What is doxxing, how it works and how to protect against it
Doxxing is a major threat to everyone's privacy and security. Discover how doxing works, how to protect yourself and what to do if you fall victim, both legally and personally, to avoid maximum repercussions.
What doxxing mean?
Doxxing (also spelled doxing) is the act of revealing information that allows someone to be identified online, such as the real name, address, workplace, phone number, photos, vidéos, embarrassing details and other personal information. This information is then made public without the victim's permission.
The term "doxing" is short for "dropping dox", dox being a variant of the word "docs" for documents, and means "providing evidence" or "dropping info".
While revealing someone's personal information without their consent predates the existence the Internet, the word "doxing" first saw the light of day among cybercriminals in the 1990s, when anonymity was still a sacred notion. Arguments between rival hackers often led to the publication of "docs" about each other, previously known only under pseudonyms or aliases. These "docs" then became "dox", and the verb "drop" was added to add the notion of "revelation".
It can be used to harm opponents. Cybercriminals want to extend the conflict that took place online into the real world by providing information. Doxing attacks can range from simple site registrations using this information to display the person to more serious use such as untimely food deliveries, family harassment, false bomb threat in the workplace, identity theft, swatting or even physical attacks.
How does doxxing work?
There are lots of ways for a malicious person to find out someone's private information. Every piece of information attackers start with will be used against their target, and they're very inventive when it comes to exploiting this data.
Search by username
The username is often the first part of a search, because it's the most easily accessible piece of information with which to get the maximum amount of information. What's more, when someone finds a username that suits them, they often use it on every site they register with.
With reverse username search tools, it's possible to find all the profile pages linked to a username. All it takes is for the person to be on social networks and to provide some of their information. Or if one of the sites on which he is registered displays his email address or more personal information, the attackers have a breach of vulnerability.
Surveillance of social networks
Social networks are a godsend for the ill-intentioned. There has never been any general prevention of the dangers of giving out information on internet, especially when these are supposed to remain within the circle of family and friends. All that's needed is for the accounts to be set to public so that anyone can access them.
Even after awareness of the danger has been heightened, old and forgotten accounts created years ago can still exist, and data can be compromised. Or will remain indelibly on the Internet via cached versions of pages, archive sites, in Google search, at data brokers or even on spam sites that save tons of pages.
Cybercriminals are also capable of stalking their victims social networks for months on end, and using bots that constantly scan them to record each new post instantly, hoping for an error of inattention that will enable them to identify their target.
Search by email adresse
On the face of it, an email address is hardly a risk factor. Unless the password has been compromised, nobody is supposed to have access to it and be able to extract information from it. But even without access, they can tell you a lot.
Firstly, by analyzing what comes before the @ in the email address. It's quite common, especially in the case of business e-mail addresses, for the **first and last names to be used when creating an address for simplicity's sake. Also, if it's already taken, numbers are often added by the person so that it's unique and can be created. These numbers are rarely taken at random, and usually have some significance in the person's life, such as their year of birth or zip code. It's also possible to find a pseudonym that can lead to new information.
Secondly, as with usernames, it is possible to use reverse email tools. These can take several forms. First of all, some tools can be used to find out which sites an email address has been used to register with. It's also possible to reverse an email linked to a Google account. This allows to see the reviews posted, the places the person has been and their photos, which can give you an idea of their location. As well as the name of the account, which can be the person's first and last name or a pseudonym.
Thirdly, leaked databases with the email address inside can be used. Search engines such as Have I Been Pwned can be used to find out where it is present. All the cybercriminals need to do is download them, and they can be traced back to other sensitive information.
There are a plethora of techniques for extracting maximum information from an email address. It's impossible to draw up an exhaustive list, as there are so many possibilities, depending on the situation and the use of the address.
Database leaks and data breaches
One way that cybercriminals find information about a person is by searching leaked databases. With data such as a username, email, first or last name, IP address, phone number, physical address and more rarely passwords. They can find all leaked databases containing this information via special search engines. This can enable criminals to gain access to confidential data.
For example, the database of Zoosk, an American dating site, which leaked in 2020 and compromised the accounts of +20 million people with their date of birth, certain habits, level of education, ethnicity, gender, geographical location, income level, political opinions, religion, sexual orientation and so much other information about their users.
This was also the case for AT&T, a major US telephone service provider, in March 2024 with +49 million compromised accounts. Banorte, a Mexican bank, in August 2022 with +2 million customers.
