No, OnlyFans Was Not Hacked

OnlyFans was not breached.

A seller using the handle Euphoric_Reply_5727 posted on a cybercrime forum over Memorial Day weekend claiming to have 340 million OnlyFans user records — usernames, email addresses, phone numbers, payment card details, linked social profiles, the works. The asking price: 0.313 BTC, roughly $76,000.

The post exploded on X. Millions of views. Accounts with large followings pushing it hard.

When cybersecurity outlet HackRead contacted the seller directly via Telegram, the seller admitted it plainly: "We didn't breach or hack OnlyFans." Their words, not ours. They said the database was assembled by cross-referencing old breach data from platforms like Twitter, Instagram, and Spotify, then matching those records to apparent OnlyFans users.

They took garbage from other people's dumpsters, reorganized it, slapped an OnlyFans label on it, and tried to sell it as something explosive.

The Data Itself Is Junk

HackRead reviewed sample data the seller provided. The findings, according to IBTimes UK's coverage, were damning. Multiple entries had empty or placeholder fields marked "None." Email addresses couldn't be confirmed as actually linked to OnlyFans accounts. The "card" field — supposedly containing last four digits of payment cards — could not be independently verified at all.

This is not a sophisticated breach. It's a cobbled-together collection of old leaked data dressed up to look scary.

But the panic it generated was very real.

The Real Trap: Malware Disguised as a Leak Checker

When a story like this goes viral — "Am I in the OnlyFans leak?" — millions of people go searching for tools to check if their data was exposed. Cybercriminals know this. They build for it.

ZeroHedge flagged what cybersecurity researchers identified as the actual play: threat actors spread malware-laced "leak checker" tools designed to capitalize on exactly this kind of panic. You're scared your data is out there. You download a checker. You just installed a keylogger.

Separately, ReliaQuest documented a surge in fake Cloudflare CAPTCHA attacks specifically targeting OnlyFans users, according to Daily Security Review. The mechanics are straightforward and nasty: a fake website mimics a legitimate security verification page, a user completes what looks like a normal CAPTCHA, and a malicious script is silently copied to their clipboard. The site then instructs the user to paste it into their terminal. If they comply, they've handed attackers a remote access trojan, credential-stealing software, or ransomware.

The people most likely to be nervous about an OnlyFans data leak aren't going to stop and scrutinize every step of a "verification" process.

CRPx0: The More Sophisticated Threat Hiding Behind the Noise

While the fake hack hoax was dominating feeds, SecurityWeek and Aryaka Threat Research Labs documented a separate and genuinely serious malware campaign called CRPx0 — and it's using OnlyFans as its lure too.

The attack starts simple: someone searches for free OnlyFans account credentials online — already a legally and ethically questionable move — and finds a zip file called OnlyfansAccounts.zip. Inside is a shortcut file that appears to deliver what was promised: a text file titled "50 working Onlyfans account" with what looks like real credentials.

Behind the scenes, CRPx0 installs itself, phones home to a command-and-control server, and begins doing three things.

First: cryptocurrency theft. It monitors your clipboard constantly. If you copy a crypto wallet address to paste somewhere — to receive funds, to send — it swaps it out silently for one controlled by the attackers. You never notice. The money goes to them.

Second: data exfiltration. Documents, images, emails, code files, engineering files — whatever the attackers specify via their C2 — gets quietly copied out.

Third: ransomware. Once your data is stolen, it gets encrypted. Pay up or lose everything. Classic double extortion.

CRPx0 currently targets macOS and Windows. According to Aryaka Threat Research Labs' analysis, Linux capabilities appear to be in development. This campaign is not going away.

What Mainstream Coverage Is Getting Wrong

Most tech media covered the "OnlyFans hack" story as a standalone embarrassment — fake news debunked, move on. The hoax and the malware campaigns operate within the same ecosystem. The viral panic creates demand. The demand creates victims. The victims get malware.

Also overlooked: the people most at risk aren't just OnlyFans users worried about their private data. Anyone who searched for a "leak checker" tool after seeing those viral posts — regardless of whether they even have an OnlyFans account — could have exposed themselves.

What This Means for You

Do NOT download any tool claiming to check if you're in the "OnlyFans leak." There is no leak. There is malware waiting for you.

Do NOT complete any CAPTCHA on a site you navigated to from a social media link. Do NOT paste anything into your terminal that a website hands you.

Enable multi-factor authentication on every account that matters. Keep your antivirus updated. If you use cryptocurrency, verify wallet addresses through a channel you control — not your clipboard.

The people running these campaigns are counting on you being scared, curious, or embarrassed enough to skip those steps. Don't give them the win.