This investigation is a collaboration between Bellingcat and New Zealand news site The Press. You can read The Press’ piece here.
Content warning: This article discusses non-consensual sexually explicit content and child sexual abuse material.
In 2024, a former track and field coach in Boston, Massachusetts, was sentenced to five years in jail for attempting to trick and extort more than 100 women, including student-athletes he coached, into sending him intimate photos.
According to the 2021 criminal complaint, Steve Waithe stole photos from some of the student-athletes’ phones under the pretence of “filming their form” at practices and meets. He also approached some victims via fake online accounts, telling them he had found their images on a forum site called “leakedbb.com” (“LeakedBB”) and offering to help them remove these photos if they provided more images for “reference”.
Authorities said Waithe also hired and paid another man in October 2020 to hack into the Snapchat accounts of women he coached or had other relationships with in an effort to steal and distribute nude images online.
In one post, according to the US Attorney’s Office, Waithe wrote: “Does anyone want to trade nudes? I’m talking girls you actually know. Could be exes or whatever. I have quite a few and [am] down to trade over snap[chat] or something.”
Legal documents do not name the sites on which Waithe distributed these images, but Bellingcat found a cached version of a November 2020 post with that exact wording on LeakedBB – the same site he allegedly used to try to trick victims. Another cached LeakedBB thread posted a few months later shows the same user offering to trade nudes of athletes, including “a lot that I actually know”.

Such posts were not unusual on the site: multiple archived pages show the forum’s users either requesting Snapchat hacks or offering to help others hack Snapchat accounts, sometimes for a fee.
In the criminal case against Waithe, the ownership of LeakedBB is never discussed, but a Bellingcat investigation can reveal that payment streams, company records and website domain information appear to lead back to one individual: Jitendra Maharaj, a Christchurch-based former pilot and co-founder of a cryptocurrency start-up, Pay It Now (PIN), which reportedly billed itself as the “Stripe of crypto payments”.

Your donations directly contribute to our ability to publish groundbreaking investigations and uncover wrongdoing around the world.
Our New Zealand publishing partner The Press sent an email to Maharaj on June 4 outlining our findings in detail and inviting him to respond. Maharaj did not reply to this.
However, by June 6, LeakedBB was down. As of publication, the website remains inaccessible.
The Press later received an email from a Christchurch-based lawyer representing Maharaj, who said their client was in Fiji for a family member’s funeral. The lawyer requested that we wait until his return on June 23.
When The Press visited his residence – a two-storey family home in Christchurch’s affluent Aidanfield suburb – on June 25, Maharaj said he did not know who was behind LeakedBB or operated it and that he was not sure if the website was down.
He said he did not respond to the email queries and had not spoken to his lawyers about them because “all the evidence against me just sounded really weird” and it seemed like there was “some kind of targeted attack out on me” based on “manufactured evidence or something that’s pointing me to this garbage”. However, he refused to comment on the record about most of the specific evidence linking him to the site and referred these questions to his lawyer.
He also claimed that he had been contacted by people “trying to harass me to get me to send them money”, but declined to provide details on the record.

Despite a further extension of the deadline until July 6 – more than a month after we first reached out – Maharaj and his lawyer had not provided any statement directly addressing the specific evidence linking him to the site as of publication.
PIN, the company Maharaj co-founded, did not respond to The Press’ requests for comment. However, there is no suggestion that PIN has any knowledge of or involvement in LeakedBB.
LeakedBB was set up in 2019 and built a sizeable following over the next seven years, averaging an estimated two million visits a month from March to May this year. The board statistics shown on LeakedBB’s homepage in May displayed 2.2 million registered users and more than 2.6 million posts.

