Where to report CSAM.

The primary US reporting channel. Reports route to law enforcement automatically. Also reachable by phone at 1-800-843-5678. Anonymous reporting is available.

UK-based; accepts reports of CSAM hosted anywhere. Operates the IWF Hash List used by 200+ platforms. Anonymous and confidential.

Canada's national tipline. Operates Project Arachnid, the automated CSAM crawler and takedown service, and a survivor-support program.

Connects 50+ national CSAM hotlines across the world. Use this to find the right hotline for your country if you are outside the US/UK/Canada.

Australia's regulator; accepts reports of illegal and restricted content including CSAM, and issues legally enforceable transparency notices to platforms.

For online enticement, sextortion, and child exploitation. The FBI has a dedicated sextortion intake. IC3 (ic3.gov) handles internet-crime complaints. Call 1-800-CALL-FBI for emergencies.

US-based ESP; reports to NCMEC and is consistently the single largest source of CyberTipline reports. Primary report path is the in-content Report button; the Safety Center page explains the confidential child-exploitation reporting flow.

US-based ESP owned by Meta; governed by the same Community Standard on Child Sexual Exploitation, Abuse, and Nudity as Facebook and reports to NCMEC. Report via the in-app Report flow on the post or account.

US-based ESP; Meta states Facebook, Instagram, and Threads are covered by the same child-safety policy and CyberTipline reporting (Threads CyberTip volumes are reported jointly with FB/IG). Report via the in-app Report flow.

Operated in the US by TikTok Inc. (parent ByteDance); reports CSAM to NCMEC. Dedicated US Sexual Exploitation and Abuse report form (Zendesk) does not require an account; in-app Report is also available. Does not allow images/video in comments or DMs as a CSAM-mitigation design choice.

US-based ESP (X Corp.); reports to NCMEC. Has a dedicated standalone Child Sexual Exploitation (CSE) report form that does not require an X account, in addition to in-app reporting. Report URL and policy page return 403 to automated fetchers but are the canonical published links.

US-based ESP; reports all identified child sexual exploitation to NCMEC and uses PhotoDNA/CSAI Match. Fastest path is press-and-hold in-app Report; the linked support article also exposes web report forms for users who cannot use the app (including EU DSA and UK OSA illegal-content forms).

US-based ESP (Microsoft subsidiary); reports to NCMEC. No dedicated CSAM-specific report flow surfaced publicly. Professional Community Policies ban child exploitation and CSAM triggers permanent restriction after a single violation; report via the three-dot menu on the content or member.

US-based ESP; reports to NCMEC and prohibits sexualization of minors beyond illegal CSAM. The child-exploitation help article instructs in-product reporting (ellipsis menu on a Pin) and also links NCMEC, INHOPE, and IWF for external reports.

US-based ESP (owned by Automattic); reports CSAM to NCMEC and other child-protection bodies. No standalone CSAM-only form; reporting is via the three-dot menu (Harm to Minors category) or the general abuse flow. Every report is human-reviewed per Tumblr.

US-based ESP (Bluesky Social PBC); subscribes to CSAM hash-matching and submitted 1,154 NCMEC reports in 2024. Primary path is the in-app Report flow on a post/account; Community Guidelines (Section 1.3 Child Safety) prohibit real and AI-generated CSAM. Federated atproto design means some content lives on third-party instances.

Federated: no central operator. Reports go to the admin of your home instance, with an option to forward to the origin server's moderators. There is no built-in mechanism to report CSAM to NCMEC; whether any § 2258A duty applies depends on the individual instance's operator and jurisdiction. Stanford research (2023) documented significant CSAM across instances. The public should report CSAM directly to NCMEC/IWF.

Russia-domiciled (VK Company Ltd.); no US § 2258A duty, does not report to NCMEC. In-product reporting via the menu next to a post (abuse / violence-extremism categories). Known weak external CSAM reporting; for content viewable in the US, report directly to NCMEC at report.cybertip.org.

China-domiciled (Weibo Corp.); no US § 2258A duty and reports to Chinese regulators (CAC), not NCMEC. Reporting is via the in-app complaint flow and the account-service complaint center, with content rules driven by Chinese law. For US-viewable content, report directly to NCMEC.

Owned by Meta (US); reports apparent CSAM to NCMEC under 18 U.S.C. 2258A. End-to-end encrypted by default, so detection relies on user reports (the most recent decrypted messages are sent to WhatsApp when a chat/contact is reported), unencrypted profile/group data, and metadata. Bans roughly 300,000 accounts/month for child sexual exploitation. report@support.whatsapp.com is the documented email escalation; in-app: Report contact/group.

Owned by Meta (US); mandatory NCMEC reporter and historically the single largest source of CyberTipline reports. Default end-to-end encryption rolled out across Messenger in late 2023, reducing server-side scanning; reporting is in-app via the Report flow (select 'Involves a child' under Nudity & Sexual Activity, which is prioritized). No dedicated public CSAM web form beyond the in-app flow.

Foreign-domiciled (operated out of Dubai/UAE; not a US ESP). Dedicated CSAM email channels: abuse@telegram.org and stopCA@telegram.org. In-app: tap/hold/right-click a message and select Report. Only 'Secret Chats' are end-to-end encrypted; default cloud chats, groups and channels are server-side accessible, and Telegram scans public content against a CSAM hash database. Subject of UK Ofcom and Australian eSafety scrutiny over CSAM transparency; began sharing data with authorities more broadly after the 2024 arrest of founder Pavel Durov.

