Normal view

Silent Swap: A Crypto Clipper Extension Campaign

30 June 2026 at 11:45

Authored by Neil Tyagi

Executive Summary 

McAfee Advanced Threat Research has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user initiates a transaction. The campaign is delivered through unsigned installers — observed in both .NET and Golang variants — that deploy a malicious Chromium extension masquerading as a benign “Google Notes” utility.  

This campaign is related to a previous blog published by McAfee Labs, Sinkholing CountLoader: Insights into Its Recent Campaign, as the threat actor appears to be the same behind both operations. In that earlier research, we analyzed a crypto clipper payload that was injected directly into memory. Here, we examine a different variant of the final-stage payload: a browser-based malicious extension designed to intercept and manipulate cryptocurrency transactions.  

In this report, we detail how the extension operates and provide a technical analysis of the mechanisms that make this threat particularly unique. The extension behaves as a clipboard-aware crypto clipper: it monitors copy-and-paste activity, identifies wallet addresses across multiple blockchains, and swaps them for attacker-controlled addresses just before the victim pastes the content. Because most Blockchain transactions are irreversible, even a single uninterrupted execution is enough to cause permanent financial loss. 

Two characteristics elevate this campaign above the typical clipper threat: 

  1. Chromium trust-layer abuse. The installer secretly forces a malicious browser extension into Chromium-based browsers like Google Chrome, Brave, and Microsoft Edge by modifying protected browser settings files. Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes. The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately. This allows the extension to bypass the normal extension web store installation process and load silently without user approval. However for updated Chrome and edge browser, Victim must manually turn on the developer mode for the extension to load properly, but people with outdated versions of chromium based browsers, remain at high risk. Moreover, for latest versions as well threat attacker can employ social engineering tactics to enable developer mode.
  2. Blockchain-resolved command-and-control. The extension does not contain a hardcoded C2 domain. Instead, it queries a public blockchain RPC endpoint, invokes a read-only smart-contract method, and decodes the response at runtime to reveal its active C2 observed at the time of analysis as Zebregts[.]com 

    This technique, often referred to as “EtherHiding,” complicates takedown efforts because the attacker can rotate infrastructure by updating a smart-contract value rather than redeploying malware. 

McAfee telemetry indicates a globally distributed infection footprint with a pronounced concentration in India. The breadth of the geography suggests opportunistic targeting of consumer cryptocurrency users rather than a region-specific operation. 

Geographical Prevalence  

A map of the world showing countries impacted by this cybersecurity threat.
Our research shows that these are the most affected regions of the globe.

Telemetry analysis indicates that infections are globally distributed, with a significantly higher concentration observed in India compared to other regions.  

The widespread geographic presence highlights the campaign’s broad reach, suggesting opportunistic targeting rather than a region-specific attack. 

The Malicious Extension: “Google Notes” 

This malware is masquerading as a seemingly harmless Google Notes extension. 

The malicious Google Chrome extension.
Figure 1. This image shows the malicious extension at the center of this campaign

 

The dropped extension presents as a minimalist, legitimate-looking note-taking application branded as “Google Notes,” complete with a clean icon and a functional (& simplistic) user interface.  

The cover is calculated: a user who manually opens the extension finds something that behaves as advertised, dampening suspicion. The extension’s malicious logic is implemented in background service-worker scripts and content scripts that operate entirely out of view of the UI. 

A major red flag first appears when adding the extension, which requests  security permissions and access that are disproportionate to a typical notes application: 

  • Access to all URLs , granting content-script injection into every site the user visits. 
  • Browsing history access. 
  • Read and write access to the clipboard. 

Mitigation and Recommendations 

For Consumers 

  1. Before confirming any cryptocurrency transaction, visually verify the first and last six characters of the recipient address against the original source — ideally on a separate device. This single habit defeats the overwhelming majority of clipper attacks. 
  2. Install browser extensions exclusively from the official Chrome Web Store, Edge Add-ons store, or equivalent. An extension that appears in your installed list without a clear memory of having installed it should be treated as suspicious. 
  3. Review the permissions granted to every installed extension. A note-taking tool has no legitimate need for access to all websites, browsing history, or the clipboard. 
  4. Avoid running unsigned executables obtained from non-authoritative sources, particularly those offering free or cracked versions of paid software — a common delivery vector for this category of installer. 
  5. Keep endpoint protection up to date and enabled; McAfee customers are protected against this specific campaign as described below. 

