How Doxing Works: Inside an Attacker's Step-by-Step Process

Understanding the exact methods attackers use to expose your home address, employer, and daily routine — so you can cut off the information at its source.

In January 2023, a developer who had criticized a major cryptocurrency platform on GitHub received a message at 2 AM containing his full name, home address, the address of his workplace, his girlfriend's name and employment, and the names of his parents. The message came from someone he'd never met. They were angry about his code review. Within three hours, this attacker had built a complete identity profile starting from just a GitHub username.

This is doxing—but it's not random chaos. It's a systematic methodology with specific steps, specific tools, and a predictable progression from a single piece of information to a complete identity exposure. By understanding exactly how it works, you can defend yourself by cutting off the information at its source.

What "Doxing" Actually Means

Doxing (short for "dropping documents") is the act of researching and publicly releasing private information about an individual. The target could be a journalist, activist, politician, content creator, business owner, or someone who simply said something controversial online. The goal is humiliation, intimidation, harassment, or preparation for physical violence.

What makes doxing distinct from a privacy breach is intent: it's not about stealing data for financial gain. It's about weaponizing publicly available information to harm someone. And because most of the information is technically public (voter records, property records, people search sites), it's not technically illegal in most jurisdictions—despite being devastating in practice.

The Six-Step Doxing Methodology

Step 1: The Seed Identity

Every doxing attack starts with one piece of information. Usually this is one of the following:

  • A username: from Reddit, Twitter, GitHub, Discord, forums, old message boards, gaming platforms, or any online account
  • An email address: from a breach database, a contact form submission, a leaked mailing list, or LinkedIn
  • A real name: from a business website, LinkedIn profile, published writing, or podcast appearance
  • A phone number: from a people search site, a leaked contact list, or public business information

The attacker chooses whichever piece of information they have access to. A username is usually the starting point because it's what people use when they want to feel pseudonymous.

Step 2: Username Correlation Across Platforms

If the attacker starts with a username, they use automated tools to find that same username everywhere it appears online. Tools like Sherlock, WhatsMyName.app, and Maigret scan 300+ platforms simultaneously for the same username.

In practice: an attacker sees the username "alex_chen_dev" on a GitHub comment. They run it through Sherlock. Results come back showing "alex_chen_dev" also appears on Twitter, Reddit, HackerNews, Discord servers, YouTube comments, and a personal blog. Each of these profiles is a data point that will eventually lead to a real identity.

This step is fast (automated, takes minutes) and highly effective because most people reuse usernames across platforms.

Step 3: Email Reverse Lookup and Breach Database Scanning

The attacker now has multiple usernames pointing to various profiles. They look at those profiles for email addresses. A Twitter bio might include an email. A GitHub profile might have an email. A personal website definitely will.

With an email address in hand, they check:

  • HaveIBeenPwned.com: a database of 14 billion compromised email addresses from thousands of breaches. This immediately reveals which services the target uses and when they had accounts breached
  • Breach databases on the dark web: more detailed information, sometimes including passwords, phone numbers, and secondary email addresses
  • Email permutation tools: if they have a name and domain (alex.chen@company.com), they can generate other likely email formats (achen@company.com, acheng@company.com, etc.) and see which ones appear in breach databases

In the case of our GitHub developer: his email "alex.chen@githubreason.dev" appears in the Okta hack (2023) and the Twitch creator database breach (2019). The attacker now knows he uses Okta for authentication and is a content creator.

Step 4: Social Media OSINT and Location Analysis

Now the attacker has multiple social media profiles and knows the target's real name and email. They dig into social media accounts with specific focus on metadata and location leakage:

  • Photo metadata: if photos are posted without EXIF data stripped, the GPS coordinates are embedded. Google Maps reverse lookup shows the exact address
  • Background recognition: unique buildings, landmarks, or street signs visible in photos can be identified via reverse image search. Tools like Google Lens identify locations from background details
  • Check-in history: on Facebook, Instagram, Foursquare, or any platform where the target has checked in, location history is visible
  • Tagged locations: friends tagging the target in location-specific posts reveals where they spend time
  • Follower and following analysis: mapping who someone follows reveals their social circle, employers, family members, and close relationships

LinkedIn becomes especially useful here. A LinkedIn profile shows employer, job history (which reveals geographic movement), educational background, and hundreds of connections. The attacker examines followers to identify family relationships—often family members follow each other and have similar last names.

Step 5: People Search Sites and Public Record Lookup

By now the attacker has a real name and approximate geographic location. They search people search sites like BeenVerified, Spokeo, Whitepages, or TruthFinder. For $10–20 per month, these sites return:

  • Current home address
  • Previous addresses (full history)
  • Phone number(s)
  • Relatives and family members (with their names and sometimes addresses)
  • Employer and job title
  • Age and approximate birth date

If the attacker knows the target owns a home, they search county property records directly (all public, all online). Property records show home ownership, mortgage amount, purchase price, and history of all addresses associated with that property.

If the target has a business license, LLC, or is a registered agent, they search state corporate databases. These filings include the business address, the personal address, and sometimes phone numbers and email addresses.

Step 6: Cross-Referencing and Verification

The attacker now has multiple data points and conducts final verification:

  • Google Maps Street View: verify the home address by checking the exterior of the building
  • LinkedIn verification: confirm employer by checking the company's LinkedIn page and confirming the target is listed as an employee
  • Social media address confirmation: check if any old posts mention the address or provide hints that confirm it
  • Employer website: sometimes company websites list employee bios with locations or even office photos where the target might be visible

By this point, the attacker has: home address, previous addresses, phone number, employer, family member names and addresses, social media accounts, email addresses, and photo evidence of the building. From a single GitHub username.

  • 30 min: average time for a skilled attacker to build a complete dossier from a username
  • 300+: platforms searched simultaneously by username correlation tools
  • 14B: compromised email addresses indexed in HaveIBeenPwned

Common Starting Points for Doxing

What information most commonly triggers a doxing attack? Research from multiple sources reveals patterns:

Online debates and disagreement: 45% of doxing cases start when someone expresses an unpopular opinion online. This could be a Reddit post, a Twitter argument, or a GitHub code review.

Leaked data from breaches: 30% of cases start when an email address appears in a breach database and an attacker decides to investigate who owns it.

Business information: 15% of cases start when someone has published business information (LLC filing, business website, etc.) and a person with a grudge uses it to find their home address.

Content creation: 10% of cases start when a content creator (YouTuber, streamer, podcaster) becomes successful and faces harassment that escalates to doxing.

The Speed of Doxing

Experienced doxers can build a complete profile in 15–30 minutes. The GitHub developer mentioned at the beginning was targeted and found within 3 hours because the attacker had to wait for some queries to process and some manual verification. A less thorough doxing could have found him in under 20 minutes.

This speed comes from:

  • Automated tools handling 70% of the work (username correlation, breach database lookup)
  • Standardized databases (people search sites, public records, LinkedIn) with familiar interfaces
  • Reusable methodology (same steps every time, just applied to a new target)

Defense: Cutting Off the Information at the Source

Understanding this methodology reveals the defense strategy. You can't prevent all of it, but you can eliminate the easiest pathways:

Username Hygiene

Use completely unique usernames across platforms. Don't reuse "alexchen" or "alex_chen_dev" everywhere. Use different usernames on GitHub, Twitter, Reddit, and forums. This breaks step 2 of the doxing methodology—if the attacker can't correlate your username across 5 platforms simultaneously, they lose a major attack vector.

Email Compartmentalization

Don't use the same email for everything. Use different email addresses for:

  • Financial accounts (banks, credit cards, PayPal)
  • Social media (Twitter, Instagram, TikTok, Reddit)
  • Professional (GitHub, LinkedIn, work accounts)
  • Anonymous/pseudonymous accounts

This breaks step 3. If your financial email is compromised in a breach, your social media accounts aren't automatically linked.
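A self-audit for the two sections above (username hygiene and email compartmentalization), as an added example that is not part of the original article: it takes an offline inventory of your own accounts and reports which ones are joined by a shared handle or a shared email, and whether that join crosses compartments. The inventory, the example.com addresses and the purpose labels are constructed; only "alex_chen_dev" comes from the article.

```python
from collections import defaultdict

# Constructed inventory of one person's own accounts: (platform, username, email, purpose).
ACCOUNTS = [
    ("github",  "alex_chen_dev",  "pro@example.com",    "professional"),
    ("twitter", "alex_chen_dev",  "social@example.com", "social"),
    ("reddit",  "quiet_heron_42", "social@example.com", "pseudonymous"),
    ("forum",   "Alex.Chen.Dev",  "alt@example.com",    "pseudonymous"),
    ("bank",    "k7-ledger",      "money@example.com",  "financial"),
]

def normalize(handle):
    """Fold case and separators, since 'Alex.Chen.Dev' is an obvious variant of 'alex_chen_dev'."""
    return "".join(ch for ch in handle.lower() if ch.isalnum())

def linked_clusters(accounts):
    """Union-find over accounts: two accounts join if they share a handle or an email."""
    parent = list(range(len(accounts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}
    for i, (_, username, email, _) in enumerate(accounts):
        for key in (("user", normalize(username)), ("email", email.lower())):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, account in enumerate(accounts):
        groups[find(i)].append(account)
    return list(groups.values())

def findings(accounts):
    """Clusters that tie together accounts meant to stay in separate compartments."""
    report = []
    for cluster in linked_clusters(accounts):
        purposes = sorted({purpose for *_, purpose in cluster})
        if len(purposes) > 1:
            report.append((sorted(platform for platform, *_ in cluster), purposes))
    return report

if __name__ == "__main__":
    for platforms, purposes in findings(ACCOUNTS):
        print("linked:", ", ".join(platforms), "| crosses:", ", ".join(purposes))
```

In the sample, the pseudonymous Reddit account has a unique handle but still lands in the same cluster as GitHub, because it shares an email with the Twitter account that reuses the GitHub handle.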

Photo Metadata Stripping

Before posting any photo online, strip EXIF data. On macOS, use Preview. On Windows, right-click → Properties → Remove Properties. On smartphones, disable location services for your camera app. This eliminates step 4 location attacks via metadata.
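One way to do the stripping in a script, as an added example rather than code from the original article: a standard-library Python function that walks a JPEG's segments and drops the Exif/XMP, IPTC and comment blocks while copying the image data unchanged. The function names and the SAMPLE bytes are constructed for illustration.

```python
import struct
import sys

# Segment types dropped: APP1 (Exif and XMP), APP13 (IPTC), COM (free-text comment).
DROP = {0xE1, 0xED, 0xFE}

def strip_metadata(jpeg):
    """Return (clean_bytes, removed): metadata segments dropped, image data untouched."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:  # legal fill byte before a marker: skip it
            pos += 1
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == 0xDA:  # start of scan: compressed pixels follow, copy the rest as-is
            out += jpeg[pos:]
            return bytes(out), removed
        if marker in DROP:
            removed.append(f"0x{marker:02X} {jpeg[pos + 4:pos + 8]!r} ({length} bytes)")
        else:
            out += jpeg[pos:end]
        pos = end
    raise ValueError("no start-of-scan marker; file is truncated")

def segment(marker, payload):
    """Build one JPEG segment; used only to construct the sample below."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally valid segments with a fake Exif block, not a real photo.
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(0xE1, b"Exif\x00\x00" + b"CONSTRUCTED-GPS-TAGS")
          + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    clean, removed = strip_metadata(data)
    for item in removed:
        print("removed", item)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(clean)
```

Dropping Exif also drops the orientation tag, so a phone photo may display rotated afterward. PNG, HEIC and video files store metadata in other containers that this function does not handle.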

Data Broker Removal

Remove yourself from Spokeo, BeenVerified, Whitepages, and other people search sites. This eliminates the fastest path to your current home address. Even though this doesn't prevent county property records lookup, it removes the easiest option that most attackers will use first.

Social Media Settings

Make your social media profiles private. Disable location tagging. Don't display your employer or educational background publicly on any platform. Remove your phone number and email from publicly visible profile sections. On LinkedIn specifically, set your location to just a city, not a full address. Disable "People also viewed" so investigators can't see who else is viewing profiles similar to yours.

Voter Registration Confidentiality

In states that offer it, apply for confidential voter registration. This removes your home address from the most reliable public database.

Business Registration Privacy

If you own a business or LLC, use a registered agent service ($50–100/year). This puts the agent's address on public filings instead of your personal address.

Important: Doxing is not entirely preventable. A determined attacker with time and resources can cross-reference property records, court filings, and other government databases to eventually find your address. But the goal is to make the attack time-consuming enough that most casual attackers give up and move on to easier targets.

If You've Been Doxed

If your information has already been published:

  • Document everything: screenshots of where your information was published, what was revealed
  • Report to the platform: if it's on Twitter, GitHub, Reddit, etc., report the specific post for harassment/doxing
  • Contact law enforcement: if there are threats of violence, contact local police. Provide documentation.
  • Change your address if possible: if the threat is credible, consider moving
  • Inform family members: if relatives' information was also published, tell them to expect contact attempts
  • Request removal from data brokers: immediately opt out of all people search sites to prevent the information from being re-aggregated

