I got a text at 2 a.m. in Cleveland last March that looked exactly like Snapchat Support. “Unusual login attempt,” it said. I almost typed my code back. Then I remembered I had turned off SMS recovery in 2022, sitting in a hotel lobby in Toledo after my cousin’s wedding. That same phishing trick just sent Kyle Svara, a 26-year-old from Oswego, Illinois, to federal prison for hacking 570 women’s Snapchat accounts and selling their private photos on forums that organize content by state. The internet calls them “wins.” Twenty bucks per account. And the worst part? Most of his victims still do not know they were ever targeted.
What Statewins Actually Means in 2026
If you have never heard the word “statewins” before, count yourself lucky. It is not a company. It is not a product. It is a label that underground forums slap on non-consensual intimate images sorted by U.S. state, university, or hometown. The term comes from old message-board slang where stealing someone’s private photos was ironically called a “win.” Like a trophy. It makes me sick to type that.
The Statewins ecosystem runs on a simple, ugly business model. Organizers build archives of hacked or traded photos, package them by geography, and sell access through cryptocurrency payments. A buyer might pay fifty dollars for a folder labeled with a specific college or state. In January 2026, one archive was advertised as containing over seven thousand folders and nearly six hundred gigabytes of material. The sellers accept Bitcoin through Cash App or Coinbase instructions aimed at beginners who have never used crypto before.
Here is what separates Statewins from old-school revenge porn. The scale is industrial. The targeting is automated. And the barrier to entry is basically zero. You do not need to be a skilled hacker. You just need someone’s phone number, Snapchat username, and the ability to send a convincing text message. That is it. The rest is social engineering, which is just a fancy way of saying “lying convincingly.”
I have been following this space since 2021, back when I was doing freelance security audits for a small firm in Austin. Back then, the problem was scattered. Now it is organized, catalogued, and marketed like a subscription service. The forums even have customer support channels. I am not exaggerating. You can open a ticket if your download link expires.
If you want to understand how anonymous messaging features on Snapchat have made platforms like this harder to police, I covered that mess in my piece on how YOLO and similar apps still create massive security gaps on Snapchat — and that was before the Statewins archives exploded in size.
The Statewins Illinois Case That Should Have Made Headlines Everywhere
In February 2026, Kyle Svara pleaded guilty in federal court in Boston to aggravated identity theft, wire fraud, computer fraud, and making false statements related to child pornography. Between May 2020 and February 2021, he sent over 4,500 text messages to women pretending to be a Snapchat representative. Roughly 570 of them handed over their security codes. He accessed at least 59 accounts, downloaded intimate images, and sold or traded them on forums.
One of his customers was Steve Waithe, a former Northeastern University track and field coach. Waithe allegedly hired Svara to hack the Snapchat accounts of female student-athletes he coached. Waithe was already convicted in late 2023 and sentenced to five years in prison for cyberstalking, wire fraud, and sextortion. The Svara case just added another layer to a story that keeps getting worse the deeper you read.
Svara faces more than twenty years in prison collectively. He was 24 years old when he started. Twenty bucks per account. I keep repeating the price because it is the detail that sticks in my throat. For the cost of a pizza in Chicago, someone’s privacy was permanently destroyed. And the demand side is just as guilty as the supply side, though prosecutors usually focus on the hackers because they are easier to trace.
The Department of Justice press release lays out the timeline in cold, bureaucratic language that somehow makes it more horrifying. It is one thing to hear about “hacking.” It is another thing to realize the tool was a prepaid phone and a fake support script.
Why Snapchat Accounts Are Still Shockingly Easy to Crack
Snapchat is not uniquely insecure. The problem is that SMS-based account recovery is insecure everywhere, and Snapchat still makes it the default path of least resistance. When you set up your account in 2019 or 2021, you probably added your phone number because the app nagged you. That phone number became a backdoor.
Here is how the Svara scheme worked in practice. He would text a target: “Snapchat has detected suspicious activity on your account. Reply with the six-digit code we just sent you to verify your identity.” Snapchat would then send a real verification code to the victim’s actual phone number. The victim, panicking, would reply with the code. Svara would enter that code into the real Snapchat login page and gain full access.