Operated by the Signal Technology Foundation (US non-profit). End-to-end encrypted for all messages with deliberately minimal metadata retention, so Signal has essentially no server-side ability to detect CSAM and files few/no CyberTipline reports. No dedicated public CSAM flow: abuse@signal.org is published for IP infringement, the support request form is the general contact, and users can Report+block an account in-app. Reporters should escalate decrypted content directly to NCMEC or the IWF.

US-based; mandatory NCMEC reporter and permanently bans users who share CSAM. Not end-to-end encrypted for text/images, so Discord proactively hash-scans uploads with PhotoDNA. Report via the in-app Report Message/Report User Profile flow (child-safety reports are high-priority, reviewed in 24-48h); discord.com/report hosts the web report form including the TAKE IT DOWN / non-consensual intimate imagery flow that also routes CSAM to NCMEC.

Apple is a US ESP and reports apparent CSAM to NCMEC. iMessage is end-to-end encrypted; Apple abandoned its on-device CSAM-hashing proposal in 2022, so detection is limited. Communication Safety (on by default for child accounts) blurs nudity on-device and lets the child report the sender to Apple from within Messages/FaceTime; Apple reviews and 'may forward reports to the relevant authorities, including law enforcement.' Apple has been criticized for filing comparatively few NCMEC reports.

Google (US) is a mandatory NCMEC reporter (over a million CyberTipline reports in a recent half-year). RCS chats between Google Messages users are end-to-end encrypted; SMS/MMS are not. Spam/abuse can be flagged in-app (Report spam); CSAM and broader illegal-content reports go through Google's 'Report content' legal troubleshooter. Google detects CSAM across its products using hash matching and classifiers where content is not E2EE.

Owned by Rakuten (Japan); not a US ESP. End-to-end encrypted by default for one-to-one and group chats and calls, so detection of CSAM is limited to user reports and public Communities/Channels. Report via in-app: long-press a message > Report, or report a Community/Channel from its info screen; reported user is not notified. (Help page is served behind a bot-filter that blocks automated fetchers but resolves in a browser.)

Owned by Tencent (China); not a US ESP (the China-market Weixin and international WeChat are operated separately). Not end-to-end encrypted; Tencent moderates content server-side. policy@wechat.com is published for Acceptable Use Policy breaches and in-app reporting is available, but WeChat's own Minor Safety page explicitly directs CSAM reporters to the Internet Watch Foundation's portals and local INHOPE hotlines rather than a WeChat CSAM flow.

Operated by LY Corporation (Japan, formerly LINE Corporation); not a US ESP. Default chats are not end-to-end encrypted ('Letter Sealing' E2EE is optional), so LINE's patrol team can review reported private content and moderates public posts. Policy explicitly bans sexual images of minors ('up to high school students'); report via the in-app report feature / Help Center inquiry form. Users are told to contact police for criminal conduct.

Owned by MediaLab (US); a US ESP that reports to NCMEC and runs a Child Exploitation Prevention Team. Uses Microsoft PhotoDNA (marketed as 'SafePhoto') to detect known CSAM in images sent on the platform. Report a user in-app (block/report from chat or New Chats), or email the Trust & Safety team at safety@kik.com. Kik has a long-documented history as a vector for child exploitation and sextortion.

Owned by Amazon/AWS (US ESP). End-to-end encrypted. The consumer app 'Wickr Me' shut down at the end of 2023 after being heavily documented as a CSAM-trading venue with minimal proactive detection; only the enterprise/government 'AWS Wickr' product remains. There is no dedicated consumer CSAM flow; abuse is reported through the AWS abuse channel (abuse@amazonaws.com). Historic enforcement gap: Wickr self-reported only a handful of CSAM instances while thousands of third-party reports were filed.

US-domiciled (San Francisco). OpenAI's Child Safety Team reports all CSAM/CSEM (including prompt uploads and generation requests) to NCMEC and bans associated accounts; uses Thorn hash-matching and classifiers. Public report flow: openai.com/form/report-content/ (covers illegal content / safety-legal concerns) and in-product thumbs-down -> 'Safety or Legal concern'. Help-center article: help.openai.com/en/articles/10245791. Reporting form is bot-protected (403 to automated fetch) but is the live, documented channel.

Critical model/image distribution chokepoint. US-operated. Files reports with NCMEC for confirmed AIG-CSAM (filed 178 reports in one reporting period; reports include the model used to generate the image when known). Zero-strike policy on minors; prohibits all photorealistic minors and loli/shotacon. In-app Report button on images/models; logged-out Content Removal Request form at civitai.com/content/content-removal-request; moderators reachable via Discord. Uses Amazon Rekognition + Clavata classifiers.

Critical model-distribution chokepoint (US-domiciled, NYC/Paris). Content Policy restricts 'underage nudity or any sexual content involving minors' and requires uploaders to minimize risk that ML artifacts can generate CSEM. Report via in-repo flag button or email safety@huggingface.co (Australian residents: aus-online-safety@huggingface.co). Policy does not state NCMEC reporting; enforcement of CSAM-capable fine-tunes/LoRAs has been criticized as inconsistent. Reporting URL == policy URL (content policy contains the report instructions).

