JUICYJAM: How Thai Authorities Use Online Doxxing to Suppress Dissent

A sustained, coordinated social media harassment and doxxing campaign – which we codenamed JUICYJAM – targeting the pro-democracy movement in Thailand has run uninterrupted, and unchallenged, since at least August 2020. We define doxxing as the search for and the publication of an individual’s personal data on the Internet with malicious intent, in this instance, to suppress and harass the Thai pro-democracy movement. The operation utilized an inauthentic persona over multiple social media platforms (primarily X and Facebook) to target pro-democracy protesters by doxxing individuals, continuously harassing them, and instructing followers to report them to the police. Through our analysis of public social media posts we determined that the campaign was not only inauthentic, but the information revealed could not have been reasonably sourced from a private individual. Thanks to a public leak of confidential military and police documents in March 2025, we can now attribute the campaign to the Royal Thai Armed Forces and/or the Royal Thai Police. With a high rate of following and engagement across platforms, JUICYJAM is an uncommon instance of a successful state-sponsored influence operation. JUICYJAM’s tactics support a larger network of judicial harassment and democratic suppression that is infrequently enforced by social media platforms, but poses a significant threat to civil society. 

• Since at least August 2020, a coordinated social media harassment and doxxing campaign targeting the Thai pro-democracy movement has run uninterrupted and unchallenged. We codenamed it JUICYJAM. 
• Thanks to a public leak of confidential military and police documents that occurred in March 2025, we can now attribute the campaign to the Royal Thai Armed Forces and/or the Royal Thai Police, whose online repression efforts have allegedly been merged into a joint “Cyber Team” since 2023.
• The campaign operates within a broader context of dissent repression tactics, both online and offline, that closely resemble those we have previously analyzed in other regions – such as, for example, in Hong Kong.
• JUICYJAM’s longstanding, uninterrupted activity over multiple social media platforms (primarily X and Facebook) once again exposes the shortcomings of platforms in creating and enforcing policies on highly coordinated and harmful doxxing campaigns intended to suppress civil society. 
• Platforms’ policies on doxxing seldom consider the behaviour in the context of coordinated – and often state-sponsored – campaigns against civil society. They also do not consider environmental factors, such as the doxxing happening during unrest and protests.

In 2014, Thailand faced its second military coup of the century, placing a military junta – the National Council for Peace and Order – in power. The junta immediately imposed martial law, ratified a military-backed constitution, and, in 2019, the former army chief who led the coup, Prayuth Chan-o-cha, was elected Prime Minister. In July 2020, youth-led pro-democracy protests broke out across the country, demanding a more democratic constitution and reforms to the monarchy. The protesters were met with severe repression, and after a two-year pause of prosecutions, in November 2020, Prime Minister Prayuth ordered authorities to bring back the enforcement of lèse-majesté, or Section 112 of the Criminal Code, which criminalizes “insulting the monarchy”. Thailand’s use of lèse-majesté has been both arbitrary and prolific; protesters can be arrested for as little as sharing social media posts that are ‘insulting to the monarchy’. Furthermore, the weaponization of lèse-majesté has devastating consequences: those convicted under Section 112 face three to 15 years in prison per count. Thai authorities have extensively used lèse-majesté as a tool to punish pro-democracy advocates, with around 270 protesters detained and convicted since 2020.

Weaponizing the judiciary has not been enough, however. Since the 2014 coup, the Thai pro-democracy movement has been heavily targeted through various digital means. In 2022, Citizen Lab researchers uncovered an extensive espionage campaign impacting several groups within the movement, such as FreeYOUTH and WeVo. In fact, one of the authors of this report, Katekanok Wongsapakdee, was also found to be targeted.

Additionally, multiple influence operations (IOs) have been exposed for their attempts to discredit the pro-democracy movement and intimidate its members. In October 2020, the company now called X (formerly Twitter) exposed one of the most notorious online IOs targeting the Thai protest movement when it announced the removal of 926 covertly coordinated accounts. The network of accounts was attributed with high confidence to the Royal Thai Army (RTA). Twitter found the accounts to be “engaging in amplifying pro-RTA and pro-government content, as well as engaging in behavior targeting prominent political opposition figures.”

