It sounds bad.  It is bad.  But what is it?


Doxing is shorthand for “dropping dox” (documents), a phrase invented by hackers in the 90s.  Dropping dox means to publish embarrassing or incriminating documents about a person or company online. It’s normally done to punish them for some perceived wrongdoing.

People differ on what qualifies as doxing, compared to whistleblowing or even journalism. But doxing isn’t about revealing political coverups or human rights atrocities; it’s done to cause problems for a person or group the hacker doesn’t like.


During the nineties and early 2000s, doxing wasn’t associated with extortion.  But as early as 2003, software engineers understood that combining cryptography and doxing could be a potent weapon for extortion.  That became a reality in 2017 thanks to doxware – software cybercriminals use to steal internal company data so they can threaten to dox the company unless a ransom is paid.


For years, ransomware was defined by cybercriminals gaining access to a target’s network, encrypting their data, demanding a ransom and hoping the company had no up-to-date backups.  But as ransomware became more common, more businesses invested in regular offsite backups, allowing businesses to simply restore their backups instead of paying the ransom.

Doxware was an easy way for hackers to get around this defense.  Doxware attacks also became known as double extortion attacks, because perpetrators threaten to delete a company’s internal data and publish the company’s most sensitive files online unless a ransom is paid.

While the term doxware is derived from doxing, it differs from traditional doxing in one critical way: the goal of doxware is to make money.  Cybercrminals don’t necessarily target companies that pursue activities they don’t agree with.  They’ll target anyone who they think will pay them – including professional firms, manufacturers, technology companies, first responders and even hospitals.

Triple Extortion

Recent months have brought a new doxware trend: Triple Extortion.  Targeted companies who delay paying six-to-eight-figure ransoms are starting to receive calls from their customers, who tell them the cybercriminals emailed them personally.  The email customers receive explains that hackers have acquired their sensitive information by breaching the (named) company’s network and that the company refused to pay a ransom.  Each customer is then subjected to their own ransom offer. For a fee, the hacker will delete that individual’s data from the dossier they’re planning to publish.

The Future of Ransomware, Doxware and Triple Extortion

Ransomware and doxware both started out as isolated attacks before becoming constant, daily events that yield billions of dollars of profit annually.   Will triple extortion catch on?

It’s too early to tell.  Reaching out to customers with individualized lists of stolen data is a time-consuming effort for cybercrime rings, and these individual payouts are far smaller than the huge sums they can command from the target companies themselves.  But reaching out to a company’s customers one-by-one to let them know their data was stolen also puts enormous pressure on the breached company to pay the ransom.  Triple extortion is more likely to be used as a pressure tactic going forward than an actual attempt at making a profit from third-party victims.

Whether Triple Extortion hangs around or not, Doxware and Ransomware are both here to stay.

To learn how WingSwept can help you protect yourself from a growing range of cyberthreats, call us at 919-779-0954 or email us at and ask to learn about our enhanced cybersecurity services.