Cybersecurity

Copyright Requests Help Remove Malicious Content from Hacked Government Sites

More than 2,000 government and university websites worldwide, compromised by scammers exploiting them to host fake OnlyFans leaks and other malicious ads, have been driven offline through copyright takedown requests, according to a new analysis by cybersecurity firm UpGuard. Adult content creators and their representatives have been instrumental in reporting these hijacked domains to Google, triggering removals of infected pages that funnel visitors to scams and malware.

What Happened

Scammers have increasingly exploited vulnerable government (.gov) and education (.edu) websites across 80 countries to upload malicious content falsely claiming to provide “leaked” OnlyFans videos and other pirated media. These compromised official domains rank highly in Google searches, making them effective conduits for fraudsters targeting individuals seeking adult content and free downloads.

Adult content creators and companies representing them have filed hundreds of thousands of copyright takedown requests—using the Digital Millennium Copyright Act (DMCA)—to Google and other platforms, seeking removal of unauthorized use of their content. UpGuard’s research shows that between 2011 and 2026, around 384,286 takedown requests covering more than 631,000 URLs were sent relating to content hosted on hacked government and educational sites.

Many of these requests surfaced in the past few years, coinciding with a spike in website hijackings linked to counterfeit OnlyFans leaks. A notable proportion of these requests have resulted in Google removing suspicious pages from its search results, helping to reduce exposure to fraudulent sites.

Key Facts

  • Over 2,000 government and education domains have been compromised and linked to takedown requests from adult content creators.
  • These compromised sites span more than 80 countries, including the United States, India, Colombia, Nigeria, and Peru.
  • From 2011 onwards, 384,286 DMCA takedown requests have targeted 631,193 URLs on these official domains.
  • Approximately 130,000 URLs have been removed from Google search results; 460,000 remain without action.
  • The majority of takedown notices have been made since 2020, driven in large part by Estonia-based company Rulta, which accounts for about 90% of recent requests.
  • Google employs anti-spam and browser warnings to help prevent users from accessing harmful hacked pages.
  • Scammers use compromised sites to redirect users to scammy URLs proposing online dating or other fraudulent offers, often monetized through advertising schemes.

What This Means

This widespread abuse of government and education websites highlights ongoing security challenges faced by many public institutions, whose outdated or vulnerable publishing systems are exploited by cybercriminals. The involvement of adult content creators in seeking takedown of hijacked pages represents an unexpected but effective line of defense, reducing the visibility of malicious content on trusted domains in search engines.

For internet users, this means that while such compromised pages can appear credible due to official domain names, successful copyright enforcement can help prevent exposure to scams and malware. However, the reliance on DMCA notices to police hacked government sites points to an underlying issue: these institutions often lack dedicated cybersecurity resources to detect and remediate breaches promptly.

Beyond protecting creators’ rights, monitoring for hijacked pages featuring adult content-related keywords could serve as an early warning system for administrators to identify security breaches. This demonstrates how copyright enforcement mechanisms can unintentionally support broader cybersecurity efforts, though they are not a perfect or intended solution for compromised official infrastructure.

Background

Government and university websites have long been targets for cybercriminals due to their authoritative domains and typically high search engine rankings. Historically, such hijackings have been used to push scams, malware downloads, and fraudulent offers, leveraging the trust users place in official sites. The surge in references to OnlyFans-related counterfeit content coincides with the platform’s growth and the heightened attention paid by adult creators to content piracy.

What Remains Unclear

The exact methods scammers use to breach government and education websites have not been disclosed in detail. It is also not confirmed whether all administrators of compromised domains are aware of the breaches or have been notified by either copyright holders or cybersecurity firms. Additionally, the adoption rate of security patches or remediation measures among affected websites remains unknown.

What Comes Next

Cybersecurity experts advocate for greater monitoring of official domains, especially for suspicious content featuring popular adult creator names, to provide early breach detection. Meanwhile, UpGuard and similarly positioned firms continue to analyze copyright takedown data as a proxy for uncovering compromised assets. Google has reaffirmed its commitment to removing harmful hacked pages from search results and alerting users via browser warnings.

Sources

This article is based on reporting and publicly available information from the following source:

Read more Cybersecurity stories on Goka World News.

Ethan Clarke
About the editor

Ethan Clarke

Ethan Clarke Role: Cybersecurity Editor Ethan Clarke covers cybersecurity incidents, data breaches, online threats, ransomware, software vulnerabilities, and digital safety. His reporting focuses on confirmed details, affected systems, official advisories, and practical context without making unsupported accusations.

View all posts by Ethan Clarke