Sextortion: What to Do First, the FBI Numbers, and 5 Variants

A scammer (often part of a Nigerian cybercrime network) creates a fake teenage-girl peer profile, builds rapport with a 14–17 year-old male target, requests an intimate image, then immediately switches to threats — pay or the image goes to the victim's friends, family, school, or sports team. Per Thorn's 2025 research, 90% of financial-sextortion victims are boys ages 14–17. NCMEC has documented at least 36 teen-boy suicides linked to financial sextortion since 2021. The FBI's Operation Artemis (April 2025) resulted in 22 Nigerian arrests connected to roughly $65M in U.S. losses across approximately 3,000 identified victims.

A composite case drawn from FBI Sacramento and DOJ EDPA filings illustrates the script's tempo. A 16-year-old male receives an Instagram follow request from a profile that looks like a teenage girl from a neighboring high school. The profile is two weeks old, with eight photos and a bio referencing two local landmarks. After three short DM exchanges over an evening, the "girl" suggests moving to Snapchat, sends an intimate photo, and asks for one back. Within seconds of the victim's image landing, the conversation pivots: a screenshot of the victim's Instagram friends list (scraped during the rapport phase), a list of his mother's coworkers (cross-referenced from her LinkedIn), and a demand for $400 in Apple gift cards within fifteen minutes. Refusal triggers an immediate "preview send" to two of the friends in the screenshot — sometimes real, sometimes bluffed. The pressure is engineered for adolescent reasoning: small enough demands to feel survivable, fast enough timing to prevent reflection, and shame-based pressure that works hardest on the demographic with the least experience handling it.

The r/Sextortion subreddit (5+ years old, 200K+ members) is the most consistent public archive of the script's actual feel and the protective steps that work. The 206-upvote thread "I was a victim of sextortion, here's what happened and how I got through it" documents one teen's full arc: the initial DM, the image exchange, the demand, the panic, the report, and the recovery. The 119-upvote thread "I Survived Sextortion — Please Read this if your scared" emphasizes the same point survivors converge on: "the threats end once you stop replying and report." The 99-upvote thread "Sextortionist fucked with the wrong guy" documents a victim who refused to pay, blocked, reported, and watched the threats deflate within 48 hours. The recovery pattern is consistent across hundreds of survivor posts: stop replying, screenshot, report to NCMEC + FBI IC3, use Take It Down, tell a trusted adult, and within days to weeks the threats stop and the survivor's life returns to a recognizable shape.

What stops the script is the protective sequence. If you or someone you know is being sextorted: do not pay, stop replying, save the messages, and file at report.cybertip.org (NCMEC CyberTipline, free, primary path for under-18 victims) and tell a trusted adult. Use NCMEC's free Take It Down service to remove intimate images from participating platforms (Instagram, Snapchat, TikTok, Facebook, OnlyFans, Reddit, X) — the service generates a hash on the user's device, so the image itself never leaves; the platforms then block any matching uploads. Federal prosecution is real and accelerating: Operation Artemis arrests, two 17-year sentences in the Michigan case, multiple extraditions to Pennsylvania. The protective rule for parents and trusted adults: pre-empt the shame. If something happens, you will not be in trouble — come to me, no questions, no consequences, we will report it together.

A scammer matches with an adult on a dating app, moves the conversation off-platform within days, escalates to a video chat or intimate-image exchange, then immediately switches to extortion — pay or the recording goes to the victim's employer, family, social network, or in some cases the victim's spouse. The threat works because the victim's calculation centers on professional consequences, marital damage, or family exposure rather than peer shame. The FBI 2024 IC3 report logged 54,936 sextortion-and-extortion complaints with $33.5M in losses; a substantial share of adult complaints map to this variant.

A composite case from r/Sextortion adult survivor threads and FBI field-office advisories illustrates the adult-target version. A 38-year-old professional matches on Hinge with what looks like a local woman in her early 30s. After three days of friendly messaging, she suggests moving to WhatsApp because Hinge "isn't very private." Two days later she initiates a video call, gets him to expose himself on camera, and the recording is in her hands within minutes. The next message is a screenshot of his LinkedIn page, a list of his five most senior coworkers, his employer's HR contact, and a demand for $2,500 in Bitcoin within twenty-four hours. If he does not pay, the recording goes to his manager and the company's executive team. The scammer's research is light — LinkedIn for the professional contacts, the dating-app bio for the personal context — and the threat is designed to make the calculation feel rational: pay $2,500 to keep a job versus risk a career.

