1 January 2025 to 31 December 2025
Report issued on 30 March 2026
What is transparency?
Transparency reports provide public information on compliance programmes and achievements. They demonstrate accountability and play a critical role in building trust with users, suppliers, regulators, employees, investors and the general public.
MEGA periodically publishes statistics on takedown requests, subscriber information disclosure and related issues. This is intended to provide transparency to MEGA’s operating processes relating to privacy and to statutory compliance. MEGA’s report confirms its zero tolerance for illegal activity.
This is the fifteenth transparency report published by MEGA since it commenced operations in January 2013. It summarises data for the twelve-month period from 1 January 2025 to 31 December 2025 and includes comparative data from previous years to illustrate trends. This reporting period differs from earlier reports, which covered six months, reflecting a transition to annual reporting to align with evolving regulatory expectations, including the Digital Services Act.
About MEGA
In March 2025, MEGA underwent a corporate restructuring under which the contractual provider of the MEGA Cloud and MEGA S4 services became MEGA Privacy LLC, a company registered in Hungary. Updated Terms of Service reflecting this change took effect on 15 May 2025.
As at 31 December 2025, MEGA had over 338 million registered user accounts in more than 215 countries and territories. By that date, MEGA users had uploaded more than 208 billion distinct files.
In 2013, MEGA pioneered user-controlled end-to-end encryption through the web browser. Today, it provides the same zero-knowledge privacy and security across its services, whether accessed via a web browser, mobile app, desktop app or command line tool. MEGA provides Privacy by Design through the use of zero-knowledge user-controlled end-to-end encryption, commonly known as E2EE.
All files and chat messages are encrypted on the user’s device before being transmitted to MEGA. Each item is encrypted using randomly generated keys, which are themselves encrypted with the user’s password before the encrypted data is stored on MEGA. The password remains on the user’s device and is never sent to MEGA, so file contents and chats are not accessible to MEGA. Files can only be decrypted by the original uploader when accessing their account while logged in, or by other parties to whom the account holder has deliberately provided the required file or folder keys, whether through a URL or by other means.
Mega’s encryption is described in a Whitepaper[1] and is open to independent scrutiny because all client-side source code is published,[2] allowing its correctness and integrity to be verified by researchers.
The privacy provided by MEGA is a valued service, necessary for personal, professional, business and government use. It is consistent with the Universal Declaration of Human Rights, Article 12:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence […].
Everyone has the right to the protection of the law against such interference […].”
However, MEGA has zero tolerance for illegal activity. While fiercely guarding the privacy of legitimate users, MEGA will not be a haven for illegal activity.
MEGA has developed additional services, including MEGA VPN, MEGA Pass, MEGA S4 and other services. Throughout the product development cycle, MEGA ensures that all services comply with the same internal policies and compliance requirements. These policies are applied consistently to all users, regardless of which MEGA services they use or subscribe to. All MEGA services are linked to the same MEGA account, and the statistics in this report include users across all MEGA services.
Regulatory background
MEGA is designed and operated to ensure a high level of compliance with applicable regulatory requirements.
MEGA maintains market-leading processes for dealing with users who upload and/or share copyright-infringing material or breach any other legal requirements. MEGA cannot view or determine the contents of files stored on its system as files are encrypted by users before they reach MEGA. However, if a user voluntarily shares a link (including the decryption key) to a folder or file stored on MEGA, anyone with that link can decrypt and view or download the contents. The same applies to chat links. A member of a group chat with the appropriate access right can create a chat link, allowing anyone with that link to join, view, post and download the materials shared within the group chat.
Industry cooperation
MEGA is an active member of leading industry bodies which seek to promote best practice for compliance activity and to assist with communications between platforms and with regulatory and law enforcement agencies. MEGA is a member of:
- Tech Coalition
- Global Internet Forum to Counter Terrorism (GIFCT)
- WeProtect Global Alliance
MEGA actively participates in the Lantern programme, managed by the Tech Coalition. Through this programme, participating companies can securely and responsibly share signals about accounts and behaviours associated with online child sexual exploitation and abuse (OCSEA), including the storage or distribution of Child Exploitation Material (CEM), also known as Child Sexual Abuse Material (CSAM).
MEGA is a member of the Christchurch Call, a community of governments, online service providers, and civil society organisations acting together to eliminate terrorist and violent extremist content online, with underlying commitments to human rights and fundamental freedoms, transparency, collaboration, research, and an effective appeals process. See https://www.christchurchcall.org/the-christchurch-call-commitments/.
Mega is also a strong supporter of the ‘Principles to Counter Online Child Sexual Exploitation and Abuse’ issued in March 2020.[3] The Principles were produced by a working group of officials from New Zealand, Australia, the United Kingdom, the United States and Canada. MEGA was one of the technology companies that provided supportive comments on the draft Principles during the consultation process.
