OnlyFans Models Are Accidentally Making Hacked Government Websites Disappear

Scammers are hijacking government websites to upload ads for “leaked” OnlyFans content. Thousands of copyright complaints from adult creators are helping people avoid malicious links.
OnlyFans Models Are Accidentally Making Hacked Government Websites Disappear
Photo-Illustration: Jobanny Cabrera; Getty Images

Adult content creator Laura Lux says she has been publishing pictures of herself online for almost two decades. She primarily posts on OnlyFans these days, but she previously used Patreon and at one point hosted her own subscription website. No matter the platform though, people have always tried to steal her content and “leak” it online. “It’s an endless battle,” says Lux, who uses her creator name for privacy reasons.

“We do lose a lot of money just because the content is literally a Google search away a lot of the time,” Lux says, describing the murky online underbelly, mostly made up of men, that shares and trades pirated adult content. However, as the adult creator economy has boomed in recent years, individual OnlyFans models and other adult creators have increasingly joined Hollywood, music studios, and publishing houses in the fight against pirated content.

Content creators have filed millions of requests under copyright laws, with successful requests under the Digital Millennium Copyright Act resulting in pages hosting stolen pictures and videos being removed from search results. “If you are not running a DMCA service, then you might as well probably not even be bothering doing the job, because it will be everywhere,” Lux says.

However, these DMCA requests, which are often made by companies representing adult content creators, have also collided with one of the internet’s long-standing problems: insecure government and university websites. More than 2,000 domains belonging to governments and education institutions, across 80 countries, have received copyright takedown requests linked to adult content creators over the past 15 years, indicating the sites may have been compromised, according to a new analysis from cybersecurity company UpGuard and shared with WIRED. Many of the sites have been repeatedly compromised amid a “dramatic” increase in hijackings related to individual adult creators and their “leaked” OnlyFans content since 2020, UpGuard’s research says.

For years, scammers have hijacked official websites, which have authoritative .gov and .edu domain names that often appear high in Google search results, to upload malicious pages and PDFs pushing claims of free movie downloads, iPhones, porn, and Fortnite skins. These pages then often link to scams or malware downloads. Increasingly, the fraudsters behind the schemes have been using the names of adult content creators to draw victims to their compromised pages.

“The OnlyFans models are not setting out to help government websites, but in order for them to police their copyright ownership, they wind up sending a lot of notices to Google about those sites,” says Greg Pollock, the director of research at UpGuard. “In some ways, because of the way the attack works, having Google remove the search result is extremely effective, because there’s no real visibility of the asset outside of Google.”

Some of these recent copyright takedown requests seen by WIRED include government and university websites in Bangladesh, Colombia, India, Nigeria, the United States, and Peru. The infected pages are common. Search results viewed by WIRED show .gov and .edu domains with pages titled “biggest leak yet” and “leaked OnlyFans” videos alongside the names of adult content creators who have millions of followers.

If clicked, the URLs in search results do not show leaked pictures or videos and often redirect visitors to scammy URLs that advertise online dating and other suspicious pages—potentially earning fraudsters money through complex advertising schemes. To upload the malicious content, scammers may exploit weaknesses or vulnerabilities in the publishing systems of websites.

Pollock’s analysis says there have been 384,286 takedown requests, covering 631,193 URLs, from adult content creators to government and education websites since 2011. The vast majority have been sent in the past few years. Of these requests, Google appears to have removed around 130,000 of these URLs, with no action being taken against 460,000, Pollock’s analysis says.

The researcher analyzed DMCA takedown data using Google’s transparency reports and Harvard University’s Lumen Database, which archives copyright notices. Pollock says he identified adult content creators by analyzing requests to known pornography “leak sites,” as well as those stemming from companies that represent adult content creators and scan the internet for their content being pirated. These were then cross referenced with requests made to .gov and .edu domains. The DMCA requests are a minuscule fraction of the total 17,917,574,286 requests, across more than 6 million domains and all types of content, made to Google since 2011.

A Google spokesperson says its anti-spam protections are “highly effective” at stopping hacked webpages from appearing in its top search results, and it has multiple methods in place to detect and warn people about sites hosting malicious content. The spokesperson says that its Chrome browser may warn people if they are about to click on a page that may be hosting “dangerous” content and that, broadly, DMCA takedown requests apply to individual pages, not entire domains.

“A compromised .gov page ranking for a trending creator’s name is a near-perfect funnel” for scammers, says Dan Purcell, the founder and CEO of Ceartas, a firm that helps creators remove pirated content online. Purcell says the company has seen compromised government and university websites that have used adult creator names as a “lure” to game search results. People looking for this content, he says, may be “primed to click recklessly” and could end up on the malicious pages. He adds, however, that copyright laws are the wrong tool for cleaning up hacked official sites.

Purcell says sending DMCA requests to compromised government and education websites is excessive and inappropriate, as the websites are clearly not intentionally advertising or hosting the content, and it is likely not a violation of copyright laws. “Just because it smells funny and looks funny doesn't mean that you just execute the most aggressive law possible to remove the content,” Purcell says. In instances where his company has come across content creators’ names being used on hacked websites, Purcell says it contacts the site’s security or administration team to alert them directly.

“The DMCA has long been attractive for complainants who have SEO, privacy, and other issues with content or links posted online,” says Jennifer Urban, a clinical professor of law at UC Berkeley. The DMCA, which was created in 1998, has been criticized for its broad implementation and potential abuse. “When takedown notices go outside copyright, the notice is questionable under the DMCA—though complainants, as here, might be very sympathetic,” Urban says.

The surge in requests to government and education websites appears, at least in part, to have largely been driven by one company, Estonia-based Rulta, that makes requests on behalf of creators, according to UpGuard’s analysis. It has made around 90 percent of the requests in the past couple of years, Pollock says. Rulta did not immediately respond to WIRED’s request for comment. However, overall, in Pollock’s analysis there are 11,000 adult-content-linked copyright owners, represented by 554 organizations, that have made requests to government and education websites.

“We file only on a good-faith belief that the page hosts our client’s copyrighted work,” says Alexander Small, a cofounder at Fanlock, a creator-founded removal company. “If a page just uses the name as bait without the content actually being there, that’s not a copyright issue, and we don't file on it.”

“It’s really important to defend government and education websites,” Pollock says. Monitoring for the names of popular models could provide a warning signal for small security teams that their infrastructure has been compromised, he says. “When that unwanted content is injected, you can often catch it with these kinds of adult content keywords.”

Lux, the OnlyFans creator who uses Rulta and whose name has been used on domains in Vietnam, South Africa, Bangladesh, Somalia, and Brazil, says she is not shocked that her brand could be abused in this way. “It’s just crazy that our names and stuff are used in that capacity,” Lux says. “It doesn't surprise me at all, because I’ve found my stuff on so many random websites.” When asked what she makes of the compromises potentially indicating to website administrators that they’ve had a breach, she says: “I guess sex workers save the world again.”