The structural feature is the same as the teen variant: the scammer's power depends on the victim's belief that distribution would be socially or professionally catastrophic. r/Sextortion adult survivor threads — including the 140-upvote "for other female survivors" and dozens of male-survivor narratives — converge on the protective sequence working the same way for adults as for teens. "The threats stopped within 72 hours of me reporting and blocking. He sent two more messages and then nothing." The protective steps work because the scammer's economics depend on volume — the perpetrator running this script is targeting dozens or hundreds of victims simultaneously, and a non-paying, non-replying, reporting victim is a deadweight loss. The scammer moves on to the next live target; the silent, blocked victim drops off the priority list within days.

What stops it is the same four steps: do not pay, stop replying, save the evidence, report. For adult victims: file at ic3.gov (FBI Internet Crime Complaint Center) and at reportfraud.ftc.gov (FTC). Use StopNCII.org to remove intimate images from participating platforms (Facebook, Instagram, TikTok, Reddit, OnlyFans, Pornhub, X, Bumble, and dozens more). StopNCII.org generates a hash of the image on the user's device — the image itself never leaves the device — and submits the hash to participating platforms, which then block any matching upload. The TAKE IT DOWN Act (signed May 2025) gives federal-law backing to nonconsensual intimate-image takedown requests, including AI-generated content. If your spouse, partner, or family is being threatened with disclosure, the federal answer is now: report, remove, and recover — not pay.

A bulk email claims the sender has hacked the recipient's webcam, recorded compromising material, and will release it unless a Bitcoin payment is sent within 24–48 hours. The email frequently includes a real password the recipient has used in the past — harvested from a public data breach — to make the threat look credible. There is no actual recording. The scammer sends the same template to millions of addresses. Per Krebs on Security and Have I Been Pwned investigations dating to 2018, payment compliance is well under 1% but the volume keeps the campaigns profitable. The Federal answer: do not pay, do not reply, change the password if it is still in use anywhere, enable two-factor authentication, and delete the email.

A representative case: a 45-year-old receives an email with the subject line "Your password is [actual-old-password]." The body claims the sender has installed malware on the recipient's computer, recorded webcam footage of the recipient watching adult content, and will release the footage to the recipient's email contacts unless 0.05 BTC (~$3,000 at 2026 prices) is sent to a Bitcoin address within 48 hours. The password is real — used by the recipient on LinkedIn in 2012 — and is now in the public domain via the LinkedIn 2012 breach republished on Have I Been Pwned. There is no malware. There is no recording. The scammer harvested the email address and password from the breach data, stitched them into a template, and sent the same email to millions of addresses with the password substituted in. Payment compliance on these campaigns is well under 1% — but at scale, even 0.1% is profitable.

The federal guidance on this variant has been consistent since the FTC and FBI flagged it in 2018: do not pay, do not reply, change the password everywhere it is still in use, enable two-factor authentication, and delete the email. The diagnostic that the threat is empty: the scammer never produces the actual footage, never names a specific webcam session, and never demonstrates platform-specific access. If the threat were real, the scammer would have a strong incentive to prove it; the bulk-email variant cannot prove it because there is nothing to prove. Have I Been Pwned (Troy Hunt's free service) lets users check whether their password is in any of dozens of public breach corpora — if your password from this email is listed, that explains where the scammer found it.

What stops it is recognition. If you receive a "your password is X" email demanding Bitcoin, do not reply. Do not pay. Change the password anywhere you still use it. Enable two-factor authentication on every account that supports it. File at reportfraud.ftc.gov and at ic3.gov. Delete the email. The protective sequence is the same as the high-severity variants — only the threat is hollower. r/Scams thread "Phishing/sextortion email sent with my supposed own mail" (3 upvotes, but representative of dozens of similar posts) documents the everyday volume of this campaign; victims who paid almost universally report follow-on demands within weeks, while victims who ignored the email reported nothing.

A scammer takes a clothed, public-facing photo of a victim from social media, runs it through an AI nudification tool, and sends the AI-generated nude image back to the victim with the standard sextortion demands — pay or the image goes to family, friends, school, or employer. The victim never shared an intimate image at any point. Per Thorn's 2025 research, 13% of sextortion victims now report that the perpetrator used AI-generated deepfake imagery rather than real intimate content. The federal response: the TAKE IT DOWN Act, signed May 2025, explicitly criminalizes the nonconsensual online publication or threat of online publication of intimate images including AI-generated ones, and gives federal-law backing to platform takedown requests.

