Violent Extremists Dox Executives, Enabling Physical Threats

Domestic violent extremists (DVEs) in the United States have increasingly targeted senior public- and private-sector leaders by publishing their personally identifiable information (PII), expanding beyond prior targets to include executives and officials and elevating risks of harassment and physical attacks. Recorded Future’s analysis identifies methods such as spearphishing, PII aggregation, and the use of web platforms for distribution, and recommends reducing digital footprints and using threat monitoring services.

Key points

  • DVE doxing has broadened from targeting other extremists to include government officials, corporate executives, and institutional leaders.
  • Doxing incidents increase victims’ exposure to physical threats (harassment, stalking, protests, surveillance, physical attacks) and cyber and reputational harm.
  • Attack methods documented include spearphishing, targeted collection of PII, exfiltration via web services, and publishing on online platforms.
  • Adversaries publish dox via web protocols and platforms such as Telegram channels, blogs, and paste sites, sometimes obfuscating content to evade moderation.
  • Recorded Future observed a notable increase in corporate-targeted doxing in 2023; a SafeHome survey estimated millions affected by doxing.
  • Recommended defenses: tighten cyber hygiene, remove exposed PII, conduct digital-audience audits, deploy threat monitoring, document incidents, mitigate leaks, and engage law enforcement.

MITRE Techniques

  • [T1566] Spearphishing – DVEs may use spearphishing tactics to acquire PII for doxing (‘may use spearphishing tactics to obtain personally identifiable information (PII) for doxing purposes.’)
  • [T1204] User Execution – Targets can be tricked into interacting with malicious or dox-related content (‘Victims may inadvertently execute malicious actions by interacting with content shared by DVEs, such as clicking on links that lead to doxing materials.’)
  • [T1589] Gather Victim Identity Information – Adversaries aggregate PII like addresses, phone numbers, and emails from multiple sources for doxing (‘DVEs collect PII, including home addresses, phone numbers, and email addresses, from various sources for doxing.’)
  • [T1565] Data Manipulation – Attackers publish and manipulate victims’ personal data online without consent to intimidate or harass (‘DVEs manipulate data by publishing victims’ PII online without consent and with malicious intent.’)
  • [T1071] Web Protocols – Threat actors use web protocols and public platforms to host and distribute dox files (‘DVEs use web protocols and online platforms, such as Telegram channels, blogs, and paste sites, to host and distribute dox files.’)
  • [T1567] Exfiltration Over Web Service – Collected PII may be moved via web services to enable publication and dissemination (‘DVEs may use web services to exfiltrate collected PII for the purpose of doxing.’)
  • [T1027] Obfuscated Files or Information – Dox content may be obfuscated or coded to evade detection and platform enforcement (‘DVEs may obfuscate dox files or use code words to avoid detection and terms of service (ToS) enforcement on online platforms.’)

Indicators of Compromise

  • [Domain] Report/source – go.recordedfuture.com/hubfs/reports/ta-2024-0327.pdf, recordedfuture.com
  • [Domain] Survey reference – safehome.org (SafeHome survey cited)
  • [Platform] Hosting/distribution channels – Telegram channels, blogs, paste sites (used to publish dox)
  • [Document] Report/PDF – ta-2024-0327.pdf (Recorded Future analysis PDF)

DVEs collect and aggregate personally identifiable information (PII) from public records and online sources, and they often supplement automated collection with targeted social engineering such as spearphishing to acquire additional sensitive details. Collected data typically includes home addresses, phone numbers, and email addresses; adversaries may exfiltrate this information through web services and prepare consolidated dox files for publication.

For distribution, actors frequently use web protocols and public platforms—examples noted include Telegram channels, blogs, and paste sites—where they host or repost dox material and sometimes employ obfuscation or coded language to avoid detection and content takedown. Victim exposure escalates beyond online harassment to tangible safety risks (stalking, protests, physical attacks), and incidents are commonly accompanied by negative sentiment campaigns that amplify reputational and financial damage.

Mitigation focuses on reducing attack surface and increasing detection: remove or restrict public PII, perform regular digital-audit sweeps, enable strong account security and phishing defenses, and subscribe to threat-monitoring services to detect published dox quickly. If doxing occurs, document the exposed data and publishing vectors, attempt to mitigate the source (take-down requests, platform reports), preserve evidence, and engage law enforcement as appropriate.
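
As an added illustration of the monitoring and documentation steps above (not code from the Recorded Future report), the sketch below checks collected posts against a watchlist of PII the organization already holds for a protected person, undoing light obfuscation first, and records the publishing source, exposed data types, and an evidence hash. All names, the watchlist, and the sample posts are constructed assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed watchlist: PII the organisation already holds for a protected person.
WATCHLIST = {
    "email": ["jane.doe@example.com"],
    "phone": ["+1 202-555-0143"],
    "address": ["42 Example Lane"],
}
# Constructed sample posts as (source, text); not real data.
SAMPLE_POSTS = [
    ("paste-site", "jane.doe [at] example [dot] com / 202.555.0143 / 42 Example Lane"),
    ("blog", "Quarterly earnings call recap, nothing personal here."),
]

def normalize(text):
    """Lower-case and undo '[at]' / '(dot)' style defanging."""
    t = text.lower()
    t = re.sub(r"\s*[\[({]\s*(?:at|@)\s*[\])}]\s*", "@", t)
    return re.sub(r"\s*[\[({]\s*(?:dot|\.)\s*[\])}]\s*", ".", t)

def squash(text):
    """Keep only letters and digits so spacing and punctuation tricks vanish."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def find_exposures(post_text):
    """Return (kind, watchlist_value) pairs found in one post."""
    norm = normalize(post_text)
    runs = [re.sub(r"\D", "", m) for m in re.findall(r"\+?\d[\d\s().-]{8,}\d", norm)]
    hits = [("email", e) for e in WATCHLIST["email"] if e.lower() in norm]
    for p in WATCHLIST["phone"]:
        national = re.sub(r"\D", "", p)[-10:]  # assumes 10-digit national numbers
        if any(national in r for r in runs):
            hits.append(("phone", p))
    hits += [("address", a) for a in WATCHLIST["address"] if squash(a) in squash(norm)]
    return hits

def incident_record(source, post_text):
    """Document the vector and exposed data types; hash the post as evidence."""
    hits = find_exposures(post_text)
    if not hits:
        return None
    return {
        "source": source,
        "observed_utc": datetime.now(timezone.utc).isoformat(),
        "exposed_types": sorted({kind for kind, _ in hits}),
        "evidence_sha256": hashlib.sha256(post_text.encode("utf-8")).hexdigest(),
    }
```

The record stores data types and a hash rather than the matched values, so the incident log does not become another copy of the exposed PII.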

Read more: https://go.recordedfuture.com/hubfs/reports/ta-2024-0327.pdf