The clumsy tale of a failed doxxing attempt.
On Thursday, one of my colleagues sent me a strange message he had just gotten on Facebook.
While it might seem like a somewhat innocent request, clearly, someone was trying to doxx me. I decided to reach out to the person who sent the message, whom we'll call John Smith, and see if I could find out more about what was going on.
"You always write about security and hacking, and I was like wondering whether you're really secure," he told me, adding that he was coming up empty-handed and was going to lose the bet, so he decided to reach out to some of my friends on Facebook as a "last resort."
Then, he just straight out asked me. "Could you please give me your address?"
I laughed, and told him that I'd rather not do that, wished him luck, and then didn't think more of it. Then, the next day, a hacker I used to talk to months ago reached out to me via encrypted chat.
"Quick question. Can you either confirm or deny that you live at: [REDACTED]?" the hacker said."No harm intended just a question."
I laughed since that was definitely not my address. But I wondered, could this be related to Smith's attempt?
"Could you please give me your address?"
As it turned out, it was. The hacker told me that Smith had registered to a hacking forum where the hacker is an administrator. As a rite of passage to be accepted in the forum, new members have to complete a challenge. Since Smith had claimed to be a good social engineer, the hacker challenged him to get my home address and document every step he took to get it.
Smith apparently really tried, though in a really clumsy way. I know that because the hacker sent me Smith's forum post, detailing his quest to doxx me.
"Hi, I'm back with the address," Smith claimed in his post.
He then went on to recount how he read the first five pages of Google results for my name, and then researched "multiple databases," but couldn't get any match. That made him conclude I was an "immigrant," "using a pen name," or so paranoid that I removed myself from all databases.
Then he said he read all my articles on Motherboard since mid-2015 (thanks for the clicks!), and figured out my old jobs as well as the fact that I'm from Spain (information that's openly available on my public bios). He also figured out I love my cat (wrong, I hate that guy). He also claimed to have posed as a Motherboard fan who loves my articles and wanted to talk about my cat with a friend of mine on Facebook (as far as I know, however, neither my colleague nor any of my Facebook friends took the bait and talked to him though). This friend apparently referred to me as "Loren" so Smith figured that might be my real name and said he searched for "Loren" and "Lauren" on some databases, and looked for people with a Spanish sounding last name.
"Perez is a last name used mainly on Spain, it's [sic] address is on Brooklyn, and he's 30-34 years old (we know that Lorenzo is 30 years old)," Smith wrote. "The only problem is there were 2 results, one for Lauren and one for Lorraine, but a quick research showed that Lorraine is a girls name so there was only one left: Lauren."
Bingo? Not really, no.
Amused by this whole story, I decided to message Smith again on Facebook to check in on his quest.
After some small talk, I asked him why he wanted to get into that hacker forum so badly. Smith initially pretended not to know what I was talking about—"What forum?"—but then I copied and pasted part of his post.
"Wow, now you're really good," Smith said as he seemed to get discouraged. "Considering that you're a member of that forum I really doubt I'll get your address at this rate."
For the hacker who moderates the forum, this whole process was clearly a majestic failure, and the hacker told me Smith will probably get banned. The hacker also thought this was all "pretty funny," but Smith's doxxing attempt was "terrible."
As the hacker put it, however, Smith's post "gives a real stalkery vibe." And I did feel stalked a bit. For for a short time, I was also worried that the guy could find my address and perhaps trick 911 to send the heavily armed cops of a SWAT team to my house, which is a common (and dangerous) online hoax known as SWATTING.
But strangely enough, given how clumsy his whole doxxing attempt was, it just mostly made me laugh.