US-domiciled (San Francisco). Prohibits content that sexualizes children and any illegal-activity content/uploads. No dedicated public CSAM report form found: reporting is in-product (Discord: right-click -> Apps -> Report Job; website: Options -> Report). takedowns@midjourney.com is for IP/takedowns, not a CSAM-specific channel; privacy@midjourney.com for privacy. Gap: no published NCMEC statement or dedicated child-safety report flow. Docs pages are bot-protected (403 to automated fetch).

US-domiciled. AUP bans CSAM, grooming, trafficking, and suggestive depictions of minors. States it reports CSAM to NCMEC's CyberTipline; partners with Thorn, All Tech Is Human, IWF, and Tech Coalition. Report misuse to safety@stability.ai. Note: open-weight models can be run offline with no provider in the loop, so the report channel only covers Stability's own APIs/hosted services.

Maker of FLUX models. German-rooted founders (ex-Stability) with US operations; ESP duty ambiguous given mixed domicile. Usage policy bans CSAM and minor exploitation. Filters prompts + uploaded images + outputs on the FLUX API using Hive and Microsoft tooling; filtered training data with IWF; maintains reporting relationship with IWF and NCMEC. Report violations to legal@blackforestlabs.ai; community/safety feedback to safety@blackforestlabs.ai. Open weights distributed via Hugging Face can be run offline outside these controls.

US-domiciled. Generative AI Prohibited Use Policy bars generating/distributing CSAE content (first listed prohibition). Detects, removes, and files CyberTipline reports to NCMEC, including computer-generated imagery indistinguishable from a real minor and modified imagery of identifiable minors. Public reporting routes through Google product report flows and directly to NCMEC (report.cybertip.org); transparency-report help page explains the process.

US-domiciled. Trust & Safety human-reviews matches before reporting confirmed CSAM to NCMEC (802 CyberTips in FY2024). Firefly uses GenAI prompt blocking and CSAM-seeking-query deterrence messaging. Report via in-product flows, abuse@adobe.com, or Adobe's Illegal Content Reporting Form (EU-facing but open to others); can also report directly to CyberTipline. Reporting how-to and child-safety pages are heavily bot-throttled (timeouts to automated fetch) but are the canonical live pages.

Sydney, Australia-based; acquired by Canva (also Australian) in 2024, so non-US domicile. ToS prohibits child nudity, child pornography, and any child exploitation. Two-layer moderation (prompt-level + output-level). No dedicated public CSAM report form or NCMEC statement found; general contact via support/help center. As an Australian provider it falls under eSafety/Online Safety Act obligations rather than the US § 2258A duty. ToS page is bot-protected (403 to automated fetch).

US-domiciled (San Francisco) model-hosting/inference platform. Terms 2.7(d)(ii) prohibit 'solicitation, creation, acquisition, or dissemination of child exploitative content.' Report violations via replicate.com/support; legal/DMCA notices to legal@replicate.com. Terms do not state an explicit NCMEC reporting commitment, though as a US ESP the § 2258A duty applies to detected CSAM.

US-domiciled GPU cloud frequently used to self-host image/video models (incl. ComfyUI workers). ToS explicitly states it reports suspected violations to the CyberTipline as required by 18 U.S.C. § 2258A; child-pornography content removed on notice/detection and accounts terminated. Report child exploitation to legal@runpod.io with file name/URL/victim info, or directly to CyberTipline. One of the clearest § 2258A acknowledgements in this category.

Comfy Org (US) operates Comfy Cloud/API/Enterprise plus the node registry; the ToS explicitly prohibits 'child sexual abuse material, non-consensual intimate imagery' and illegal content, with reports to legal@comfy.org. Important caveat: the core ComfyUI is open-source software run locally by users with no provider moderation in the loop – the ToS and report channel only bind the hosted Comfy Cloud/API and registry, not self-hosted installs. No published NCMEC statement.

US-based (San Francisco). Reports apparent CSAM to NCMEC under § 2258A; uses PhotoDNA and is a Tech Coalition member. Dedicated child-safety/CSAM reporting available via in-app/inline report and the report flow; logged-out users can also report. Help article 'How does Reddit fight Child Sexual Exploitation' (10654543840276) explains the program.

US-based (San Francisco). Reports CSAM and grooming to NCMEC; proactively scans images with PhotoDNA. Primary path is in-app reporting (right-click message/user). The discord.com/report webform handles non-consensual intimate imagery under the Take It Down Act; intimate imagery of anyone under 18 is treated as CSAM. High-harm child-safety reports are prioritized.

US-based imageboard. Global rules bar content violating US law; CSAM is prohibited even on otherwise-unmoderated boards. Reporting is via the per-post report button (triangle/arrow next to a post) only - no dedicated CSAM flow, form, or published abuse email. Under active Ofcom investigation (UK Online Safety Act) over illegal-content protections and has been fined. Encountered CSAM should be reported directly to NCMEC CyberTipline.

US-based (Mountain View). Platform Policies prohibit sexualization of minors and grooming; states CSAM is removed, reported to authorities, and accounts permanently banned. Reporting is via the in-product '...' menu Report option; safety/underage concerns can also be raised through the contact form ('I have a safety concern'). No dedicated CSAM-only flow or published abuse email.