Further analysis conducted by the Stanford Internet Observatory found that this influence operation did not achieve any relevant traction with legitimate audiences. The authors state that “the accounts had few followers, the tweets received very low levels of engagement, and the magnitude of tweets is unlikely to have effectively diverted public attention”. Despite the relative investment of resources to conduct this operation, it appears to have failed.

Twitter’s takedown did not, however, stop influence operations from being deployed to repress the then still very active pro-democracy protests in Thailand. Within this context, we identified several social media campaigns for research candidates, and singled out one that appeared to show the hallmarks of a well-coordinated, and resourced, influence operation. We set out to investigate the campaign’s footprint, tactics, and to determine attribution. 

We codenamed this operation JUICYJAM.

While compiling our initial analysis on JUICYJAM, there was a significant leak of information from a Member of the Thai Parliament. On March 25, 2025, Thai MP Chayaphon Satondee, released confidential documents allegedly illustrating the influence operation’s machinery put in place by the Thai authorities to quash dissent.

It is important to clarify the following:

• We could not independently verify the documents as authentic, or complete. The documents were released by a Thai opposition MP, who claimed to have obtained them from “military and police officers who love democracy,” in the context of a general debate for a vote of no confidence in Prime Minister Paethongtarn Shinawatra.
• The MP claims the documents originated from a joint-forces “Cyber ​​Team” created in 2023. They allegedly contain the “Weekly Cyber ​​Team Operations Report” for August 17-23, 2024, or the first week after Paethongtarn Shinawatra received parliamentary approval to assume the position of Prime Minister, and the report for October 19-25, 2024, or the period after Paethongtarn assumed the position of Prime Minister. 
• We could review the available documents in detail thanks to the MP making them available on the web, which allowed us to assess them as, at the very least, highly plausible.
  • The documents’ layout, language, and alleged purpose are consistent with those from internal reports produced by a military or law enforcement agency.
  • The documents were reported about in detail by international, as well as local, media, such as the BBC.
  • What caught our attention, however, was the presence, within a set of leaked presentation slides ostensibly explaining the strategy behind the IO, of several tweets where the account’s handle was consistently cut off from the presented screenshot, as if to protect it from inadvertent exposure.
  • Through cross-comparison, we were able to confirm that the tweets seen in the documents had been posted by the X handle we had been researching as the main online asset for JUICYJAM: @jjookklong3.

If authentic, the leaked documents prove JUICYJAM to be a state-sponsored influence operation, designed to suppress the protest groups, and to counter protest narratives, through a variety of aggressive tactics.

Summary

Note: as we have done in previous research, in this report we define doxxing as the search for and the publication of an individual’s personal data on the Internet with malicious intent.

JUICYJAM is a prolific set of social media entities, particularly on X and on Facebook, working in coordination to dox and harass individuals and groups within the broader Thai pro-democracy camp. It centres around a single persona, a supposed middle-aged businesswoman going by the name of “Ms. Juk Khlong Sam”. Visually, it consistently utilizes a character from the popular Japanese Anime comic “One Piece” in its profile and cover photos.

Unlike many other influence operations, JUICYJAM can be considered as highly successful. Utilizing its visible views and engagement metrics as a proxy measure for influence, we can observe that the campaign enjoys:

• Almost 110,000 followers on its X account, with tweet views often upwards of 15,000 (peaks of more than 50,000), and a consistent flow of likes, replies, and retweets.
• A combined (non-unique) count of more than 133,000 followers on Facebook, divided between Pages (claimed to be non-official, as we will see, but reposting the X account’s same doxxing content), and a Group. An average post by one of the Facebook Pages typically achieved several hundred reactions, and dozens of comments.
• The vast majority of that audience, and of the consequent engagement, appears to be authentic – i.e. generated by real users, rather than other accounts operated by JUICYJAM.

Timeline

We can observe JUICYJAM’s activity as far back as August 2020. At that time, two identical blogs were created on separate platforms – WordPress and Blogger, respectively – only days apart. On them, the previously unseen alias “Ms. Juk Khlong Sam” published two separate posts containing photos and private information – the veracity of which we could not verify – on two alleged members of the Thai protest movement. Some of the information being exposed included the names of the individuals’ family members; the schools they attended; or the name and location of the small businesses their families owned.