Or Ledger, a start-up that designs and markets physical cryptocurrency wallets, which in June 2020 found itself the email addresses, name, phone number, and their physical address of +1 million customers in the wild.
There's also the very famous Collection #1 in January 2019 with a total of +2.7 billion records including 773 million email addresses and 21 million unique passwords. Making it the biggest leak database to date.
The number of pwned websites is constantly growing. Data leaks affect everyone, and can leave private, even dangerous information in plain sight due to weak security systems. This is a boon for hackers and ill-intentioned individuals looking to harm others by mining this data.
Photos shared on social networks
Sharing photos for all to see may seem harmless, but it's quite the opposite. There are many ways in which a photo can reveal much more than you think:
EXIF metadata: Hidden data called EXIF is stored in photos. It can contain information on the camera used, the date and time, GPS data, etc. Although most social networks delete this data when photos are uploaded to their servers, not all do.
Information in photos: With GEOINT, an ill-intentioned person can find out where a photo was taken using background elements such as shop signs, iconic city buildings or road signs.
Who's in the photo: Whether it's you, your friends, family or local residents who are visible in the photo you're sharing, facial recognition software can be used to track down your private information.
The best way to avoid this is never to post these photos. But if you absolutely must share them, make sure you do so in a restricted context by checking the privacy settings on your social networks, so that they are visible only to the people concerned.
Check that they cannot be referenced by search engines. And that they are inaccessible only to your friends.
Face recognition search engine
Facial recognition using artificial intelligence is a method increasingly used by cybercriminals to carry out doxing attacks. Thanks to technological advances, it is now possible to retrieve and analyze facial images from public sources such as social networks, security cameras, or even group photos.
Cybercriminals send photos of their target's face to AIs that compare similarities with a gigantic database of images and pull up all the sites containing photos of the people who most closely match. And the result is absolutely stunning.
All it takes is for the person you're looking for to be featured in the photos regularly published by their sports club, or for their work to publish photos of their seminars, for anyone with a picture of their head will be able to find them. Thanks to this, it's possible to find out a person's name, city, friends or even schedule.
Small sites of this type are never considered potentially risky, as they are often consulted by only a handful of people. Yet it's usually these sites that are crawled by facial recognition AI and used to build their databases.
Company identification numbers
Most countries give each company a unique identification number when it is set up. These numbers enable administrations, business partners, suppliers and customers to verify a company's identity and legitimacy, simplify administrative procedures and collect statistical data.
Via government public registers, anyone can consult company data such as status, directors, shareholders, addresses, accounts, etc. All it takes is for the targeted person to own or have owned a company, and that company will appear on the register.
WHOIS lookup domain name registration
The domain name of a site, whether for a company or an individual, is packed with information about its owner. With domain name WHOIS tools, unless they have been masked, it is possible to find out where the domain name was purchased, the date and time it was created, the owner's name, address, telephone number, e-mail address...
Is doxxing illegal ?
In most countries, doxing is illegal and punishable by law, as it is a practice that invades the privacy of others. It is often initiated by an angry person or group who focuses on someone as a scapegoat, with the aim of harming them. Their personal information is published without their consent.
The consequences are manifold, and the outbursts numerous. The methods used by cybercriminals to recover information from their victims are often illicit. They don't hesitate to cross the line, even breaking into secure systems or using identity theft (spear phishing) to achieve their ends.
People who have or undergo doxing and all its consequences can end up with a totally shattered life and severe lifelong trauma. Which makes it a process not to be taken lightly.
Doxxing vs OSINT: what's the difference?
Doxxing and OSINT are two terms associated with online information retrieval, but they have different connotations and methodologies.
The main difference lies in intent and ethics: the practice of doxxing violates privacy, aims to harm in a variety of ways, and illegality is no barrier to retrieving the coveted information.
OSINT, on the other hand, uses publicly available information from open sources in a legal and ethical manner. For example, as part of research or investigations by journalists, security researchers, law enforcement agencies and companies.
How to prevent doxxing?
There are proactive measures that everyone can take to reduce the risk of being doxed. Once you've set up automatic actions to remove your digital footprints, it's easy to strengthen your online security, and keep it that way.
Delete accounts you no longer use
The less information is available, the harder it is to find out about you. Deleting your mostly useless accounts makes for a cleaner online presence. It'll be harder to find information, you'll be less likely to suffer a data leak, and you'll be able to delete the overly private information you've left lying around.
Go to your email addresses, open your password managers if you have them, find out in your browser which account it has registered, remember all the email addresses you've had since you started using Internet, and make a list of all the sites you've registered with. After all, your personal blogs, Youtube channels or Facebook accounts from when you were younger, full of information and photos, probably still exist.
