HONG KONG, China – Using Russia-based servers and promoted by powerful groups linked to China's ruling Communist Party, a sophisticated anonymous website is targeting Hong Kong pro-democracy figures – and there is almost no way to stop it.
"I received hundreds of threatening calls," a female reporter at Apple Daily, a pro-democracy newspaper, told AFP.
"They would call me a bitch, and a prostitute, and tell me to watch out or they would kill me."
Disclosing certain personal details, including phone numbers, without consent is illegal in Hong Kong.
Privacy Commissioner Stephen Wong said on September 17 he had ordered HK Leaks to take down all posts.
But the site remains online: on its front page, a photo of black-clad protesters with a Chinese-language banner saying: "We want to know who these people are and why they are messing up Hong Kong!"
Personal details – names, home addresses, personal telephone numbers – of hundreds of people are posted alongside details of their "misdeeds".
More than two million people follow Facebook pages that have shared HK Leaks posts, according to data from social media monitoring platform CrowdTangle.
And the site itself has received more than 175,000 unique page views, according to SiteWorthTraffic.
"I felt really helpless when I realized the site couldn't be blocked," said the reporter, who suspended her telephone number in a bid to escape the abuse.
Apple Daily obtained a court order in a bid to prevent further doxxing attacks, but her personal details remain on HK Leaks.
The problem, experts say, is that HK Leaks is a sophisticated operation specifically designed to evade prosecution.
It is registered anonymously on a Russian server, uses so-called bulletproof anonymous hosting – also favored by controversial white supremacist-linked sites such as 8chan – and has shifted domain 3 times since August alone.
In early August, the site was live as hkleaks.org, before migrating to hkleaks.ru which became defunct late October, replaced by 3 other similar domain names, with the same content on each, according to an AFP investigation.
Its listed contact email is registered on Yandex, a Russian internet services company.
"This site seems to be really well set up to reveal as little as possible and it doesn't use lots of external services, like buttons, statistics trackers, various scripts that would leak information," said Maarten Schenk, co-founder of the fact-check site Lead Stories.
It would require a court order to get the domain registrar to hand over any details, Schenk said, warning that the people behind HK Leaks could have paid in bitcoin and be untraceable anyway.
"Whoever is running this site is good at what they do," he told AFP.
HK Leaks uses DDOS-Guard, a Russia-based hosting provider, and "the IP address that is shown for the website is not that of the website itself but of the DDOS-Guard company," cybersecurity expert Brian Honan told AFP.
The site is also registered under the name of a DDOS-Guard employee, which is "part of the device which enables owners of websites to hide their identity," he added.
Some pro-democracy protesters have also doxxed Hong Kong's police, which last week obtained a court injunction giving them further protections against personal details being leaked.
Hong Kong's Privacy Commissioner for Personal Data has logged around 2,000 cases of doxxing – roughly half affecting police – since protests began in June, according to a spokesman for his office, Stephen Kai.
However the doxxing of police has been in a less co-ordinated fashion and without any specific or sophisticated website.
Meanwhile, HK Leaks has been promoted by groups linked to China's Communist Party.
These include the Chinese Communist Youth League, which has promoted the doxxing site on their official Weibo accounts.