Adult Supervision: How OnlyFans takedowns quietly police compromised domains

Greg Pollock
Greg Pollock
Published Jul 08, 2026

Note: this article includes discussion of adult content.

Armed with copyright law and internet-scanning software, OnlyFans adult content creators are defending universities and governments of the world from hackers who would exploit their vulnerable websites. 

For years, bad actors have targeted weaknesses on high-authority sites to sneak unwanted results into search engines, using black-hat advertising techniques to funnel users into various online scams. With the rise in popularity of OnlyFans models, their names and likenesses have become the lures used in this tactic. But as the primary rights-holders to the content they’ve created, these models have fought back using the DMCA to remove the illegitimate, malicious results from Google. 

Thanks to Google’s DMCA Transparency Report and the Lumen Database (which provided research access for this project), we have an archaeological record of thousands of government and education domains that adult content creators have saved from further exploitation. 

Traffic distribution systems and parasite SEO

The collision between OnlyFans models and hackers begins with the development of traffic distribution systems (TDS), the complex infrastructure used by bad actors to find and monetize web users. These systems have three parts: a broad set of entry points for capturing web traffic, a routing system for deciding where to send it, and the destination sites that monetize the users through scams and malware. One major player, VexTrio, has operated for decades, receiving traffic from over 40% of compromised domains. 

Like any ad network, traffic distribution systems, as the name implies, depend on getting lots of traffic. One of the strategies employed to do so is through what Google calls parasite SEO–identifying sites with good search authority, tampering with their content, and using those sites to surface one’s own content. There are many means to this end, including identifying open redirects, reflected search poisoning, vulnerability exploitation, and more. This strategy favors targeting domains that Google considers high authority, like government and education institutions, and injecting offers for adult content because the target audience likes it.

Unwanted search results for adult content on government and education sites are a constant nuisance. At a minimum, they are bad for brand reputation. Worse, they may indicate the presence of vulnerabilities that could be exploited for more nefarious purposes, such as serving malware. Searching for strings associated with adult content, like the names of popular models, can be an effective way to identify vulnerable sites. 

Google search results for an adult content creator's name in the .edu domain space

On any given day, Google searches in the .edu and .gov domain space will surface some unwanted adult content, but it is difficult to know how pervasive this problem really is across such a wide surface area. The content itself may be a shock, but a few dozen results across such a broad surface area is not really a systemic problem. The research challenge to measure the parasite SEO across trusted digital institutions is being able to scale this detection across the internet and all adult content keywords. Both of those problems have been tackled head-on by an entirely different group. 

The rise of OnlyFans and individual copyright owners

Founded in 2016, OnlyFans grew rapidly from 2020 onward to become a part of the cultural consciousness (relax, that’s a link to a reference on SNL’s “Weekend Update”). In theory, the platform can be used to share and monetize any kind of content. In practice, a large portion of that content, with which the brand is now commonly associated, has been on the spectrum of adult content. (For our purposes, “adult content” can be defined as something that gets a clickwrap warning. In terms of our threat model, it is content from human content creators useful for parasite SEO attacks. To paraphrase Justice Stewart, we don’t have to define adult content, but attackers know it when they see it). 

OnlyFans is a platform: it provides individual content creators with software to distribute and monetize their content, but does not itself employ the creators or own the created content. Whereas similar content would previously have been largely financed and owned by studios, under a gig economy model the individuals who produce the content retain the ownership. 

With the rise of OnlyFans-like content creators, the number of copyright owners of adult content has grown from hundreds of studios to thousands of individuals, which can be seen in the DMCA takedown requests sent to Google. Since 2020, the number of unique adult content copyright owners filing DMCA takedown requests has grown to tens of thousands of entities, almost all of them individual creators. With that, the number of copyright owners filing against unique domains, including government and education domains compromised for TDS use, has also grown. 

The number of copyright owners filing DMCA requests has exploded in the OnlyFans era

Those individuals are also filing meaningful numbers of takedown requests. While Pornhub parent company MG Premium is among the top all-time reporters of infringing content when measured by URL, their reports tend to focus on millions of URLs on a small number of domains—useful for defending their IP, but not for illuminating domains compromised for parasite SEO. When measuring the number of reports issued by a reporting organization, the top reporters are brand protection agencies, followed by a few adult content holding companies, and then individual content creators. The long tail of ~10,000 individuals comprises the vast majority of filings for adult content when counted by report, and even more so when evaluating the number of unique domains each one references. 

That shift in decentralized copyright ownership created a new need in the market: tens of thousands of individuals whose work was being pirated and who needed a vendor to identify and issue takedowns. That market demand led to companies laser-focused on identifying the unlicensed use of individual models’ copyrighted content. TDS capture mechanisms promising leaked OnlyFans content would find themselves squarely within that scope. 

