Dynamic Securities Analytics, Inc.
Dynamic Securities Analytics, Inc.
Financially Motivated Sextortion Sextortion

Disrupting Sextortion Financial Mechanisms

by |Published

Part 5: “Disrupting Sextortion Financial Mechanisms” focuses on measures that financial institutions — primarily P2P and payment apps — can take to disrupt victim ransom payments fueling this crime.

Read the entire series on the Financial Mechanisms of Sextortion here.

How Can Financial Institutions Disrupt Financially Motivated Sextortion of Minors?

Safety by Design provides an overarching framework to disrupt the ability of teen victims to pay and extorters to receive sextortion ransom payments. The general idea of Safety by Design is to consider and design safety into user-facing tech (including fintech) products.

General principles of Safety by Design include:

  1. Holistic: Safety across entire system, at the inception of product.
  2. Proactive: Safety efforts should target prevention of harms, rather than respond to safety incidents.
  3. Empowering: Safety features allow users to control their experience and should reflect their user base (ex. kids and their parents). User controls should be intuitive and widely accessible. At a minimum, safety features should include privacy settings, sensitive media, blocking and muting.
  4. High Default settings for privacy and security. Defaults set at max, not minimum. Defaults on, not off.
  5. Cross-functional. Within App, FAQs, Help Center, Parent Settings, etc. Includes links to resources and education information, in addition to features for reporting safety incidents.

Safety by Design & Teen P2P Accounts

P2P and payment apps have many legitimate uses and have been widely adopted by both adults and teens. However, a variety of bad actors — including perpetrators of financial sextortion of minors — have also adopted P2P payments.

Two studies conducted by Thorn reveal that P2P and payment apps account for about 75% of ransom demands.

Bar chart of how sextortionists demand payments from victims.

P2P and payment app providers should consider the following in applying Safety by Design principles to Teen Accounts.

Privacy

Default privacy settings for teen P2P accounts should be high.

There are a range of privacy issues in P2P accounts including:

  • Can a user search for a teen’s account by the teen’s phone number, email address, username / handle, or name?
  • If a teen adds a user as a Contact/Friend, does that expose additional information about the teen to the new contact such as real name or phone number?
  • If a teen sends a payment, does the payment disclose additional information about the teen to the recipient (ex. name)?
  • Are the teen’s transactions public?
  • Can a teen block a user? Can a parent?

P2P teen account providers can significantly improve teen privacy.

Here’s why:

First, most P2P apps allow users to look up other users by name, email, phone number, and/or username. Many P2P apps don’t allow teens or parents to exclude teen accounts from search results. Therefore, teens are not empowered to control the privacy of their account.

Secondly, some P2P apps automatically disclose additional information about a teen when the teen adds a user as a contact, and/or after the teen makes a ransom payment.

Finally, most apps only allow a teen or parent to block users on a one-off basis. However, blackmailers (and other scammers) typically have multiple accounts at the various apps. If a teen blocks one account, then the extorter simply pops up under a different account name or on a different P2P app demanding payment.

Parental Transactional Controls

Parental transaction controls can empower parents to regulate their teen’s P2P experience.

Parental transactional controls on P2P apps would include checks on:

  • WHO a teen can send or receive money
  • WHERE a teen can send or receive money
  • HOW MUCH money a teen can send or receive
  • WHAT TYPE of transaction can a teen conduct (crypto, investing, other embedded products)

P2P teen account providers can better empower parents through transactional controls.

Most P2P apps do not by default allow parents to limit who their children send or receive money. Nor do the apps allow parents to limit the how much money their children can send or receive (aside from the general app limit).

Next, P2P apps do not allow parents to control where their children can send funds (apart from the apps being limited to other U.S. account holders). For example, a 14-year-old living in Ohio can send $500 to a user geolocated in California. Finally, while the Apps do allow parents and teens to block transactions with other specific users it is often after an initial transaction or payment demand has been made.

In addition, many P2P apps have additional embedded products such as investing in stocks, crypto, and payment applications. Often the ability of teens to access these additional, embedded products is turned ON by default or there is no way to turn OFF access.

Proactive Parental Notifications

Parental notifications can proactively alert parents to concerns regarding teen’s P2P experience.

