Deepfake Sextortion Scam Using Facebook Profile Photos
Scammers harvest publicly available Facebook profile photos to generate AI deepfake intimate images of real people, then threaten to share the fabricated images with the victim's Facebook friends unless a payment is made.
Part of: Deepfake Sextortion Scams
Last reviewed: 8 June 2026
Facebook profiles frequently contain high-quality photos of real people — including images shared with friends, tagged in family albums, or posted publicly for networking. Criminals have developed deepfake tools that can take these benign profile photos and generate realistic-looking fabricated intimate images.
The victim then receives a message — often via Facebook Messenger, WhatsApp, or email — claiming the attacker has obtained intimate images and threatening to distribute them to the victim's Facebook friends list unless a payment is made, typically in cryptocurrency.
What makes this especially distressing is that the images never truly existed in the victim's control. They were created entirely by the scammer using the AI tool applied to legitimate photos. The threat is manufactured, but the psychological impact and the reputational risk to the victim are very real.
How this scam works on the Meta/Facebook brand
Meta and Facebook are victims in this scenario — the platform's photo-sharing infrastructure was designed for legitimate social connection, not for harvesting images for deepfake creation. Meta has invested in detection and removal tools for non-consensual intimate imagery, but the initial attack originates outside the platform.
The extortion message typically arrives via Facebook Messenger from a new account or through a secondary platform. It may include a sample of the fabricated image to prove the threat is credible. The attacker demands a payment amount — often hundreds to a few thousand dollars in cryptocurrency — within a short window, threatening to tag the victim's friends and family directly on Facebook if payment is not received.
In many cases the 'proof' image is a heavily blurred or cropped thumbnail, making it difficult for the victim to assess authenticity. The ambiguity is intentional — it creates uncertainty and fear even when the full image would be clearly identifiable as a deepfake.
Common red flags
- A message claims to have intimate images of you and threatens to send them to your Facebook contacts.
- The sender demands cryptocurrency payment within a tight deadline.
- The 'proof' image shown is blurred, cropped, or low-resolution — making it hard to assess whether it is genuine.
- The message comes from a new Facebook account with no mutual friends and a recently created profile.
- You have never shared intimate images with anyone, yet the threat appears.
- The message escalates if you do not respond, with increasingly specific threats about tagging specific friends.
How to protect yourself
- Do not pay — payment does not guarantee the attacker will stop and typically invites further extortion.
- Review your Facebook privacy settings at facebook.com/settings/privacy and limit who can see your photos to friends only.
- Screenshot all extortion messages as evidence before blocking the attacker.
- Report the account to Facebook immediately using the in-app Report function on the message or profile.
- Use Facebook's Take It Down tool (takeitdown.ncmec.org) if intimate images — real or fabricated — have been distributed.
- Contact a trusted adult, a counsellor, or a support organisation such as the Cyber Civil Rights Initiative at cybercivilrights.org.
How to report it
- Report the sextortion account and message to Facebook at facebook.com/help/reportlinks.
- Report to the FBI IC3 at ic3.gov (US), the National Crime Agency at nationalcrimeagency.gov.uk (UK), or your national cybercrime unit.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- Use the NCMEC's CyberTipline at cybertipline.org to report non-consensual intimate images.
Frequently asked questions
If I never shared intimate images, can the attacker really have them?
No genuine intimate images exist if you have never shared them. The attacker is using AI deepfake tools applied to your public profile photos to generate fabricated images. The threat is designed to create fear — the fabricated image would be identifiable as fake by anyone who sees it clearly.
Should I pay the ransom to stop the images from being shared?
No. Law enforcement and support organisations universally advise against paying. Payment does not stop the attack and often encourages further demands. Report to Facebook and law enforcement immediately.
How can I protect my Facebook photos from being used this way?
Set your profile photos to 'Friends only' or 'Only me' visibility in Facebook's privacy settings. Consider limiting your audience for all photos. While no setting fully eliminates risk from someone who can see your photos, limiting public exposure significantly reduces it.