US-based (Stack Exchange, Inc., New York). States it reports apparent child exploitation and CSAM detected on its services to NCMEC. No dedicated CSAM report form; on-site content is flagged via the 'flag' control, and out-of-band reports go to legal@stackoverflow.com (DSA matters: dsa-legal@stackoverflow.com). Public Network Terms cover acceptable use.

Owned by Automattic (US). Community Guidelines prohibit any sexual/suggestive content involving minors, including illustrations, animation, and text, and state CSAM is reported to NCMEC and other child-protection bodies. In-app/web reporting routes 'Harm to Minors' / child-exploitation through the abuse form under 'Report something else'; no single dedicated CSAM button on the main report menu.

US-based (A Medium Corporation, San Francisco). Medium Rules prohibit content promoting the sexual exploitation of minors, including sexualization of fictional minors. Report via the 3-dot menu on any post/account, a detail form, or email trust@medium.com. Rules text does not name NCMEC, but Medium is a US ESP subject to § 2258A. No dedicated CSAM-only flow.

US-based (Substack, Inc., San Francisco). Content Guidelines prohibit CSAM and use of Substack for child sexual exploitation. Reports apparent child exploitation to NCMEC (per Law Enforcement Request Guidelines). No dedicated CSAM report form - violations go through the content-violation/profile/publication report flows or the support/TOS contact. Law-enforcement CSAM requests should use subject line 'CHILD SAFETY MATTER'.

US-based (San Francisco). Community Guidelines state zero tolerance for real or animated CSAM/sexualized minors and that incidents of minor sexual exploitation, sextortion and grooming are reported to NCMEC. Partners with Thorn, the Tech Coalition, and runs an INHOPE trusted-flagger escalation. Reports go through the Trust & Safety report flow/help-center form.

US-based (Fandom, Inc., San Francisco). Child Safety Policy prohibits sharing, offering, or requesting CSAM and states CSAM is reported to appropriate authorities using industry-standard detection. Reporting is via on-wiki/in-product report tools and the Trust & Safety contact referenced on the policy page; no standalone CSAM webform URL or published abuse email confirmed.

US-based nonprofit (San Francisco). Removes apparent CSAM and reports it to NCMEC; Trust & Safety uses PhotoDNA. Report CSAM/material links to legal-reports@wikimedia.org; report grooming/child-safety conduct violations to ca@wikimedia.org; imminent physical harm to emergency@wikimedia.org. No web form - reporting is by email.

US-based (Twitch Interactive / Amazon, San Francisco). Community Guidelines prohibit CSAM and youth sexual exploitation/grooming; reports illegal content to NCMEC. Report via the in-app/web report flow using the 'Child Endangerment' report reason; reviewed 24/7 by Safety Operations. Salesforce-hosted safety pages render poorly to automated fetchers but resolve in-browser.

Operated by Kick Streaming / Easygo group, Australia (not a US ESP). States it reports CSAM to relevant authorities and permanently bans CSAM, grooming, and minor-exploitation. Report via in-app report feature or email support@kick.com (grooming of a minor should be reported immediately). Under Ofcom investigation (UK Online Safety Act) after failing to respond to an illegal-content risk-assessment request.

US-domiciled (Roblox Corporation, San Mateo CA). Very high under-13 user base. Primary path is the in-experience Report Abuse flag (flag icon); reports route to Roblox moderators. Roblox reports suspected CSAM, abuse material, and grooming to NCMEC. Also runs jurisdiction-specific CSAM forms, e.g. the California AB 1394 form at roblox.com/ca-1394-report. Subject of multiple 2025-2026 state AG investigations over child exploitation.

Owned by Microsoft (Mojang Studios). In-game player reporting (social menu, red caution icon) for chat/behavior on Java Edition; Bedrock/console reporting routes through Xbox. CSAM and child-exploitation concerns are reported by Microsoft to NCMEC. For account-level or platform-level concerns, Microsoft's central Report a Concern portal (microsoft.com/digitalsafety/report-a-concern) is the escalation path.

US-domiciled (Epic Games, Cary NC). In-client reporting plus a web report form. Voice reporting is always on in voice chats that include players under 18; players can submit audio/text as evidence. Epic reports child sexual exploitation and abuse content to NCMEC. Paid a $275M FTC penalty in 2022 over children's-privacy (COPPA) violations.

US-domiciled (Valve Corporation, Bellevue WA). Report content via the in-client Steam Community report tool (profiles, content, chat). Store products can be reported with a dedicated 'Child Exploitation' category. Steam hosts a large minor user base; reporting is decentralized and there is no single dedicated public CSAM web form, so direct NCMEC reporting is advised in parallel.

US-domiciled (Twitch Interactive, an Amazon subsidiary, San Francisco CA). In-platform user reporting plus web report flow. Prohibits CSAM and the sexual exploitation/grooming of youth (under 18) and reports illegal content to NCMEC. Known enforcement gap: 2024 reporting found the Clips feature was used to capture and redistribute abuse material and was among the least-moderated surfaces.

US-domiciled (Discord Inc., San Francisco CA). Primary path is in-app reporting (report a message/user/server); discord.com/report is the web form (also used for TAKE IT DOWN Act NCII removals as of May 2026). Zero-tolerance child-safety policy; confirmed CSAM is reported to NCMEC. Heavily implicated in grooming/exploitation cases; widely used for off-platform grooming linked to other games.

