Update 7-8-2017

Clear site: https://www.doxagram3.com
Registrar URL: http://www.eranet.com

IP address: 104.28.20.7

Update 9-6-2017

The “clearsite” has moved to: https://doxagram2.com

IP Address: 104.24.106.55

Registrar URL: https://subreg.cz/en

Both this IP address and the prior one are assigned to CloudFlare Inc.


Around August 31st 2017 Instagram suffered a major leak of user data. A group calling itself the “DoxAGram Team” claimed responsibility. In the days since, it has become known that a flaw in Instagram’s API was to blame. DoxAGram created a site where for $10 (bitcoin only) you can allegedly get the phone number and/or email address associated with an Instagram account.

DoxAGram posted the XMPP address: doxagram@jabber.calyxinstitute.org. Trying to get some accurate information (as news reports have been somewhat contradictory), I attempted to engage DoxAGram in a conversation. DoxAGram seemed a bit confused, but I clearly stated my purpose and intention up front:

infoskirmish@jwchat.org: I was hoping if you have a minute; I am involved in OSINT and related things; I am trying to get a blog off the ground and was hoping perhaps I might be able to ask a few questions of a general nature?
(10:46:54 AM) doxagram@jabber.calyxinstitute.org: ye?

I managed to ask two questions before things got a bit bizarre:

infoskirmish@jwchat.org: Thank you. First off I have seen news reports that differ; how many accounts are you claiming?
(10:49:42 AM) doxagram@jabber.calyxinstitute.org: 6613018
(10:50:37 AM) infoskirmish@jwchat.org: do you have any plans on doing an open source data dump at some point?
(10:57:52 AM) doxagram@jabber.calyxinstitute.org: no

Now the question I was dying to ask was why they would not dump the data in the future. After all, with each passing day the data becomes less useful, as people change email addresses and phone numbers. Surely the big-name celebrities whose contact data has allegedly been leaked have already changed it. Alas, despite my stated fact-seeking reason for chatting, when I asked my next question about the API flaw DoxAGram sent me:

(11:01:48 AM) doxagram@jabber.calyxinstitute.org: are you a journalist?

To which I explained again that I am trying to get this blog off the ground. *crickets*. While waiting for a response I started doing some recon and deeper research. I discovered that the Bitcoin addresses are not static and change with each account creation. I then asked:

infoskirmish@jwchat.org: how many transactions have you processed thus far?

This must have struck a nerve as the response was short and sweet:

(11:54:35 AM) doxagram@jabber.calyxinstitute.org: not interested in your 61 followers buddyu (sic)

Intel / Data

Currently there is a clear net version of DoxAGram’s database: DOXAGRAM.SU (104.27.176.157)

However, their clear net version keeps going offline, as Facebook apparently snaps up the domains that have been used. Their Tor site is located at: freakier444chaos.onion

The two Bitcoin addresses I have found thus far are:

181fzVS2FsVBhkSBSNRR7ofZ5C7CNWrQfT

1PYsZZU89uYbn33VgZ4LUXBnks78B5DvYt

… and neither one of them has had any activity.

The email address ctouma2@gmail.com has quite a bit of search history relating to various malware sites that seem to have a Chinese connection.