MEGA Transparency Report

Period ending 30 June 2025

Report issued on 22 October 2025

What is transparency?

Transparency reports provide public information on compliance programmes and achievements. They demonstrate accountability and play a critical role in building trust with users, suppliers, regulators, employees, investors and the general public.

Mega periodically publishes statistics on takedown requests, subscriber information disclosure and related issues. This is intended to provide transparency to Mega’s operating processes relating to privacy and to statutory compliance. Mega’s report confirms its zero tolerance for illegal activity.

This is the fourteenth transparency report published by Mega since it commenced operations in January 2013. This report contains new data for the six-month period from 1 January 2025 to 30 June 2025.

About Mega

As at 30 June 2025, Mega had over 328 million registered user accounts in more than 215 countries and territories. In total, as at 30 June 2025, Mega’s users had uploaded more than 194 billion distinct files.

In 2013, Mega pioneered user-controlled end-to-end encryption through the web browser. Today, it provides the same zero-knowledge privacy and security across its cloud storage and chat applications, whether accessed via a web browser, mobile app, desktop app or command line tool. Mega The Privacy Company provides Privacy by Design based on the uncompromising use of zero-knowledge user-controlled end-to-end encryption, commonly known as E2EE.

All chat messages and files are fully encrypted on the user’s device before being sent to Mega, using random keys that are encrypted with the user’s password before the encrypted keys, chat messages and files get submitted to and stored on Mega. The password remains on the user’s device and is never sent to Mega, so chats and file contents can’t be read or accessed in any manner by Mega. Files can only be decrypted by the original uploader through a logged-in account or by other parties to whom the account holder has consciously provided the required file/folder keys by way of URL or otherwise.

Mega’s encryption is described in a Whitepaper^[1]and is open to independent scrutiny because all client-side source code is published,^[2] allowing its correctness and integrity to be verified by researchers.

The privacy provided by Mega is a valued service, necessary for personal, professional, business and government use. It is consistent with the Universal Declaration of Human Rights, Article 12:

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence […].
Everyone has the right to the protection of the law against such interference […].”

However, Mega has zero tolerance for illegal activity. While fiercely guarding the privacy of legitimate users, Mega will not be a haven for illegal activity.

Mega has developed a range of new products, including MEGA VPN, MEGA Pass, MEGA S4, and other services currently in early development. Throughout the product development cycle, we ensure that all products comply with the same internal policies and compliance requirements. These policies are applied consistently to all users, regardless of which MEGA products they use or subscribe to. All these products are tied to the same MEGA account, and therefore the statistics in this report include all user counts.

Industry cooperation

Mega is an active member of leading industry bodies which seek to promote best practice for compliance activity and to assist with communications between platforms and with regulatory and law enforcement agencies. Mega is a member of:

The Tech Coalition
Global Internet Forum to Counter Terrorism (GIFCT)
WeProtect Global Alliance

Mega actively participates in the Lantern programme, managed by the Tech Coalition. Through this program, participating companies can securely and responsibly share signals about accounts and behaviours associated with online child sexual exploitation and abuse (OCSEA), including the storage or distribution of Child Exploitation Material (CEM), also known as Child Sexual Abuse Material (CSAM).

Mega is a member of the Christchurch Call, a community of governments, online service providers, and civil society organisations acting together to eliminate terrorist and violent extremist content online, with underlying commitments to human rights and fundamental freedoms, transparency, collaboration, research, and an effective appeals process. See https://www.christchurchcall.org/the-christchurch-call-commitments/.

Mega is also a strong supporter of the ‘Principles to Counter Online Child Sexual Exploitation and Abuse’ issued in March 2020.^[3] The Principles were produced by a working group of officials from New Zealand, Australia, the United Kingdom, the United States and Canada. Mega was one of the technology companies that provided supportive comment on the draft Principles during the consultation process.

Regulatory background

Mega was designed, and is operated, to ensure that it achieves the highest levels of compliance with regulatory requirements.

Mega maintains market-leading processes for dealing with users who upload and share copyright-infringing material or breach any other legal requirements. Mega cannot view or determine the contents of files stored on its system as files are encrypted by users before they reach Mega. However, if a user voluntarily shares a link (with its decryption key) to a folder or file that they have stored on Mega, then anyone with that link can decrypt and view/download the folder/file contents. The same applies to chat links. A member of a group chat with the appropriate access right can create a chat link, allowing anyone with that link to join, view, post and download the materials shared within the group chat.