McAfee security solutions help safeguard users at multiple levels: 

1. McAfee detects this threat as CryptoStealer.NE and keeps our customers safe 

Figure 2. This image shows McAfee Antivirus blocking this threat for consumers.
Figure 2. This image shows McAfee Antivirus blocking this threat for consumers.

2. Malicious Download Protection

The installer’s behavior—downloading and executing remote payloads—is flagged and blocked by McAfee before infection completes. All the malicious domains and URLs are blocked by McAfee in our tests. 

3. Network Protection

Connections to known malicious infrastructure (C2 servers) are blocked by McAfee, preventing Wallet address retrieval 

4. Real-Time Threat Intelligence

Because this threat was identified in McAfee telemetry, protections can be rapidly deployed to: 

  • Block similar variants 
  • Detect related infrastructure 
  • Protect customers globally 

How The Threat Campaign Works 

What the Malware Does  

  1. Installs a browser extension silently (web extension sideloading) 
  2. Monitors what you copy and paste (especially crypto addresses) 
  3. Works when you are making a crypto transaction 
  4. Silently replaces the wallet address with the attacker’s address 
  5. Your funds are sent to the attacker instead of the intended recipient 

Because cryptocurrency transactions are typically non-reversible, victims may permanently lose funds. 

Figure 3. How the extension works in a nutshell
Figure 3. How the extension works in a nutshell

 

Key Capabilities Identified 

1. Silent Extension Installation 

The malware does not use the official browser store. Instead, it directly modifies browser files to make the extension appear installed. (Sideloading Browser Extension) 

This bypasses normal security prompts and user awareness. 

Figure 4. Procmon logs showing BaseZipInstaller (malicious web installer) writing into chrome and edge secure preference files
Figure 4. Procmon logs showing BaseZipInstaller (malicious web installer) writing into Chrome and Edge secure preference files

2. Full Browser Access 

Figure 5. Chrome extension Permissions required
Figure 5. Chrome extension Permissions required
Figure 6. Manifest file for web extension
Figure 6. Manifest file for web extension

The malicious extension requests excessive permissions such as: 

  • Access to all websites 
  • Reading browsing history 
  • Reading and modifying clipboard content 

3. Crypto Address Interception

The extension contains logic to detect wallet addresses across multiple cryptocurrencies, including: 

Figure 7. Hardcoded cryptocurrency Regex and fallback address
Figure 7. Hardcoded cryptocurrency Regex and fallback address
  • The fallback wallet addresses shown in the code are not used for every transaction; instead, they serve as a backup mechanism when dynamic address retrieval from the attacker-controlled server fails.  
  • Under normal operation, the extension fetches replacement addresses from a remote server, enabling dynamic and potentially per-victim wallet assignment.  
  • Fallback addresses ensure the attack remains functional even if the command-and-control infrastructure is temporarily unavailable or blocked. 
Figure 8. Malicious extension performing dynamic crypto address resolution
Figure 8. Malicious extension performing dynamic crypto address resolution
  • This function is responsible for obtaining the attacker-controlled replacement wallet address corresponding to a victim’s original address.  
  • It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address.  
  • If the backend request fails, the function falls back to a predefined hardcoded wallet address, ensuring uninterrupted malicious activity. 
  • 3J98t1Wxxxx is the address that was copied in the clipboard 

4Detection evasion and stealth 

Figure 8. settings.js file which shows config
Figure 8. Settings.js file which shows config
  • The configuration includes a hardcoded API key, which is used by the extension to authenticate communication with attacker-controlled infrastructure.  
  • An RPC URL pointing to a public blockchain node is leveraged to dynamically resolve backend server information, allowing the attacker to hide critical infrastructure behind decentralized systems.  
  • The presence of a smart contract address and method indicates that the malware retrieves its command-and-control (C2) domain indirectly via blockchain queries, making takedown and tracking more difficult. 
  • Blacklisted domains contains a list of blockchain inspection related websites where the web extension will not work , this is done to not alert the victim while he is trying to paste his own address and view the balance of his wallet or inspect his wallet transactions 
Figure 9. Resolving attacker c2 domain via etherium smart contract (etherhiding)
Figure 9. Resolving attacker C2 domain via Ethereum smart contract (etherhiding)
Figure 10. Request payload with Ethereum contract address
Figure 10. Request payload with Ethereum contract address
  • Dynamic analysis revealed that the malware resolves its command-and-control domain via a blockchain smart contract, which returned the domain devops-offensive[.]cc at runtime.  
  • The response from the blockchain is decoded at runtime, revealing the active C2 domain (devops-offensive.cc).  
  • This domain is not hardcoded, enabling the attacker to update infrastructure without modifying the malware.  
  • The resolved domain is cached locally to maintain persistence and reduce repeated network queries. 
Figure 11. This image shows the long-encoded string with the malicious domain
Figure 11. This image shows the long-encoded string with the malicious domain