Identifying compromised domains using adult content DMCA requests 

Those two macro trends–TDS operators compromising reputable domains to advertise their sites, and specialized takedown vendors hunting for anyone using unlicensed creator content–have led to increased requests to Google to de-index unauthorized use of OnlyFans creators’ content. Thanks to Google’s Transparency Report, we have a record of who sent those requests and what domain hosted the allegedly infringing URL. This allows us to identify likely compromised sites: government and university domains advertising unlicensed adult content. 

Each Google request record includes a few key data points: the copyright owner, requesting organization, and allegedly infringing URL. To work out which requests were sent from adult content creators, we started with lists of known leak sites and known OnlyFans models. From the known leak sites, we derived the copyright owners and reporting organizations sending them requests. From known copyright owners, we derived all domains to which they were sending requests. Between these two methods, we could recursively discover new reporting organizations and copyright holders being infringed upon by leak sites. 

This process was generally effective, with two caveats. First, it turned out that many pieces of copyrighted but non-adult content appeared on sites otherwise focused on adult content. These included Hollywood movie studios, European football leagues, even the American Mathematical Society. Ultimately, we wound up using an LLM for a small number of cases to sift out non-adult content. 

Second, the massive increase in DMCA requests does come from a huge variety of copyright owners, but there are a small number of reporting organizations sending those on their behalf. Today, virtually all such requests are sent on behalf of individual models by a handful of software vendors focused on adult content creators, making it easy to identify them via reporting organization. 

Defending education and government websites

The vast majority of takedown requests sent on behalf of content creators were for URLs on sites where the owners intentionally redistribute unlicensed adult content. A small–but growing–percentage of those requests targeted URLs on government and university domains. When this happens, it most likely indicates a compromised domain. This happens frequently; since 2011, over two thousand unique government and education domains have been affected, many of those repeatedly, and mostly in the recent past. 

  • Scope: identified adult content requests against government or education domains
  • Date range: 2011-09-27 to 2026-05-04
  • Total takedown requests: 384,286
  • Total URLs reported: 631,193
  • Unique compromised domains: 2,167
  • Government domains: 646
  • Education domains: 1,521
  • Countries affected: 80
  • Unique copyright owners: 11,046
  • Unique reporting organizations: 554
  • URLs removed by Google: 132,266
  • URLs - no action taken: 468,407
  • URLs not in index: 20,312
  • % requests with any removal: 21.6%

The number of unique domains compromised to distribute adult content has grown dramatically since 2020. The spike in requests in 2017 should be ignored; out of 609 domains reported that year, all but 16 were part of a blast from Multi Media LLC that included many specious reports.  Skipping 2017, the trend is clear: the number of compromised domains detectable through DMCA requests from adult content owners has nearly doubled every two years. 

Unique domains referenced in takedown requests for adult content on .gov and .edu domains

While the compromise of government and education sites has grown at a steady rate, the capabilities for detecting and reporting infringement have grown much faster. The introduction of specialized vendors serving this market segment has driven such a massive increase in DMCA reports as to blow prior years off the graph. Here it is worth distinguishing the existence of the problem from visibility of the problem: actual compromise of legitimate domains has grown, but the visibility of that problem through the lens of the DMCA has grown much faster.

Count of takedown requests for adult content on .gov and .edu domains. Almost non-existent prior to 2023, now growing rapidly.

The increasing detection of compromised government and education sites, then, is driven in part by growth in attacker behavior, but also by improvements in the detection technology—built and operated specifically for individual adult content creators. More individual adult models (more copyright owners) means more keywords to search for, each of which contributes toward finding compromised sites. Indeed, more individual copyright owners filed requests against government and education sites in 2025 than all copyright owners against all sites in years prior to 2020. As more models seek to protect their content, more infringing URLs are detected. 

This problem affects countries all over the world, from top-ranked American universities to the website for the president of South Africa. Any website vulnerable to automated content tampering attacks is in scope; which websites meet that criterion vary depending on regional differences. What kinds of entities are most likely to create but not adequately maintain web presences shifts between the two groups. Universities in America have large attack surfaces that are complicated to defend; governments in Africa have their own challenges. 

Number of DMCA requests for adult content on .gov and .edu domains by region

Conclusion

The evolution of attacker behavior on the internet has led to the systematic compromise of education and government websites. At the same time, the evolution of adult content online has created a powerful detective engine for identifying those compromised sites and removing them from view of would-be victims. Thanks to the work of Google, Lumen, and their participating partners to share DMCA requests, there is a full and public archive of the intersection of those trends. 

This method of detecting website weaknesses comes with a grain of irony. Universities and governments work hard to defend their perimeters, and yet another party has proven more effective at detecting this vector entirely by accident. For lean security teams, this quizzical situation is an opportunity. The names of popular models are not hard to find–if nothing else they can be derived from the Google transparency data–and with a little search engine automation, provide excellent keywords for detecting potential brand risks on one’s own attack surface. 

UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

Protect your organization

Get in touch or book a free demo.

Related breaches

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up for our newsletter

UpGuard's monthly newsletter cuts through the noise and brings you what matters most: our breaking research, in-depth analysis of emerging threats, and actionable strategic insights.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating