The Investigation
Our journey began in January 2024 when multiple content creators approached Sidenty with serious concerns about GayForFans.com. The platform was hosting hundreds of their videos and images without permission, effectively monetizing their work without compensation or consent.
“We’ve been fighting this for months,” explained one creator who wished to remain anonymous. “They’re taking our exclusive content and making it freely available, without permission.“
Following our standard protocol, we first attempted to resolve the issue through conventional channels. We sent many DMCA takedown notices to GayForFans.com through multiple communication channels:
Sometimes we received a response and they removed the content from their website but after a weeks it was back published. This deliberate pattern of ignoring legal communications is a strategy we’ve observed with platforms intentionally operating in regulatory gray areas.
Eventually we determined that stronger measures were necessary. Our digital forensics team initiated a technical investigation with a clear objective: identify the actual operators behind GayForFans.com who were deliberately concealing their identities to avoid legal accountability.
“Platforms that systematically ignore takedown notices are rarely operating in fully isolation,” noted our lead investigator. “They typically have technical and business connections to other operations that can be uncovered through digital forensics.”
Little did we know that pulling on this single thread would unravel an entire network of connected platforms, technical infrastructure, and business relationships all leading back to an individual who publicly presented a very different professional image.
The Mail Server Connection
Our first breakthrough came from examining GayForFans.com’s mail exchange (MX) records. The site used an unusual mail server: mail.anton.cloud.
This configuration immediately raised red flags for several reasons:
- Non-standard provider: Most legitimate businesses use established email providers like Google Workspace (gmail-smtp-in.l.google.com), Microsoft 365 (*.mail.protection.outlook.com), or their web hosting company’s default mail services. Finding a custom domain as a mail server suggests deliberate infrastructure setup.
- Obscure domain: Unlike recognizable mail servers (mail.protonmail.ch, mx.zoho.com, etc.), anton.cloud had no public profile as an email service provider. Our research confirmed it wasn’t a commercial email service available to the general public.
- Privacy-focused choice: Custom mail servers are often deployed by those specifically seeking to avoid the standard email providers that might comply more readily with legal requests.
This unusual mail server configuration became the key that unlocked our entire investigation.
This discovery proved critical when our reverse MX lookup revealed eight domains all using this same mail server:
Domain First Seen Last Seen
------------------------------------------------------
adultcdn.media Dec 6, 2023 Jun 20, 2025
anton.cloud May 12, 2022 Jun 21, 2025
corbg.com Mar 20, 2023 Jun 15, 2025
fetishforfans.com May 28, 2022 Jun 15, 2025
gayforfans.com Jun 14, 2022 Jun 15, 2025
gffshorts.com May 23, 2024 Jun 19, 2025
jeffersonchacon.com Jun 13, 2022 Jun 30, 2025
marshallmedia.group May 27, 2022 Jul 2, 2025Most telling was that seven of these domains began using this mail server within weeks of each other in 2022 – statistically impossible to occur by coincidence.
The IP Address Evidence
Following the mail server discovery, we conducted a IP infrastructure analysis. Using both historical and current DNS data, we identified a critical technical connection through IP address 51.161.212.147.
On August 6, 2024, our DNS lookups revealed that specific subdomains of jeffersonchacon.com – particularly the “autoconfig” and “autodiscover” subdomains used for email configuration were hosted on this IP address. These technical subdomains are invisible to casual visitors but critical for email functioning.
“These aren’t subdomains a typical user would create,” explains our technical lead. “Autoconfig and autodiscover subdomains are specifically used for automatic email client configuration. They’re created when setting up advanced mail server functionality, not when building a portfolio website.”
In October 2024, our continued monitoring detected that GayForFans.com had moved to this exact same IP address.
Most revealing was our discovery that pod-01.marshallmedia.group was also operating from this same IP address. This subdomain appeared to be running container infrastructure (likely Docker), suggesting a sophisticated technical operation with multiple services running on the same hardware.
This triangular connection between jeffersonchacon.com, gayforfans.com, and marshallmedia.group through a single dedicated IP represents an unmistakable technical fingerprint.