This Longencoded string is decoded using this function to give the final attacker domain.

Figure 12. This image shows the final attacker domain
Figure 12. This image shows the final attacker domain

Persistence and Evasion Techniques 

The campaign’s persistence and evasion posture is deliberate and layered. The operator has clearly optimized for two properties: low visibility to the end user, and high resilience against takedown and static analysis. 

Persistence 

  • Extension registration through Secure Preferences tampering ensures the extension loads on every subsequent browser launch without requiring any auxiliary Windows persistence mechanism — no registry Run keys, scheduled tasks, or services that endpoint hunters typically inspect. 
  • Developer mode is enabled programmatically where required, allowing unpacked extensions to persist without triggering the periodic “unpacked extensions warning” flow that Chromium displays to dissuade sideloading. 
  • The cached C2 domain allows the extension to continue operating against a known-good backend even if the blockchain RPC endpoint is briefly unavailable. 

Evasion 

  • The extension’s visible identity — a simple “Google Notes” note-taking application — provides plausible cover against casual inspection of the installed extensions list. 
  • Recomputed HMAC values satisfy Chromium’s integrity verification, avoiding the “extension installed by an unknown source” warning banner that would otherwise alert the user. 
  • The installer self-deletes after execution, removing the most obvious on-disk indicator of initial compromise. 
  • C2 resolution through a public blockchain means that there is no persistent C2 domain observable in the malware bundle itself; network-based detections built against hardcoded indicators will not fire until the domain is resolved and contacted. 
  • Multi-language installer variants (.NET and Golang) reduce the effectiveness of compile-artifact and binary-feature signatures. 
  • Per-address dynamic wallet substitution means that published attacker addresses age rapidly and do not generalize into durable blocklist entries — the defender must block the backend service itself, not the addresses it dispenses. 

Wallet Substitution Logic 

The clipper logic sits in two layers: a content-script layer that monitors clipboard activity and DOM input fields across every visited origin, and a background layer that communicates with the attacker backend to retrieve replacement addresses. 

When the extension observes a copy event, it applies a set of cryptocurrency-specific regular expressions to the clipboard payload. If a match is found, the intercepted address is transmitted to the attacker’s backend over an authenticated request (authenticated with the API key embedded in the configuration). The backend responds with a replacement address specific to the submitted original, and that replacement is written back to the clipboard, overwriting the legitimate address before the victim can paste. 

Testing against a reconstructed backend client — built by re-implementing the extension’s request format and response-decoding logic in Python — produced a revealing behavioural profile: 

  • Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash: Each submitted address is mapped to a unique attacker-controlled address. Re-submitting the same original returns the same replacement, indicating a deterministic one-to-one mapping maintained server-side. 
  • Solana: All submitted addresses collapse to a single attacker address, suggesting the per-victim mapping feature is selectively implemented per chain 

Analyzing Attacker Crypto Wallets 

Based on the code snippets from the web extension responsible for retrieving replacement addresses, a Python script was prepared to programmatically extract attacker wallet addresses. The payload was crafted using the attacker’s own code, and the “get replacement address” snippet was lifted directly from it. The attacker’s logic for decoding data received from the C2 server was also faithfully reimplemented in the script. 

The script was then executed using a few test Bitcoin (BTC) wallet addresses. The results showed that for every Bitcoin address provided, a unique Bitcoin address was returned in response, and all of these returned addresses were valid BTC wallets. This indicates that for every BTC address supplied, the attacker dynamically generates a new wallet tied to that specific input address. Furthermore, when the same address was provided again, the same BTC address was returned — confirming that each victim BTC address is deterministically mapped to a single, specific attacker-controlled address. While some of these attacker wallets contained funds and others were empty, the unknown total number of attacker wallets makes it difficult to put a reliable estimate on how much cryptocurrency has been stolen overall. 