Parental notifications in P2P apps could encompass alerts for:

  • Real-time transactions
  • New contacts
  • Transactions with new contacts
  • Transactions over a certain dollar value
  • When a teen adds a new payment method (ex. adding a debit card)
  • High-risk transactions (ex. coerced into serving as a money mule and forwarding sextortion payments made by other victims to the perpetrator)
  • Impermissible transactions based on teen’s age (ex. gambling or adult content)

The default setting for parental / sponsor notifications of activities in teens accounts varies across P2P apps. Take for example, transaction notifications. Venmo’s default setting alerts parents in real time of every transaction. In contrast, Cash App and Apple Cash require parents to turn ON real-time notifications.

Reduce Harms by Detecting Ransom Recipient P2P Accounts

When a teen sextortion victim makes a ransom payment via a P2P account, that means that the P2P platform also hosts an account for the perpetrator (or money mules). Ransom recipient accounts need to be detected, linked (as perpetrators will have multiple accounts), and reported. See the FATF section below for indicators of recipient accounts.

Ease Teen Reporting of Financial Sextortion

While Safety by Design seeks to prevent harm, the principles also include measures to reduce and remediate harm. Safety by Design allows for the surfacing of harmful interactions like sextortion ransom demands.

P2P apps should also have a simple, age-appropriate way for minors to report safety concerns, including financial sextortion. With the exception of Cash App discussed below, most P2P apps do not have clear routes for teens or parents to report financial sextortion of minors to the app.

For example, one major P2P app has a “report” function that leads to FAQs without an actual way to report sextortion or other inappropriate content. Meanwhile the app’s Help Center instructions for reporting inappropriate content contradict the actual flow of steps within the app.

Disrupting Sextortion Financial Mechanisms by Identifying and Reporting Financial Sextortion & Online Exploitation of Children

In addition to surfacing victim reports of financial sextortion, financial institutions should incorporate suspicious activity monitoring tailored to financial sextortion of minors.

FATF

FATF released in March 2025 a report titled “Detecting, Disrupting and Investigating Online Child Sexual Exploitation: Using Financial Intelligence to Protect Children from Harm.” Financial institutions should incorporate FATF’s insights into their detection scenarios.

FATF provided the following indicators of financial sextortion of minors:

General Indicators of Transactions Related to Financial Sexual Extortion of Children

  • Transactions conducted between two individuals where there is no apparent relationship (i.e., no common surname, no clear business purpose).
  • Transactions generally of less than 500 EUR, but sometimes ranging up to 1500 EUR in even-dominated amounts.
  • Initial transaction between remitter (victim) and receiver (perpetrator) generally less than 250 EUR.
  • Multiple transactions from a remitter to a receiver over a short period of time and then stopping entirely.
  • Transactions conducted to a common country of operation of perpetrators of FSEC (i.e., Cote d’Ivoire, Nigeria, Philippines etc.). Obliged entities should take note of the shifting trend of countries where this is predominantly taking place over time.
  • Transaction purpose refers to social media or social media usernames, sexual or pornographic terms, threatening/ pleading language or date/time that material was received.
  • The transaction recipient is not local to the remitter.
  • Payment details appear like a charitable donation.
  • Transaction linked to an individual on a public registry of sex offenders

Transactions Conducted by Victims

  • Transactions that are conducted by a teenage or young adult male and to a lesser degree teenage or young adult female.
  • Transactions originating in primarily English-speaking countries, if international. Obliged entities should note that this will become less of a marker over time as facilitators become more sophisticated.
  • Receipt of complaints from individuals about transaction links to sexual extortion.
  • Payments typically occurring between 7pm and 7am (usually as the sexual extortion is happening in real time).
  • The remitter (victim) does not enter a payee name (i.e., only enters a general label for recipient) or enters a payee name that does not match the actual account holder.
  • Diminishment of funds in the remitter’s accounts within a matter of hours (usually less than 24 hours).
  • Uncharacteristic purchase of digital gift cards or gaming credits.
  • Uncharacteristic uses of individuals’ P2P platform accounts.
  • Uncharacteristic purchase of Virtual Assets (cryptocurrency).
  • When questioned by bank staff, the remitter is evasive or offers an implausible explanation for the activity.
  • Victim purchasing multiple gift cards (for example, Amazon, PlayStation or other gaming providers)

