Over the past three months I set up an Ashley Madison throwaway — burner email, prepaid Visa, fake name, generic “discreet, just exploring” profile. Secondary tests on a few other adult platforms (a cam site, an OnlyFans alternative) confirmed similar inbox patterns, but Ashley Madison was the primary test case. Goal: find out what actually happens to your data and your inbox in 2026 the moment you so much as touch this corner of the internet.
The first Bitcoin sextortion emails started landing within two weeks. More followed across the months that came after. Inside the apps, on-platform extortion attempts kicked off the moment any throwaway uploaded a profile photo. None of these scammers had anything real on me. All of them assumed they did. Which, mathematically, is enough.
This is what the adult-internet scam ecosystem actually looks like in 2026: three distinct plays that work across the category, fueled by a decade of breach data that’s now cheaper than coffee on the dark web. Here’s what’s active, what works against each of them, and why no platform’s “we fixed it” PR helps you when the source data has been public since 2015.
TLDR — what you’re walking into
- Threat level: high and ongoing — fueled by breach data going back to 2015
- Active in 2026: 3 distinct scam plays running across adult platforms
- Typical demand: $1,000–$2,000 in Bitcoin, escalating after first payment
- Real risk: lower than scammers want you to think, but real enough to wreck your week
- What works: never reply, never pay, change reused passwords, document evidence
A decade of breach ammo — where this all comes from
Adult-site scammers don’t need to hack anything new in 2026. They’ve already got a decade of breach data sitting on cybercrime forums, refreshed and aggregated into combo lists every few months. Two breaches did most of the damage:
Ashley Madison, July 2015 — approximately 36 million accounts. The Impact Team hack exposed names, home addresses, sexual preferences, signup dates, credit card transactions. The technical postmortem was almost cartoonish: passwords were hashed with bcrypt (genuinely strong) but the encryption keys themselves sat in plain text in a Google Drive folder, per the FTC’s later complaint. About 1,200 Saudi Arabian .sa addresses appeared in the leak — in a country where adultery carries the death penalty. Thousands of US .mil and .gov addresses too. Two unconfirmed suicides were initially linked to the leak by Toronto Police, with at least one confirmed case — a seminary professor in New Orleans whose family attributed his death to the public exposure.
Friend Finder Networks, October 2016 — 412 million accounts. Bigger than Ashley Madison by an order of magnitude. Six properties hit simultaneously: AdultFriendFinder (339M accounts), Cams.com (62M), Penthouse.com (7M), Stripshow.com (1.4M), iCams.com (1.1M), and an unknown sixth domain (~35K). Per LeakedSource’s analysis, 99% of passwords were stored either in plain text or hashed with the deprecated SHA-1 algorithm. FFN also kept 15 million “deleted” accounts in the database after users had asked for them to be removed — the same retention fraud Ashley Madison had been caught running a year earlier. About 5,600 US .gov addresses and 78,000 US .mil addresses appeared in the leak. This was FFN’s second breach in 18 months (the first hit AdultFriendFinder in May 2015, exposing 3.5M accounts).
Modern combo aggregations bundle this old breach data with newer leaks and resell it. Examples include the Naz.API leak (71M unique credentials, mostly harvested from infostealer malware rather than third-party breaches), the Combo List 93M circulating since early 2026, and the Collection #1-5 series totaling over 2.2 billion records. None of these are themselves adult-site breaches — but they include adult-site data alongside everything else, repackaged and sold for as little as $5 per dump.
What this means in practice: if your email appeared in either the AM or FFN breach, your record is now floating in multiple combo lists, accessible to anyone with $5 and a Tor browser. That’s the ammunition behind every play that follows.
Scam play 1 — Bitcoin sextortion emails
This is the high-volume baseline. Fully automated, costless to scale, and the first thing most adult-platform throwaways trigger within days of signup.
The format: Your name or username in the subject line. Personalized opening referencing a specific adult site — most often Ashley Madison if your email appeared in the 2015 breach, sometimes Adult Friend Finder if you were caught in the 2016 dump, sometimes whichever combo list the scammer is currently working through. They paste in an old password from an unrelated breach as “proof” they’ve been inside your accounts. Then the threat: pay $1,000–$2,000 in Bitcoin within 6 days or your spouse, your employer, and your Facebook friends will receive a dossier of your activity.
The evolution since 2020 is well documented. Vade Secure and Hornetsecurity flagged the first big Ashley Madison-themed wave five years after that breach, when scammers started using actual leaked data points — signup dates, usernames, interest fields — to make threats feel credible. By 2024 the script got harder to filter out: ransom demands moved into password-protected PDFs attached to the email, Bitcoin wallet addresses got embedded as QR codes to bypass URL scanners, and some variants now paste the entire threat as a single screenshot image because spam filters can’t read pixels.
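The three delivery formats described above (plain-text demand, password-protected PDF, threat pasted as an image) can be triaged on the receiving side with a few structural checks. The Python below is an added example, not code from the original article or from the vendors it cites; the indicator names, the regexes, the 15-word threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Shape-only patterns (no checksum validation): legacy/P2SH and bech32 addresses.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DEADLINE_RE = re.compile(r"\bwithin\s+\d+\s*(?:hours?|days?)\b", re.I)
EXPOSURE_RE = re.compile(r"\b(?:spouse|wife|husband|employer|boss)\b", re.I)

def triage(raw: bytes) -> list[str]:
    """Return the sorted indicator names found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body, hits, has_image = "", set(), False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            body += part.get_content() + "\n"
        elif ctype.startswith("image/"):
            has_image = True
        elif ctype == "application/pdf" and b"/Encrypt" in part.get_content():
            # A password-protected PDF declares an /Encrypt dictionary.
            hits.add("encrypted_pdf")
    text = f"{msg.get('Subject', '')}\n{body}"
    if BTC_RE.search(text):
        hits.add("btc_address")
    if DEADLINE_RE.search(text):
        hits.add("deadline")
    if EXPOSURE_RE.search(text):
        hits.add("exposure_threat")
    # Threat or wallet QR code delivered as pixels: an image with almost no text.
    if has_image and len(body.split()) < 15:
        hits.add("image_only_body")
    return sorted(hits)

def build(subject: str, body: str, attach=None) -> bytes:
    """Constructed sample; attach is (maintype, subtype, data, filename)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
    m.set_content(body)
    if attach:
        m.add_attachment(attach[2], maintype=attach[0], subtype=attach[1], filename=attach[3])
    return m.as_bytes()

# Constructed samples: the wallet string only has the right shape, it is not a real address.
TEXT_NOTE = build("jdoe: your account", "Pay $1500 to 1ExampLeAddrConstructedForDemo1234\n"
                  "within 6 days or your spouse and employer get everything.")
PDF_NOTE = build("Invoice", "Password is 4471.",
                 ("application", "pdf", b"%PDF-1.4\ntrailer\n<< /Encrypt 5 0 R >>\n%%EOF", "a.pdf"))
IMAGE_NOTE = build("Read this", "see image", ("image", "png", b"\x89PNG\r\n\x1a\n", "note.png"))

if __name__ == "__main__":
    for name, raw in [("text", TEXT_NOTE), ("pdf", PDF_NOTE), ("image", IMAGE_NOTE)]:
        print(name, triage(raw))
```

Each hit is a reason to quarantine a message for review, not a verdict: an encrypted PDF or an image-only body also occurs in legitimate mail, so the indicators are most useful in combination.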
What the emails my throwaway received actually contained: the same patterns Vade and Hornetsecurity have been tracking since 2020. Real breach-derived data points where the scammer had them — signup date, city, sometimes username from the AM 2015 record. Combo-list password “proof” from unrelated breaches where they didn’t have real AM credentials. Nobody had video. Nobody had screenshots of any messages. Nobody had anything they couldn’t have scraped from a decade-old breach plus a few minutes on dark-web-adjacent sources.
Why scammers keep doing this: the math, brutal as it is, works. Cloudmark analyzed Bitcoin wallets tied to the 2015 sextortion wave and found about $15,000–$16,000 flowed through specific extortion addresses across a four-day window. The Austrian Institute of Technology later estimated global sextortion campaigns generated around $1.2 million between mid-2018 and mid-2019. Per-email conversion rate is brutally low — but the operation is fully automated, costless to scale, and the addressable email pool (~36M from AM + ~412M from FFN, plus combo-list overlap) runs into the hundreds of millions.
The “evidence” in every one of these emails is theater. The threat is a percentage game. Don’t be the percentage.
Scam play 2 — on-platform sextortion via “private content” features
This one is worse. Because it doesn’t need any breach data at all. It runs on platforms’ current features, used against current users in 2026.
Within hours of uploading my AM throwaway profile photo, I got messages from accounts running the same playbook. Affection-fast, claim to be “discreetly testing the waters,” request a private video chat within the first three or four exchanges, push for an exchange of Private Showcase keys — the AM feature that unlocks intimate photos between two consenting accounts. I declined at step four. The accounts went silent and presumably moved to the next target. They didn’t need to get me specifically. They needed me to upload first.
How the feature actually breaks: Private Showcase keeps intimate photos behind “keys” that two users exchange for mutual access. Sounds reasonable until you check the defaults. The platform automatically grants reciprocal key access the moment you accept someone’s key. Per digitalforensics.com’s documented analysis of user behavior, 64% of Ashley Madison users never disable this default. Once a scammer has your key, they also get a URL they can copy and use to view your private content — sometimes without even needing an active AM account to follow the link.
From there it escalates: screen-record your photos, demand $1,000–$2,000 in Bitcoin within 48 hours, threaten to send everything to your spouse, your kids’ school, your boss. The FTC complaints describe scammers cross-referencing AM profiles against public records and social media to dig up spouse names, home addresses, and workplace details before the threat lands. The dossier doesn’t need to be real to feel real.
Scale: The FTC logged 282 sextortion reports involving Ashley Madison between 2019 and 2024. That’s just the count of people who bothered to file with a federal regulator on this single platform. Similar permissive-defaults-meet-private-content architecture exists on other adult platforms — cam sites, dating sites, content marketplaces — though specific platform-by-platform documentation is uneven. What’s well-documented is that the AM Private Showcase pattern is replicable wherever a platform ships a “share private content with verified matches” feature with broad defaults.
The scam works because the platform’s defaults work for scammers. The 64% who never disable auto-key-exchange aren’t careless — they just trust a default they don’t know exists. That’s not user error. That’s a default ripe for abuse, and as of public reporting through 2026 the platform still ships it that way.
Scam play 3 — the “lookup service” doxxing wrapper
This play needs no current platform activity at all. It runs entirely on old breach data and the willingness of some operators to monetize it as a service.
Right after the 2015 Ashley Madison dump, a whole parasite ecosystem sprang up: third-party “search engine” sites where anyone could type in an email address and find out if it appeared in the leaked data. Some of those services then quietly turned around and contacted the email’s owner with a deal — pay us to “remove” your record (which they can’t, the data is permanent) or we’ll send notification letters to your employer and your spouse. Wikipedia’s coverage is direct: one such service offered exactly this protection-racket structure. Extortion-as-a-service, technically legal in some jurisdictions because they’re “just providing information.”
The same dynamic followed the FFN 2016 dump and every adult-site breach since. Most of the wrapper services have died off the open web by now — DMCA’d, lawsuit-threatened, pushed off mainstream hosting. But the underlying data didn’t die. As of 2020, Digital Shadows confirmed the AM database was still being sold on cybercrime marketplaces like Empire, bundled with other breaches as combo lists for as little as $5. By 2026 the data is effectively free — folded into aggregated dumps like the Naz.API leak and the Combo List 93M circulating since early 2026. Anyone with $5 and a Tor browser can buy it and run their own targeted outreach.
The underlying threat — that someone can correlate your email with a specific adult platform’s user list and threaten exposure — is fundamentally not solvable by any individual platform. Once the data is out, it’s out.
Why “we fixed it” PR doesn’t save you
The platforms that survived their breaches eventually told some version of the same story: new security leadership, Big Four consulting partnership, 2FA, encrypted browsing, bug bounty program, 24/7 SOC. Ashley Madison’s parent Ruby Corp made this story public and loud — CISO Matthew Maglieri does conference talks where he says, and I’m quoting, “even as I’m speaking to you up here on stage, my network is under friendly attack.” It sounds great on paper. The 50 million users number Ruby Corp pitched to media in May 2024 sounds great too.
FFN took the quieter approach after 2016 — limited public disclosure, no equivalent security-evangelism press tour, no rebranding (the company kept its name and its CEO). Two different communications strategies, same underlying problem.
Here’s the catch: none of the security work helps you against any of the three plays in this article.
- Play 1 (Bitcoin sextortion emails) runs on leaked data the platforms can’t claw back. The data exists forever on cybercrime forums. New 2FA doesn’t reach the scammer’s spam queue.
- Play 2 (on-platform sextortion) runs on a current default setting — Private Showcase auto-key-exchange — that per public reporting still ships enabled. The fix is one config flag away. As of 2026 it hasn’t been flipped.
- Play 3 (combo-list-based threats) runs on data aggregations no individual platform controls. Bug bounty programs do not extend to the dark web.
And here’s the part that should concern you specifically in 2026: AI image generation has gotten cheap and good enough that a scammer can take your real public profile photos and generate convincing fake “evidence” of you doing things you didn’t do. Deepfake-assisted extortion is the next wave. No platform’s security stack reaches the scammer’s laptop.
You can’t fix yesterday’s leak. The platforms didn’t. They built fortresses around their current systems and left the old vaults wide open. Anyone with $5 and a weekend can walk in.
Red flags + what actually works
If you got a suspicious email mentioning any adult site
- Check the “proof.” If they show you a password, is it one you currently use, or is it 10+ years old? Old means combo list, means bluff.
- Visit haveibeenpwned.com (free) and search your email. If you appear in the breach the scammer is referencing, they have nothing the world doesn’t already have. The threat is leverage, not evidence.
- Do NOT reply. Replying signals a live target and you’ll get more emails.
- Do NOT pay. Paying signals a paying target and you’ll get every scammer in the network.
- Forward the email to the FTC at reportfraud.ftc.gov and to your local cybercrime authority.
- Change any reused passwords now. Turn on 2FA for email, banking, and social.
If you currently use any adult platform and want to reduce your exposure
- Audit your privacy settings on every adult platform you use. Look specifically for any “automatically share with matches” or “default visible to” options. Disable everything that’s permissively defaulted.
- Use a dedicated email address with no link to your real identity, banking, or main social profiles. If a scammer eventually hits that email, the blast radius is contained.
- Don’t share your real name, exact home address, or workplace until you’ve verified extensively. Verification means in-person or a verified video call, not “they sent me a selfie.”
- Treat any match requesting a video call within the first five messages as a probable scammer. Real users — regardless of gender — don’t move that fast.
- Use a payment card you’re willing to cancel without disrupting your real life. Sextortion attempts frequently include claims of having your payment details, and an easy-to-cancel card limits both the bluff and any actual exposure.
If you’ve already paid a scammer
- Document everything: emails, screenshots, payment records, wallet addresses, message threads.
- Report to the FBI’s IC3 at ic3.gov and to the FTC.
- Do not pay a second time. Paying once marks you as a paying target. Paying twice marks you as an ATM.
- Talk to someone you trust. The shame is the leverage — that’s literally how the scam works. The shame goes away faster than the financial damage if you bring another person into it. If you’re feeling overwhelmed, in the US the Crisis Text Line is 24/7 — text HOME to 741741. Outside the US, search for your country’s equivalent crisis line. This is a real situation and you don’t have to handle it alone.
If you’ve never used any adult site but got the email anyway
It’s almost certainly a spray-and-pray hitting any email address that’s ever appeared in any breach combo list. The scammer is bluffing harder than usual. Same protocol — don’t reply, change reused passwords, report.
The math + the verdict
Sextortion is a percentage game. Cloudmark’s wallet analysis in 2015 found about $15,000–$16,000 flowed through specific extortion addresses across a four-day window — meaning the per-email conversion rate is roughly one paid victim per tens of thousands of emails sent. The Austrian Institute of Technology put the global sextortion industry at around $1.2 million between mid-2018 and mid-2019. Low-margin, high-volume, fully automated, costless to scale, and hardening against email filters faster than the filters can adapt.
That low margin is why scammers persist. Even one paying victim per 10,000 emails covers operational costs and pays the rent. Between approximately 36 million email addresses from Ashley Madison and 412 million from Friend Finder Networks — both now folded into Combo List 93M, Naz.API, and god-knows-what-else — the volume keeps the playbook profitable for years to come.
Looking into 2026 and 2027, three trends will make this worse:
- AI-personalized variants that auto-generate convincing fake “screenshots” of intimate messages you never sent
- Voice clones from social media audio used in follow-up phone calls to make threats feel real
- Cross-platform aggregation that combines historical breach data with newer leaks to build dossiers that genuinely look terrifying
The verdict: paying never ends extortion. It funds the next round and marks you as a target for the round after that. Every paid victim makes the next 10,000 emails more profitable to send.
If you’ve been targeted by any of the three plays in this article, your case is not unique to the scammer. They need you to feel uniquely vulnerable so you’ll pay before checking. You aren’t. The math is against the scammer on any individual attempt. Document everything, report it, and walk away.
Findings here come from a throwaway-account test on Ashley Madison between February and May 2026, with secondary observations on a small number of other adult platforms. All breach facts cited — including the FFN 2016 breakdown, AM 2015 specifics, and combo-list circulation — are from public reporting: the FTC complaint against Ashley Madison’s parent company, the Office of the Privacy Commissioner of Canada joint investigation, KrebsOnSecurity, LeakedSource, Wikipedia, Vade Secure, Hornetsecurity, Digital Shadows, Cloudmark, and Austrian Institute of Technology research. No private individuals are named as scammers anywhere in this piece. No payment was made to any extortion attempt observed.
Affiliate disclosure: Rated18Plus may receive a commission when readers sign up for products through links elsewhere on this site. This Scam Alert contains no affiliate links. Editorial independence is maintained: scam findings are reported regardless of commercial relationship.