The same behavior was observed for Ethereum, where different wallet addresses were returned for each input. Interestingly, when the script was tested with Solana addresses, only a single address was returned regardless of how many different inputs were provided. This suggests that the attacker has implemented the per-address mapping feature only for specific cryptocurrencies, while others fall back to a single static drop wallet. Because the Solana address is shared across all victims, a noticeable bump in its balance is visible. Additionally, one of the Ethereum addresses uncovered was found to be holding approximately 1,902 USD worth of funds. 

In summary, the cryptocurrencies for which unique per-victim wallet addresses are generated include Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash. 

Fig 13. Payload was crafted as attacker code
Fig 13. Payload was crafted as attacker code
Fig 14.Getting replacement address code snippet taken from attacker code
Fig 14. Getting the replacement address code snippet taken from attacker code
Fig 15. Attackers logic of decoding received data from c2 was also implemented
Fig 15. Attackers’ logic of decoding received data from C2 was also implemented

Running script with few test Bitcoin Wallet addresses 

Fig 16. Every bitcoin address a unique bitcoin address was returned and All addresses are valid BTC wallet address
Fig 16. Every unique Bitcoin address was returned and all addresses are valid BTC wallet addresses
Fig 17. Similarly, Ethereum saw unique addresses
Fig 17. Similarly, Ethereum saw unique addresses
Figure 18: Running Script for Test Solana Addresses
Figure 18: Running Script for Test Solana Addresses

Luckily for Solana we are getting only 1 address when given multiple addresses. This shows that the attacker has implemented this address mapping feature only on specific cryptocurrencies 

Fig. 19 Here you can see a bump in the balance amount
Fig. 19 Here you can see a bump in the balance amount
Fig 20. ETH address was found to be having 1902 USD
Fig 20. The ETH address was found to have 1902 USD

Technical Analysis for .net file (Extension installer) 

Fig. 21 BaseZipInstaller is a .NET installer which is unsigned
Fig. 21 BaseZipInstaller is a .NET installer which is unsigned

 

Fig. 22 Stored Config as seen in Dnspy
Fig. 22 Stored Config as seen in Dnspy
  • The malware embeds a complete configuration JSON directly within the binary, eliminating the need to fetch initial setup data from external sources.  
  • This embedded configuration includes critical details such as API keys, backend server URL, targeted wallet extensions, and the full extension manifest with extensive permissions.  
Fig 23: Main function from where execution starts
Fig 23: Main function from where execution starts
  • The installer retrieves and validates a remote ZIP archive (google-services[.]cc/base[.]zip), which serves as the primary payload for deploying the malicious browser extension, marking the transition from initial infection to browser-level compromise. 
Fig. 24 The extension is created at the following location In system with files which are downloaded as base.zip.
Fig. 24 The extension is created at the following location in the system with files that are downloaded as base.zip.
Fig. 25: Dnspy showing the list of targeted browsers
Fig. 25: Dnspy showing the list of targeted browsers
  • The installer iterates through multiple Chromium-based browsers, including Chrome, Edge, Opera, and Brave, identifying available user profiles on the system.  
  • For each detected profile, the malware forcibly terminates the browser process to safely modify configuration files without interference.  
  • It then injects the malicious extension by directly modifying Secure Preferences and Preferences, enabling the extension to be loaded without user interaction. 
more code
  • The malware identifies browser installation paths by querying standard system directories, enabling it to locate user data folders for Chrome, Edge, Opera, and Brave.  
  • It systematically enumerates browser profiles and specifically looks for the presence of the Secure Preferences file, which stores critical browser configuration and extension data.  
  • By targeting profiles with Secure Preferences, the malware ensures it modifies only valid browser environments, increasing the reliability of extension injection. 
We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files
We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files
Fig 27 Attacker logic to resign the secure preference files
Fig 27 Attacker logic to resign the secure preference files
  • The malware reads and modifies the browser’s Secure Preferences file, which controls installed extensions and their trust state.  
  • It injects the malicious extension into the configuration and attempts to re-sign the modified data, making the changes appear legitimate to the browser’s integrity checks.  
  • The updated configuration is then written back to disk, ensuring the extension is loaded automatically and persists across browser restarts. 
Fig 27B :Extension path is added to chrome secure preferences file
Fig 27B :Extension path is added to chrome secure preferences file
Fig 28: Logic to Manipulate defenses of Brave Bowser
Fig 28: Logic to Manipulate defenses of Brave Bowser
  • For browsers such as Brave and Opera, the malware injects the malicious extension directly into the browser’s configuration by adding entries under the extensions.settings (or extensions.opsettings) section.  
  • It also updates integrity-related fields (protection.macs) to make the injected extension appear trusted by the browser.  
  • Additionally, the malware attempts to enable developer mode programmatically, allowing unpacked extensions to run with fewer restrictions. 
Fig 29: Attacker logic to get device ID used to further calculate integrity Values
Fig 29: Attacker logic to get device ID used to further calculate integrity Values
  • The malware attempts to recompute browser integrity signatures by generating new MAC (Message Authentication Code) values for the modified Secure Preferences file.  
  • It uses system-specific identifiers, such as the machine SID, combined with a seed value to mimic Chrome’s internal verification mechanism.  
  • By recalculating these integrity checks (macs and super_mac), the malware tries to make its unauthorized modifications appear legitimate to the browser. 
Figure 30 Self Deletion Logic
Figure 30 Self-Deletion Logic
  • The malware includes a self-deletion mechanism designed to remove the installer executable after successful execution.  
  • It launches a hidden command prompt process that delays execution briefly before deleting the original file from disk. 

