I scanned 98 adult websites with Blacklight and VirusTotal. Here's the methodology, the raw findings, and the three sites running active surveillance on their users.
The Tools
Blacklight (themarkup.org/blacklight) is a real-time privacy inspector built by The Markup. You give it a URL, it loads the page in a headless browser, and reports back what's running: ad trackers, third-party cookies, canvas fingerprinting, session recording scripts, and keystroke loggers. It's the same tool journalists used to investigate Facebook's tracking infrastructure and how popular websites surveil visitors.
VirusTotal aggregates scan results from 94 security engines. Submit a URL, get a consensus verdict on whether the domain is serving malware, phishing pages, or malicious scripts.
Neither tool requires authentication. Neither notifies the site being scanned. The data is what the page serves to a regular browser visit.
The Process
For each of the 98 sites:
- Submit the URL to Blacklight. Record: ad trackers (count), third-party cookies (count), canvas fingerprinting (boolean), session recording (boolean), keystroke capture (boolean).
- Submit the URL to VirusTotal. Record: detection ratio (e.g., 0/94, 1/94).
- Manually verify payment processor and billing descriptor from checkout flow.
- Record domain registration date from WHOIS.
Total time per site: roughly 5 minutes for the automated scans, another 5 for manual verification. The whole project took about two weeks of evening sessions.
No site was informed. No scan was sponsored. I paid for premium access on platforms that required it to verify billing descriptors.
The Findings Nobody Expected
Malware is basically nonexistent
91 out of 98 sites returned 0/94 on VirusTotal. The remaining 7 had a single vendor flag each — almost always a heuristic that flags adult domains by category, not by detected threat. Zero sites were flagged by more than 3 vendors.
The "porn gives you viruses" narrative is a decade out of date. These are commercial operations running Cloudflare CDNs, React frontends, and enterprise payment processing. The risk isn't malware. It never was.
The average site loads 2.1 trackers
Across all 98 sites, the mean tracker count is 2.1 with a median of 1. That's below the general web average. The distribution is heavily skewed — 20 sites run zero trackers, while the top offender (Seeking.com, a dating platform) loads 10.
The top 10 by tracker count:
Seeking.com 10 trackers
Fanvue 7 trackers
Fansly 6 trackers
Hitomi.la 6 trackers
Ashley Madison 5 trackers
Flirt4Free 4 trackers
Jerkmate 3 trackers
SexLikeReal 3 trackers
PromptChan 3 trackers
Kupid AI 3 trackers
The pattern: dating and creator platforms track more than streaming sites. The sites where you create an account, enter payment details, and interact with other users are the ones running the most third-party tracking scripts. Free tubes that monetize through ads — the sites you'd expect to be worst — are frequently cleaner.
Three sites run active surveillance
This is where Blacklight's value goes beyond counting trackers. It detects two specific techniques that cross the line from analytics into surveillance:
Session recording captures your entire browsing session — every scroll, click, mouse movement, and page transition — and replays it server-side. It's like someone watching a screen recording of your visit. Companies like FullStory and Hotjar sell this as a UX research tool. On an adult site where users browse intimate content and have private conversations, the implication is different.
Keystroke capture logs every character you type in any input field on the page. Search queries. Chat messages. Login credentials. On a cam site with live text chat, that means the platform records every message you send to a performer — not just as chat history, but as raw keystroke data including corrections, deletions, and typing cadence.
I found both on LiveJasmin — a major cam platform with millions of daily users. Session recording and keystroke capture running simultaneously. On a site where people enter credit card numbers, have private text chats with performers, and browse content they wouldn't want replayed in a boardroom.
Pure Taboo and Transfixed (both Gamma Entertainment / Adult Time network) returned keystroke capture without session recording. These are premium studio sites where the primary interaction is video streaming, not chat — the keystroke capture likely monitors search and login inputs rather than conversations, but the script doesn't discriminate. It captures everything typed on the page.
Every other site in the dataset — 95 out of 98 — came back clean on both session recording and keystroke capture. Including Pornhub. Including OnlyFans. Including Chaturbate. The absence is the norm. The presence is the red flag.
20 sites returned a perfect 0/0
Zero trackers. Zero third-party cookies. No fingerprinting. No session recording. No keystroke capture. On ad-supported sites with hundreds of millions of monthly visits. Here's the list:
XNXX SpankBang Stripchat
OnlyFans Hanime CandyAI
AdultFriendFinder Twistys FantasyAI
Nutaku MyDirtyHobby Virtual Porn
XNXX Gold Literotica SimpCity
PornTube F95Zone CherryTV
Rule34.xxx
XNXX serves billions of pageviews monthly with zero third-party tracking. Rule34.xxx handles 445 million visits a month at 0/0. Meanwhile Fansly — a creator platform handling payments and private messages — runs 6 trackers and 6 cookies.
The gap between the cleanest and dirtiest sites in the same industry is wider than I expected going in.
What This Means for Users
A VPN encrypts your connection and hides your IP address. An adblocker (uBlock Origin) strips tracker scripts and cookies from the page. Together they cover most of the threat surface.
Neither stops session recording or keystroke capture. Those scripts run inside the page itself, after the content loads, regardless of VPN or adblocker configuration. The only defense against session recording is not using the site, or using a browser extension that blocks known session recording domains (FullStory, Hotjar, Mouseflow, etc.) at the network level.
The Data
All 98 scan results are published with full transparency at nsfwranker.com, where each reviewed site has an individual safety report with the raw Blacklight results.
The privacy score tool at nsfwranker.com/tools/privacy-score lets you search any site in the database and see the scan data.
Scans performed February 2026 using The Markup's Blacklight and VirusTotal. This is independent research, not sponsored content.
Top comments (0)