MEGA policies
Copyright
MEGA’s Terms of Service expressly prohibit users from using our services to infringe copyright or any other intellectual property rights. Copyright holders who become aware of public links to their copyrighted material can contact MEGA to have access to the offending files disabled. Similarly, copyright holders with information indicating that MEGA VPN has been used to access copyrighted content can provide relevant details to us for investigation and appropriate action.
MEGA operates in accordance with applicable copyright laws and intermediary liability frameworks. These frameworks provide limitations of liability for service providers where they act expeditiously to remove or disable access to copyright infringing material once notified. As a service provider operating in the European Union, MEGA complies with the relevant provisions of EU law governing intermediary services. MEGA also processes copyright notices in a manner consistent with the safe-harbour principles of the United States Digital Millennium Copyright Act (DMCA).
MEGA does this by allowing any person to submit a notice that their copyrighted material is being stored and/or shared through the MEGA platform or accessed via MEGA VPN without authorisation. When MEGA receives such notices, it promptly processes them as detailed below, pursuant to MEGA’s Terms of Service agreed to by every registered user. File takedowns continue to target a very small portion of the files stored on MEGA, indicating that the vast majority of users rely on MEGA’s services for legitimate business and personal use.
Applicable legal frameworks require infringing material to be removed or access to it disabled expeditiously after notice. While some cloud storage providers target removal within 24 hours, MEGA targets takedown within 4 hours, with most takedowns being actioned faster.
Illegal content –
Child Exploitation Material, Violent Extremism, Bestiality, Zoophilia, Gore, Malware, Hacked/Stolen Data, Passwords
MEGA does not condone, authorise, support or facilitate[4] Child Sexual Exploitation[5] or the storage or sharing of CEM/CSAM, other illegal content or harmful material. MEGA has zero tolerance for users who store or share such material. Users, law enforcement, or members of the public can report links to illegal material to abuse@mega.io.
Any reports of such content result in prompt disabling of the folder or file links and closure of the associated MEGA account. Details are routinely shared with relevant law enforcement authorities for investigation and prosecution.
The illegal content shared by MEGA users generally consists of historic still images and videos created elsewhere and later uploaded to the platform. It continues to include self-generated imagery, much of which appears to have resulted from online grooming, coercion, or bribery by adults.
Copyright matters
Requests for removal of copyright content
MEGA’s approach to dealing with requests for the takedown of content uploaded by its users (as well as requests for the disclosure of user information and data) is set out in its Takedown Guidance Policy.
Mega accepts copyright takedown notices via a dedicated web page[6] or by email to copyright@mega.io.
Requests are processed promptly in accordance with MEGA’s Terms of Service. Four companies have entered into agreements with MEGA that allow them to submit takedown notices directly through MEGA’s reporting system without requiring additional processing by MEGA staff. These entities are treated as trusted reporting partners for copyright notices.[7]
The rights holder is able to specify one of three outcomes for file links:
- Removal of just a specified link to the file: – the file will remain in the user’s account;
- Removal of all links to the file: – the file will remain in the user’s account;
- Removal of all links to and all instances of the file/byte sequence: – there is no user permitted to store the identified file under any circumstance worldwide.
Folder links often refer to a large number of files, of which only some may be claimed to be infringing files. If the person requesting the takedown doesn’t provide identification of the infringing file or files within the folder, MEGA will disable the reported folder link only as folder contents can change. This means that the folder and its files will remain accessible in the user’s account. This would be the same as option (1) above in respect of file link takedown requests.
The number of unique takedown requests submitted represents a very small percentage of the total number of files stored on MEGA.
| Year | Quarter | Copyright takedown requests | Links taken down / Total files | Total files (Billion) |
| 2022 | Q1 | 1,187,646 | 0.0010% | 117.6 |
| Q2 | 262,888 | 0.0002% | 122.7 | |
| Q3 | 276,901 | 0.0002% | 127.9 | |
| Q4 | 377,574 | 0.0003% | 132.9 | |
| 2023 | Q1 | 342,668 | 0.0002% | 138.2 |
| Q2 | 435,086 | 0.0003% | 144.0 | |
| Q3 | 430,674 | 0.0003% | 149.9 | |
| Q4 | 402,414 | 0.0003% | 155.6 | |
| 2024 | Q1 | 846,463 | 0.0003% | 161.6 |
| Q2 | 561,772 | 0.0003% | 167.5 | |
| Q3 | 577,470 | 0.0003% | 173.7 | |
| Q4 | 311,093 | 0.0002% | 180.6 | |
| 2025 | Q1 | 1,072,446 | 0.0006% | 187.4 |
| Q2 | 729,911 | 0.0004% | 194.1 | |
| Q3 | 797,192 | 0.0004% | 201.3 | |
| Q4 | 1,299,520 | 0.0006% | 208.4 |
Counter-notices
MEGA receives counter-notices from some users who dispute the validity of a copyright takedown. These counter-notices are processed in accordance with applicable intermediary liability framework. Where appropriate, the reported link may be reinstated unless the complainant confirms that legal proceedings have been initiated in relation to the alleged infringement. Unfortunately, some copyright owners and their agents rely on automated tools to identify potentially infringing material on the Internet. In some cases, this results in notices being submitted without the reported link being fully reviewed or where the link is no longer active.