Conclusion 

This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading. The operator has taken the oldest and simplest category of crypto malware — the clipper — and quietly upgraded three of its weakest links. Static attacker addresses have been replaced with a server-side, per-victim mapping. Fragile, hardcoded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction. And a fragile dropper has been replaced with a Chromium extension that lives inside the user’s most trusted application, loaded under the browser’s own integrity signature. 

McAfee will continue to track this campaign and related infrastructure. Our customers are protected by existing detections and will benefit from telemetry-driven updates as new variants and rotated infrastructure are identified. 

Indicators of Compromise (IOC)

Type  Category  Value 
SHA-256  .NET Installer (BaseZipInstaller)  2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf 

053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0 

 

SHA-256  Golang-compiled Installer Variant  11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962   

1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d   

URL  Payload distribution  hxxps://google-services[.]cc/base[.]zip 
Domain  Command-and-Control (resolved via smart contract)  devops-offensive[.]cc 

Zebregts[.]com 

BTC wallet  Crypto wallet  3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy 

1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT 

3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj 

1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX 

Artifact  Sideload target  Chromium Secure Preferences file (Chrome, Edge, Brave, Opera profiles) 
Extension files  manifest.json  

crypto-patterns.js 

 

Interceptor.js 

 

content-script.j  

 

cache.js  

 

domain-resolver.js 

 

service-worker.js 

 

api-client.js 

ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c  

daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b  

6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5 

 

a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01  

 

eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c  

6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8  

 

2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3  

ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2  

 

The post Silent Swap: A Crypto Clipper Extension Campaign appeared first on McAfee Blog.

How to Protect Yourself from Doxxing and Lock Down Your Data

By: McAfee
5 May 2026 at 17:30
Woman gamer confused at computer

You post an opinion about a contentious issue on social media. Within hours, strangers have shared your home address, your employer’s phone number, and photos of your children’s school. Your inbox floods with threats. Someone calls your workplace demanding that you be fired. A crowd shows up outside your house. What started as online speech has become a safety crisis that follows you everywhere. You’ve been doxed.

If you’re looking for real answers about how to prevent doxxing before it happens or how to respond if you’re already facing harassment, this guide provides actionable strategies to lock down your digital footprint and protect your personal information. 

Key Takeaways

  • Protect yourself from doxxing by reducing exposed data on social media, data broker sites, and public records
  • Secure your accounts with strong passwords, multi-factor authentication, and privacy-focused security tools like a VPN or antivirus protection
  • Platform-specific strategies help prevent doxxing on Discord, Twitter, and other high-risk spaces
  • If you’ve been doxxed, act immediately to document everything, remove content, and involve authorities when threats escalate

What Is Doxing?

Doxxing (sometimes spelled doxing) is the act of publicly exposing someone’s personal information online without their consent. Doxxing is often intended to harass, intimidate, or cause real‑world harm. This information can include a home address, phone number, workplace, family details, or other identifying data.