Google’s Transparency Report shows it received more than 95,000 individual requests for over 350,000 pages on LeakedBB to be delisted from search results. This resulted in Google de-listing more than 169,000 pages from its search results, according to the report.
Shortly after the site went offline, a Reddit post noting the outage and asking for alternatives trended in the “hot” section of a piracy subreddit, accumulating almost 700 votes in a week. In response to a question by one commenter asking what the site was, another person replied: “Not only did it have ‘onlyfans’ content, also amateur, asian, arabic, celebrity and other hacked phone/icloud content from other sites.”
This comment accurately summarised some of the content on the site. In LeakedBB’s early days, it had sections for other types of “leaked” content such as computer programmes and eBooks. But within months, the forum’s discussions were almost exclusively about pornographic images and videos that members claimed had been leaked – implying that it was non-consensual, hacked or stolen content.
The most popular section on the forum contained content that claimed to be from sites such as OnlyFans and Fansly, which, if shared without the original creators’ consent, would be a violation of their intellectual property.
Reba Rocket, co-owner and chief operating officer of Takedown Piracy, a company that helps both adult performers and private individuals remove non-consensually shared explicit media, said sites like LeakedBB cause financial harm to legitimate content creators.
“People would not shove a DVD into their coat pocket and walk out of the store – that’s something tangible that they know they’re doing something wrong, whereas watching something on the internet for free doesn’t have that same connected moral,” she said.
Other sections on LeakedBB featured threads requesting or promoting content that often appeared to show women who did not have anything to do with the adult industry, which the posts claimed were leaked, hacked or even obtained through blackmail.
One post advertised images of girls from 29 US states: “There’s names and Facebook information if you want that,” the member, “Master Leaker”, posted. “There’s also two girls that got blackmailed into sending more nudes as well!”

In the “Requests” section, users shared clothed images of women or social media handles of potential victims, and asked if others had leaked content of them. In one recent post looking for a “Florida Milf”, a user wrote: “She may go by the name [redacted]. Looks like the daughter graduated from [redacted]. Anyone have content of her? Sex tapes?”
Some users also posted nude or intimate images of women they had found elsewhere, asking for help finding out their real identities. “Who is she?” or “Can anyone ID?” were some common questions in the posts.
Non-consensual intimate image sharing (NCII), colloquially referred to as “revenge porn”, is far from new. It is a known problem on Reddit, where, in 2022, a BBC investigation found “thousands” of such images being shared despite the platform’s attempts to crack down on the issue.
LeakedBB, however, seemed to take the opposite approach: instead of trying to moderate or prevent users from posting what appeared to be NCII, it sought to profit from and reward it.
Except for preview images, most of the content users shared in the “leaks” section was behind a paywall and could only be accessed with memberships costing up to US$99.99 or by redeeming credits.
The site rewarded members with credits for posting “leaked” content, as well as when other members spent credits to “unlock” their content. These credits could be used to access links that users could otherwise only view with a paid upgrade, or redeemed for cryptocurrency at varying rates (the most frequent contributors had the option to cash out the equivalent of up to $0.15 for each thread they posted).
There was also an annual Christmas contest, with last year’s total prizes worth over $4,000 in cryptocurrency for users who posted or liked the most threads.

Rocket said LeakedBB had “damaged many people”, including clients of her company. “Those specific clients are not in the adult industry,” she said, “but LeakedBB seemed more than happy to share their non-consensual content”.
The “leaks” were often posted with women’s purported real names, locations and social media accounts, as well as preview images showing their uncovered faces. One poster said sharing a woman’s social media details “adds to the experience”.
“For me, it makes my jerk-off sesh feel more personal, as if she’s an actual person I know rather than a moviestar/pornstar,” the post said.