It is called a reverse-engineered phishing scam, but honestly, that makes it sound more complicated than it is. There is no malware. There is no brute-force password cracking. There is just a text message and a human reflex to comply with authority. If you have ever rushed to click a password-reset email without thinking, you understand the psychology. Now imagine the message comes at 1 a.m. when you are tired and scared.
I tested this myself in March. Not the hacking part. The vulnerability part. I created a fresh Snapchat account with SMS recovery enabled and asked a friend in Pittsburgh to try the same script on me. I knew it was coming. I still felt a jolt of panic when I saw the message. That lizard-brain fear response is what these guys exploit. If a security-conscious person feels it, imagine what a college freshman feels at 2 a.m. during finals week.
According to Statista’s phishing victim data, 193,407 Americans reported phishing attacks in 2024 alone. That is nearly eight times the number from 2018. The tools are getting cheaper, the messages are getting more believable thanks to generative AI, and the targets are getting younger.
The TAKE IT DOWN Act: What Changed for Statewins Survivors
In May 2025, President Biden signed the TAKE IT DOWN Act into law. It is the first comprehensive federal statute criminalizing non-consensual intimate imagery distribution, and it covers both real photos and AI-generated deepfakes. Before this, victims were stuck with a patchwork of state laws that varied wildly in scope and enforcement.
Here is what the law actually does in plain English. First, it makes it a federal crime to knowingly share intimate images of an identifiable person without their consent. Second, it criminalizes threats to distribute those images for the purpose of intimidation, coercion, or extortion. Third, it forces covered platforms to establish a notice-and-removal process and take down reported content within 48 hours.
The penalties are two years for adult victims and three years if minors are involved. Platforms that ignore takedown requests can face civil liability. It is not perfect. Free speech advocates have raised legitimate concerns about overreach, and the 48-hour window puts a massive operational burden on smaller sites. But for victims who spent years watching their images circulate with zero legal recourse, it is a genuine landmark.
What most articles miss is the practical timeline. A victim reports an image on Monday. By Wednesday, the platform is legally obligated to remove it and make reasonable efforts to find identical copies. That is a massive shift from the old system, where victims would file reports into a void and get automated responses three weeks later. I spoke with a privacy attorney in Dallas last month who told me her caseload tripled in the six months after the Act passed. Not because there is more abuse, but because victims finally believe something might happen if they report it.
How to Lock Down Your Accounts in Under Ten Minutes
If you use Snapchat, Instagram, TikTok, or basically any platform with SMS recovery, you need to change three settings today. Not tomorrow. Today. I have walked friends through this over FaceTime from a parking lot in Detroit because they messaged me in a panic after getting the exact same phishing text I got in Cleveland.
First, disable SMS recovery entirely. In Snapchat, go to Settings, Two-Factor Authentication, and switch to an authenticator app like Google Authenticator or Authy. This removes the SMS backdoor. Without it, a hacker cannot use the “we sent you a code” trick because the code only exists inside your authenticator app, not on your text messages.
Second, review your active sessions. Snapchat lets you see every device currently logged into your account. If you see a location you do not recognize, kill that session immediately. Do not wait to “see if it logs out on its own.” It will not.
Third, use a unique password that you do not reuse anywhere else. I know, I know. Everyone says this. But if you are still using the same password from your high school Neopets account, you are one data breach away from every account you own being compromised. A password manager costs four dollars a month. That is less than Svara charged for one hacked account.
And here is the one nobody mentions: turn off read receipts for text messages if your phone allows it. The less metadata a scammer can collect about your behavior, the harder you are to profile. It is a small step, but security is just a collection of small steps that add up to a wall.
While you are reviewing your security settings, do not ignore a freezing or sluggish browser. I spent $300 in 2025 chasing what I thought was a hardware issue, only to learn it was a malware warning sign. If your Chrome browser keeps freezing during security checks, fix it before it becomes a bigger vulnerability.
If Your Photos End Up on a Site Like Statewins
I hope this section is theoretical for you. But if it is not, here is what actually works. The first 48 hours are critical. Document everything. Screenshot the URLs, the thumbnails, the usernames. Do not engage with the posters. Do not threaten legal action in the comments. That just alerts them to hide evidence.
File a report with StopNCII.org. It is a nonprofit tool that creates a digital fingerprint of your image and shares it with participating platforms to prevent re-upload. It is free, it is global, and it is currently the most effective takedown mechanism for victims. Major platforms including Facebook, Instagram, TikTok, and Bumble participate.