Once you've done this, decide which accounts are really important. For example, if you no longer intend to order from an online store, it's important to delete it, as it still stores your contact details. By deleting it, you reduce the risk of your data being leaked and found by someone else.
Once you've established which accounts you don't need, log in to each of them and delete them. This is an important step, but it can take a long time, depending on the number of accounts you have, and especially on the sites you've registered with. Some of them make it difficult to delete your data by using dark patterns or making you take absurdly long steps, with the aim of keeping it on their servers.
To simplify the task, there are tools like Just Delete Me, which are directories that direct you to direct links for deleting your accounts. Unfortunately, there are millions of sites and each one may have its own way of deleting an account from their database. Here are the most common methods for deleting accounts most of the time:
Delete button The easiest sites to unsubscribe from are those that provide a button for deleting your account. Often found in the settings, it allows you to send a deletion request directly. They will probably send you a security code or a link by email to confirm your request. Once validated, everything will be done automatically.
Contact par email For the others, you will need to send a request to the support using the address linked to your account. In most cases, it's easy to delete your account, just mention the protection of your data in the message.
They will probably ask for no further information and delete your data immediately. By contacting the support service directly, you can have all your data deleted and clearly formulate your request. Sometimes they don't actually delete the data, but simply deactivate the account.Data protection act It's very rare, but you'll only be able to delete your data if you live in a jurisdiction that requires the site administration to delete it, in Europe with the General Data Protection Regulation (GDPR) or Canada with The Personal Information Protection and Electronic Documents Act (PIPEDA).
If you don't, they'll ignore your requests or say it can't be done. Unfortunately, you'll probably have to go through qualified service providers to get things moving, and that's not likely to work.Ask Google Pages for deleting your account from sites can be hard to find. In this case, an effective way is to do a Google search with the name of the site + "delete account". Links or steps to follow are often explained on forums by other users who have been in your situation.
What should I do if I can't delete my account?
When deleting your account and related data is totally impossible. You'll need to contact organizations and agencies to do this for you. But this can be time-consuming and expensive.
If you're not ready to go that far, you can simply change all your account information with anything. Change your email to a throwaway, your username to random letters, your name or contact details to a randomly generated identity and your profile photo to an image found on Google images or an AI-generated face.
This method isn't perfect, because if they keep a history, you'll always be present in the database. However, it doesn't guarantee that this will be the case, as they may very well overwrite the information with the fake ones you've freshly saved. On top of that, it still protects you from an attacker who might try to find your public profile or search the site's API to discover hidden information.
Deleting or privatizing your information
You may not want to part with any of your accounts. You may have a progression you want to keep, a site you've put money into or a social network to communicate with your friends. Even so, you can still reduce the information it can give out about you.
Remove all unnecessary information about your life that you've entered in your settings, profile or posts. You may have put your interests, an alias, a location, a birthday, a phone number, your other social networks and so on.
Next, activate as many privacy settings as possible. For example, some social networks like Snapchat, Twitter, or Instagram, allow people with your phone number in their contact to find you. Others like Telegram, if you don't deactivate the possibility, will display your phone number on your profile and your connection activity.
Don't hesitate to delete your old publications. There's no point in letting everyone see that you've passed your driving test, that you've graduated or that you've moved to such-and-such a town. With only this personal information, people can easily dox you.
However, you should bear in mind that your information, especially if it was public, even once modified, made private or deleted, is probably still available somewhere on the internet. All it takes is for your profile to have been saved in the Wayback Machine and it will remain accessible for life, and this for every date on which it was entered on the site.
Use different usernames
To obtain information, the username is always the preferred attack vector for criminals.
The easiest way to counter this is to have a different username for each site, application or game. Even if it's better to have a totally different one for each of your accounts, if you want to keep your username, you can add numbers, extra letters, underscores, dots or by shortening it. You'll make it harder to find you, especially on sites where you need the exact link to access your profile. This will also make username search tools unusable.
The strongest winning combo is to have an ultra-common username. If you have the name of a character from a TV series, movie, video game or manga, like hundreds or even thousands of other people, it becomes absolutely impossible to know which accounts belong to you and to find out anything about you.
If you can't delete, confuse the tracks
Can't delete your data because you've lost access to your email address, or because it's spread too far and wide on internet? A crude but effective solution is to flood the internet with false information about yourself.
This is called intoxication. Create tons of profiles, but with different first and last names, photos, email addresses and usernames, and link them to the information that compromises you.