US-domiciled (Rec Room Inc., Seattle WA). Social VR platform with a young user base. In-game report tools plus Zendesk tickets; high-risk harms are auto-detected and escalated to Trust & Safety. Joined NCMEC in 2023 and files CyberTip reports. Under-13 users get 'Junior' accounts with no voice or text chat. Law-enforcement contact: lawenforcement@recroom.com (recroom.com/information-for-law-enforcement).

US-domiciled (VRChat Inc., California). Social VR with significant minor presence despite a 13+ minimum. Preferred path is in-app reporting; the web ticket form (vrchat.zendesk.com/hc/requests, 'Moderation Report/Appeal') is for reports with attached screenshot/video evidence. States that CSAM, grooming, and illegal content involving minors are reported to relevant legal authorities. In-app reporting guidance was revised January 2026.

US-domiciled (Innersloth LLC, Redmond WA). In-game reporting via the chat/Kick menu (categories include Harassment/Misconduct covering sexually suggestive comments and illegal activity); reports go to the player-support moderation team. Among Us 3D adds AI-assisted voice-chat toxicity detection. No publicly documented dedicated CSAM web form; serious child-safety reports should also go directly to NCMEC.

US service operated by Microsoft (Redmond WA). In-product 'report a player' on console/app for the incident; Microsoft's central Report a Concern portal (microsoft.com/digitalsafety/report-a-concern) handles CSEAI and other illegal-content reports across Microsoft services. Microsoft reports CSEAI to NCMEC and pioneered grooming-detection tooling (Project Artemis). Paid a $20M FTC settlement in 2023 over children's-data (COPPA) violations.

US service operated by Sony Interactive Entertainment LLC (San Mateo CA), subsidiary of Japan's Sony Group. In-console reporting (including PS5 voice-chat clip submission) reviewed by a global human moderation team. Confirmed CSAM is reported directly to NCMEC; Sony uses hash-matching plus ML to detect previously unreported CSAM. May escalate to law enforcement for threats to life/safety.

Parent company is Japan-domiciled (Nintendo Co., Ltd.); US service is run by Nintendo of America (Redmond WA). Reporting is via in-game/in-app features and the console (e.g. C Button report in GameChat on Switch 2; per-title report flows). Whether Nintendo files US CyberTipline reports to NCMEC is not clearly documented publicly, so ESP duty is marked unclear; child-safety reports should also go directly to NCMEC.

Owned by Aylo (formerly MindGeek), domiciled in Cyprus/Luxembourg with Montreal operations. Dedicated content-removal portal covers non-consensual content, CSAM/child-safety, performer consent withdrawal, and consent-agreement violations with confidential/anonymous reporting. Voluntarily reports CSAM to NCMEC CyberTipline; uses PhotoDNA, CSAI Match, Safeguard (proprietary), Safer/Thorn, StopNCII and Take It Down; performer uploads ID-verified via Yoti. Subject to 2025 FTC/Utah settlement over historic failure to remove CSAM/NCM and 2026 EU DSA preliminary breach finding on age verification.

Aylo (parent of MindGeek brands) operates a shared trust-and-safety and content-removal infrastructure across its tube sites and paysites. The Pornhub content-removal form is the network's primary intake; the same NCMEC reporting, hash-matching (PhotoDNA, Safeguard, Safer) and Yoti uploader verification apply network-wide. Foreign-domiciled (Cyprus/Luxembourg/Montreal). General office contacts at aylo.com/contact (e.g. info.montreal@aylo.com); no dedicated public trust-and-safety email published.

Operated by Fenix International Ltd, a UK-domiciled company. Zero-tolerance CSAM policy; reports to NCMEC CyberTipline (60 reports H1 2024; 347 in 2023) using Safer/Thorn, Microsoft PhotoDNA, Sight Engine and proprietary tooling plus human review. Per-post Report button plus a Non-Consensual Intimate Images reporting flow; all creators age/ID-verified. Help-center reporting URL is high-confidence but could not be machine-fetched (bot protection), so not independently confirmed.

Operated by Select Media LLC; corporate domicile is not clearly published (commonly cited as US-linked but ambiguous), so ESP duty is unclear. Acceptable Use Policy forbids minors, CSAM and actual non-consent; in-product Report button on content. Published contact for legal/DMCA and content issues is legal@fansly.com. No dedicated public CSAM-specific reporting page located; legal@ and the in-app report flow are the intake. URLs not machine-confirmable due to JS-rendered/auth-gated pages.

Operated by WGCZ Holding / WebGroup Czech Republic, domiciled in the Czech Republic (Prague). Published abuse and takedown contact is abuse@xvideos.com. Historically criticized for weak moderation of non-consensual content and CSAM; preliminarily found in breach of the EU Digital Services Act in 2026 (with XNXX, Pornhub, Stripchat) over age verification. Reporting handled largely via the abuse email and DMCA agent rather than a granular CSAM web flow; legal pages live on the info.xvideos.net host but were not machine-fetchable.

Operated by Technius Ltd, a Cyprus company (reg. HE349515); governing law Cyprus. Terms provide a Report Form plus on-broadcast report buttons, and a separate Digital Services Act illegal-content reporting path for EEA users. DMCA/copyright handled via help@stripchat.com and notice@dmcanow.io (DMCA Now LLC, West Palm Beach FL). No dedicated abuse@/compliance@ address published separate from help@. Preliminarily found in breach of the EU DSA in 2026 over age verification.

