One of the Worst Sites on the Internet Compromised by Hackers

Peter Smith
Canadian Anti-Hate Network

A screen capture of Doxbin’s logo.

A site dedicated to revealing private and personal details about individuals so they can be targeted for harassment or extortion became the victim of a group of computer hackers last week. 

On February 12, Doxbin’s main page was changed to read “Tooda was here.”

Doxbin’s text-only “pastes,” as they are called on the site, have been used by neo-Nazis, hackers, and the large cybercrime nexus referred to as The Com for years to share everything from addresses, phone numbers, and Social Insurance and Social Security Numbers of their targets and enemies.

Names that appear on Doxbin can be subject to harassment and in some cases swatting — when false calls are placed to law enforcement claiming a violent crime is in progress, hoping to result in an armed police response. 

The only way for a victim to have a name removed from the site is to pay. 

The site’s main page still contained numerous listings of people’s personal information, often accusing them without proof of various heinous acts—normal for Doxbin. The “pinned posts” section had been changed to include multiple entries of the personal information of Doxbin’s alleged administrator, a Romanian woman who uses the pseudonym “River” filled the top of the page. 

“You could have just continued living your sad, worthless life collecting your money from selling blacklists and gambling it away, all while you hang around other worthless losers on Discord,” a message read inside the file. “If you have purchased a blacklist in the past consider that money wasted, you will need to blame Paula for it being leaked, she alone created this situation.”

A link in this text leads to a separate website run by the hacking group Tooda, which includes an angel hanging from a noose swinging back and forth while a song by Evanescence plays automatically. Other links contain an alleged “blacklist” of names and social media accounts that cannot be posted to the site. 

Tooda alleges these are the names of people who have paid to have their information removed from Doxbin. 

Doxbin went offline shortly after reports of the hack appeared on the social media site X. After several days offline, the site appears to have resumed normal operation and Raven’s dox was removed. 

Several days after the breach, the Tooda site was updated to include a spreadsheet of usernames and email addresses the group alleged was a complete list of site accounts. The site’s accounts do not require a verification message to be received for account creation, meaning many of the emails appear to be fake—these include names like [email protected], [email protected] and multiple supposed email address made up of only racial slurs. 

Despite the obvious fakes, many of the emails and usernames can be connected to individuals in the real world. Of the over 136,000 of accounts leaked, around 50 use emails that reference Canada in some way. In total, 23 emails used to create accounts were from provincial school boards in Nova Scotia, Quebec, Ontario, Saskatchewan, Alberta, and Manitoba. 

Some school boards assign email addresses to students, as well as staff. We are investigating these emails in particular and will be contacting school boards. 

Doxbin’s administrator ran a Telegram channel that was removed by Telegram shortly after the breach. On February 12, River posted a message saying that the hacker had gained only limited access to the administrative functions of the site and claimed that the leaked lists had already been released by a former member of their team. 

Doxbin told its users that Tooda was able to get “a scrape of 60 per cent old users that were leaked beforehand.”

More details were not offered about the extent of this other leak or when it happened. The only data to currently appear on a forum used by hackers to share and sell leaked information naming Doxbin did not appear until February 11, 2025, the same day of the most recent hack.

Doxbin was previously the subject of a leak in 2022. It was reported to contain usernames, password hashes, and browser user agents, while the latest version only included usernames and emails. 

The Bin

Doxbin’s purpose is vile, but often not illegal, as it claims to rely only on publically available data. A transparency section of the website is dedicated to posting their responses to takedown requests. Some posts are taken down when the site claims the material is illegal, most posts are not. 

This does not mean that Doxbin has not had brushes with the law. 

The site is frequently used by participants in an extremist network referred to as “The Com”—a network of threat actors engaged in a wide swath of cybercrime that includes fraud, hacking, online extortion, and in some cases, real world violence.   

When two American men pleaded guilty in June 2024 to hacking into a Drug Enforcement Agency (DEA) server, the indictment against  Sagar “Weep” Singh and Nicholas “Convict” Ceraolo indicated that they worked with another individual referenced an unidentified man referred to as co-conspirator #1 (CC-1) who ran a doxing forum where victims could pay to have personal information removed.

According to cyber security reporter Brian Krebs, “CC-1’s hacker handle is “Kayte” (a.k.a. “KT“) which corresponds to the nickname of a 23-year-old man who lives with his parents in Coffs Harbor, Australia.”

Krebs adds that KT has been the administrator of Doxbin for years, even selling the site to a teenaged hacker and then later buying it back. The teenager, purported to be living in the UK, and several members of his family were then doxed on the site.