For example, if your username can be used to find an old Facebook account with your first and last name and photos. By creating lots of accounts with this username, but with totally different and contradictory information, when a person carries out a search, they'll be so drowned in a stream of information going in all directions that they won't know where to turn. They won't know which content is real and which is fake. She'll either give up or think she's on the wrong track.
Protect your IP using a VPN
You can be doxed because of your IP address. Some ill-intentioned people use IPlogger tools to collect the IP of the person who clicks on a trap link.
With your IP address, the doxxer can find out in which part of the world you live and with which operator you have your subscription. It can also be used to find out other information about you from leak databases.
Your IP address can also be used to DDOS (Distributed Denial of Service) you. This means that the attacker can saturate your Internet connection with data, rendering your browsing unusable or interrupting it.
To protect yourself, you can use LIEN VPN that mask your IP address by replacing it with that of a server, passing data through it before it reaches the sites you're visiting. And if a DDOS attack is launched on the server, all you have to do is select another one.
Protect your accounts from hacking
Doxers don't limit themselves to searching for open-source information. They don't hesitate to hack into their victims' accounts to get what they're looking for.
To protect yourself from attacks on your accounts, use different email addresses and strong passwords. That way, if your credentials leak, you'll just have to change those on the site concerned, and they can't be used to log on to other sites. It also means they can't cross-reference data to find new information.
To avoid having to recreate email addresses for every account you want to create, you can use email alias services like SimpleLogin or Firefox Relay.
They allow you to have a permanent disposable address per site, so you can hide your real email address when registering. Every e-mail you receive on your disposable aliases will be forwarded to your main email address. This ensures that the hacker can't reset passwords, and if you have any login attempts or it ends up in a database, simply delete the alias and replace it with a new one.
For passwords, you can use password managers such as LIEN dashlane, 1Password or Keepass if you prefer open source software. These allow you to have long, complex, randomly generated passwords, accessible via a master password, so you don't have to remember them.
Turn your paypal account into a professional account
When you shop online or send money with paypal to someone, your first and last name are displayed. Your address and phone number may also be displayed. If you make a transaction with someone you don't trust, they can easily dox you.
One way to prevent this is to turn your Paypal account into a professional account. You won't have to provide any paperwork. It's just a type of account that allows you to have a business name and so hide your private information. And it only takes a few minutes.
Avoid ending up in databases
If you're not careful, it's easy to end up in a database, risking the resale or leakage of your information. To minimise the risk, here's what you can do:
Do not participate in giveaways Brands sometimes offer free giveaways to potentially win prizes. But what they really want is your personal details, so they can either resell them to databrokers or sell you their products via cold calling or by sending advertising to your home and email address.
It's impossible to know exactly what they do with it, but it's best never to give it to them. For one thing, it's a pain to receive advertising. But above all, because your customer file can be shared with their business partners or leaked. It will also be very difficult for you to be removed from their databases.Don't play online quizzes Who hasn't dreamed of finding out which Simpsons character they are by taking an online quiz? On the face of it, these quizzes are fun, entertaining and harmless. But their business models are based on harvesting your personal data and reselling it. The same goes for paid polls.
They take advantage of people's ignorance to create sites filled with trackers and cross-site tracking cookies to find out about their habits, tastes, browsing history, etc. They also ask you to create an account or give your email address, which enables them to create a very complete and targeted database.Beware of fishing with false pages Phishing is a technique used by cybercriminals to trick you into thinking you're on a legitimate site, such as your bank or a company whose service you use, in order to extract confidential information such as passwords, credit card numbers or personal details.
Phishing is mainly used to steal data on a massive scale for combolist or resale purposes. In the case of people who have a grudge against you, they won't hesitate to make fake pages and send them to you to dox you.Avoid subscribing to newsletters When you're interested in a subject, you're tempted to sign up for newsletters to keep up to date and learn more about it. The people who work to provide this content rarely do it for free. The healthier model is for them to sell their own product or to do affiliate marketing, introducing you to products in the same sector. But if they're stingy or have nothing to offer you, they're probably selling the email addresses of people who have signed up.
To avoid this, use disposable email addresses, or create your own that's only used to sign up for newsletters. If they ask you for your first name, surname, phone number, etc, use fake ones, as they generally don't need your real information. By doing so, you'll remove the risk of your information getting out in the wild.
Do self doxxing
Practice self doxxing : put yourself in the shoes of someone who wants to know everything about you and find all the loopholes that open the doors to your private life. Then remove or confuse every lead that allows them to dox you.