Transactions Conducted by Perpetrators

  • An account receiving multiple apparently unlinked transactions.
  • Receiving account having multiple unlinked rationales identified for the transactions being received by the account.
  • Amounts received quickly removed from account.
  • Payments to online services offering privacy and/or anonymity (i.e., encryption, VPN, virtual phone numbers, etc.).
  • Payments associated with multiple pre-paid credit cards or gift cards.
  • Receipt of funds from multiple online file hosting marketing services (e.g., pay-per-download models) across different jurisdictions.
  • Purchase of goods (vehicles, real estate, household appliances) in a short period of time, subsequent to receiving money, without justification for the means used.
  • Persons with a lifestyle and consumption that is not consistent with the income earned from their work activity.

FinCEN

Certain financial institutions are required to file suspicious activity reports with FinCEN.

In September 2021, FinCEN published Notice FIN-2021-NTC3 titled “FinCEN Calls Attention to Online Child Sexual Exploitation Crimes [OCSE].” The Notice provided financial institutions with OCSE-specific SAR filing instructions and highlighted financial trends related to OCSE.

The Notice identified:

Another trend is the rise in sextortion of minors, who are coerced or exploited into exchanging sexual images via the internet, mobile devices, and social media platforms.

FinCEN explained that production of child pornography includes sextortion, where offenders use deceit or non-physical forms of coercion, such as blackmail, to acquire child pornography depicting the targeted minors.

In February 2024, FinCEN released a Financial Trend Analysis regarding Online Child Sexual Exploitation that provides cryptocurrency-related typologies of OCSE that may also be indicative of financial sextortion.

NCMEC

The National Center for Missing & Exploited Children (NCMEC) CyberTipline is a designated reporting mechanism for the public and electronic service providers (ESPs) to report instances of suspected child sexual exploitation.

Per NCMEC:

U.S.-based ESPs are legally required to report instances of apparent child sexual abuse material (child pornography), online enticement of children and child sex trafficking when they become aware of them, but there are no legal requirements for proactive efforts to detect this content or what information an ESP must include in a CyberTipline report. As a result, both the volume and content of reports can vary greatly.

Online enticement of children includes financial sextortion. In 2024, financial institutions Block and PayPal reported 1,176 and 868 leads respectively to the CyberTipline.

 

Actions Taken by Financial Institutions to Disrupt Financial Sextortion of Minors

Some financial institutions have already taken steps to counter the financial mechanisms of sextortion.

User Education & Prevention

Santander Bank created a 2-minute micro-course delivered within its banking mobile app on Blackmail and Sextortion after being inspired by Paul Raffile’s ground-breaking research into financial sextortion.

Santander Bank course on Blackmail and sextortion. Disrupting Sextortion Financial Mechanisms
Source: Santander Bank

Education within financial apps may prevent teens from being victimized by financial sextortion. Social media companies like SnapChat and Meta provide a variety of resources for users and parents that could serve as a model for financial institutions.

SnapChat Safety Series Video on Sextortion
Source: https://www.snapchat.com/p/9e8a90a8-897f-474b-8d65-e29797b3aa40/2953490508382208?lang=en-US

The Cross-Functional approach advocated in Safety by Design suggests that multiple avenues to resources should be offered to consumers across the entire system (i.e. not siloed in Trust & Safety or Reporting).

Cash App Actions

Cash App was identified as the leading payment platform mentioned in NCMEC reports of financially motivated sextortion of minors between November 2021 and August 2023.*

Platforms used for payment
Source: Thorn Study “Trends in Financial Sextortion: An investigation of sextortion reports in NCMEC CyberTipline Data,” June, 2024.

 

Cash App has taken numerous steps in 2024 and 2025 to disrupt sextortion.

1) Reporting to NCMEC

Cash App began reporting suspected child exploitation to the National Center for Missing and Exploited Children CyberTipline in the fall of 2024. NCMEC reported that it received 1,781 reports from Block Inc. (Cash App’s parent company) in 2024. The reports include suspected instances of CSAM, online enticement (including financial sextortion), and child sex trafficking. Cash App states that it has submitted an average of 450 reports per month to the CyberTipline.