Mega policies

Copyright

Mega’s Terms of Service expressly prohibit our users from using our services to infringe copyright or any other intellectual property rights. Copyright holders who become aware of public links to their copyright material can contact Mega to have access to the offending files disabled. Similarly, copyright holders with information indicating that MEGA VPN has been used to access infringing content can provide relevant details to us for actioning.

By complying with applicable copyright laws, Mega is provided with a safe harbour, shielding it from liability for the material that its users upload and share using Mega’s services. Although not technically bound by US or EU law, Mega also complies with the conditions for safe harbour under the US Digital Millennium Copyright Act (DMCA) process and relevant European Union Directives.

Mega does this by allowing any person to submit a notice that their copyright material is being stored and/or shared through the Mega platform or accessed via MEGA VPN without authorisation. When Mega receives such notices, it promptly processes them as detailed below, pursuant to Mega’s Terms of Service agreed to by every registered user. File takedowns continue to target a very small portion of the files stored on Mega, indicating that the vast majority of users appreciate the speed, flexibility and privacy of Mega’s systems for legitimate business and personal use.

The safe harbours in various jurisdictions require material to be removed and links disabled expeditiously. Some cloud storage providers target takedown within 24 hours. Mega targets takedown within 4 hours, with most takedowns being actioned faster.

Illegal content –
Child Exploitation Material, Violent Extremism, Bestiality, Zoophilia, Gore, Malware, Hacked/Stolen Data, Passwords

Mega does not condone, authorise, support or facilitate^[4] Child Sexual Exploitation^[5] or the storage or sharing of CEM/CSAM, other illegal content or harmful material. Mega has zero tolerance for users who store or share such material. Users, law enforcement, or members of the public can report links to illegal material to [email protected].

Any reports of such content result in immediate deactivation of the folder/file links and closure of the user’s account. We routinely provide details to New Zealand Government Authorities, and other relevant international authorities, for investigation and prosecution.

The illegal content shared by Mega users generally consists of historic still images and videos that were created elsewhere and later uploaded to the platform. It continues to include self-generated imagery, much of which appears to have resulted from online grooming, coercion, or bribery by adults.

Copyright matters

Requests for removal of copyright content

Mega’s approach to dealing with requests for the takedown of content uploaded by its users (as well as requests for the disclosure of user information and data) is set out in its Takedown Guidance Policy.

Mega accepts copyright takedown notices via a dedicated web page^[6] or by email to [email protected].
Requests are promptly processed without reviewing their validity.^[7] Four companies have executed agreements with Mega whereby they can directly enter takedown notices, without requiring further action by Mega staff. These companies are effectively ‘trusted flaggers’ for copyright reports.

The rights holder is able to specify one of three outcomes for file links:

Removal of just a specified link to the file: – the file will remain in the user’s account;
Removal of all links to the file: – the file will remain in the user’s account;
Removal of all links to and all instances of the file/byte sequence: – there is no user permitted to store the identified file under any circumstance worldwide.

Folder links often refer to a large number of files, of which only some may be claimed to be infringing files. If the person requesting the takedown doesn’t provide identification of the infringing file or files within the folder, Mega will disable the reported folder link only as folder contents can change. This means that the folder and its files will remain accessible in the user’s account. This would be the same as option (1) above in respect of file link takedown requests.

The number of unique takedown requests submitted represents a very small percentage of the total number of files stored on Mega.

Year	Quarter	Copyright takedown requests	Links taken down / Total files	Total files (Billion)
2022	Q1	1,187,646	0.0010%	117.6
	Q2	262,888	0.0002%	122.7
	Q3	276,901	0.0002%	127.9
	Q4	377,574	0.0003%	132.9
2023	Q1	342,668	0.0002%	138.2
	Q2	435,086	0.0003%	144.0
	Q3	430,674	0.0003%	149.9
	Q4	402,414	0.0003%	155.6
2024	Q1	846,463	0.0003%	161.6
	Q2	561,772	0.0003%	167.5
	Q3	577,470	0.0003%	173.7
	Q4	311,093	0.0002%	180.6
2025	Q1	1,072,446	0.0006%	187.4
	Q2	729,911	0.0004%	194.1

Table 1 – Copyright takedowns

Counter-notices

Mega receives counter-notices from some users who dispute the validity of a copyright takedown. These counter-notices are processed in accordance with safe harbour requirements, whereby the link will be reinstated unless the complainant gives notice of legal proceedings. Unfortunately, some content owners and agents trawl the Internet using robots which generate incorrect notices on behalf of copyright owners, and some fail to review the specific link content or to determine whether it is actually a live link.

There are also cases where some parties deliberately issue false copyright takedown notices, for commercial competition or other reasons.

