Technology

Norwich home behind one of the biggest deepfake rings in the world

Ryan Brothwell 5 min read
Norwich home behind one of the biggest deepfake rings in the world

Key Points

  • ISD identified 181 nudify websites drawing over 40 million unique visitors a month
  • 163 sites were accessible from the UK; only two verified users' ages
  • Card payments on many sites secretly settle in cryptocurrency
  • Requesting a non-consensual intimate image became a UK criminal offence on 6 February 2026
  • App stores remain outside the Online Safety Act's main duties

Somewhere in Norwich, on an ordinary residential street, sits the registered address of one of the most visited deepfake pornography businesses in the world.

The company is one of 181 websites identified in a new report by the Institute for Strategic Dialogue, produced with funding from the UK’s AI Security Institute, which together map what the researchers call the “nudify” ecosystem.

Nudify apps are tools and websites that let users upload a photograph of a real person – a colleague, an ex, a stranger, a teacher – and generate sexualised images or video of them without their consent.

Between them, these sites drew more than 40 million unique visitors a month between December 2025 and March 2026. The most popular attracted 9 million on its own.

Of the 181 sites, 163 were accessible from the UK on 1 April 2026. Notably, just two made any genuine attempt to verify that users were adults, a requirement for every pornographic website in the UK since 2025.

The report shows that these websites are not sitting on the dark web and users do no need to look particularly hard to find them.

Half of all traffic to the ten biggest sites arrived directly; a quarter came from ordinary search engines, where the tools surfaced on the first page of results across Google, Bing and Yahoo.

Another 5.7 million visits over three months flowed in from mainstream social media – 1.8 million from YouTube, 1.3 million from X, hundreds of thousands more from Reddit, Facebook and Instagram – platforms whose own policies prohibit exactly this content.

ISD found more than 600 identical adverts for nudify tools shown to UK users on Facebook and Instagram between April and July 2025, despite Meta’s public commitments against them.

A system of workarounds

The sites run on a freemium model similar to a free iPhone game. Users are offered a few free generations (nudifies) to hook the user, then credits or subscriptions, with images available for as little as a dollar each.

The checkout screens typically display Visa, Mastercard, and PayPal as payment options, but when ISD’s researchers traced the payment flows on 28 of the sites, they found the familiar card screen was often a front with transactions routed through cryptocurrency intermediaries.

There is no evidence the mainstream payment firms know their branding is being used this way, and historically Visa and Mastercard have put blocks in place to prevent being associated with pornographic purchases.

The workarounds grew stranger the deeper the researchers went. Several sites and most of the Telegram bots that generate this material accept Telegram Stars, the messaging app’s in-app currency, purchasable through the Apple App Store and Google Play.

One high-traffic site operates a network of human intermediaries, effectively “dealers”, who accept cash payments through Venmo, Cash App, and Revolut on the operation’s behalf, recruited through a public Google Form advertising earnings of $1,000 to $5,000 a month.

Another site’s affiliate programme claims to have paid out more than $2.6 million in commissions, offering promoters up to 40% of the revenue they bring in. It’s difficult to verify these claims, but they support the idea that these are large-scale, complex operations.

Cloudflare hosts 58% of the domains and through shared server fingerprints, matching support emails, and overlapping ownership records, ISD identified at least a dozen clusters of sites run by the same operators – portfolios built to serve different audiences and to hedge against takedowns.

This would explain why the company is registered in Norwich, but also has ties to Belize and Estonia. Of the 14 corporate entities the researchers managed to identify behind these sites, not one was registered in a single jurisdiction with transparent ownership.

An act of humiliation

Analysing nearly 110,000 posts across more than 30 platforms, the researchers found that sexual gratification was only part of the story. Requests routinely targeted women the users knew – girlfriends, exes, family members, a teacher whose job one user hoped to destroy – and were framed in the language of punishment, revenge, and public humiliation.

This was dragged into the mainstream when Grok, the AI tool built into X, prompted users more than 428,000 times over five months to alter images of women, typically by replying directly beneath photographs the women had posted themselves.

xAI restricted the feature in January and added safeguards, but the the requests have kept coming, tens of thousands a month, even after the tool stopped complying.

The researchers’ conclusion is that this content functions less as pornography than as a weapon, a means of asserting control over women’s public presence.

Since 6 February 2026, under provisions introduced by the Data (Use and Access) Act, it is a criminal offence in England and Wales not only to create a non-consensual intimate image of an adult but to request that one be created.

This means that the person asking a forum, a bot or a friend to “nudify” a photo is now committing a crime, whether or not the image ever materialises.

The Crime and Policing Act, which received royal assent in April, goes further still, criminalising the provision of nudification tools themselves and imposing a 48-hour deadline for removing flagged imagery.

The law is catching up

Whether the law can reach an industry structured like this one is another question.

The report’s biggest concerns were around app stores, which sit outside the Online Safety Act’s main duties as “ancillary services”.

Ofcom’s guidance on protecting women and girls remains non-statutory, with a progress review not due until mid-2027.

ISD’s researchers are calling for enforcement across the whole lifecycle – search, platforms, payments, hosting, app stores – and note, pointedly, that the infrastructure concentration cuts both ways.

A handful of provider-level decisions by companies like Cloudflare, Namecheap and Google could disrupt a disproportionate share of the ecosystem overnight.

Now read: UK to cap concert ticket resale prices and platform fees