The Marketing Parameter Connection
Examining GayForFans.com’s advertising revealed a crucial business connection. In November 2023, advertisements on the platform contained URL parameters explicitly referencing “marshallmedia” (example: ?ref=marshallmedia&campaign=internal).
This parameter directly tied GayForFans to marshallmedia, confirming not just technical overlap but an intentional business relationship.
The Content Network
The domains revealed a clear content pattern:
- GayForFans.com – The main platform
- FetishForFans.com – Sister site with similar branding
- GFFShorts.com – GayForFansShorts
- adultcdn.media – Content delivery network for adult media
The Professional Connection
One domain, corbg.com, was particularly revealing. Using Internet Archive, we found it was a news blog focused on TV, movies, and gaming mirroring Jefferson’s current employment at a movie news blog website. This thematic overlap between corbg.com and his professional focus added yet another connection point.
The Email Responses
GayForFans Response
When contacted, GayForFans first redirected us to their DMCA form, adding:
“Please also note that there’s no one on our team named Jefferson. We rotate our IP addresses regularly so any domains linking to our past IP’s will be inaccurate.”
Rather than denying the IP connection, they acknowledged rotating IPs, an unusual practice for dedicated servers and a tacit admission they were aware of the technical connections.
In a follow-up communication, they suddenly switched from signing emails as “GayForFans Support” to:
“Regards, Joseph”
This inconsistency in communication style suggested improvisation.
Jefferson’s Evolving Explanation
Jefferson initially responded with a simple denial:
“I am writing to formally state that I am not the owner, operator, or administrator of gayforfans.com, marshallmedia.group, anton.cloud, or any related domain mentioned in your communication.”
When presented with technical evidence, his story evolved significantly:
“Though this is entirely outside the scope of what I am obligated to disclose, in the interest of helping you understand where you may have drawn incorrect conclusions: last year, while seeking employment, I assembled a portfolio of my graphic design work and paid for a small website and email address which was hosted on shared infrastructure.”
This explanation contradicted our findings that:
- The connections were on email configuration subdomains, not portfolio pages
- The IP was a dedicated server, not shared hosting
Jefferson escalated to legal threats:
“Should you proceed with releasing any such false claims to the media, you will not only expose yourself to a defamation lawsuit, but any media outlet that republishes this libel will likewise be subject to legal action.”
Despite threats of defamation action, we remain confident in our technical findings. Truth is an absolute defense against defamation claims, and our evidence has been meticulously documented with multiple sources confirming each technical connection.
Conclusion
The connections we uncovered weren’t isolated coincidences but a pattern of evidence that tells a clear story. Eight domains sharing the same unusual mail server. Three websites connecting through the same dedicated IP address. Marketing parameters explicitly linking platforms and sister sites with consistent branding and naming patterns.
What makes this case particularly notable is how the technical evidence directly contradicts the explanations provided when confronted. The claim of having “no technical knowledge” crumbles when faced with evidence of custom mail servers, dedicated IP infrastructure, and containerized applications. The timeline of “last year” and “shared hosting” cannot be reconciled with three years of connections across dedicated servers.
The tactics employed ignoring takedown notices, rotating IP addresses, threatening legal action are familiar strategies used by those operating in regulatory gray areas. But digital infrastructure leaves traces that cannot be easily erased, and technical configurations create connections that tell their own story regardless of the narratives constructed around them.
What is Next?
We are looking for content creators whose content is or was shared on GayForFans and would like to join us in this fight against gayforfans.com and Jefferson.
The strength of our case grows with each affected creator who comes forward. By combining resources and evidence from multiple parties, we can pursue legal action and increase pressure for compliance.
If you are interested in joining us in this fight, please contact us. All communications will be kept strictly confidential, and our team can explain the potential options available based on your specific situation.
Sidenty specializes in copyright protection and digital investigations. This case study has been shared with appropriate redactions as an educational resource for the OSINT community.
Note: This investigation complies with GDPR under the legitimate interest basis (Article 6(1)(f)), processing only necessary technical data to protect intellectual property rights.