Operated by Multi Media LLC, headquartered in California – a US-domiciled ESP with a 18 U.S.C. 2258A duty to report apparent CSAM to NCMEC. Rules prohibit minors, bestiality and non-consensual acts; in-product reporting via the broadcaster username menu, and a DMCA/content-removal flow through the support center (dmca@chaturbate.com is the standard takedown intake). Support pages are Cloudflare/bot-protected and were not machine-fetchable; no dedicated public CSAM web form located beyond NCMEC referral.

Montreal, Canada-based marketplace. Requires performer age/ID verification; content rules prohibit minors, bestiality and real non-consent. Primary intake is the in-product Report button on each Vid/post/profile plus a consent-based takedown request flow documented on the MV Support (KnowledgeOwl) help site. No dedicated public CSAM-specific portal beyond general moderation/report; DMCA handled via support. Pages are high-confidence from search but not directly machine-verified.

UK-domiciled creator platform (notable for AI-generated creators, which adds prompt-and-output moderation obligations). Content Moderation & Protection Policy states Fanvue cooperates with law enforcement on CSAM and human trafficking, scans uploads pre- and post-publication via the Hive tool with human review (urgent CSAM cases within hours), and removes/blacklists under-18 accounts. Reporting via support@fanvue.com, in-app live support, and help.fanvue.com; Complaints Policy commits to review within 5 days. Policy does not name NCMEC or IWF specifically. Content-moderation policy page confirmed; help-center root listed as general intake.

Owned by Google LLC (US). Report via the in-product 'Report abuse' link on shared Drive/Docs content, which routes to the abuse form; CSAM is a selectable category. Google scans non-E2EE content with hash-matching and a CSAI classifier and files CyberTipline reports to NCMEC (1.47M+ reports in 2023). A general content-removal path also exists at support.google.com/websearch/contact/content_removal_form.

Dropbox, Inc. (US). Dedicated CSAM policy page at safety.dropbox.com/csam links to the web-based report tool / abuse form. Uses PhotoDNA, YouTube CSAI Match, plus NCMEC and IWF hash lists and an internal classifier; removes content, disables the account, and reports to NCMEC under US law.

Microsoft Corp (US). In-product 'Report a concern' (right-click file) plus an anonymous Digital Safety 'Report a concern' web form; 'Child sexual exploitation or abuse' is an explicit category. Microsoft created PhotoDNA and reports CSAM to NCMEC.

Apple Inc. (US). No dedicated public CSAM report form; the iCloud Terms direct users who encounter content 'illegal or harmful to children' to email abuse@icloud.com. Apple shelved its 2021 on-device NeuralHash CSAM-detection plan and files comparatively few NCMEC reports (250 in 2024 vs ~1.2M each from Google and Snap), a gap now the subject of state litigation (West Virginia, 2026). iCloud content is not E2EE by default unless Advanced Data Protection is enabled.

Mega Limited, New Zealand-domiciled; not a US ESP. Zero-knowledge end-to-end encryption means Mega cannot scan stored files, so reports rely on the public share link plus its decryption key. Report objectionable material to abuse@mega.nz or via the takedown page; Mega states zero tolerance for CSAM, voluntarily discloses account details to authorities, and reports the bulk of its account terminations are CSAM-related. (mega.io/mega.nz block automated fetching; contact verified via Mega's official statements.)

Box, Inc. (US). No dedicated public CSAM flow; the Fair Use Policy (Section 3(f), illegal content) links to a Google Form (forms.gle/gnC9xPrfgxBDcLBR9) framed around EU/DSA illegal-content reporting. Box prohibits illegal content and reviews reports internally. As a US ESP it carries the § 2258A NCMEC reporting duty; primarily an enterprise platform.

pCloud International AG, Switzerland-domiciled (HQ Baar); not a US ESP. No dedicated CSAM form – report abuse/illegal content to abuse@pcloud.com. pCloud offers optional client-side 'Crypto' encryption (zero-knowledge) which would block scanning of those files; non-Crypto files are server-accessible.

MediaFire, LLC (US, Texas). Dedicated child-exploitation reporting page: email abuse@mediafire.com with a direct link to the content (the address is pig-latin obfuscated on-page as anti-spam). States it submits all child-abuse incidents to NCMEC by law and choice and commits to a 15-minute response with manual verification. General ToS abuse uses a support ticket (submit_a_ticket.php?type=abuse).

WeTransfer / operated by Bending Spoons; WeTransfer is Netherlands-domiciled – not a US ESP (reports CSAM to police rather than mandatory NCMEC filing). Use the 'Report this transfer' link present on every transfer and in transfer emails. The Good Behavior / Content Moderation Policy strictly prohibits CSAM and states detected CSAM is reported to the police immediately.

Proton AG, Switzerland-domiciled; not a US ESP. Report-abuse form lists 'Child sexual abuse material' as a reason; or email abuse@proton.me. Proton Drive is end-to-end encrypted and Proton cannot decrypt stored files, names, or thumbnails – but it CAN access content shared via a public link if the reporter supplies the sharing URL and password. ToS explicitly bans CSAM and offending accounts are disabled.

