EN
EN FR DE JA AR ES
Home | Blog | Executive Targeting Is Up 313%. Here Is What to Do About It.

Executive Targeting Is Up 313%. Here Is What to Do About It.

Written by: Orlaith Traynor

4 min readApril 19, 2026

When did your security team last check whether your CEO’s home address is on a data broker site? Do you know if there is a fake LinkedIn profile impersonating your CFO right now? And if your CISO’s credentials appeared on a dark web market this morning, how quickly would you know?

For most organisations, the honest answer to all three is: we wouldn’t. That is the problem.

Executive targeting incidents surged 313% between 2023 and 2025, reaching their highest level on record, according to the Security Executive Council. In May 2025, sites like luigiwasright.com and theceodatabase.com published the full names, mobile numbers, compensation details and home addresses of hundreds of Fortune 500 executives — no breach required. Just open-source data, assembled quietly and weaponised publicly. 16 billion credentials were exposed in a single 2025 mega-leak, with executive accounts included routinely. And 56% of CISOs still do not monitor social media for executive impersonation, according to ZeroFox — meaning most fake profiles run undetected for weeks.

Most organisations have physical security for their executives. A driver, a travel protocol, a safe room procedure. Very few have the digital equivalent. That gap is exactly where attackers operate in 2026, and it is widening.

The scale of the problem

16 billion credentials were exposed in a single 2025 mega-leak. Executive accounts — work email, VPN credentials, personal email addresses tied to corporate systems — are routinely included. When those credentials hit a dark web market, the window between exposure and active exploitation is days, not months.

56% of CISOs do not monitor social media for executive impersonation, according to ZeroFox. That means more than half of security teams have no visibility into fake LinkedIn profiles mimicking their CEO, X accounts cloned from their CFO’s identity, or WhatsApp messages purportedly from the CISO asking a finance team member to authorise a wire transfer.

17 US states now have laws that specifically address doxxing. But as our guide to US doxxing laws makes clear, those laws are built for prosecution after the fact — not prevention before it. Most require proof of malicious intent, take weeks to enforce, and cannot remove content already circulating. Legal protection ends where digital monitoring should begin.

The four ways executives are targeted in 2026

  • Doxxing rarely announces itself. It builds quietly — first in closed Telegram channels and dark web forums, then on fringe platforms, then in the open. By the time a doxxing post surfaces on X or Reddit, it has already been live for 48 to 72 hours in places your team is not monitoring. An executive’s home address, their children’s school, their daily commute — assembled from data brokers, LinkedIn, public records and leaked databases long before any public post appears.
  • Social media impersonation of executives is the fastest-growing attack vector. Fake LinkedIn profiles, cloned X accounts, WhatsApp messages appearing to come from your leadership team. These accounts are not passive — they are used actively to contact employees, customers and partners, directing them toward payment fraud, credential harvesting or malware. 56% of CISOs do not monitor social media for executive impersonation, meaning most of these accounts run undetected for weeks.
  • Credential exposure compounds every other threat. Once an executive’s work email and VPN credentials are circulating on a dark web market, attackers do not need to phish them — they can simply log in. The credentials may have come from a third-party breach, an infostealer infection on a personal device, or a data broker aggregating information across multiple leaked datasets. The executive may never know until the account takeover succeeds.
  • Physical threat escalation is the outcome no security plan anticipates until it happens. Digital targeting can escalate to physical risk faster than any incident response plan allows for. The gap between an executive’s home address appearing on a closed forum and a credible physical threat arriving at their door can be hours. That is not a hypothetical — it is the documented pattern from 2025 incidents.

What the law covers and what it doesn’t

The legal landscape is improving but fragmented. 17 US states have enacted doxxing-specific legislation and Congress has introduced a federal law carrying penalties of up to five years — but enforcement is slow, evidence requirements are high, and the damage is almost always done before any legal process begins. For security teams, waiting for the law to intervene is not a strategy. It is a gap that attackers exploit every day.

Three detection steps that work

Monitor dark web forums for executive names in real time. A mention in a closed channel today is typically a public post within 48 to 72 hours. Real-time automated monitoring of paste sites, Telegram channels and dark web forums for your executives’ names, home cities and personal email addresses is the earliest warning signal available — and it is a step most security teams have not taken.

Run a quarterly OSINT audit on your top five executives. Search each name combined with their home city, employer and personal email across data broker sites and people-search engines. Any result surfacing a home address, family member’s name or personal phone number is data an attacker can use to build a targeting package. The audit takes less than an hour per executive and should produce a list of removal requests to data brokers as its output.

Scan social platforms proactively for lookalike profiles. Most executive impersonation accounts live for weeks before anyone inside the organisation notices — because no one is looking. Automated monitoring for usernames, profile photos and bio text that match your leadership team needs to run across LinkedIn, X, Facebook and Instagram continuously. A manual check once a month is not sufficient when a fake account can be created and used for fraud within hours of going live.

The bottom line

Executive protection in 2026 means monitoring the digital channels where targeting begins — before the doxxing post goes live, before the impersonation account gains followers, before the credentials get used. The organisations that catch these threats early share one capability: continuous visibility into what is being said about their executives in closed channels, on dark web forums and across social platforms before it becomes a public incident or a physical risk.

CybelAngel monitors dark web forums, paste sites and closed channels continuously, alerting security teams when executive personal data appears before it can be weaponised.

See how CybelAngel protects your executives

About the author

Orlaith Traynor

Orlaith is a Paris-based B2B content marketing strategist specializing in cybersecurity and tech, with deep expertise in SEO, AEO, editorial planning, and CMS management. Having led content at companies like CybelAngel and PhantomBuster, she helps technology brands create content strategies that drive organic visibility and buyer trust in competitive markets.

read all the articles