Then contact a lawyer who specializes in cyber harassment. Not your cousin who does real estate closings. An actual cyber harassment attorney. Under the Violence Against Women Reauthorization Act of 2022, victims can now sue in federal court for damages and injunctive relief. Some states also offer statutory damages up to ten thousand dollars or more. The TAKE IT DOWN Act adds another federal criminal layer that prosecutors can use.
I have a friend in Phoenix who went through this in 2024. She was a junior at Arizona State when her ex-boyfriend shared photos on a private forum. It took eight months, but she won a civil judgment for $18,000 and a permanent injunction. The money did not fix the violation. But the injunction meant every time the images resurfaced, she had a court order to hand to platforms. That changed the game for her.
The psychological toll is real and often worse than the legal one. If you are reading this as a victim, please hear me: this was not your fault. The shame belongs to the person who shared it, not the person in the photo. Every victim I have ever spoken to says some version of “I should not have taken the picture.” No. The person who should not have shared it is the criminal.
The Honest Truth About Digital Privacy in 2026
Here is what I think after five years of watching this problem get worse instead of better. Technology is not going to save us. Stronger passwords help. Two-factor authentication helps. Laws like TAKE IT DOWN help. But the root cause is cultural. We have built an internet where intimacy is treated as currency, consent is treated as optional, and women’s bodies are treated as communal property the moment a relationship ends.
Statewins is not a technical problem. It is a moral problem with a technical delivery mechanism. You can patch Snapchat all day long, and someone will find another platform tomorrow. The fix is not just better security settings. It is a society that stops creating demand for stolen privacy.
If you are a parent, talk to your kids about this before they need to hear it in a crisis. If you are a student, share the actual security settings with your friends instead of just complaining about the latest update. If you are someone who stumbled onto a forum like Statewins out of curiosity, close the tab and do not go back. Curiosity is not a valid excuse for consuming someone else’s violation.
I am not going to end with a neat conclusion. This does not have one. The Svara case is one prosecution among thousands of violations. The TAKE IT DOWN Act is one law among many gaps. What I will say is this: the next time you get a text at 2 a.m. asking for a code, delete it. The next time a friend asks if two-factor authentication is worth the hassle, say yes. And the next time someone jokes about “leaked photos” like it is entertainment, correct them. Silence is what lets the market for Statewins exist.
Frequently Asked Questions
Statewins illegal?
Yes. Distributing, purchasing, or possessing non-consensual intimate imagery through Statewins or similar forums violates federal law under the TAKE IT DOWN Act of 2025 and state-level revenge porn statutes in all fifty states. Penalties range from misdemeanor charges up to federal felony sentences exceeding twenty years depending on aggravating factors like victim age and intent to profit.
Snapchat hacked how to recover?
Immediately change your password from a secure device, enable authenticator-app two-factor authentication, and revoke all active sessions in your Snapchat settings. If intimate images were stolen, document the breach with screenshots and file reports with both Snapchat Support and StopNCII.org. Consider consulting a cyber harassment attorney who can advise on civil and criminal remedies available under federal and state law.
TAKE IT DOWN Act explained?
The TAKE IT DOWN Act, signed into law in May 2025, is the first federal statute comprehensively criminalizing non-consensual intimate imagery distribution including AI-generated deepfakes. It mandates 48-hour takedown windows for platforms, criminalizes threats to distribute, and carries penalties of up to two years for adult victims and three years for minors. It also creates a framework for victim reporting that did not exist at the federal level before 2025.
Prevent Snapchat phishing?
Disable SMS account recovery and switch to an authenticator app like Google Authenticator or Authy. Never share verification codes via text, email, or direct message even if the sender claims to be official support. Snapchat will never ask for your code through a text reply. Review your active login sessions weekly and use a unique password stored in a password manager rather than reusing credentials across platforms.
Report NCII where?
Start with StopNCII.org, a nonprofit tool that creates digital fingerprints of your images and distributes takedown requests to participating platforms including Facebook, Instagram, TikTok, and Bumble. You can also report directly to the FBI’s Internet Crime Complaint Center at ic3.gov, contact your local FBI field office, or reach out to a cyber harassment attorney who can file federal civil claims under the Violence Against Women Reauthorization Act of 2022.