Amazon Web Services, Inc. (US). Report content hosted on S3/AWS resources via the 'Report abusive activity from AWS resources' form (aws.amazon.com/forms/report-abuse, also reachable at support.aws.amazon.com/#/contacts/report-abuse) or email AWS Trust & Safety at trustandsafety@support.aws.com; no AWS account required. AWS partners with NCMEC, IWF, INHOPE and the Tech Coalition. Note: AWS is infrastructure – the customer operating the bucket is the responsible provider, and AWS warns reporters not to attach the illegal material itself. A separate anonymous CSAM-specific intake exists at compliance-central.amazon.com/report-csam.

Backblaze, Inc. (US, public company). No dedicated CSAM report form – report via abuse@backblaze.com (general abuse); a separate reportphishing@backblaze.com handles phishing. The Acceptable Use Policy prohibits storing or transmitting CSAM and allows immediate suspension without notice. As a US ESP it carries the § 2258A NCMEC reporting duty; B2 buckets can be public-shared.

US-domiciled CDN/DNS/registrar. CSAM is a dedicated category on abuse.cloudflare.com (general form: abuse.cloudflare.com/csam); email complaints are auto-rejected and routed to the form, except registrar-specific issues which go to registrar-abuse@cloudflare.com. Built the CSAM Scanning Tool (fuzzy-hash detection for customers) and runs a trusted-reporter program for ~60 child-safety orgs; reports confirmed CSAM to NCMEC and terminates even pass-through/DNS service to CSAM-dedicated domains (1,475 domains terminated H1 2025). As a non-hosting layer it can usually only act at the whole-domain level.

US-domiciled IaaS (Amazon). Report via the abuse form or trustandsafety@support.aws.com; AWS Trust & Safety forwards/acts and maintains relationships with NCMEC and the IWF. Amazon filed ~1.12M suspected and 26,500 confirmed CyberTipline reports in 2025. Thorn's Safer CSAM-detection tooling is offered via AWS Marketplace. As infrastructure, AWS typically notifies the customer or suspends resources rather than removing individual files.

US-domiciled IaaS (Google/Alphabet). The 'Report suspected abuse on Google Cloud Platform' form is the intake for content hosted on GCP; abuse handling docs at cloud.google.com/docs/security/respond-to-abuse-misuse. Google-wide CSAM detection uses hash-matching plus AI with human review and reports to NCMEC. Note this is the Cloud/infrastructure channel, distinct from consumer-product reporting (e.g. support.google.com/.../15300563).

US-domiciled IaaS (Microsoft). Abuse originating from Azure / Microsoft-hosted properties is reported through the Microsoft Security Response Center abuse portal (msrc.microsoft.com/report/abuse). Microsoft's Digital Safety CSEA policy bans child sexual exploitation/abuse and, as a US company, it reports apparent CSEAI (including grooming) to NCMEC via the CyberTipline; it developed PhotoDNA. No CSAM-specific Azure intake form found – the MSRC portal is the general abuse channel.

US-domiciled CDN/edge/security and (since 2022) owner of Linode/Akamai Cloud. The abuse hub (akamai.com/legal/abuse) lists a dedicated 'Child sexual abuse material (CSAM)' form and states all information submitted will be sent to the U.S. National Center for Missing & Exploited Children. Separate DSA reporting flow exists for EU.

US-domiciled CDN/edge cloud. AUP prohibits using services to exploit or harm minors. Reports go to abuse@fastly.com (or the abuse.fastly.com / compliance.fastly.com forms); Fastly states it promptly forwards reports to the responsible subscriber rather than removing content itself, consistent with its pass-through role. No CSAM-specific form found – uses the general abuse channel.

US-domiciled IaaS. Abuse on DigitalOcean-hosted sites is reported via the abuse web form (routed to its SOC team) or abuse@digitalocean.com. No dedicated CSAM form found; CSAM would be filed under the general abuse flow. As infrastructure, it acts at the droplet/account level and notifies/forwards to the customer.

US-domiciled IaaS, acquired by Akamai in 2022 and now branded Akamai Cloud; linode.com/legal-abuse serves the same Akamai abuse portal. Includes a dedicated CSAM reporting form with the statement that submissions are sent to the U.S. National Center for Missing & Exploited Children.

French-domiciled IaaS/hosting (largest EU host); no US § 2258A duty. The abuse form has an explicit 'CSAM (Child Sexual Abuse Material)' category; OVHcloud cooperates with NCMEC and law enforcement and generally forwards CSAM reports to the impacted customer to remove and self-report. Report confirmation requires clicking a validation link. abuse@ovh.net exists but the form is the primary channel.

German-domiciled IaaS/dedicated-server host (Hetzner Online GmbH); no US § 2258A duty (operates under German/EU law and the GDPR). Abuse and illegal content are reported via the abuse.hetzner.com form (issue intake at abuse.hetzner.com/issues/new); the form has violation-type, evidence, and contact sections but no explicit CSAM category surfaced. Frequently appears in abuse databases for hosting bulletproof/Tor-adjacent traffic.

US-domiciled (Phoenix, AZ) registrar and host. Report content/abuse to abuse@namecheap.com; customer/legal escalations (suspensions, locked or trademarked domains) go to legalandabuse@namecheap.com. As a registrar it can only act at the domain level and typically directs reporters to escalate hosted-content complaints to the underlying hosting provider via WHOIS. No dedicated CSAM form found.

US-domiciled (Tempe, AZ) registrar and host. Dedicated 'Report CSAM' form (supportcenter.godaddy.com/abusereport/csam; general abuse at /abusereport) plus childabuse@godaddy.com. A Child Safety Team within GoDaddy's Digital Crimes Unit investigates and files verified CyberTipline reports with NCMEC. Reporters are told they will not receive outcome updates.