There were more than 80 responses to this thread, mostly thanking the original poster for sharing the content. One of them, however, claimed to be the woman shown in the images: “Please remove this link. These photos were illegally stolen from me. This constitutes revenge porn and violates US law. Police are already involved. Not only is it illegal but just gross.”
Allison Mahoney, the founder and managing attorney at ALM Law in New York and Colorado, told Bellingcat she received calls about cases involving NCII “all the time”.
“It kind of amazes me, given the amount of media attention this has gotten over the years, that people are still engaging in this type of abuse so cavalierly,” said Mahoney, whose firm specialises in providing legal services for abuse survivors and children harmed in welfare systems.
Mahoney and Rocket agreed that sites sharing NCII often had real-world implications for victims, especially when images were posted alongside personal information, including names, contact information and professions.
“We have clients who … their children were kicked out of Catholic school, or they lost their mainstream job, or relationships ended, or families cut them off simply because content was posted online without their consent and viewed by others,” Rocket said.
Mahoney said online abuse can turn into offline abuse when victims have their personal information, like their name, profession and contact information, posted with their images. She has seen clients who had strangers show up at their homes or places of work, threatening their physical safety – a situation she said was “really terrifying”.
In July last year, LeakedBB closed a marketplace it had hosted for more than five years, which allowed users to sell leaks and services to each other. Lucifer NightStar, the administrator account on the site, said there were allegations of people selling “UA [underage] material”, which was “not something we want on [LeakedBB]”.

On one section of the forum, which was specifically for sharing content from other sites that hosted leaked pornographic content, LeakedBB had a disclaimer: “Please note that posting any content on any one below the legal age of 18 is against the law. We have a zero tolerance policy on such things and your account will immediately be banned / reported.”
But this warning did not appear on other sections of the forum, including those featuring threads of “amateur nudes” described as having been leaked. Some threads on the forum, which remained accessible shortly before the entire site was taken down, also described images of “young teens”.
While it is not known if those descriptions are accurate, in a recent post on Reddit a person asked for help taking down non-consensual photos they said were taken when they were a minor, hacked from Snapchat, and posted on LeakedBB, among other sites.
“I am in school to become a teacher and searched my name on google. If you go down a bit these websites come up,” they wrote. “I am so devastated and can’t believe this has happened to me.”
While speaking to The Press outside his residence on June 25, Maharaj said that when it came to publishing non-consensual pornography and child sexual abuse imagery, “It should be obvious anyone’s against that.”
Lucifer NightStar was the username for the only account with the title of “Administrator” on the LeakedBB forum. This user posted FAQs for the site and almost every forum announcement throughout its history.
The URL of this account’s profile page shows the user ID (UID) of “1”. According to documentation for MyBB, a free and open source forum software that LeakedBB has credited for powering the site, the first user of the forum is assigned the UID “1” and has super administrator privileges – meaning their account cannot be deleted, banned or otherwise altered by regular administrators.
While the profile did not state the user’s location, it did show a local timestamp based on the user’s timezone settings, which matched GMT+12 – a timezone used in several countries in Oceania, including New Zealand and Fiji.
Lucifer NightStar’s recent posts generally avoid mentioning non-consensual intimate imagery, focusing on administrative updates and issues, troubleshooting and the annual Christmas contest. However, in the first few months of the forum’s existence, the user posted a thread with a “LeakedBB Exclusive” of “leaked Kiwi girls”.

In another discussion thread from 2020, Lucifer NightStar vouched for a user’s ability to “influence” another member’s ex-girlfriend to share nudes.

Maharaj did not respond to The Press and Bellingcat’s question about whether he was Lucifer NightStar. However, one of the administrator’s posts led us to a clue pointing to Maharaj’s possible connection with LeakedBB.
In one post in May 2021, responding to a user reporting problems paying with Apple Pay, Lucifer NightStar shared a screenshot of what the payment screen should look like. A company name was visible in this image: “Logica LTD”.

