Clear site: https://www.doxagram3.com
Registrar URL: http://www.eranet.com
IP address: 126.96.36.199
The “clearsite” has moved to: https://doxagram2.com
IP Address: 188.8.131.52
Registrar URL: https://subreg.cz/en
Both this IP address and the prior one are assigned to CloudFlare Inc.
Around August 31st 2017 Instagram suffered a major leak of user data. A group called the “DoxAGram Team” claimed responsibility. In the days since, it has become known that a flaw in Instagram’s API was to blame. DoxAGram created a site where, for $10 (bitcoin only), you can allegedly get the phone number and/or email address associated with an Instagram account.
DoxAGram posted the XMPP address: firstname.lastname@example.org. Trying to get some accurate information (as news reports have been somewhat contradictory), I attempted to engage DoxAGram in a conversation. DoxAGram seemed a bit confused, but I clearly stated my purpose and intention in contacting them up front:
email@example.com: I was hoping if you have a minute; I am involved in OSINT and related things; I am trying to get a blog off the ground and was hoping perhaps I might be able to ask a few questions of a general nature?
(10:46:54 AM) firstname.lastname@example.org: ye?
I managed to ask two questions before things got a bit bizarre:
email@example.com: Thank you. First off I have seen news reports that differ; how many accounts are you claiming?
(10:49:42 AM) firstname.lastname@example.org: 6613018
(10:50:37 AM) email@example.com: do you have any plans on doing an open source data dump at some point?
(10:57:52 AM) firstname.lastname@example.org: no
Now the question that I was begging to ask was why they would not dump the data in the future. After all, with every day that goes by this data becomes more useless, as people change email addresses and phone numbers. Surely the big-name celebrities whose contact data has allegedly been leaked have already changed it. Alas, despite my having stated my fact-seeking reason for chatting up front, after I ask my next question about the API flaw DoxAGram sends me:
(11:01:48 AM) email@example.com: are you a journalist?
To which I explain again that I am trying to get this blog off the ground. *crickets*. As I wait for a response I start doing some recon and deeper research. I discover that the Bitcoin addresses are not static and change with each account creation. I then ask:
firstname.lastname@example.org: how many transactions have you processed thus far?
This must have struck a nerve as the response was short and sweet:
(11:54:35 AM) email@example.com: not interested in your 61 followers buddyu (sic)
Intel / Data
Currently there is a clearnet version of DoxAGram’s database: DOXAGRAM.SU (184.108.40.206)
However, their clearnet version keeps going offline, as apparently Facebook snaps up the domains that have previously been used. Their Tor site is located at: freakier444chaos.onion
The two BitCoin addresses I have found thus far are:
… and neither one of them has had any activity.
The email address firstname.lastname@example.org has quite a bit of search history relating to various malware sites that seem to have a Chinese connection.