Remove your information from search results
If you've removed all public information about yourself, you may find that these pages are still available in Google searches. It's normal for Google's robots to go over all the pages, and it can take several weeks before they disappear. That's why Google has created a form to request that obsolete content be updated.
There is also a Google de-indexing form for pages containing private information about you that cannot be deleted. This won't delete the page, but at least it won't be findable via Google's search engine. However, this method is not necessarily persistent, and the results may reappear. You'll need to check from time to time, and reapply if necessary.
How do I know if I'm Doxxed?
There's no method to ensure that no one will or has doxed you. Often, it's done on the sly and it's only once the person has found what they want and is posting or boasting about having information on you that you know. But there are approaches that can help you find out where that might be.
Search on pastebin
Some doxxers want to make your information public and easily accessible, using sites like Pastebin, a web application that lets users put pieces of text or code online, so that when someone searches with your nickname or name, anyone can find you.
If a paste with your information has been created, you can easily remove it by reporting it to Pastebin for the reason "doxing". But unfortunately, it's easy to repost the dox again and again.
On the plus side, moderation is extremely responsive to reports. When you come across a doxing link, you can report it on the page without having to create an account. As a general rule, sanctionable Pastebins are removed within 24 hours.
There are also sites like doxbin, which is the same principle as Pastebin, but specifically for sharing dox. In this case, you won't be able to delete your information, but at least you'll know.
Email alert
Sometimes the person trying to dox you isn't discreet and tries to do something, but some security is activated and sends you emails warning you that suspicious activity has been detected on one of your accounts. This doesn't mean that you've been doxed, but you can at least be sure that your information isn't really secure and act accordingly.
What are the consequences of doxxing?
The consequences of being doxed are many and can be very serious. It's a sword of Damocles hanging over the victim's head. She never knows what her tormentor is capable of, or how far he's prepared to go. And they can cause irreversible physical and mental damage, as well as destroying the victim's life.
Swatting
Swatting is a form of malicious hoax where a person calls the emergency services, usually the police, with false information about a serious and urgent situation, such as a hostage situation, a shooting, or a bomb, in order to provoke a massive and armed intervention by the forces of law and order at a specific address.
Swatting can lead to serious consequences, including injury or death, due to the violent and stressful nature of the police response. As in the case of Andrew Finch, in December 2017. An altercation between two Call of Duty players led to a fake 911 emergency call orchestrated by Swautistic, a swatting regular. The address given to the police is incorrect, and during the intervention, Andrew Thomas Finch, an innocent and unarmed resident, is killed by a police officer.
Fake pizza order
One of the methods used to harass a doxxed person is to call the home delivery services in their area. These are often pizzerias, but can also be any type of business. The aim is to order and request delivery to the victim's address.
Once the delivery driver arrives, this will create discomfort, as she will have to pay for something she didn't ask for, or refuse at the risk of angering the company into misunderstanding.
False bomb alarm
Making false bomb threats consists of calling the target's school or workplace and making it look like a terrorist has set off a bomb inside the building. The aim is to get the target to evacuate the building and send bomb disposal experts out to inspect it for hours on end, wasting everyone's time and inflicting general panic.
Blackmail and extortion
Once the desired information has been retrieved, blackmail can be exercised in exchange for money or a service for non-disclosure of personal or embarrassing information. Unfortunately, if the victim decides to pay up or comply, there's no guarantee that the blackmailer won't continue to take advantage of this vulnerability to continually extort the victim.
Contacting family members
To damage their victims' reputations, cybercriminals may find their family members or friends to send disparaging messages or invent a life for them.
They may also be able to retrace the person's life and usurp their identity with all the information they have to social-engineer their loved ones into stealing money or finding out even more.
What can I do if I've been doxxed?
If it's too late for you to delete your information or make it private, and you've been doxed, all you can do is damage control. It's important to take the wind out of the doxer's sails and reduce the risk of attacks he could potentially inflict on you.
Don't panic
Despite the determination and nuisance your opponent shows you, that doesn't mean he'll go through with it. Chances are he'll use your vulnerability just to scare you. By not panicking and showing no fear, you increase the chances that he'll leave you alone and allow you to act in an enlightened way.
Warn your family and friends
By warning your family and friends that someone with malicious intent has obtained information about you and what they might do, you can prevent them from impersonating you or spreading lies in an attempt to tarnish your reputation.
Ask to be blacklisted from services in your area
One of the first ways an ill-intentioned person will turn to attack you in real life is by calling a business that offers home delivery, or the emergency services that can come to your home.