New Zealand company records show that Logica Limited was registered by Maharaj in February 2021, just months before this post. The company address is also in Christchurch, where Maharaj lives.
(Note: This is a different company from Logica Partners Limited, based in Auckland, which has no apparent connection with Maharaj or LeakedBB and is unrelated to this investigation.)
The records from the New Zealand Companies Office show that Maharaj has been the sole director of Logica Limited since its incorporation. He stated on his LinkedIn profile that he was self-employed as the CEO of Logica NZ from May 2020 to August 2021.
(Maharaj’s LinkedIn profile appears to have been deleted between June 13 and June 15, after The Press and Bellingcat’s initial enquiries and during the period his lawyer said he was in Fiji attending a family member’s funeral.)

But that was not the only connection to Logica Limited. On May 4, 2022, a YouTube user with the display name “LeakedBB” uploaded a video on how to pay for memberships on the site. This video was also embedded on LeakedBB’s homepage.
The video showed how users could pay by credit card. When they clicked to purchase a membership, LeakedBB would redirect them to another website to buy a digital avatar pack with a price corresponding to their selected membership tier.
After purchasing this “referral product”, users were encouraged to leave a comment and a positive rating to receive an “extra bonus month”. Archived versions of the website show view counts in the tens of thousands for some of these avatar packs.
The thumbnails of the “digital avatars” as well as their price and description, as shown in the video, were identical to those shown on the archived version of a site, logica.nz, which is recorded as Logica Limited’s website on OpenCorporates. This site also lists “Logica LTD” in its copyright information at the bottom of its landing page.
(Bellingcat last accessed a live version of the video on June 15. By July 1, we noticed that the video had been removed by the uploader.)

In a forum thread on LeakedBB dedicated to explaining alternative ways to pay for membership, hundreds of users posted that they had just purchased the “Mystic Avatar Pack” or the “Pixel Avatar Pack” to gain access to the site. One user included screenshots of their purchase, showing the site URL to be “logica.nz”. Other users also stated that they had made the purchase on this website and were waiting to receive their upgrades.

This website’s landing page now displays only a note stating that it is under maintenance. However, according to archives captured by the Internet Archive, it was still selling “digital avatar packs” in March 2025.
This type of payment structure not only conceals the nature of the transaction from the payment processor (as non-consensual content violates most platforms’ terms of service), but it also hides the transactions for the user, as payments are not described as being made to “LeakedBB” on bank statements.
When asked about the links between LeakedBB and Logica Limited, Maharaj only told The Press at the doorstep interview on June 25 that “Logica was my company. I cannot say what happened there right now”.
According to the New Zealand Companies Register, Logica Limited is in good standing, with its most recent annual filing submitted by Maharaj in March 2026.
The Domain Name System (DNS) records of LeakedBB revealed another connection that seems to point back to Maharaj. Using online investigations tool DNSlytics, we viewed DNS records for the website and found that in 2020, the MX (mail exchange) record for LeakedBB.com was set to LeakedBB.net. An MX record is the mail server set up to accept emails for that domain. For LeakedBB.com, this was later changed to ProtonMail.
While the WHOIS ownership of LeakedBB.net is obscured, we found it on a list of sites that had DNS certificates issued by another site, mybbplugins.com. A DNS certificate is used to prove ownership of a domain and requires an administrator to validate that certificate.
According to WHOIS records from cyberthreat intelligence platform DomainTools, mybbplugins.com was publicly registered to Maharaj from December 2011 to February 2019, after which the registrant information was redacted.
The same site also issued a DNS certificate for a domain bearing Maharaj’s name (jitendramaharaj.com) as well as two domains that include part of his first name, jit-pay.cc and thejitshow.com. DNS certificates for these domains were issued between 2016 and 2021, according to free Certificate Transparency monitoring site crt.sh. Both “leakedbb” and the domain names linked to Maharaj’s name (i.e. “jitendramaharaj”, “jit-pay” and “thejitshow”) were also used as subdomains for mybbplugins.com, records from DomainTools show.
Another link appeared when we inspected the code of the oldest saved archive of the payment screen on LeakedBB, from November 2019, which showed a ProtonMail address associated with the PayPal form at the time with a string of seven digits as the username.
This string of seven digits is an exact match for what appears to be part of a Fiji-based phone number listed on WHOIS records for websites registered to Maharaj’s name including mybbplugins.com, from 2008 to 2011. It is unclear whether Maharaj was using this phone number in 2019, by the time LeakedBB was set up, and a different Fiji-based phone number was used with his name when the registration for mybbplugins.com was renewed in 2016.