For a foundational understanding of what doxxing is, why it’s escalating, real‑world examples, and how the law treats doxxing, see our full guide on what is doxxing.

How Do People Get Doxxed? 

Your digital footprint is a jigsaw puzzle spread across the internet, with each piece alone being harmless: a tagged photo here, a WHOIS domain record there, a mention of your hometown in an old forum post. Doxers piece together these fragments using open-source intelligence techniques like reverse image searches, username lookups, and metadata analysis.

Much of the information used in doxing also comes from data brokers, which aggregate public records and purchased data sets. Plus, there are information leaks from data breaches: billions of stolen email addresses, passwords, and personal details circulating on dark web forums.

That data can be cross-referenced with your online purchases, domain registrations, avatars, usernames, and even your writing style. Then there’s what you share and what others share about you on social media. In effect, you are leaving a trail of breadcrumbs every time you interact online. 

Taken together, all these pieces create a detailed profile that doxers weaponize. Once they have your information, they post it on social media, anonymous forums, or dedicated harassment sites along with inflammatory language urging others to contact you.

Campaigns are coordinated across platforms, escalating from online harassment to email and text message threats, and sometimes physical confrontations or swatting attempts that put you in immediate danger.

How to Protect Yourself From Doxing

You shouldn’t have to make yourself invisible online, but you can significantly reduce the information available to potential doxers and make yourself a harder target. Here’s what to do:

Lock Down Your Social Media Accounts

Starting with your social media accounts, go through your privacy settings on every platform you use and maximize protection:

Immediate actions:

  • Set all accounts to private or restrict visibility to friends/followers only
  • Hide your friend lists, location data, and tagged photos from public view
  • Remove personal details like phone numbers, email addresses, birth dates, and hometown from your profile
  • Disable location services and strip metadata from photos before posting
  • Turn off check-ins and location tagging features

Audit Your Digital History:

  • Search your own name and review what appears publicly
  • Delete or edit old posts that mention your home address, children’s schools, or exact workplace
  • Ask family and friends not to tag you in posts that reveal your location or personal details
  • Review and untag yourself from photos that expose identifying information

Platform-Specific Settings:

  • Facebook: Restrict who can see your friends list, past posts, and profile information; disable facial recognition; review tags before they appear on your profile
  • Instagram: Make your account private, disable activity status, restrict comments, and carefully review follower requests before accepting
  • Twitter/X: Protect your tweets, disable photo tagging, hide sensitive content behind warnings, and enable two-factor authentication on a separate device
  • Discord: Use a unique username not tied to other accounts, disable DMs from non-friends, never share your Discord tag publicly, and avoid voice chat in public servers where your voice can be recorded

Remove Your Data from People-Finder Data Broker Sites

Data brokers are companies that mine the internet and public records for financial and credit reports, social media accounts, and more. They then sell that data to advertisers, companies, or individuals who may use it to doxx you.

You might be surprised by how much sensitive information is available to anyone who wants it. Data brokers often have contact information including real names, current and former addresses, birth dates, phone numbers, social media profiles, political affiliations, and other information most consider private.

There are two ways you can remove your personal information from data brokers or people-finder sites: manually or with an automated solution

The Manual Approach:

While you can remove your private information from many data broker sites, they tend to make the process tedious and frustrating. You’ll need to:

  • Identify which sites have your information (search for yourself on sites like Whitepages, Spokeo, BeenVerified, PeopleFinder)
  • Submit individual opt-out requests to each site
  • Follow unique removal processes for each broker (some require email verification, others need physical mail)
  • Re-check periodically as your information may reappear

The Automated Solution:

McAfee Personal Data Cleanup makes this process dramatically easier. Enter your name, date of birth, and home address, and we’ll scan it across high-risk data broker sites and help you remove it automatically.

If you plan to employ other automated data broker removal services, verify that they are reputable before handling over your information. 

Secure WHOIS Records and Domain Privacy

If you own a website, your WHOIS record publicly lists your name, address, phone number, and email unless you take action. Use WHOIS privacy protection (also called domain privacy) through your registrar to replace your personal details with the registrar’s contact information, keeping your personal data out of public domain records. Most registrars offer this service for free or a nominal fee.