The blogs were no longer updated after the two posts were made. The persona, however, lived on.

On September 1, 2020, a Twitter (now X) account was created utilizing the same alias as the blogs: @jjookklong3. The profile for the first time displayed pictures of the “Big Mom” Anime character – which will remain a constant theme for the operation across its several years of activity.

• Weeraphab Wongsaman (วีรภาพ วงษ์สมาน), also known as “Rev’’
  • The protester nicknamed “Rev” was doxxed by @jjookklong3 on March 26, 2021, after he allegedly participated in the mentioned March 20th REDEM protest. Rev became a frequent target of @jjookklong3, identifying him in protest images from May, July, August, and September 2021.
  • On May 14, 2021, he was arrested for participating in the May 2 REDEM rally and released on bail. 
  • On September 15, 2021, he was arrested for his alleged participation in the September 13 Din Daeng protest and held in pre-trial detention at the Bangkok Remand Prison. 
  • On October 29, 2021, “Rev” and another activist, Auttasit Nussa, were dragged and beaten by the police while they were in custody at the Din Daeng Police Station.
  • In November 2021, “Rev” and Auttasit filed a complaint against the police at the Din Daeng police station, and later at the Department of Special Investigation (DSI). Despite requesting CCTV footage of the incident, the police refused to give it to them. The investigation was eventually closed, as the Torture Sub-committee determined that the beating did not constitute torture.
  • On September 28, 2023, he was sentenced to three years in prison for lèse-majesté. He remains in prison since then after having been denied multiple bail requests.

Key Factors

• The notion of doxxing is only sparsely captured within the policies of the main social media platforms.  It is therefore difficult for an external reader to conclusively identify the rules and actions that the platforms promise to enact in response to its deployment.
• Moreover, as doxxing is typically framed merely as a privacy violation, the platforms’ policies do not expressly consider its use by adversarial coordinated actors, particularly in the context of state repression.
• Additionally, our analysis of JUICYJAM’s history shows that even when doxxing is specifically mentioned in policies, the related prohibitions are inconsistently enforced on.

Reviewing the Policies on Doxxing for X and Meta

In the current version of their Private Information policy (last updated in March 2024), X states: 

While JUICYJAM did primarily post pictures and videos taken at public demonstrations, it very frequently enriched them with private information and footage, including in certain cases government IDs and other official documents – which would most definitely qualify as “a breach of [the targets’] privacy” and posing “serious safety and security risks for those affected”. The continued, and highly prominent, activity and existence of the @jjookklong3 account therefore appears to be a clear failure in this policy’s enforcement by the platform.

Additionally:

• Platforms’ policies on doxxing seldom consider the behaviour in the context of coordinated – and often state-sponsored – campaigns against civil society, where the great imbalance of power between attackers and targets exponentially increases their harm, as we have seen in this report. 
• They also do not consider environmental factors, such as the doxxing happening during unrest and protests.

In 2022, these issues were addressed in a set of 17 recommendations made to Meta by the Oversight Board  in response to a request for a policy advisory opinion on “Sharing Private Residential Information”. Recommendations 11 and 12 are especially relevant to the case of JUICYJAM:

The Oversight Board’s recommendations – unlike decisions – are not binding. Neither of these recommendations were implemented by Meta at the time of publication of this report. 

• Recommendation 11 was blocked (“no further action”), with Meta deferring its intended purposes to the existing partnership with “850 safety partners globally, including helplines and organisations that work with victims of harassment, online and offline”.
• Recommendation 12 was initially labeled with “assessing feasibility”, stating that “to assess the board’s recommendation, we will first need to determine how to identify when sharing private residential information ‘is clearly related to malicious action that created a risk of violence or harassment’ and how we can log this type of information in our system.” However, the most recent update was shown to have happened on June 12, 2023. 
  • We note that in the complete list of recommendations provided by the Oversight Board to Meta, Recommendation 12 on “Sharing Private Information” is also labelled as “no further action” and “no further updates”, signalling that the company has eventually decided not to implement it.