Explore some of the links between Maharaj and LeakedBB:

Bellingcat also found several other apparent connections between Maharaj and other applications hosting adult content.
An account with the username “Jitendra M.” has been posting on the MyBB community forum since 2008, with the account ID originally using the username “Darkmew”. An archived capture of this account’s profile information showed a date of birth and a location in Fiji.
This date of birth matches the one listed on a Facebook profile Bellingcat found under Maharaj’s name. His LinkedIn profile also shows that prior to moving to Christchurch, he worked in Nadi, Fiji, and he has listed addresses in the city for some of the domains registered to his name, as well as an email with a Fijian domain. This user also mentions that they are a pilot.
Jitendra M.’s profile bears a “former staff” label, indicating that he used to work for MyBB. A previous commit (save) of a file containing details of MyBB team members shows that the full name associated with this account’s user ID and username was “Jitendra Maharaj”, and his website was listed as jitendra-maharaj.com.
Archived versions of this site show photos and details that match those from Maharaj’s public social media profiles and interviews. For example, a 2011 capture shows that he mentioned being a pilot at a company called Pacific Sun. Pacific Sun was later rebranded as Fiji Link, and Maharaj’s LinkedIn profile, before it was deleted, stated that he worked for Fiji Link from 2009 to 2015. A blog post on the site also refers to mybbplugins.com as the author’s “newest endeavour”.

Very shortly after joining the MyBB community forum in Feb 2008, Jitendra M. asked about using MyBB for “warez” (an internet slang term for pirated digital content) and/or adult content. He stated that he was “interested in using it for a [sic] adult forum”.
During this time, he also posted asking about streaming videos from a server and how to use a PayPal account without a credit card for “people putting money into my account for services I provide”. In late 2008, Jitendra M. purchased a web domain, reaperscrypt.info, which Wayback Machine archives show hosted pornographic content while it was online in 2009. This domain was publicly registered to Maharaj from November 2008 to January 2010.
In 2013, he posted about selling the mybbplugins.com domain. However, as previously mentioned, Maharaj’s name was still publicly registered as the owner of the domain until February 2019, when registration data was redacted.

Bellingcat was able to view Facebook and Instagram accounts under Maharaj’s name and showing his profile picture in early May. These accounts painted a picture of a family man, with his public photos mainly showing his wife and children. His Facebook account had been either deleted or made private by May, and his Instagram account, while still active, has not been updated since 2013.
Archives of an X account using the same username as Maharaj’s Facebook and Instagram accounts also show several posts from November 2019 promoting LeakedBB.

The “Darkmew” username that Jitendra M. originally used was also used for a GitHub account which hosts a repository described as the “official repository for Pay it Now – PIN Token”. This account, which now redirects to an account with the username “JitMaharaj”, has also forked (or copied) two apps created by other people: one to create a subscription platform “like onlyfans.com” that uses cryptocurrency for payments; the other designed to scrape and report illicit content from LeakedBB.

These forked repositories were among 38 visible on JitMaharaj’s account on June 17, but by July 1 – after a June 22 query from The Press asking Maharaj whether he owned this account – there were only 25 repositories listed on this account. The two repositories mentioned above were among those removed.
Maharaj did not respond to questions about whether he owned any of the accounts or domains mentioned in this section.
Mahoney said that successfully removing clients’ images from platforms like LeakedBB was a time-consuming task. “Some sites, usually the sites hosted overseas, will just ignore the request and won’t take them down,” she said.
In the US, which accounted for almost half (40 percent) of LeakedBB’s web traffic in May, the Take it Down Act recently came into effect. The new federal law requires platforms to quickly remove non-consensually shared intimate imagery when it is reported.
However, there has been little discussion of the law on LeakedBB. One user asked in the “Help” forum how this act would affect the site and its members back in October 2025, but Lucifer NightStar never responded to this post.