Fortify Your Account Security

Anyone who gains access to your email or social media accounts through phishing or a data breach could expose your private conversations, documents, and personal details. Protect yourself with robust security measures: 

Use Strong, Unique Passwords:

  • Use passwords with at least 12-16 characters. Avoid personal information like pet names, birthdates, or family members
  • Never reuse passwords across accounts
  • Use a password manager to generate and store complex passwords securely
  • Change passwords immediately if a service you use reports a data breach

Use Multi-Factor Authentication (MFA):

  • Enable MFA on all critical accounts (email, social media, banking, work accounts)
  • Use app-based authenticators (Google Authenticator, Authy) rather than SMS when possible
  • Store backup codes in a secure location separate from your primary device

Be Vigilant against Phishing:

  • Be suspicious of unexpected emails, texts, or messages requesting login credentials
  • Always verify the sender before clicking links or providing information
  • Check URLs carefully. Phishing sites often use slight misspellings
  • Never enter credentials on a site you reached via a link in an email

Secure Your Document Storage

Keep sensitive documents, such as tax records, passport scans, and financial statements, out of easily searchable email folders or cloud storage that might be compromised. If you store them digitally, use encrypted storage with strong access controls.

Use Privacy and Security Tools

No single tool can prevent all doxing, but layered protection makes a big difference. 

Identity Monitoring Services:

Consider using identity monitoring services that alert you when your personal information appears in new data breaches, on the dark web, or elsewhere it shouldn’t be. Early detection will allow you to act before the information is weaponized.

Comprehensive security suite:

A comprehensive security suite such as McAfee+ helps protect your devices from phishing attacks, malicious websites, and malware that could compromise your accounts. 

Virtual Private Network (VPN):

When browsing on public Wi-Fi networks, your data is at greater risk of being intercepted. A virtual private network gives you an additional layer of protection by hiding your IP address and browsing activities when you’re on an unsecured network.

Encrypted Messaging:

For sensitive conversations, use end-to-end encrypted messaging apps like Signal or WhatsApp rather than standard SMS or unencrypted email.

Educate Your Family, Friends, and Colleagues

You might take every precaution, but if your partner posts a photo of your new house with the address or your colleague tags you in a work event with the location, your efforts are undermined. 

Have honest conversations:

  • Explain why you’re cautious about personal information online
  • Share specific examples of what information should stay private
  • Encourage those close to you to adopt similar privacy practices

Set Family Guidelines:

For the digitally active, younger adults and teens in your family who may not fully understand the risks of oversharing, set family guidelines about what can be posted publicly and what should remain offline. 

Workplace Training:

If you work in education, government, or a high-visibility field, suggest brief safety training sessions for staff to recognize and respond to doxing threats.

What to Do if You’ve Already Been Doxxed

If your information is already out there and you’re facing harassment, here’s how to respond quickly and effectively.

1. Assess the immediate situation

If you’re receiving threats, someone is showing up at your home with the intent to harm, or you believe you’re at risk of swatting, contact local law enforcement immediately. Your physical safety comes first. 

2. Document Everything Thoroughly

Create comprehensive evidence:

  • Take screenshots of every post, message, and webpage that shares your information or threatens you. 
  • Take note of URLs, usernames, timestamps, and platform names 
  • Save original messages and emails. Don’t just screenshot; save the actual files.
  • Record any phone calls if legally permitted in your jurisdiction
  • Keep a detailed timeline of events

These pieces of evidence are essential for pursuing legal action, getting content removed from platforms, and demonstrating the severity of the harassment to law enforcement. 

3. Get Your Content Removed

Platform Reporting:

Use the reporting tools on every platform where your private information has been illegally shared. Platforms can be slow to act, but be persistent and keep submitting reports and escalating through support channels. Clearly cite violations of the platform’s terms of service (most prohibit doxxing), and invoke your legal right to have your personal details removed. 

Remove Data from Website Operators:

If your personal information appears on websites or forums, contact the site administrators directly and request removal. Many will comply, especially if the information was posted without your consent.

Remove Data from Search Results:

Google offers a removal request process for certain types of content:

  • Doxing content (name, address, phone number)
  • Non-consensual intimate images
  • Financial information like bank account numbers
  • Government identification numbers

Submit removal requests through Google’s removal request page.

