Did you know that a confession is the thing that gets most criminals into jail? Not the evidence (which often is circumstantial and non permissible in court) and not the witnesses (rare). Given enough dots, anyone can form the map, its just a matter of time but a confession is the final nail in the coffin.
So keep that in mind when you are wandering the alleyways of the internet. Don’t share anything that you don’t want the world to know. No travel photos, no statuses, no show-offs.
I have been seeing a rise in people sharing their pics with their head hidden by an emoji. Don’t do that.
Follow these and stay anon:
People IRL
You have to be most careful not of the people you interact with online but the ones near you, they will see a shirt that you posted online and recognize that its you. Worse they will post about it and it may not be a loved one but just a stranger walking past you in some random restaurant.
Similarly AI will not be the one that recognize your voice and match it with some digital voiceprint (not just yet) but someone near you, that will recognize some phrases you repeat or some tonality of yours and figure it out.
Aliasing Information
It goes without saying that don’t use your work email or personal number for accounts that you don’t want others to find out. Always use some kind of aliasing information. Your IP also needs to be shielded with a VPN and a mobile proxy (or just use different cafe wifis and rotate between them).
Service Recommendations:
Email - (new) ProtonMail / Simplelogin
VPN - Windscribe
Phone - mysudo
Phone Number
Calling up your cell company and telling them to store a password for any changes in your account will prevent attacks like SIM swap.
Also lock your sims with a pin in settings. If you put incorrect Pin 3 times, it will be locked and then you have to call your SIM provider for PUK code
Hide from WHOIS
When you register for a domain name, you give out personal information. You should always opt for whois protection with your domain name provider. I recommend Namecheap as they provide it for free but if you are paranoid enough you can use njal.la
Payments to someone
Payments is by far the most difficult thing to do anonymously. You can use bitcoin but its a public blockchain which means all your transactions are visible to anyone who knows your wallet address. You can mitigate that risk by using wallets that do the masking for you but I don’t recommend that - Just use monero.
But the thing is, monero is not accepted or received everywhere. But you can fund prepaid cards with crypto, Cakepay mastercard is what I use.
Cash is by far the best way to pay anonymously, just ask around and there will be people that will send cash even from one country to another off the books.
But what I like the most are gift cards. I recommend buying them from coincards. There are multiple stores that give them out and amazon gift cards seem to be the best of the best as people need to buy stuff anyways so they are more likely to accept amazon vouchers.
Payments from someone
To receive payments you need a stripe account, just setup an LLC in wyomming with a registered agent and open up a stripe account. Your agent is the one you have to trust. But even if you don’t want that. Setup a company in Dubai or Singapore and enable crypto exchanges and stripe/paypal access. No naming the names here ofcourse.
Disinformation
Another way to confuse your enemy is to have false trails left behind. If your enemy is chasing a ghost, there resources will be wasted and you will have an advantage and some extra time.
In terms of Browser extensions I recommend adnauseam and consentomatic.
Enable autodelete of cookies in the browser and just add exceptions for certain websites.
Google yourself. What can your enemies learn?
The best way to mitigate doxxing is to clear your tracks from time to time. Your old accounts will get you sooner or later. Just search them and delete them. You can find information on what different companies store and how to delete accounts here.
Search Google for:
first name, last name and city.
different usernames
old emails
search account details in haveibeenpwned to see if your passwords are leaked.
You should use other search engines to doxx yourself also. Like yandex, brave search and bing. You should file DMCA takedowns as well, information regarding the same can be found out here, here and here.
You can use a service like tweetdeleteme (though I recommend scripts for this but you may not know how to use them) to delete your old X posts and you should browse your timeline from time to time to delete anything that may get your real identity out there.
Someone may be archiving your content on sites like web archive or archive.ph. so you should go there and make them delete your stuff.
Nuke Social Media
I recommend running JS (your browser’s programming language) scripts rather than using random services, you can DM me on twitter if you need any help regarding this.
I recommend this for reddit, this for Instagram, this for YouTube and this for twitter.
Overlapping Information
Don’t use same phrases / words across different accounts. Different accounts should ideally have different brands and from the extension of it, personalities. Your compartmentalization should be top notch. Don’t shit where you eat.
Making friends on X
The biggest reason you made an account on X is to meet like minded people and interact with them offline too, but that creates a very big attack surface.
Just slowly reveal information and slowly build up the trust, as they say, hire slowly and fire quickly. If you feel something is wrong you probably should back out. If you trust the individual from the other side of the screen, you can meet them irl.
Kill Switch
We have all seen that big red button, that clears and destroys everything so that no trail is left behind, in the movies. Turns out they are very much real. There are VPN kill switch’s, Lock screen codes to wipe phone, USB sticks to wipe laptop. setting one up is out of the scope of this article but like I mention you can DM me on twitter, I will share some links and my wisdom :P
Burning and scares
If a number is burned, throw it away. If an email is burned don’t use it, you get the point. Journal your scares. Write down where they got your info and what extent of info and what can be done to prevent it in the future. You will feel more secure having this habit under your belt as time passes.
Mark on your back
If a hunter is after you, they will catch you. So don’t make enemies and don’t create trouble that may cause someone to look for your real identity. If no one’s looking for you, no one will find you (easy, no?).
Avoid controversy wherever you can, you don’t want to get in trouble that ain’t worth your time.
Smear Campaign
The extreme case of doxxing is a campaign by a very motivated adversary that tries to harm you by using sock puppets and bot farms. If you suspect such an attack is happening please report to the platforms and preferably your country’s cyber cell.
If such a thing is happening you are probably big enough to have a security team, so well, consult them.
Post-Doxx
If you are in immediate danger, please call your local emergency number.
Be self aware about the amount of tolerance you have for harassment, and what are your feelings about what constitutes a threat. And this tolerance can change over time for eg when you have kids and other responsibilities.
Access the situation always. If you feel like a random kid is after you for fun and he is not a well motivated actor, the worse thing he can do is find your friends through Facebook and call them and tell them the embarrassing stuff in your post history.
So just keep in mind - who is after you. Your Goals and Needs should trump everything I write here.
Its a good thing that doxing is against the ToS of just about every web platform that I can think of. Be familiar with the Terms of Service of your staple platforms, file a takedown when your information does get up there. Remove your name from people-search lists, take down information about yourself, make sure that your number is unlisted from your country’s usual places for reverse number lookups.
Create a table with columns - Incident, time, date and description, in excel or your favorite table software.
Temporarily disable all your public accounts.
Take deep Breaths.
Take screenshots, with url and timestamps to form evidence for legal action. Then if you want, delete everything but this may hinder catching the enemy.
Tell your partner or anyone you trust.
Call emergency services in your locality, and if you think you are being tracked, throwaway your phone.
Call your credit cards, cell phone provider, utilities, and bank to let them know you are a target.
Change passwords, 2fa, higher privacy settings and call and report to your staple platforms’ support center.
Make a list of most important stuff you want to protect.
Set a Google alert for your name or any keywords. Add a filter in your gmail. Ask a friend to monitor your accounts and email you.
Public Examples of doxx attack
https://www.reddit.com/r/Twitch/comments/8wu3r8/got_doxxedharassed_last_stream_and_heres_what/