Rocket said having content removed for her US-based clients could be difficult when the platforms were based overseas: “A lot of it depends on where the platform is hosted, who runs their ad network and who is monetising – who their payment processors are,” she said.
LeakedBB accepted cryptocurrency payments through NOWPayments, a cryptocurrency payments gateway based in the Netherlands and Estonia. The purchase page for its subscription plans, which allowed users to gain unrestricted access to the site, redirected to a NOWPayments purchase screen to transfer cryptocurrency to LeakedBB.
In response to questions from Bellingcat, NOWPayments confirmed that LeakedBB’s activities violated its terms of service. The payments provider said it had deactivated LeakedBB’s account and blacklisted the platform immediately, as of June 4.
LeakedBB did have a form for people to request that their content be taken down under the Digital Millennium Copyright Act (DMCA), a US copyright law. However, this required victims to submit personal information such as a physical address and a business email address, and stated that it would reject requests that used email addresses from free services like Google and ProtonMail. Such details appear to go beyond those required for DMCA takedown requests on other sites: for example, Google only requires a first and last name, and an email address from any domain.
In one Reddit thread discussing the difficulty of removing content from LeakedBB under the DMCA, someone commented: “Some of this seems fairly standard, some of it seems like it’s designed to make people not request a takedown for fear of doxing [sic] themselves.”
On the page to submit DMCA takedown requests, LeakedBB also stated that successful requests would lead to them removing content hosted on their servers, but not links to third-party hosting providers – which is how a large portion of the content was made available to the website’s users.
In New Zealand, where Maharaj is based, posting intimate imagery without consent is illegal under the Harmful Digital Communications Act. People face up to two years imprisonment or a fine up to NZ$50,000 (US$29,200), while for a company, the fine can be as high as NZ$200,000.
Netsafe is the only approved body in the country that handles complaints under this act. The agency’s chief online safety officer Sean Lyons told The Press that the law was quite novel and other jurisdictions were “envious” when it was enacted – it was able to respond to generative AI technology that didn’t exist when it was written, and gave New Zealand courts powers to issue takedown orders, even in other countries.
Still, Lyons said the law had its limitations: it was mostly intended for use where one individual was harming another, and if the responsible party was overseas, the law’s efficacy largely relied on responsible platforms doing the right thing.
“There are times when within our process, we will have contacted platforms or hosts and they will have said, ‘Who the heck are you?’…[Or] ‘We know what we’re doing, we are quite comfortable with what we are doing, and we don’t give a stuff about what it is that you are telling us, or about New Zealand law, or about the harm.’”
Mahoney and Rocket agreed that current laws were limited in their effectiveness against sites like LeakedBB.
“The fact of the matter is there are places where … until there is an enforceable international law, that content is going to be available forever, which means there is a risk of it being shared forever,” Rocket said.
Mahoney said image-based abusers have also become more sophisticated over time: “Technology is advancing, and the law is always playing catch-up,” she said.
But she suggested that identifying those responsible for the abuse could have a deterrent effect: “The anonymity that people have hiding behind screens really contributes to this and emboldens people to act in ways that are very abusive to people.
“If people understand that there’s a risk that their identity and their bad behaviour will be revealed, the hope is that it will curtail some of this and dissuade people from engaging in this type of conduct, which is so, so harmful to the victims.”
If you are a victim or know anyone who is affected by image-based abuse, resources and support are available through StopNCII.org.
Galen Reich and Melissa Zhu from Bellingcat and Michael Wright from The Press contributed to this article.
Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.