Doxxing, publishing someone's private identifying information without their consent, began as an online weapon in hacker and gaming feuds, and it still works that way. But over the past decade it has acquired a second life: a route from an online grievance to a person's front door. Doxxing and swatting now travel together. The thread running through every version of it, malicious or merely careless, is the same. The more of your personal information is discoverable online, the easier you are to find, to name, and to reach. Reducing that exposure has become a physical-security measure, not only a privacy one.
Where it came from
The term comes from “dropping docs,” 1990s hacker slang for stripping away someone's anonymity and revealing the real person behind a handle, usually to settle a score. For most of its history doxxing was an online act with online consequences: harassment, humiliation, a flood of abuse.
The 2014–15 Gamergate harassment campaign pushed the practice into mainstream awareness. Participants released targets' personal details, sometimes explicitly hoping the information would be used to cause physical harm. Around the same culture of online gaming and livestreaming, a related tactic took hold: the swatting call, a false emergency report designed to send an armed police response to a victim's address.
The risk in that combination became undeniable in Wichita, Kansas, in December 2017. An argument over a $1.50 wager in a game of Call of Duty escalated into a threat to “swat” a rival. The rival gave out a false address as a taunt. A third man, a serial swatter, called police claiming he had shot his father and was holding the rest of the family hostage at that address. The house belonged to Andrew Finch, a 28-year-old with no connection to the dispute who did not play the game. Police shot and killed him at his own front door. Three people were convicted; the caller received twenty years.
By then swatting had also become a way to perform for an audience. Prominent streamers were targeted live, the raid captured and clipped for viral reach; the Fortnite world champion Kyle “Bugha” Giersdorf was swatted on camera two weeks after winning the title. The motive had shifted from private grudge to public spectacle.
When the address became the weapon
The clearest illustration of what doxxing had become arrived in July 2020. A gunman posing as a delivery driver appeared at the New Jersey home of U.S. District Judge Esther Salas. He killed her twenty-year-old son, Daniel Anderl, and wounded her husband. He had found the judge's home address online, assembled in part from the records sold by data brokers.
Two years later, Congress passed the Daniel Anderl Judicial Security and Privacy Act. Among its provisions, it bars data brokers from selling or trading the personal information of federal judges and requires that such information be removed on request. It is one of the few moments where the law has named the mechanism plainly: the routine, commercial availability of a person's address is the bridge between an online grievance and a physical attack. Close the bridge, and the attack becomes harder to carry out.
The industrial phase
What was once improvised has become organised. From December 2023 into 2024, a sustained wave of swatting hit American public life: senators, members of Congress, a special counsel, a city mayor, secretaries of state, presidential candidates. Some calls were later traced to foreign infrastructure; some used AI-generated voices to defeat older laws written for human callers.
The tactic has also been industrialised into a service. In 2025, an eighteen-year-old was sentenced for placing at least 375 hoax calls over eighteen months, offering swatting for a fee to anyone who wanted it. Extortion groups have folded it into their playbook, threatening to swat the patients of hospitals that refuse to pay. Loose online networks built around harassment and notoriety, splinters of the communities researchers track as “the Com,” have claimed responsibility for campaigns of false active-shooter calls that, in one stretch of 2025, hit more than forty universities.
The motive matters here, because the easy story is the wrong one. This is not a single political phenomenon. The people behind these acts are driven by clout, by extortion, by nihilism, and sometimes by political intent, often interchangeably. What they share is not an ideology. It is a method, and the method depends on one thing: being able to find out where the target is.
Doxxing examples: it reaches every kind of person
The breadth of who has been targeted is itself the point. There is no profile that confers safety, and the examples are not confined to any one world.
The security journalist Brian Krebs was swatted in 2013 in retaliation for exposing a cybercrime operation; the same campaign mailed heroin to his house and forged a letter to take his website offline. That same year, a site called exposed.su published the Social Security numbers and credit files of a roster that spanned politics and entertainment at once: a First Lady, a sitting vice-president, a future president, Beyoncé, Jay-Z, Kim Kardashian. Much of it was lifted from the major credit bureaus. Corporate executives are now targeted often enough that firms specialising in their protection report it as a distinct and growing category.
And then there are people with no public profile at all, no title, no platform, no following, doxxed simply because they were online and findable.
The people in these cases were reachable because their details were discoverable. The same question applies to you: what would a search assemble about you today? A Snapshot Scan answers it.
See what’s exposed about youThe other kind of doxxing: getting the wrong person
Not all doxxing is malicious. A great deal of the damage now comes from people who believe they are helping.
After the 2013 Boston Marathon bombing, amateur investigators on social media named a missing student, Sunil Tripathi, as a suspect on the strength of a resemblance. He was not involved. He had, in fact, already died before the bombing took place. His family, already searching for him, was buried in accusations and abuse before the real attackers were identified. A major newspaper put two other innocent people, including a teenage runner, on its front page on the same flimsy basis.
This is not a relic of an earlier internet. In 2025, online sleuths hunting the killer of a political activist settled on a 77-year-old retiree in Toronto, the wrong man in the wrong country, and drowned him in abuse until he deleted his account. In early 2026, others turned AI tools on witness footage to try to unmask a masked officer, importing a new and confident source of error into the same old reflex. The pattern repeats: a crowd forms around an incident, fixes on a plausible match, and publishes a name or an address before anyone has confirmed it, and by the time the identification collapses the damage cannot be recalled.