**Figure 1 – Counter Notices to dispute a copyright takedown**

As can be seen, following the submission of a counter notice most of the links have been reinstated.

The increase in dispute numbers observed in Q3 and Q4 of 2023 was due to false copyright takedown notices submitted by malicious reporters using temporary email addresses to target some Korean users. We have addressed this issue by implementing an email verification process for the copyright notice submission system.

Repeat infringers

Mega suspends the account of any user with three copyright takedown strikes related to file storage/sharing within six months. In some cases, the account can be reinstated after it is proved to be the subject of invalid takedown notices, but most suspended accounts are terminated. During the 12 years to 30 June 2025, Mega had suspended 169,896 users for repeated copyright infringement. The data below shows that suspensions are a very small % of the number of registered accounts.

Year	Quarter	Number of users suspended	% of registered users
2022	Q1	2,033	0.0008%
	Q2	1,690	0.0007%
	Q3	1,676	0.0006%
	Q4	1,567	0.0006%
2023	Q1	1,584	0.0006%
	Q2	1,479	0.0005%
	Q3	1,791	0.0006%
	Q4	1,346	0.0005%
2024	Q1	2,312	0.0008%
	Q2	1,328	0.0004%
	Q3	2,102	0.0007%
	Q4	702^[8]	0.0002%
2025	Q1	0^[9]	0%
	Q2	3,276	0.0010%

Table 2 – Copyright suspensions

On 19 December 2023, Mega launched MEGA VPN, a VPN service available to our Pro users and later to subscribers of MEGA VPN as a standalone product. We do not store content or data that is transmitted using MEGA VPN; it is a means of transmission only, and therefore no data can be taken down in response to notices related to VPN usage.

Between 1 January 2025 and 30 June 2025, we received 3,153 notices of alleged copyright infringement related to MEGA VPN usage. These notices were processed by matching the exact timestamp, protocol (TCP or UDP) and originating IP address/port number. Users received a warning upon the third verified match associated with an alleged infringement, and a strike was recorded. Accounts accumulating multiple strikes were subject to suspension. The data below shows that a very small percentage of users were suspended due to alleged repeated infringements via MEGA VPN.

Year	Quarter	VPN user number	VPN notices received	Number of users suspended	% of users
2025	Q1	24423	1958	0	0.0000%
	Q2	28680	1195	5	0.0174%

Table 3 – Infringement Notices Related to VPN Usage

Illegal content

During the 12 years to 30 June 2025, Mega has closed 3.15 million accounts for sharing illegal content. Details of every link to illegal content and of every related account that was closed were provided to the New Zealand Government and relevant international authorities for investigation and prosecution.

**Figure 2 – Accounts closed for public sharing of illegal material**

CSAM Hash Tracing Project

In 2022, MEGA commenced a process to download files from public links that included the decryption key and had been reported to contain illegal content, such as CSAM, to a server controlled by the New Zealand authority. These links are reviewed by humans and whitelisted when appropriate. We calculate a digital hash for each downloaded file and compare it against reputable hash databases from sources including INTERPOL, NCMEC, and the Canadian Centre for Child Protection. When a file matches a known illegal content hash, MEGA removes all identical copies from user accounts. Users who store such files receive a final warning for the first strike, and accounts are immediately closed if they have shared the illegal content by creating public links. The CSAM Hash Tracing Project has led to a substantial increase in account closures.

Mega records its compliance activity relating to illegal content in various categories. Details of major categories are shown below.

**Figure 3 – Reports of illegal material predominantly relate to CSAM and Violent Extremism but also include a small number of other serious crimes**

Figure 4 – CSAM links represent a very small proportion of the total links created by users during each quarter. Since Q3 2022, this proportion has shown a steady decline, possibly reflecting the impact of Mega’s CSAM Hash Tracing Project, which has resulted in the suspension of numerous accounts involved in such activity.

**Figure 5 – Reported CSAM links are predominantly folder links, i.e. more than one file**

**Figure 6 – Reported Violent Extremism links are predominantly single files; the overall number remains low**

**Figure 7 – CSAM is a global problem, afflicting all geographic areas**

Identification of illegal content

Mega receives reports of CSAM links from international NGOs (such as reporting hotlines) and from law enforcement agencies, but most are submitted by private individuals who have noticed the links, with an associated description, being openly shared on public forums. Anyone with the link, including the decryption key, can download the content.

Upon receipt of reports of illegal content, Mega immediately disables the link and closes the user’s account. Details are shared with New Zealand authorities. Mega does not have any ‘trusted flaggers’.

