Trends in Financial Sextortion: An investigation of sextortion reports in NCMEC CyberTipline data

Introduction

Sextortion – threatening to expose sexual images of someone if they don’t yield to demands- has been a source of harm to youth for some time. In the last several years, concerns about a unique type of sextortion – financial sextortion – have been on the rise. Reports of financial sextortion revolve around demands for money and predominantly target boys, and young men. In addition, financial sextortion marks the emergence of new organized offenders leveraging technology to target and extort minors at scale. 

In partnership with the National Center for Missing & Exploited Children (NCMEC), this research examines more than 15 million reports made to the CyberTipline from 2020 to 2023 to pinpoint cases of sextortion and examine the evolving scale and nature of financially motivated sextortion. Importantly, while sextortion can affect all ages, this report focuses explicitly on the sextortion of minors.

This page reviews several key findings from Thorn’s report on trends in financial sextortion and identifies opportunities for action to safeguard young people from this growing threat effectively. To read the complete research report and explore its findings in greater detail, please download the PDF.

Unlike historical sextortion reports, this surge of cases targets new groups, with 90% of victims detected in NCMEC reports being male, aged 14 to 17.

Tactics

Although, historically, sextortion has often involved more time developing a relationship with the victim and more subtle forms of coercion and manipulation (at least in the earlier phases of the abuse), the tactics seen in reports of financial sextortion to NCMEC often featured aggressive, rapid exchanges highlighting potential life-altering outcomes if victims fail to pay.

Catfishing

In the majority of cases, victims appeared to share a picture in response to images initially sent by the perpetrator, who often appeared to be impersonating another young person (usually an attractive, similarly-aged child). This approach using “catfishing” could serve to lower the victim’s inhibitions to engage while helping to evade platform policies limiting interaction between adult and minor profiles.

Of the 31% of cases where specific methods are indicated for getting imagery from the child, 70% of reports had signs of reciprocating images in response to the perpetrator sharing imagery.

However, threats were not always reliant on a victim sharing imagery. In 11% of reports with information about how images were acquired, victims report that they did not send sexual imagery of themselves but were threatened with images that were in some way fake or inauthentic. An additional 6% describe accounts being hacked or images stolen from another account.

While generative AI technologies may be involved in cases of fake or inauthentic imagery, these reports also include less technically advanced tactics. Other descriptions included using another person’s explicit imagery and threatening to say it was that of the victim, and examples of less photorealistic instances of deepfake imagery, including the child’s likeness in a sexual manner.

When these tactics show up in conversations, they are often formulaic; perpetrators use extremely similar or even identical threats against different victims as if operating off of a script designed to quickly and efficiently coerce victims to pay.

These tables showcase threats that perpetrators have repeated in this exact form four or more times over different reports:

Countdowns & Constant Contact

Perpetrators seem to employ a range of methods to attempt to make sure that their victims are required to make quick decisions, attempt to pay quickly, and do not have an opportunity to seek help from their caregivers or other sources of support.

We coded two ways in which perpetrators imposed such urgency: firstly, the use of countdowns and deadlines to make the victim rush to pay, and secondly, the demand for constant communication and access.

With countdowns and deadlines, perpetrators would give children fixed periods to encourage payment or to extract a promise of a method and amount of payment.

For the second method in which perpetrators demanded constant communication from the child, perpetrators would threaten to expose a child’s imagery if children simply disconnected from the video chat or did not respond in text chat quickly enough. 

Platforms

Sextortion does not happen in a vacuum; how children (and perpetrators) interact with platforms and specific design features can facilitate these sextortion events. We can see this by examining which platforms were used to initially contact children and which were used as a secondary location to which perpetrators would move the conversation. 

To avoid bias introduced by platform reporting behaviors, we analyzed how platforms were used in sextortion events via explicit platform mentions in the report text. Any platform mentions were coded to capture how the platform was being discussed.

Initial contact

Of the 3,276 reports that explicitly discussed how platforms were used, 576 had an “initial contact” label; a few core platforms dominate the studied reports as places used for that initial point of contact, as shown in the chart below.

