The word doxxing entered common use in the late 1990s on early hacker bulletin boards, a contraction of "dropping docs". The documents in question were rarely the interesting kind. They were the boring kind: a real name, a home address, an employer, the names of a spouse and children. The act was, and remains, the conversion of a person from a handle on a screen into a fixed point on a map.

That conversion is what doxxing does. It is not hacking, it does not require breaking into anything, and it almost never relies on illegally obtained data. It relies, instead, on the quiet industry of public-record aggregators and the equally quiet habit most of us have of leaving small breadcrumbs across the open web.

What doxxing is, and what it is not

Doxxing is the deliberate publication of someone's real-world identifying details — name, address, phone number, workplace, family members — typically in a venue where strangers can act on them. It is a tactic, not an outcome. The outcome is what comes next: the harassment campaign, the unwanted delivery, the visit, the call to the employer.

It is not the same as "being looked up". An old classmate finding your LinkedIn is not doxxing. A journalist naming a public official in an investigation is not doxxing in any practical sense, although the word gets stretched that way. The line, imprecise but useful, is intent: doxxing is published with the expectation that someone will use the information against you.

The seven-minute OSINT chain

The mechanics are unflattering in their simplicity. A reasonably motivated stranger, with no special tools, can usually go from a username to a street address in under ten minutes. The chain looks roughly like this.

  1. Handle. They start with what is already public — a Twitter handle, a Reddit account, a comment on a forum.
  2. Reverse image search. Your profile picture, or any photo you have ever uploaded, goes through Google Lens or PimEyes. If you have used the same image on a dating app, a professional site, and a hobby forum, all three accounts now belong to one person.
  3. Real name. One of those accounts will, almost certainly, carry your real name — a tagged photo, an old comment, a fundraiser.
  4. Aggregator dossier. The name goes into Spokeo, BeenVerified, or one of the dozens of UK equivalents like 192.com. For a few pounds, sometimes for nothing, they receive a dossier: previous addresses, relatives' names, approximate age, sometimes an email.
  5. Cross-reference. They check Companies House for directorships, the Land Registry for property ownership, the electoral roll where it is still open. Each source on its own is harmless. Stacked, they triangulate.
  6. Address. By this point, the home address is either already in the dossier or trivially inferable from the property record.
No single source in the chain is illegal, dramatic, or hidden. It is the joining of them that produces the result.

Why people do it

Motivations cluster into a small number of recognisable shapes. Understanding them is worth doing, because the defensive posture differs slightly for each.

Political harassment accounts for a great deal of contemporary doxxing — a target says something disliked online, and an organised or semi-organised group publishes their details to invite a pile-on. Fandom feuds look superficially different but operate identically, with the disputed subject being a YouTuber or a streamer rather than a politician.

Ex-partner harassment is statistically the most common form and the least discussed. It is rarely public; it usually involves a single aggrieved individual using aggregator sites to maintain unwanted surveillance of someone who has left them. Investigative journalism sits at the legitimate end of the spectrum, although the methods overlap. Extortion sits at the other end: pay, or your address goes on a forum frequented by people who enjoy that sort of thing.

The legal position in the UK

Doxxing, as such, is not a discrete offence in English law. There is no statute called the Doxxing Act. What exists, instead, is a constellation of laws under which the consequences of doxxing are usually prosecutable.

The Protection from Harassment Act 1997 makes a course of conduct that causes alarm or distress a criminal matter, and a single dox followed by a co-ordinated pile-on tends to qualify. The Malicious Communications Act 1988 covers messages sent with the intent to cause distress. The Online Safety Act 2023 introduced specific offences around threatening communications and the encouragement of self-harm, and gives Ofcom enforcement powers over the platforms themselves.

Useful in theory. In practice, prosecutions are rare and slow. The realistic defensive strategy is to make yourself a poor target in the first place.

The defensive baseline

Most defensive advice on doxxing focuses on the wrong end of the chain — telling people to use stronger passwords or avoid posting personal details. That is fine, but it ignores the chokepoint. The chokepoint is step four: the aggregators.

If your record is not on Spokeo, BeenVerified, 192.com, Pipl, and the forty-odd UK equivalents, the chain breaks. The reverse image search still works, the real name is still findable, but the dossier that turns name into address simply is not there. The stranger gives up and moves on.

Three things, in order of leverage:

  • Scrub the people-search aggregators. Each has an opt-out form. They are tedious, they expire, and the data tends to repopulate every six to twelve months from the source brokers, which is why this is a recurring chore rather than a one-off.
  • Use a separate identity for any public-facing work. A pseudonym that is genuinely separated — different email, different photo, never cross-posted — collapses the reverse-image-search step.
  • Strip EXIF metadata from any photo you post. Most modern platforms now do this automatically, but not all, and a single geotagged image is sometimes the entire chain.

If it is happening to you right now

Speed matters and panic does not help. The steps, in order:

  1. Archive the post using archive.org or a screenshot before it disappears or is edited. You will need it later.
  2. Report to the platform under their harassment or personal-information policy. Most of the major platforms remove confirmed doxxes within hours.
  3. File an Action Fraud report at actionfraud.police.uk, or call 101 if you feel physically unsafe. In the United States, this is your local police plus the FBI's IC3.
  4. Tell your employer's security team if you have one. They would much rather hear from you on a Tuesday than read about you on a Friday.
  5. Begin the scrub. The same aggregators that supplied the dossier are still supplying it. Until they are dealt with, the address remains one search away.

None of this is theatrical or technical. The thing that protects you is the thing the doxxer needed and could not find: a clean record across the data-broker layer. Get that right and most of the chain falls apart on its own.

If you would rather not work through the broker opt-out forms yourself, Nox Æterna handles all 150+ of them as a one-off, with a PDF proof at the end. It costs £89 once, and it closes the chokepoint without an account or a subscription.