4. File a Police Report

Consider involving authorities in cases involving:

  • Explicit threats of violence
  • Stalking (repeated, unwanted contact that causes fear)
  • Swatting attempts
  • Targeted campaigns that severely disrupt your life
  • Hacking or unauthorized access to your accounts

Prepare for law enforcement:

  • Bring all your documentation (screenshots, timelines, messages)
  • Be prepared to explain what doxxing is and how it’s affecting you
  • If local police aren’t responsive, reach out to specialized cybercrime units at the state or federal level
  • Consider consulting a lawyer familiar with online harassment cases who can advocate on your behalf

5. Seek Support and Expert Guidance

Don’t face this alone. Seek support from your family, trusted friends, and professionals. Crisis communications organizations or reputation management professionals should be able to offer guidance or connect you with legal resources.

Platform-Specific Protection: Discord, X (Twitter), and Beyond

Different platforms present unique doxxing risks. Here’s how to protect yourself on high-risk spaces:

How to Avoid Getting Doxxed on Discord

Discord’s voice chat and community-focused structure create specific vulnerabilities:

Account Security:

  • Use a unique username not connected to other social media accounts or your real name
  • Enable two-factor authentication
  • Never share your email address, phone number, or Discord tag publicly
  • Use Discord’s privacy settings to limit who can DM you (friends only)

Voice Chat Precautions:

  • Be aware that voice chat can be recorded without your knowledge in public servers
  • Avoid discussing personal details, location information, or identifiable stories
  • Consider using voice modulation software for high-risk conversations

Server Safety:

  • Only join servers from trusted communities
  • Be cautious about clicking links in Discord (they can lead to IP-grabbing sites)
  • Report suspicious users immediately to server moderators

How to Prevent Doxxing on Twitter

Twitter’s public nature and engagement-driven algorithm make it a prime target for harassment campaigns:

Profile Protection:

  • Protect your tweets (make account private) if you’re at high risk
  • Remove location information from your profile and tweets
  • Don’t use your full legal name as your display name
  • Disable photo tagging to prevent being tagged in revealing photos

Engagement Strategies:

  • Be cautious about what you share publicly, especially during controversial discussions
  • Don’t share photos that reveal your location, workplace, or home
  • Block aggressive users immediately—don’t engage
  • Report coordinated harassment to Twitter’s support team

Advanced Privacy:

  • Use a separate email address for your Twitter account that doesn’t contain your real name
  • Turn on login verification (two-factor authentication)
  • Regularly review connected apps and revoke access to any you don’t recognize or use

How to Avoid Getting Doxxed as a Creator or Public Profile (TikTok, YouTube, Twitch)

Creators and public‑facing accounts face unique risks because content, schedules, and personal details are often shared at scale:

Account & Identity Separation:

  • Use creator accounts that are completely separate from personal email addresses and phone numbers
  • Never link personal social media accounts in public bios or “about” sections
  • Use business contact emails that don’t contain your real name
  • Enable two‑factor authentication on all creator platforms and connected email accounts

Content & Filming Precautions:

  • Be mindful of what appears in the background of photos and videos (windows, street signs, landmarks)
  • Avoid showing mail, packages, or documents with identifying information
  • Delay posting content shot in real‑time to prevent location tracking
  • Disable automatic location tagging and metadata whenever possible

Livestream & Interaction Safety:

  • Avoid sharing schedules, routines, or future travel plans publicly
  • Use chat moderation tools and trusted moderators during live streams
  • Immediately ban users who ask probing personal questions
  • Be cautious with donation messages or alerts that may reveal personal information

Take Control of Your Digital Footprint Today

Doxxing has become an escalating threat in our increasingly connected digital world. But you’re not powerless. By taking proactive steps to reduce your exposed data, secure your accounts, and understand how to respond if targeted, you significantly reduce your risk and increase your ability to protect yourself and your loved ones.

Start with the basics: tighten your social media settings, remove your information from data broker sites, and secure your accounts with strong passwords and multi-factor authentication. Consider installing identity monitoring services, security software, and privacy features to detect threats early and give you time to respond. McAfee+ can help you stay one step ahead of anyone trying to weaponize your information.

If you’ve been doxxed, document everything, report to platforms persistently, and involve law enforcement when threats escalate. You don’t have to face this alone; support resources and professionals are available to help you through the process.

The post How to Protect Yourself from Doxxing and Lock Down Your Data appeared first on McAfee Blog.

❌