2) Enhanced Reporting Tools for Victims

Cash App rolled out a new reporting mechanism for Teen Accounts. The reporting mechanism has clear options to report inappropriate behavior including “Nudity or Sexual Activity.” The language could be clearer that sextortion (blackmail involving nude images) is included in this category.

Source: https://block.xyz/inside/empowering-sponsors-and-teens-with-enhanced-reporting-tools

The new reporting mechanism helpfully also includes links to NCMEC’s CyberTipline, Take it Down, and a Crisis Helpline.

3. Parental Notifications & Controls

A new parental alert functionality alerts parents after a child-sponsored account receives or sends funds to a new contact. Previously, parents did not receive such an alert by default. Now the parent can turn off the ability of the child to send or receive funds with the counterparty after receiving the alert. This is not preventative, but it can alert parents to a problem and/or prevent further payments.

4. Required Transaction Notes

P2P and payment apps often include an optional note or comment section for users to indicate the reason for the transaction.

Sextortion-related payment notes have included:

  • delete video
  • “$50 for blackmail”
  • release,” and
  • please I don’t want to die.

In addition, perpetrators have directed victims to provide false or misleading memo lines.

Cash App instituted a new requirement for all accounts (not just teen accounts) to include a transaction note for every transaction. Cash App will use the transaction notes in machine learning to detect suspicious transactions and for other uses.

Cash App’s announcement states:

For Sponsors overseeing teen accounts, Required Notes adds an essential layer of transparency to their oversight role. Parents and guardians can now see not just when and how much their teens are spending, when their teen transacts with a new contact, but also understand the nature of each transaction… The added context makes it easier to distinguish between routine expenses like school supplies or lunch money and potentially concerning transactions that may require attention.

Cash App described the impact and results of Required Notes as:

The introduction of Required Notes has improved the identification and removal of bad actors, enriched payment data for risk management systems, and provided valuable context to support investigations into potentially high-risk activity—all without negatively impacting good customers.

That said, this feature is more than a safety enhancement — it’s a foundation for future innovations. As we deepen our use of AI and machine learning capabilities, the rich contextual data from Required Notes opens up exciting possibilities for more personalized experiences. 

Chase Bank Blocks Zelle Payments Originating Through Social Media

As background, most financial sextortion begins through social media and Zelle was mentioned in 7.5% of NCMEC sextortion reports. Several sextortion-related indictments include descriptions of Zelle sextortion victim payments.

In February 2025, Chase Bank instituted a new policy:

Alert: For your protection, Chase will not allow you to send Zelle payments identified as originating from contact through social media. We’ll decline those transactions because Zelle is meant to pay friends, family and other trusted recipients you know, not for others you meet on social media.

It is unclear how Chase will identify Zelle payments as originating from social media. It is also unclear whether this new policy is limited to “fake ads for things like merchandise, cars, property rentals” as noted on the announcement webpage.

While Chase’s policy may not be directed at financial sextortion it could potentially block some ransom payments given that financial sextortion utilizes both social media and Zelle.

Conclusion: 3 Steps for Disrupting Sextortion Financial Mechanisms

  1. Incorporate Safety by Design principles for teen financial accounts including preventing safety issues instead of only responding, empowering users through tailored controls, surfacing safety concerns, and high default privacy settings.
  2. Recognize indicators of financially motivated sextortion and report to the appropriate authorities.
  3. Learn from industry peers regarding best practices, new approaches and course-correction measures to improve teen safety on financial platforms.
* Venmo is owned by PayPal. Taken together PayPal & Venmo accounted for 27.2% of NCMEC reports, greater than Cash App's 25.7%.

Read the five-part series on the financial mechanisms of financially motivated sextortion of minors:

Part 1 – Financially Motivated Sextortion of Minors: Introduction

Part 2 – Teen Sextortion Victim Payments

Part 3 – Consolidating and Laundering Sextortion Proceeds

Part 4 – Sextortion International Money Laundering

Part 5 – Disrupting Sextortion Financial Mechanisms

Dynamic Securities Analytics, Inc. provides litigation consulting to help clients successfully navigate disputes involving securities, cryptocurrency, and money laundering. 

You may also like