Non-consensual intimate imagery (NCII) is an incident, not a content problem. The harm comes from distribution, reuploads, and impersonation, and the response that works looks like incident response: evidence discipline, consistent takedowns, and closing the access paths that produced or leaked the images.
| Immediate sequence | Do this | Why |
|---|---|---|
| 1 | Preserve evidence privately (URLs, screenshots, timestamps) | Content and accounts disappear quickly, and reports go faster with direct links |
| 2 | Report on the platform where it is hosted under the NCII category | Platform moderation is the fastest path for many sites |
| 3 | Secure the accounts that could be the access path (email, cloud photos, social) | Takedown is unstable if the attacker can steal or repost more material |
| 4 | Reduce reuploads using hash-matching services where available | Blocking duplicates is often more effective than chasing links one by one |
| 5 | Escalate when there are threats, extortion, or physical safety risk | Some situations require law enforcement and crisis support, not only platform reports |
Safety note: if someone is threatening to share content unless you pay or comply, treat it as extortion. Do not negotiate, do not send more content, and preserve the messages.
Preserve evidence without amplifying the content
Evidence is what makes takedown workflows and escalation work. Preserve it quietly and do not repost the content to “warn others”.
- Screenshot the post, including the address bar, the account name, and the timestamp.
- Copy direct URLs for the content and the profile.
- Keep a private list of mirrors and reuploads you find.
- Keep a private timeline of reports submitted and responses received.
Close the access path (do this in parallel with takedowns)
Many NCII incidents are fueled by account compromise, shared albums, leaked links, or device compromise. Stabilize the control plane so new material does not keep leaking.
- Secure email and enable 2FA. Remove suspicious forwarding rules and sign out unknown sessions.
- Secure cloud photo accounts and review shared links, shared albums, and signed-in devices.
- Check devices for spyware before rotating more passwords: how to detect spyware.
If you are unsure whether you are dealing with broader compromise, start with immediate steps after being hacked and how to check if you have been hacked.
Key idea: takedown is unstable if the access path stays open. Secure accounts and devices in parallel.
Takedown workflow that scales
Most people fail here because they expect one report to end the problem. In practice, you want a repeatable workflow.
1) Report the content on the hosting platform
- Use the most specific category available: “non-consensual intimate imagery”, “sexual content posted without consent”, “explicit deepfake”, or equivalent.
- Report both the specific posts and the account distributing them.
- Provide direct URLs, not only screenshots.
2) If the platform response is slow, report the hosting provider
Some sites ignore user reports but respond to host or CDN abuse reports. This works best when you have direct URLs and a clear description of the harm. Keep your evidence packet tight.
3) Reduce discoverability through search where eligible
Search removals do not remove the source, but they can reduce the spread. Use dedicated workflows for explicit imagery where eligible, and include both the source URL and the search result URL.
4) Reduce reuploads with hash matching where available
Chasing reuploads link-by-link is exhausting. A better approach is to block duplicates when a service supports it.
- StopNCII is a victim-support service that can create a hash of images and help participating platforms block reuploads without sharing the images themselves.
Extortion and threats: what not to do
Attackers rely on urgency and shame. A few rules keep you from making the situation worse.
- Do not pay. Payment often increases pressure and does not stop distribution.
- Do not send more images or “verification content”. That is a common escalation pattern.
- Do not move the conversation to a new platform because the attacker asked.
- Preserve evidence and use official reporting channels.
Escalation paths (US)
If there are threats, extortion, stalking, or physical safety concerns, escalation can be appropriate. Requirements vary by jurisdiction, so treat the following as informational.
- Report internet-enabled extortion or scams to FBI IC3.
- If minors are involved or you suspect CSAM, do not investigate yourself. Use the National Center for Missing and Exploited Children CyberTipline immediately.
- If you need immediate emotional support in the US, the 988 Lifeline is available.
Harassment response structure
NCII incidents often include harassment, impersonation, and coordinated abuse. A structured response reduces chaos.
- Use: what to do about online harassment.
- If the content is deepfake-based, review: reduce deepfake misuse risk and the evidence workflow above.
Successful removal is a process, not a single form. When you preserve evidence, close the access path, and run consistent takedowns, the problem becomes more controllable: fewer reuploads, fewer active distribution accounts, and less leverage for attackers. The stable endpoint is secure accounts, a clean report timeline, and a smaller set of places the content can surface. That is how the harm stops compounding.