US-domiciled IaaS (The Constant Company, West Palm Beach, FL). Acceptable Use Policy prohibits content harmful to minors including child pornography; report violations to abuse@vultr.com. Vultr cooperates with law enforcement. No dedicated CSAM form or published abuse webform found – email is the documented channel; the policy page is the only public reference.

Apple (US, Cupertino) has no dedicated web CSAM report flow; the iCloud Terms of Service name abuse@icloud.com as the abuse-reporting address. Apple abandoned on-device CSAM hashing in 2022 and reported only ~250-267 CyberTipline reports in 2023-2024 (vs millions from Google/Meta), a widely documented detection-and-reporting gap; sued by West Virginia in Feb 2026 over alleged failure to detect/report iCloud CSAM. App Store apps can be reported via the per-app 'Report a Problem' link.

Google (US) reports confirmed CSAM to NCMEC via report.cybertip.org and removes offending apps immediately. The Play 'Child Endangerment' developer policy explicitly requires apps to have a CSAM reporting process and a designated point of contact; the linked account/search webform is Google's cross-product CSAM report path. Filed ~1.47M CyberTipline reports in 2023.

Amazon (US) operates a dedicated, anonymous CSAM reporting portal at compliance-central.amazon.com/report-csam covering Marketplace, AWS, Twitch, and devices. Confirmed CSAM is reported to NCMEC; Amazon and subsidiaries submitted ~1.12M CyberTipline reports of suspected CSAM in 2025. The report-csam page is JavaScript-rendered (title confirmed; form not statically scrapable).

eBay (US) provides on-listing reporting (question-mark icon > Submit report) and a regulatory 'Reporting content' page; its Protecting Minors policy bans any imagery of minors in compromising or body-focused contexts and directs serious exploitation reports to NCMEC at report.cybertip.org. eBay consistently blocks automated fetches (403/socket close); URLs confirmed via search result metadata.

Etsy (US) reports sexually explicit content involving minors to NCMEC and scans messages/listings for CSAM risk. Public reporting is via the per-listing 'Report this item to Etsy' link or the Help Center (article above); the separate etsy.com/ipreporting portal handles intellectual-property infringement ONLY, not CSAM. Help Center returns 403 to bots; URL is the canonical published path.

Craigslist (US) has no in-house CSAM intake; its exploitation-of-minors page directs users straight to NCMEC's CyberTipline (cybertipline.com, 1-800-843-5678) for the US and Cybertip.ca/NCECC for Canada, plus per-post 'flag' for removal. Operates under a 2008 agreement with NCMEC and 43 state AGs. Removed its Adult Services section in 2010.

PayPal (US) Acceptable Use Policy prohibits transactions involving child exploitation and 'certain sexually oriented materials or services,' and explicitly lists child exploitation among reportable AUP violations. There is no dedicated CSAM flow; reports go through the standard 'report a violation of our Acceptable Use Policy' contact link. As a money-services business PayPal files SARs to FinCEN rather than CyberTipline reports.

Stripe (US). Its Prohibited & Restricted Businesses list bans pornography/sexual-gratification content but contains NO explicit CSAM or child-exploitation language -- a notable published-policy gap; enforcement relies on the general adult-content ban plus card-network rules. No public CSAM report form; misuse is reported via Stripe Support/complaints. Files SARs to FinCEN as a payment processor.

Visa (US) is a card network, not a content host -- it acts by defunding. The Visa Integrity Risk Program (VIRP, launched 1 May 2023, replacing the Global Brand Protection Program) requires merchants in high-risk/adult categories to run a visible complaint/takedown link, resolve complaints within 7 business days, remove illegal content immediately, and bars search terms implying child exploitation. Visa states it investigates tips of illegal activity but publishes no public consumer report form; complaints route to the acquirer/merchant.

Mastercard (US) card network; defunding lever, not a content host. Its 2021 adult-content standards (reinforced 2022) require merchants/acquirers selling adult content to verify age and consent of all depicted persons, pre-publication content review, and a clear complaint/takedown process -- explicitly aimed at preventing CSAM and nonconsensual content on the network. Prohibited content is defined in the Mastercard Rules; no public consumer CSAM form, reports go via acquirers. Pages 403 to bots; confirmed via search metadata.

Chainalysis is a blockchain-analytics firm, NOT a public reporting hotline -- it has no consumer CSAM tip line and works exclusively with law-enforcement and compliance partners, tracing crypto payments to CSAM operations from law-enforcement leads (e.g. its July 2025 darkweb-CSAM cluster tracing). Members of the public with crypto-CSAM leads should report to NCMEC, IWF, or the FBI, not Chainalysis. (Listed here because payment-rail/crypto defunding is a CSAM lever, not as a report destination.)

US Treasury bureau. The SAR/BSA E-Filing system is for FINANCIAL INSTITUTIONS only, not the public. FinCEN guidance (Notice keyword 'OCSE-FIN-2021-NTC3', referenced in SAR field 2 with field 38(z)) directs banks, money-services businesses, and crypto exchanges to flag transactions tied to online child sexual exploitation. Relevant because SAR data feeds law-enforcement defunding of CSAM payment networks; individuals should use NCMEC's CyberTipline instead.