies to access property registry data without adequate safeguards against misuse of personal data. A 2026 RTL Nieuws investigation found the personal data of thousands of Dutch citizens — including children — on a single doxxing website that had operated uninterrupted for eight years despite police intervention.
Data brokers and people-search sites. Services that aggregate and resell personal data from public records, social media, and commercial databases. In the US, sites like Spokeo, WhitePages, and BeenVerified compile detailed profiles. In Europe, GDPR gives individuals the right to request removal, but the process is manual and slow. The EU data broker opt-out directory consolidates the removal process for the most significant European and US operators active in this region.
Social media. Geotagged photographs, check-ins, employment histories, family connections, and daily routines — all available through careful observation of public profiles. Even private accounts leak data through tagged photos, shared connections, and cached content.
Breach data and stealer logs. Phone numbers and passwords from data breaches can be cross-referenced to identify individuals and take over accounts. Infostealer malware families such as Raccoon, RedLine, and Lumma harvest browser credentials, cookies, and autofill data from infected devices. These logs are sold on marketplaces and used for credential stuffing attacks against email, banking, and corporate systems.
Internal sources. Sometimes the data comes from inside. The ICE agent leak originated from a whistleblower. Corporate legal proceedings, employee disputes, and insider threats all create pathways for personal data to reach hostile actors.
Europe Is Legislating. Enforcement Is Catching Up.
The Netherlands was one of the first countries to criminalise doxxing explicitly. The law — passed on 12 July 2023 and effective from 1 January 2024 — created Article 285d of the Criminal Code:
“The person who provides personal data of another or a third party, distributes this data or otherwise makes it available for the purpose of causing that person fear, having them hunted, causing serious nuisance, or seriously hindering them in the exercise of their duties or profession, shall be punished with imprisonment of at most two years.”
The penalty increases by a third when the target is a minister, judge, lawyer, journalist, or police officer.
The Feyenoord case in February 2026 was among the first arrests under this provision. Within days, the Tweede Kamer called for harder enforcement, citing the gap between the law on paper and its application in practice. Professor Bart Schermer of Leiden University noted that hosting platforms can be held liable if they refuse to cooperate with takedown requests.
Beyond the Netherlands, the legal landscape is moving — unevenly.
Australia criminalised doxxing in February 2024. The EU’s Digital Services Act requires online platforms to assess and mitigate systemic risks, which includes the spread of doxxing campaigns. GDPR Article 17 provides the right to erasure — a tool for removing doxxing data, though enforcement depends on the platform and jurisdiction. The United Kingdom’s Online Safety Act addresses harassment but does not define doxxing as a distinct offence, leaving a grey area.
The United States has no federal anti-doxxing law. A handful of states have enacted statutes protecting specific groups — judges, law enforcement, government officials — but there is no comprehensive framework. The CEO Database operated in this gap.
What You Can Do Now
Doxxing prevention works in layers. Not every measure applies to every person, but the logic is the same: reduce the amount of personal data that is publicly available, and monitor for signs that it has been compiled. A practical starting point is our Executive Exposure Checklist — ten reconnaissance surfaces with a Low/Medium/High weighting per row.
Immediate steps. Audit your social media privacy settings across all platforms. Remove or restrict geotagged content, family connections visible to strangers, and employment details beyond your current role. Enable two-factor authentication on every account — particularly email, which is the gateway to password resets elsewhere. Set up alerts for your name, home address, and phone number using monitoring services or search engine alerts.
Data broker removal. Submit opt-out requests to data brokers and people-search sites. In the EU, this is your right under GDPR Article 17. In the US, each broker has its own process — and many re-list data within months. This is a recurring task, not a one-time fix.
Registry protection. In the Netherlands, sole proprietors can request that the KvK shields their home address from public view. Property owners can apply for restrictions on Kadaster data under specific threat circumstances. If you hold property through a corporate entity, your personal address is less directly exposed — but not invisible.
Communication separation. Use a dedicated phone number for professional and public-facing activity. Keep your personal number, home address, and family details off anything connected to your professional identity. This includes domain registration (use WHOIS privacy), professional bios, and conference speaker profiles.
Ongoing monitoring. Organisations are increasingly using threat intelligence to monitor extremist forums, hacktivist channels, and paste sites for mentions of executive names and corporate affiliations. This is not something most individuals can do on their own — it requires access to sources that are not indexed by search engines.
When Self-Service Is Not Enough
The measures above reduce your exposure. But they do not tell you what is already out there.
A targeted search — the kind a motivated attacker would run — goes beyond what you can see in a Google search. It covers data broker holdings, breach databases, dark web forums, social media footprints, public registry records, and archived content.
If you want to know what that kind of search returns about you before someone else runs it, a Shield assessment maps the full exposure surface and provides a prioritised remediation plan.