**Figure 8 – Most CSAM links are reported by individuals who find the links on public forums**

**Figure 9 – Until 2022, many reports of Violent Extremism links were provided by an NGO which monitored public websites**

Mega proudly participates in the Lantern programme, which is managed by the Tech Coalition.

Sharing information across platforms (which is conducted in compliance with applicable data protection laws and is limited to information necessary to combat OCSEA) helps us to be more effective in our processes to remove illegal content and to take action on accounts storing or sharing such content. Lantern offers us a further means of identifying, addressing, and in some cases, preventing harmful or illegal conduct. We also want to do our part by helping other services to reduce this conduct on their platforms.

Our Terms of Service permit us to suspend or terminate access to our services if we receive credible information indicating that a user has shared or possessed CSAM through another online platform. Our compliance team carefully triages signals we receive via Lantern, which are considered credible information of this nature.

In the six months to 30 June 2025, we:

Disabled 91 MEGA public file or folder links reported to us via Lantern; and
Closed 588 user accounts based on signals shared by other members in the Lantern programme.

Through the Lantern programme, we primarily share signals consisting of user email addresses associated with public links that have been manually verified to contain CSAM. These links were publicly distributed, sometimes advertised for sale, and reported as circulating on other platforms.

In the six months to 30 June 2025, we shared 741 signals to Lantern.

Accounts administratively disabled for other reasons

In addition to closing accounts for storing or sharing illegal content, or for repeated copyright infringement, we administratively disabled accounts for other harmful conduct that are breaches of our Terms of Service.

In the six months ending 30 June 2025, 2,007 accounts were disabled in this ‘other’ category.

Appeals

We process reports of illegal content in good faith based on information provided to us. Occasionally, these reports may be inaccurate, which can result in wrongful disabling of access to content or the suspension of user accounts.

While users have always been entitled to contact us to challenge the suspension or termination of their account, in early 2024 we implemented a formal appeal process, allowing users to submit a form at mega.io/appeal. As can be seen, this has led to an increased number of appeals against account termination or suspension.

Appeals against account closure for holding alleged illegal material may be referred to the New Zealand Authorities for adjudication of the content. The account may be reinstated if the content is determined not to be illegal.

**Figure 10 – Accounts Suspension Appeal**

A larger-than-usual number of accounts were reinstated in Q1 2024 because some accounts had been incorrectly flagged as being associated with LockBit ransomware. These wrongly identified accounts were fully restored when legitimate users appealed. Moreover, the number of appeals has grown in line with the increase in accounts suspended due to the CSAM Hash Tracing Project mentioned in the Illegal content section. Overall, very few accounts have been reinstated following an appeal.

Response to International Law Enforcement Agencies

Mega is ‘The Privacy Company’ and values the privacy of its users. We are committed to maintaining industry-leading levels of security for, and confidentiality of, user data and information. In considering any request for access to such data or information, Mega starts from the position that user data and information is private and should always be protected to the greatest extent possible.

However, privacy and protection of user information and data are not absolute rights and are subject to some limitations, such as in cases of illegal activity.

The basis on which Mega may, in extremely limited situations, disclose user information and data is set out in Mega’s Takedown Guidance Policy.

Unless an Emergency Response (as defined below) is required, or disclosure is necessary in relation to an investigation involving CSAM or violent extremism, Mega will generally only provide user data or information when required to do so by applicable law, or by a court or law enforcement authority with appropriate jurisdiction.

Mega defines Emergency Response as a situation where Mega has written assurance from a senior law enforcement officer that in the expert judgment of such person, disclosure is necessary in order to protect the vital interests of the data subject or another natural person and the person giving such assurance confirms in writing that the threat is of such urgency that there is not time to obtain a production order or other court order.

If satisfied as to the above, Mega may, at its discretion, accept the request in good faith.

When Mega accepts a request, Mega may provide advance notice to the affected user unless prohibited by a court order or where Mega decides delayed notice is appropriate.

Although all files stored on Mega are encrypted prior to being uploaded to our system, and we therefore cannot access that content unless we are provided with the decryption key, Mega does have access to user registration information and the IP addresses used to access our services.

Mega provides Basic Subscriber Information (BSI) to law enforcement agencies in countries with a democratically elected government and demonstrated legal systems, in cases of serious illegality.

The chart below shows the number of law enforcement requests for Basic Subscriber Information that have been processed.^[10]

**Figure 11 – BSI requests remained relatively consistent over recent periods**

Metadata provided by Mega has resulted in a significant number of arrests and prosecutions of Child Sexual Exploitation and Abuse perpetrators, as well as the rescue of children at risk of imminent harm.