Secondary contact

Thorn surveys have found that 65% of children had experienced someone attempting to get them to “move from a public chat into a private conversation on a different platform.”

This is a common event in sextortion situations, with perpetrators moving children to secondary platforms, possibly because a platform may be less likely to detect the abusive behavior and/or where the child may be more likely to share content.

When we look at platforms that were coded as being used as a “secondary location,” where a report identified that the victim was moved from one platform to another (869 reports mention such a secondary location), we found that the most common platforms to which these interactions were moved are Snapchat and GChat, as shown in the chart below. Other prominent platforms mentioned included WhatsApp, Telegram, Instagram, iMessage, Facebook, and Discord.

Private messaging environments are popular among young people sending intimate images. A recent survey of youth found that 41% of teens who shared nudes did so via  “Texting or messaging apps like WhatsApp”, 39% did so via “DM (Direct Message) in apps where the content disappears, like Snapchat”, and 30% did so via “DM (Direct Message) in the messaging feature of a social media app like Instagram or Twitter.” The next most common channel was via FaceTime or other video call/chat.

Image Dissemination

Threats often focused on the victim’s imagery being leaked in a highly public fashion, fueling fears of lasting consequences and embarrassment. A wide list of platforms were named in threats of distribution, including some with broad public reach. However, the platforms named explicitly as the location of distribution tended towards more direct network distribution rather than a general public audience.

While any experience of distribution increases the harm to the victim, fewer public points of initial distribution offer the hope of limiting the extent of exposure of the material and increase the potential to stifle wide dissemination with resources like NCMEC’s Take It Down.

The chart below shows a comparison of threatened versus actual reported sites of image leaks. When looking at reports where victims stated that their images were actually leaked, the most common distribution platform mentioned was Instagram. Additional platforms named in reports of image dissemination, but at lower volumes, included YouTube, Facebook, Snapchat, Twitter, and TikTok.

Payment

Chats frequently involve mention of payment methods or platforms. We measured named payment platforms and more general payment approaches such as gift cards or cryptocurrencies. 

The most common payment methods were CashApp and gift cards, followed by other easy-use payment apps such as PayPal and Venmo. The dominance of gift cards and Cash App has slightly increased over time relative to other payment services.

Reporting Landscape

Reporting activity across Electronic Service Providers (ESPs) relating to sextortion is widely varied, both in terms of reporting frequency and report contents. ESP reports of sextortion are currently the overwhelmingly leading signal into NCMEC that a child is being sextorted, making up 85% of the total reports of sextortion during the sampled timeframe.

Dominant reporters

Three platforms stand out as the driving force behind these numbers: reports from Instagram constitute a large percentage of all ESP reports coming in where sextortion is reported, followed by Facebook and Snapchat.

There are a number of notable changes in the trends over time for reporting platforms, shown in the chart below (these trends are purely about the reporting platform itself and thus are not necessarily proportional to where the sextortion took place).

The first is a sharp increase of cases submitted by ESPs starting in the middle of 2022; that increase could reflect the actual increase in sextortion at that time but might also reflect work that NCMEC did in raising alarms about financial sextortion to the platforms in June of 2022.

This data shows a dip in reports in the first half of 2023, but is followed by a return to this high rate by the last period studied, August 2023. This is reflected in increases both in Instagram and Snapchat data in August of 2023.

As Instagram reports constitute the majority of all reported sextortion, those changes in Instagram reports can dwarf all other trends in order to define the overall trends in sextortion.

Reporting timeframes

The time it takes for an ESP to become aware of a sextortion event (either through proactive solutions or user reporting) and subsequently assess and report the event to NCMEC impacts how closely the overall volume of reports to NCMEC reflects the volume of sextortion events over time. 

Put another way, the data suggests the dip in reports by Instagram and Facebook in May 2023 is less a reflection of a drop in sextortion activity on these platforms and more likely a reflection of changes in the content moderation pipeline submitting these reports to NCMEC.

Several things may influence the time between the event and a report to NCMEC by an ESP, not all of which are in control of the ESP submitting the report. Among them are the existence and efficacy of proactive detection practices, changes in offender tactics, dependence on user reporting, and efficiency of content moderation pipelines.

