
HKLEAKS Doxxing Explained: Role of Online Harassment Tactics to Repress 2019 Hong Kong Protests

What is this report about, and what did it find?

The report is an in-depth analysis of the doxxing campaign known as “HKLEAKS”, which began in August 2019 and for at least two years targeted protesters active in the Anti-Extradition Bill 2019-20 Hong Kong protests. 

In February 2019, the Hong Kong government proposed a bill regarding extradition, which would establish a mechanism for the transfer of fugitives to mainland China, Taiwan, and Macau. Critics claimed that it would endanger freedom of speech and civil liberties enjoyed in Hong Kong as people could be subject to arbitrary detention and unfair trials. The proposed bill sparked mass protests in Hong Kong, which the local authorities tried to violently repress.

The online campaign HKLEAKS used doxxing as its weapon of choice. Doxxing is the unauthorized public exposure of Personally Identifiable Information (PII) with the intent to cause harm to the targeted individual.

Previous analyses have examined parts of the HKLEAKS campaign, making varied assumptions about its true nature. Our research took a holistic approach, conducting an in-depth forensic examination of the campaign’s entire online footprint.

  1. It showed that HKLEAKS was most likely an inorganic, highly coordinated, and well-resourced campaign despite posing as the expression of a grassroots movement. 
  2. The report found that the campaign benefited from a broader support network that included – but was not limited to – overt governmental entities, such as a bounty campaign run by a former Hong Kong Chief Executive, as well as Chinese state media.
  3. It also found multiple indicators suggesting the campaign was carried out by operators from, or with links to, mainland China. 
  4. Additionally, the report concludes that the broader network’s diversification of tactics – including bounty campaigns, addressing international audiences with alleged grassroots anti-protest content, and overt governmental messaging – contributed to the doxxing campaign’s increased impact.

The outbreak of COVID-19, followed by the implementation of the National Security Law in Hong Kong in mid-2020, effectively muzzled the street demonstrations and brought an end to HKLEAKS. Nevertheless, this case study offers an important lesson and a potential preview of the type of targeted disinformation and doxxing campaigns that may become more common in the future.

How was this study conducted? 

After collating several pieces of publicly available analysis produced about HKLEAKS over the past few years, we made a holistic assessment of the campaign. We conducted a complete forensic analysis of its footprint, mapping out its relationships with other networks and digital assets, both in Hong Kong and in mainland China.

We then listed all the relevant evidence that we could identify, and utilized an analytical technique known as Analysis of Competing Hypotheses (ACH) to evaluate alternative scenarios answering the research question: what was the nature of the HKLEAKS campaign?

We scored the resulting four alternative scenarios for likelihood, and analyzed the evidence in support of each of them.

We highlighted technical signals that the campaign was not run by a grassroots movement as claimed, but rather by well-resourced and sophisticated actors, consistent with a government or its proxies.

What was the attribution process?

We examined the collected evidence for signals supporting the determination of the campaign operators’ identity or affiliation. We found that the HKLEAKS actors consistently went to great lengths to hide, and that as a result, a conclusive attribution without access to privileged data (i.e. the kind stored by the web hosting or social media platforms that the campaign exploited) was ultimately unattainable.

However, we identified circumstantial evidence indicating that a governmental organization likely conducted, or at a minimum actively supported, the HKLEAKS campaign. Also, we located evidence pointing to the likelihood that such an organization had linkages to mainland China.

How did the doxxers target protesters?

The actors published individual doxxing cards, each containing varied types of PII for the target person, on proprietary websites utilizing multiple permutations of an “hkleaks” web domain.

The doxxing cards were then distributed over social media and instant messaging channels. We found that the platforms predominantly used to disseminate the doxxing content were Telegram, WeChat and, at a later stage, Twitter.

While we could not identify significant dissemination of the HKLEAKS doxxing content through other broadly accessible social media platforms (notably, those owned by Meta: Facebook and Instagram), we did observe the supporting network promoting certain communities, such as specific Facebook Groups, apparently aligned with its anti-protest mission.

Can social media companies be held accountable for doxxing on their platforms? 

Legislation punishing doxxing has only started emerging in a few countries. Prosecution therefore remains difficult, as the available judicial tools often do not address doxxing as a criminal action having specific signatures. Notably, a legislative amendment ostensibly punishing doxxing was made by the Hong Kong authorities in 2022, although as we describe in the report, it has to date not been applied to the doxxing of protesters by HKLEAKS.

As with legislation, social media platforms’ policies prohibiting doxxing also appear nascent, fragmentary, and inconsistently applied. We found that large amounts of the doxxing content are still freely available on both Telegram and Twitter. On platforms where the content could have been disseminated in past years (for example, Facebook or Instagram), it is possible that it was, and that the platforms rapidly removed it. However, there is no publicly available indication that the responsible network of accounts was enforced on and barred from subsequent activity, or that the platforms have formulated dedicated policies targeting doxxing as an adversarial behavior that harms their users.

What are the avenues of redress for the victims of doxxing? 

Methods for the victims to mitigate or redress the harm caused by doxxing are generally limited. Inherently, doxxing has the effect of intimidating the targets by exposing them, and their close circles, to the pressure of a sympathetic (to the attacker) public. That impact, when achieved, can be hard to reverse.

Additionally, in the case of this particular operation, the legal options available to the targets were further neutralized by the hosting of the doxxing on acquiescent web hosting and social media platforms.

This is why a combination of effective legislation and strictly enforced online content policies against doxxing is necessary to both empower the targets and keep the offenders accountable.

In this environment, it is advisable that protesters – and more broadly, civil society actors – apply heightened standards of online privacy, as well as of digital security hygiene, including using the recommendations provided by tools such as the Consumer Reports’ Security Planner.