A representative case from r/Sextortion's AI-deepfake survivor threads (including the 70-upvote "(F 20) Someone used my Instagram photo to make a fake AI nude and is threatening me — really worried"): a 20-year-old college student finds an anonymous Twitter / X DM in her requests folder. The DM contains an AI-generated nude image of her — the face is clearly hers (taken from her public Instagram), the body is fabricated. The DM demands $1,000 in Bitcoin within 24 hours or the image will be sent to her professors, her family, and posted on a public revenge-porn site. She has never shared an intimate image with anyone, online or off. The scammer has no real material; the AI-generated image is the only material. The image was generated by feeding her public Instagram photo into one of the dozens of AI nudification tools that proliferated on the open internet between 2023 and 2026.

The protective sequence is the same as the real-image variants — and arguably stronger, because the AI-generation is itself a federal crime under the TAKE IT DOWN Act. The image is fake; the protections are real. StopNCII.org and NCMEC's Take It Down service both accept hashes of AI-generated intimate imagery for removal from participating platforms — Instagram, Snapchat, TikTok, Facebook, OnlyFans, Reddit, Pornhub, X, and dozens more. The TAKE IT DOWN Act requires participating platforms to honor takedown requests within 48 hours. The FBI's IC3 portal accepts AI-deepfake sextortion reports as a sub-category of sextortion. The Department of Justice has begun prosecuting AI-deepfake sextortion under the new federal statute as of late 2025.

What stops it is the same four steps plus one additional protective practice: lock down social-media privacy settings so public photos are not available to scrape. Set Instagram, Facebook, TikTok, and X profiles to private; remove photos that show identifying features (clear face, full body) from public profiles; disable photo tagging by strangers; review and prune followers and friends. The scammer's economics depend on the photo being scrapable; private accounts deny the input. For victims of an existing AI-deepfake threat: do not pay, stop replying, screenshot, report at ic3.gov (or report.cybertip.org if under 18), and use Take It Down (under 18) or StopNCII.org (adults) to hash and remove the AI-generated image from participating platforms. The TAKE IT DOWN Act's 48-hour mandatory-removal window kicks in once the takedown request is submitted.

A scammer impersonates a victim's spouse, family member, or close friend via a spoofed or lookalike email or messaging account, then asks the recipient for intimate photos — framed as an intimate-couple exchange, a romantic-emergency, or in some cases a faked-medical-context request. The recipient sends images to what they believe is their partner; the scammer extracts the images and pivots to extortion against either the recipient or their actual partner. The 294-upvote r/Scams thread "Scammer posing as my wife with a proton e-mail and asking her friends for breast pictures" documents the script's most common tempo.

A representative case from the r/Scams thread above and FBI BEC-adjacent advisories illustrates the script. A 35-year-old woman receives a Proton Mail email from what appears to be her husband's address — close lookalike, one extra letter that is easy to miss on mobile. The email asks if she would be willing to send him an intimate photo for "a special anniversary surprise I'm putting together." She sends one. The next day she receives a separate email from a different address demanding $5,000 in Bitcoin or the photo will be released to her social-media followers and her workplace. The husband never sent the original request; the scammer harvested her email address from his contacts (compromised in a years-old breach), set up a lookalike domain, sent the request, harvested the response, and pivoted. The variant exploits the trust default in spousal communication — the recipient does not verify the request because it appears to come from someone they trust.

The structural defense is the same defense that works against Business Email Compromise: verify any unexpected request through a separate channel before acting on it. If an email purports to be from your spouse and the request is unusual (intimate photos, a money transfer, a sudden change in behavior), call them on the phone number you already have, walk into the next room, send a Slack DM you initiate yourself, or use any channel other than the one the suspicious email arrived on. The scammer cannot intercept a separate channel they did not anticipate; the verification kills the script. The same protective sequence applies if the script has already succeeded: do not pay, stop replying, save the evidence, report to FBI IC3, and use StopNCII.org to remove the image from participating platforms.

What stops it is the verification habit. If a spouse, family member, or close friend asks for something unusual by email or DM — intimate photos, money, a sudden change in plans — verify on a different channel before responding. A real partner welcomes a verification call; a scammer cannot fake one. If the script has already succeeded and you sent images you now regret, the recovery path is the same as the adult dating-app variant: ic3.gov, reportfraud.ftc.gov, StopNCII.org for adult intimate-image removal, and 988 if you need to talk to someone. Tell your actual partner. The scammer's power is the secrecy framing; pre-empted shame loses its power.