The chart below presents the median time between sextortion events and their reports for the main three sextortion-reporting platforms over the last two years, showing variable referral speeds during the studied window of reports. 

Facebook and Instagram report referrals accelerated at the beginning of the study window, stabilizing with report referrals within days of the incident for the second half of 2022. However, in 2023, report referral time increased, arriving at a median period of more than a month by August 2023.

Initial analysis of Facebook and Instagram reports from November 2023 indicates shorter report referral times. This suggests the dip followed by an increase in reporting volume may be due to slower reporting rather than an actual dip and increase in sextortion activity. 

Similarly, the data suggests the spike in report activity in late 2022 is not a result of a reporting backlog, as the time between event and report is relatively short, but may point to improved detection and/or increased sextortion activity. 

Although increasing time lags in reporting are concerning, it is important to recognize the inherent difficulties in detecting and responding to sextortion cases. We do not know if these delays are primarily due to changes in content moderation, advances in detection technology, or shifts in user or perpetrator behavior. Furthermore, we should acknowledge the positive impact of periods where platforms were swiftly responding to sextortion events and focus on how platforms can be encouraged to maintain such responsive reporting to NCMEC.

Report Contents

When an ESP observes signals suggesting immediate risk to a minor, they may utilize an “ESP escalation” field in which a report can be flagged to NCMEC for more urgent study, with a summary characterizing the event such as “This account is sextorting an apparent minor.”

Historically, Facebook and Instagram have frequently escalated sextortion cases and provided additional context, such as chat information. Snapchat had typically provided basic report information but had seldom escalated cases and rarely included chat information or child victim information.

However, reports from Snapchat have seen some increase in report detail with the addition of small chat excerpts or other information about the victim.

The timeliness and detail provided in NCMEC reports impact how quickly and effectively we are combating financial sextortion and safeguarding victims. Changes to platform design and content moderation policies, particularly when evaluating the implementation of encryption, must account for this to mitigate unintended impacts on child safety.

Gaps in reporting

The number of platform reports of sextortion is not directly equal to the number of sextortion events on that platform. In fact, higher volumes of reports can also signal increased platform investment in detecting and combating this harm type on their service. 

By examining the number of times specific platforms are mentioned in public reports (as compared to the volume of reports made to NCMEC by the individual ESPs), we can offer one tentative way to estimate how many reports one might expect. 

The chart below shows a distribution over how often platforms are mentioned in sextortion cases submitted to NCMEC by the public (via public form or hotline) over the last three years, as logged by NCMEC analysts. It shows that Snapchat is mentioned almost as often as Instagram and that there are a range of platforms that are mentioned more than 20 times in any direct reports to NCMEC.

In this data, we see gaps between how many reports of sextortion an ESP submits to NCMEC, compared to how often that ESP is mentioned in public reports. For example, while Snapchat was mentioned nearly as often as Instagram and far more than Facebook in public reports, report volume directly from the platform is almost half that of Facebook and a quarter as much as Instagram. However, the latest report period in August showed an uptick in Snapchat reports, indicating possible improvements in reporting workflows.

Similarly, Discord was mentioned in public reports at a somewhat similar pace to Omegle or Wink (all being mentioned in sextortion reports roughly once every two weeks) and half as often as WhatsApp or Wizz, but Discord submitted more reports of sextortion to NCMEC in the periods we sampled than all of those platforms combined (although some platforms such as WhatsApp may relay reports to other platforms.)

Lower rates than anticipated by comparing public and ESP reports could occur for several reasons. Some platforms may be better at proactive detection, and some parts of the sextortion experience may be more likely to be reported by the victim. In addition, some platforms may not have reporting flows that allow victims to easily convey that sextortion is occurring or may fail to pass along the data clearly to NCMEC. 

Financial payment platforms may also report to NCMEC. We observe sextortion reports from PayPal Inc., which includes both Venmo and PayPal. Other financial service companies are not registered to report to NCMEC, or do not make substantive reports, for example, Block Inc., which includes CashApp, the most commonly mentioned payment platform in sextortion reports we examined.