To avoid this, open Google maps, put in your address and call each of these businesses in your area and ask them to blacklist your address. You'll also need to call the emergency services in your town to explain the problem, so they don't have to come to your place for nothing if they get a call.
File a doxing complaint
Filing a complaint after being doxed has several important benefits:
Recognition as a victim:: Filing a complaint formalizes your status as a victim, which can be important for any future proceedings.
Identifying the culprit: A complaint can trigger an investigation which may lead to the identification and criminal prosecution of the person responsible.
Evidence: The complaint creates an official record of events, useful if further legal action is required.
Deterrence: Knowing that victims will press charges can deter people from doxing or going further.
Preventive action: Authorities can take action to remove disclosed personal information and prevent further incidents.
Unfortunately, not all countries and their police forces are aware of cyber-attacks and doxing, which can lead to inaction on their part, but it's still important to lodge a complaint and alert the authorities.
Delete your social networks
A radical way to stop online harassment is to delete or at least privatize all your social networks. This will allow you to think less about it, or even to forget about it, as well as making you unattainable for your harasser, who will get bored and give up sooner or later.
Once you've spent some time under the radar, you'll be able to recreate your accounts, at best under new usernames, and return to normal use.
Concrete cases of doxing
Arion Kurtaj: The GTA VI hacker
In 2022, Arion Kurtaj decided to acquire DOXbin, following a series of online hacks and criminal activities that made him a lot of money. But he neglected to maintain the site, which angered the community.
Faced with mounting pressure, Arion claimed it wanted to sell the site back to the previous owner for just 20% of its value and withdraw. Despite the sale, Arion retains control of the site and its social networks, creating a hostage situation.
Things soon get complicated for him. He loses access to the site's Discord server, and in a desperate attempt, he offers a $100,000 reward on Twitter for whoever can dox the former owner. However, he soon loses access to the Twitter account, reducing his leverage to the DOXbin database alone.
In an act of revenge, Arion publishes the entire site's data on Telegram. This thoughtless act turns the entire DOXbin community against him, and in less than 48 hour, his identity and criminal activities are discovered and published. Arion then became the target of direct threats: individuals went to his mother's house and knocked on his door, seeking to intimidate him.
Two weeks after the data leak, Arion Kurtaj is arrested by the police. But in the absence of tangible evidence on his electronic devices, he is not held in custody. The only existing evidence comes from DOXbin, but its legal validity is questionable.
However, under pressure, Arion Kurtaj confessed to having taken part in sim swapping activities. Given his young age and particular situation, he was eventually released.
But all this doesn't stop him from continuing his illegal activities with his hacker group LAPSUS$. Who have made a name for themselves hacking into some of the world's biggest companies, including Rockstar Games and their game: GTA 6.
Shia LaBeouf VS 4chan trolls
Following the election of Donald Trump on November 8, 2016, Shia LaBeouf launched a protest movement called "He Will Not Divide Us". On January 20, 2017, he set up a live stream in New York, inviting people to repeat this slogan continuously for the duration of Trump's term.
However, the stream quickly attracts trolls from the 4chan forum, making the situation unmanageable. On February 10, after less than 20 days, the police force the stream to stop due to the unrest caused.
On March 8, 2017, Shia LaBeouf relaunched the project with a stream showing a white flag marked "He Will Not Divide Us" in an undisclosed location. It was impossible to find out where it was, as all we could see was the sky and the flag at the top of a flagpole.
But that was without counting on the members of 4chan, who used various GEOINT techniques, such as analysis of winds, clouds, ambient noise and aircraft movements, to locate the flag. They also tracked Shia's movements on social networks, which led them to Greenville, Tennessee. Using trigonometry and astronomical observation, they managed to locate the flag in just 38 hours.
Determined, Shia LaBeouf moved the livestream inside a house onto a wall with the sound muted. But he'd made a mistake - the light source wasn't artificial. The forum was able to deduce that the flag was located in the UTC+1 time zone, which corresponded to London.
They looked to see if any of the two friends with whom he'd done another project in Lapland lived in that time zone, and they did. One of them lived in London, so they searched for his address and found it. To check that it was really here, someone was sent out with a flashlight to shine through the windows to see if it was really this house, and it was.
Even if in this story the aim of the 4chan members was not to publicly display private information, but rather to troll a personality with ideas at the opposite end of the spectrum from those of the /POL/ section of the forum. The methods used are the same as those cybercriminals might use to dox someone.