Mega treats law enforcement requests for subscriber account information as a priority, which is reflected in our response times. Reports from the public about illegal content being shared are actioned with similar urgency.

Year	Quarter	Average Response Time (Hours)	Median Response Time (Hours)
2024	Q1	0.72	0.32
	Q2	0.63	0.30
	Q3	0.66	0.33
	Q4	0.58	0.30
2025	Q1	0.58	0.29
	Q2	0.96	0.41

Table 4 – Response Time to Law Enforcement Requests

Some requests from law enforcement agencies are more complex than usual, which results in the average being higher than the median.

Legal orders

During the six months ended 30 June 2025, Mega received one legal order from New Zealand authorities and subsequently disclosed account metadata for the accounts identified in the order. These accounts were alleged to be involved in serious criminal activity in New Zealand or abroad.

There were also three orders from overseas agencies, processed by New Zealand Police under the Mutual Assistance in Criminal Matters Act 1992, to disclose information relating to fraud, hacking and money laundering cases.

Originating Country	Alleged criminality	Number of Orders/Warrants	Outcome
New Zealand	CSAM	1	Metadata Supplied
Netherlands	Hacking	1	Metadata Supplied
United Kingdom	Fraud	1	Metadata Supplied
France	Money Laundering	1	Metadata Supplied

Table 5 – Legal orders

In addition, many law enforcement agencies supplied subpoenas and search warrants produced by their local courts, apparently generated to provide local authority for the agency to obtain information. Unless processed through the lengthy Mutual Legal Assistance Treaty (MLAT) process, these warrants have no application to foreign entities. We advise such agencies that Mega is not subject to their domestic laws or domestic court orders. However, in cases of serious criminality, including child sexual exploitation and abuse allegations, Mega may supply metadata without a warrant, as specified in its Takedown Guidance Policy.

Other requests for personal information

During the six months ending 30 June 2025, MEGA received 26 requests for subscriber information from private individuals or companies. All were declined by Mega, to preserve user privacy, as they did not meet the necessary requirements set out in Mega’s Takedown Guidance Policy.

**Figure 12 – Private requests for information about Mega users**

Users can securely download personal data through an automated, self-service process. Download numbers were high in the first two quarters of 2022 and have remained relatively stable since then.

**Figure 13 – User downloads of GDPR account information**

Personal Data is retained while the user’s account is active. After account closure, Mega retains all account information as long as any law enforcement requests are pending. Otherwise, data is retained for 12 months after account closure, as users may request that an account be re-activated.

After 12 months, identifying information, such as email and IP addresses, is anonymised, except where email address records are retained for reference by the user’s contacts or where the user has participated in chats with other Mega users. Other related database records may still be retained, including records of financial transactions where Mega is legally required to retain such information.

When a user deletes a file from the Rubbish bin, that file becomes inaccessible, is marked for deletion and is permanently removed from the Mega system during the next scheduled file deletion process. After account closure, all stored files are similarly marked for deletion and permanently removed during the next scheduled file deletion process.

Definition of terms

Mega uses the term Child Sexual Abuse Material (CSAM) to refer to photos, videos and documents relating to sexually explicit images of, or conduct of or with a child, consistent with the ECPAT 2016 Luxembourg Guidelines.^[11] This is broadly equivalent to terms used by other platforms, such as Child Sexual Exploitation and Abuse (CSEA) and Child Sexual Exploitation and Abuse Imagery (CSEAI).

Law Enforcement Agencies (LEA) include police and other relevant investigation and prosecution agencies.

Suspension means closing a user’s account permanently, unless reinstated by a successful appeal.

References

[1] https://mega.io/SecurityWhitepaper.pdf

[2] https://mega.io/sourcecode

[3] www.dia.govt.nz/Voluntary-Principles-to-Counter-Online-Child-Sexual-Exploitation-and-Abuse

[4] MEGA Terms of Service https://mega.io/terms and https://mega.io/takedown

[5] See https://ecpat.org/luxembourg-guidelines/

[6] https://mega.io/copyrightnotice

[7] It is impossible to review the validity as the file contents are user–encrypted (unless the user has published or provided the encryption key), and also due to the uncertainties of copyright status, as noted above.

[8] Due to a technical error, the account suspension system for repeated infringers was not fully operational during Q4. The issue was identified and fixed in early April 2025.

[9] Due to the same technical error, the account suspension system for repeated infringers was not fully operational during Q1 2025. The issue was identified and fixed in early April 2025.

[10] Starting from Q3 2024, the Organised Crime category has been discontinued following centralisation of request handling. Figures from this point onward reflect this change.

[11] https://ecpat.org/luxembourg-guidelines/