What separates this from legitimate investigative work is not access to information; the crowd often has the same raw material a professional would. The difference is standing and consent. Responsible work is done on behalf of a subject and with their agreement, measuring a person's own exposure because they asked you to, never run against a stranger who never consented and published before anything is confirmed. The disciplines that follow from that boundary — verifying before concluding, corroborating across independent sources, weighing whether an inference actually supports a name — exist so that the wrong person does not pay for a confident guess. The crowd's first error is not that it checks too little. It is that it appoints itself to identify someone who never agreed to be identified.
It is also where exposure cuts both ways. A visible online presence, a public photo, an old profile, a missing-person appeal shared in good faith, is what makes a person nameable in the first place. Visibility makes you a candidate for mistaken identity just as surely as it makes you a candidate for deliberate targeting.
The common fuel
Strip these cases down and you can see how doxxing actually works: the same component sits underneath all of them. Whether the doxxer is a rival with a grudge, an extortion crew, or a well-meaning crowd, the act depends on personal information being available to assemble: a current address, a phone number, a workplace, the connective detail that turns a name into a location.
Much of that information is not hidden. It is sold by data brokers, surfaced by people-search sites, and exposed in breach after breach, then quietly cross-referenced until a single record points to a front door. The home address is the hinge. Everything upstream of it is what makes the hinge turn: the email, the username, the old account, the leaked record.
This is the practical reason exposure and physical safety are no longer separate questions. You cannot control whether someone forms a grievance, joins a manhunt, or decides to make a call. You can influence how much there is to find when they go looking.
What reduces it
The work breaks into three steps, in order. The first is to see what is actually discoverable about you: the footprint an outsider could assemble from open sources, brokers, and past breaches. You cannot reduce what you have not measured. That is the purpose of a digital footprint audit, the basis of our work in the Mirror.
The second is removal: getting personal records pulled from the data brokers and people-search platforms that resell them, and keeping them down as they reappear. That sustained removal is what the Eraser is built to do, and it is the same logic the Anderl Act applied to judges, generalised to anyone who needs it.
The third applies to people at genuine elevated risk: executives, public figures, anyone already being targeted. For them the work is to harden the wider picture, to model what an adversary could realistically assemble and close the specific gaps that matter. That is the protective-intelligence work of the Shield.
None of this makes a person impossible to find. It makes them harder to find, and a less rewarding target. For a threat that depends entirely on being able to locate you, that is the part you can actually change.
Doxxing, and the physical risk that now travels with it, runs on how much of you is discoverable. A Snapshot Scan shows what a search returns about you today; the Mirror maps your full discoverable footprint; where it traces back to data brokers and people-search platforms, the Eraser removes it at the source; and for those at elevated risk, the Shield hardens what remains.
Talk to an AnalystFrequently asked questions
Is doxxing illegal, or a crime?
It depends on where you are and what was published. Several U.S. states and an increasing number of European countries, including the Netherlands, which criminalised it at the start of 2024, now treat malicious doxxing as a specific crime, often with heavier penalties when the target is a public official. We cover the legal position by jurisdiction separately.
What is the difference between doxxing and swatting?
Doxxing is publishing someone's private identifying information. Swatting is using information like an address to place a false emergency report, a swatting call, that sends an armed response to their home. Swatting is frequently the physical escalation of a dox.
Is swatting illegal, and what is the punishment?
Yes. Swatting is prosecuted as a serious crime. Penalties vary by jurisdiction: a growing number of U.S. states have passed dedicated swatting laws, and federal proposals would allow up to twenty years' imprisonment where a swatting call causes serious injury or death. The man behind the 2017 Wichita call that killed Andrew Finch received a twenty-year sentence.
Can you remove information that has already been posted?
Material on data brokers and people-search sites can usually be removed, and removal is the most effective single step most people can take to reduce their exposure. Content republished by individuals is harder and depends on jurisdiction and platform. The realistic goal is sustained reduction, not a guarantee of total erasure.
I have no public profile. Why would this affect me?
Most people who are doxxed are not famous. Mistaken-identity cases in particular fall on ordinary people, named by a crowd because they were findable and looked like a match. Visibility, not prominence, is what creates the risk.
Sources
- 2017 Wichita swatting (death of Andrew Finch); sentences reported by the U.S. Department of Justice and NBC News.
- U.S. Courts, “Congress Passes the Daniel Anderl Judicial Security and Privacy Act” (2022); statute at Congress.gov, S.2340.
- Federal Bureau of Investigation, “Threat Actors Use Swatting to Target Victims Nationwide” (2025); Alan Filion swatting-as-a-service sentencing reported by NBC News and The Register.
- Brian Krebs swatting (2013): TechCrunch; KrebsOnSecurity.
- Celebrity and political doxxing via exposed.su (2013), with data drawn from the major credit bureaus.
- Misidentification: Columbia Journalism Review on Sunil Tripathi (Boston Marathon, 2013); Cybernews (2025 misidentification); The Washington Post (AI-assisted misidentification, 2026).