A coordinated extortion scheme is hitting creators with phishing DMs sent from already compromised friend accounts, then reposting the stolen feeds with MAGA propaganda when victims refuse to pay.
Patrick Bewley spent two years building a 132,000-follower X audience the way most creators do, one post at a time. His handle advertised leather three-ways and poolhouse clips under the name Daddy Patrick, and the feed read like the work of a 60-year-old gay man who had figured out the platform. Then on April 9, according to WIRED's reporting, his account flipped. By morning the Bannon banner was up, the bio had been rewritten, and the timeline was pushing pro-Trump oil claims. None of it was his.
Bewley had not clicked an obvious phishing link or handed his password to a stranger. The DM that cost him his account came from Jasun Mark, a porn director and editor he knew, asking him to nominate Mark for an award. Mark's account had already been compromised. The link inside the message was dressed up to look like an X login page, and once Bewley typed his credentials in, the attackers moved faster than the platform's recovery process. They changed the handle, the email, and the phone number tied to the account, and the real owner was locked out before he could reset anything.
WIRED spoke to multiple gay OnlyFans creators who describe the same sequence: a friendly DM from a coworker or collaborator whose account was already in attacker hands, a fake X page, a credential capture, an immediate pivot of the handle and recovery details, and then a flood of posts the original creator never approved. The political content is the loudest part of the feed, but the report's framing is that the loudness is the point. The attackers are running a crypto-scam extortion scheme. When creators refused to pay to get their accounts back, the hijacked handles were repurposed to push ideological or crypto content, often sold downstream to whoever wanted a 100,000-plus-follower account they could post anything from. The political spam is the resale product, not the motive.
That targeting is structural rather than accidental. Gay OnlyFans creators tend to grow audiences quickly, monetize those audiences directly, and live in platforms where a single compromised login can mean a lost income stream overnight. That pressure is exactly what an extortion scheme wants. WIRED's reporting also points to a quieter failure on the platform side: after Bewley was locked out, his partner tried to report the takeover from her own personal X account, and got no useful response. The account that was actively being used to push political propaganda stayed in attacker hands because the recovery path treated a third-party report as a stranger complaint.
The red flags for other creators are now legible. A DM from a coworker you actually know, sent at an odd hour, asking you to click a link and "nominate" them for something you have never heard of, is the entry point. A login page that looks right but lives at the wrong domain is the credential capture. A handle, email, or phone number that changes while you are still logged in is the lockout. The MAGA banner that appears a few hours later is the resale signal, not the crime.
The defensive moves are the boring ones: hardware-backed two-factor authentication, a recovery email and phone number stored somewhere other than the device that runs the account, and treating any link inside a DM, even from a friend, as suspicious enough to verify out of band. The harder fix is the platform's, and it is the part creators cannot do for themselves. Account recovery that treats a partner or a manager reporting a takeover from a known device as a stranger complaint is the gap the attackers are walking through, and it is the gap that turns a one-user phishing hit into a 132,000-follower propaganda account overnight.