As shown before in this report , JUICYJAM’s inauthentic persona, and its doxxing and harassing content, continues to be visible – and highly reachable – on at least four Facebook Pages, one Facebook Group, one Instagram account, and one Threads account as of April 2025.

Finally, successes in enforcing policies against coordinated doxxing do happen, occasionally. In June 2021, shortly before JUICYJAM started, Google removed two custom Google Maps that “had listed the names and addresses of hundreds of Thai activists who were accused by royalists of opposing the monarchy”. The maps had been published by a team coordinated by Songklod “Pukem” Chuenchoopol, a prominent pro-monarchy activist, with the intention of reporting everyone named to the police for lèse-majesté. We also noticed that the hashtag #CaptainPooKhem – commonly used by his supporters to amplify his posts – appears to be blocked on Facebook, returning no results. It remains however possible to post it, as can be seen on existing posts.

Government-operated doxxing campaigns are potent tools of repression, and it is no accident that they are often targeted against peaceful pro-democracy movements.  Critically, whether in Hong Kong, Thailand, or elsewhere, governments and their proxies often deploy them to complement and enhance more traditional forms of state repression, like violence and deprivation of liberty.

In the case of JUICYJAM, for example, targets of the campaign were also detained, charged, and often physically assaulted. The harm can be devastating. 

Low Risk, High Reward

While JUICYJAM was ostensibly the work of a fictitious persona, the campaign was fueled with information and content only available to government entities. The veil of plausible deniability it offered to them was sufficient for the campaign to thrive for several years before being exposed as linked to the Thai authorities. There is also no guarantee that it will stop now.

In the conclusions to our report on the HKLEAKS influence operation – which, as we have seen, followed the same general playbook as JUICYJAM – we had stated: “If digital repression is about raising the cost of activism, then the HKLEAKS case suggests that doxxing can be a fairly low risk but potentially high reward instrument of digital repression.”

Despite the extremely serious harms for the targets of doxxing campaigns, this statement continues to be accurate.

Coordinated Government-Backed Doxxing: Likely to Grow

JUICYJAM’s five-year-and-counting run in Thailand without serious disruption shows that the current tools, attention, and approach to this problem were largely insufficient to mitigate the harm caused to peaceful protesters and activists. 

Social media companies frame their limited action on doxxing as a necessary balance of freedom of expression and safety (and the difficulties of determining public vs. private information) . However, repressive states specifically deploy coordinated doxxing as a technique to punish authentic freedom of expression and threaten safety. Today, most major social media platforms are moving towards reducing, gutting, and eliminating programs originally aimed at increasing ecosystem safety and health initiatives.  Campaigns like JUICYJAM are likely to become more common as states learn from each other and operate in an increasingly permissive environment on certain platforms. The playbook stands to be repeated on a potentially global scale in a world that is seeing a continued trend of democratic decline.

On April 9, 2025, we sent emails to Meta and X with questions and recommendations to address the concerns raised by our work. At the time of publication, we had not received a response from X. While Meta acknowledged receipt, they did not answer our questions.

Our recommendations to X and Meta include:

1. Provide an easily accessible and responsive way (i.e. a hotline) for victims of doxxing to report the malicious public sharing of their private content. The content should be quickly removed after Meta and X verified it as the product of doxxing.
2. Implement instruments for Meta and X to identify, and remove, networks acting in a coordinated manner to conduct doxxing. The action should not only consist in the removal of individual pieces of content, but in the simultaneous removal, permanent ban, and subsequent monitoring of the networked actors responsible for the malicious activity.
3. Develop and implement instruments for the protection of civil society from doxxing through Meta’s and X’s platforms in hybrid and authoritarian regimes according to The Economist Democracy Index, or Partly Free and Not Free countries according Freedom House’s Freedom in the World survey. Such instruments should include appropriate solutions on both the policy and the technological side.
4. Conduct an audit on the existence and activity of potential coordinated doxxing networks, with priority on illiberal countries as defined per point above. Implement a coordinated removal of the networks confirmed as conducting doxxing. Publicly disclose proven cases of state-sponsored doxxing networks.

We would like to thank Rebekah Brown and Siena Anstis, for peer reviewing this report. Special thanks to Adam Senft and Alyson Bruce.

Research for this project was supervised by Ronald Deibert.