fatcousin
// first 10 minutes

online doxxing (post-event triage) — quick-start

online doxxing — first 10 minutes. victim safety before osint. print this, check boxes, then run the primary tools.

checklist

  1. confirm the victim is safe and wants evidence preserved — if not, stop here and connect them to an advocate (988 · 1-800-799-7233).
  2. record UTC timestamps for when the dox was first seen, first republish, and any escalation (swatting threat, in-person contact attempt).
  3. screenshot or archive every live post and paste-site page with visible URL, account handle, and UTC clock — do not rely on memory after takedown.
  4. list every piece of PII exposed (address, phone, employer, family names, photos) in a plain text index — this drives safety planning before OSINT.
  5. copy shortened links from posts into a file and resolve redirect chains before they expire — save the full URL chain, not just the social post.
  6. pull any social exports, threat DMs, and abuse-report confirmations the victim can legally provide; hash every file sha-256 before editing.
  7. list paste-site and mirror domains in a plain text file — include full URL, first-seen date, and how the victim encountered them.
  8. run the doxxing victim investigation kit on collected exports — score exposure severity and flag critical findings.
  9. do not confront the poster, do not post public accusations, do not visit paste URLs from accounts the actor may monitor.
  10. begin the primary tool path below — on copies, not live accounts while the harasser still has shared-login access.

primary tools

  1. 01doxxing victim investigation kitdrop social posts + pii exposure logs + threat messages · build victim safety report · runs locally
  2. 02osint normalizerpaste osint dump · extract emails phones ips crypto handles · disposable tor private heuristics · e.164 · five tabs · per-category csv · runs locally
  3. 03multi-source entity resolverdrop forensic csvs · resolve names emails usernames ips across sources · probabilistic entity profiles · runs locally
  4. 04investigation knowledge graph builderdrop forensic csv exports · extract entities and relationships · knowledge graph visualization · hub and path analysis · runs locally
  5. 05domain reputation analyzerpaste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  6. 06ioc extractordrop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
  7. 07url redirect chain tracerpaste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  8. 08ai chatbot multi-account correlation analyzercorrelate AI chatbot accounts, sessions, and devices across platforms · detect multi-account usage, shared devices, account switching · runs locally

go deeper

methodology →case type tools →
ready