A cyber threat actor advertised a purported database of 340 million OnlyFans-linked user records on a well-known cybercrime forum, asking for 0.313 BTC, or roughly $76,000, according to U.K.-based cybersecurity news site HackRead.
The alleged "340 million OnlyFans user mega leak" narrative ran rampant on X this past holiday weekend, garnering millions of views from several accounts, which were described as nothing more than an engagement trap.
HackRead pointed out that "conversations with the seller and a review of sample data suggest that the collection did not result from a direct breach or scraping of OnlyFans systems."
HackRead noted that:
The seller advertised the database as containing usernames, names, email addresses, phone numbers, follower counts, likes, uploaded content statistics, account types, and linked social media profiles. The claims initially gave the impression of a direct platform breach or scraping incident.
However, the story changed after Hackread.com contacted the threat actor directly on Telegram. In private messages, the seller clarified they did not hack or breach OnlyFans. Instead, they claimed the database was built using information collected from previous data leaks and public sources, including breached records from platforms such as Twitter, Instagram, and Spotify.
"We didn't breach or hack OnlyFans," the seller said in a message shared with Hackread.com. "We used existing breaches and leaks databases and matched with users of the OnlyFans platform."
But that didn't stop some X users from pushing the "OnlyFans is hacked" narrative.
As one X user pointed out, the hack story is "100% fake news," and the "manufactured hoax is a masterclass in clickbait."
The person said the "real trap" is that "hackers spreading these fake leaks are trying to panic you into downloading 'leak checkers.' The second you run those tools, they install infostealer malware, like Lumma Stealer, to steal your actual passwords."
The timing of the alleged OnlyFans "hack" narrative is notable. The panic cyber campaign comes just weeks after the Financial Times reported that the platform, widely used by sex workers, is selling a minority stake to San Francisco-based Architect Capital.
From an information operations view, this creates a window for threat actors to exploit and leverage privacy fears to drive users to malware-laced leak-checker tools under the guise of helping them verify exposure.