Child safety experts and the UK's National Crime Agency warn that criminals are using AI to manipulate photos of children found on school websites and social media to create sexually explicit images for blackmail purposes.
UK schools should remove pictures of pupils' faces from their websites and social media accounts, according to child safety experts and the National Crime Agency (NCA).
Criminals are exploiting publicly available photos of children to generate sexually explicit deepfakes, then using these images to extort money from families.
The threat represents a significant shift in how AI technology is being weaponized against vulnerable populations. Rather than creating new imagery from scratch, blackmailers are targeting existing school photos—many published with parental consent—and manipulating them using artificial intelligence tools.
The Process
Schools typically post photos of pupils on official websites and social media for promotional purposes, sports events, and academic achievements. These images are often readily accessible to the public. Criminals download these photos and use AI technology to create fake sexually explicit content featuring the children.
Once the deepfakes are generated, perpetrators contact families directly or through social media, threatening to distribute the images unless money is paid.
Risk Assessment
The NCA and child safety organizations have flagged this as a growing threat. The ease of accessing AI manipulation tools and the availability of high-quality photos on school platforms creates a low-barrier entry point for criminal activity.
Experts stress that families often have no way of knowing deepfakes exist until they are contacted by blackmailers, leaving them in distressing situations with limited options.
Recommended Actions
Schools are being advised to:
- Remove or pixelate pupils' faces from website photos
- Restrict social media access to current students and staff only
- Review privacy policies for photo usage
- Educate parents and pupils about the risks
The guidance reflects broader concerns about the intersection of AI technology, readily available personal data, and criminal exploitation. Schools are now weighing the benefits of online visibility against emerging security risks.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.