There are also cases where some parties deliberately issue false copyright takedown notices, for commercial competition or other improper purposes.
As can be seen, following the submission of a counter notice most of the links have been reinstated.
The increase in dispute numbers observed in Q3 and Q4 of 2023 was due to false copyright takedown notices submitted by malicious reporters using temporary email addresses to target some Korean users. We have addressed this issue by implementing an email verification process for the copyright notice submission system.
Repeat infringers
MEGA suspends the account of any user who receives three copyright takedown strikes related to file storage or sharing within a six-month period. In some cases, an account may be reinstated if it is shown that the takedown notices were invalid, but most suspended accounts remain suspended. Over the 12 years to 31 December 2025, MEGA suspended 172,247 users for repeated copyright infringement. The data below shows that suspensions represent a very small percentage of the total number of registered accounts.
| Year | Quarter | Number of users suspended | % of registered users |
| 2022 | Q1 | 2,033 | 0.0008% |
| Q2 | 1,690 | 0.0007% | |
| Q3 | 1,676 | 0.0006% | |
| Q4 | 1,567 | 0.0006% | |
| 2023 | Q1 | 1,584 | 0.0006% |
| Q2 | 1,479 | 0.0005% | |
| Q3 | 1,791 | 0.0006% | |
| Q4 | 1,346 | 0.0005% | |
| 2024 | Q1 | 2,312 | 0.0008% |
| Q2 | 1,328 | 0.0004% | |
| Q3 | 2,102 | 0.0007% | |
| Q4 | 702[8] | 0.0002% | |
| 2025 | Q1 | 0[9] | 0% |
| Q2 | 3,276 | 0.0010% | |
| Q3 | 1,246 | 0.0004% | |
| Q4 | 1,105 | 0.0003% |
Infringement Notices Related to VPN Usage
On 19 December 2023, MEGA launched MEGA VPN, a VPN service available to our Pro users and later to subscribers of MEGA VPN as a standalone product. We do not store content or data that is transmitted using MEGA VPN; it is a means of transmission only, and therefore no data can be taken down in response to notices related to VPN usage.
Between 1 January 2025 and 31 December 2025, we received 4,839 notices of alleged copyright infringement related to MEGA VPN usage. These notices were processed by matching the exact timestamp, protocol (TCP or UDP) and originating IP address/port number. Users received a warning upon the third verified match associated with an alleged infringement, and a strike was recorded. Accounts accumulating multiple strikes were subject to suspension. The data below shows that a very small percentage of users were suspended due to alleged repeated infringements via MEGA VPN.
| Year | Quarter | Total VPN users | Copyright notices received | Accounts suspended (Repeat Infringement) | Suspension Rate (% of VPN Users) |
|---|---|---|---|---|---|
| 2025 | Q1 | 8627 | 1958 | 0 | 0.000% |
| Q2 | 9987 | 1195 | 5 | 0.050% | |
| Q3 | 11789 | 1018 | 9 | 0.076% | |
| Q4 | 12355 | 668 | 8 | 0.065% |
Illegal content
During the 12 years to 31 December 2025, MEGA closed approximately 3.33 million accounts for sharing illegal content. Details of links to illegal content and associated accounts were shared with relevant law enforcement authorities for investigation and prosecution.
CSAM Hash Tracing Project
In 2022, MEGA commenced a process to download files from public links that included the decryption key and had been reported to contain illegal content, such as CSAM, to a server controlled by a New Zealand authority. These links are reviewed by humans and whitelisted when appropriate. We calculate a digital hash for each downloaded file and compare it against reputable hash databases from sources including INTERPOL, NCMEC, and the Canadian Centre for Child Protection. When a file matches a known illegal content hash, MEGA removes all identical copies from user accounts. Users who store such files receive a final warning for the first strike, and accounts are immediately closed if they have shared the illegal content by creating public links. The CSAM Hash Tracing Project has led to a substantial increase in account closures.
This process was temporarily paused due to technical reasons and resumed in the second half of 2024. It resulted in the closure of 415,579 accounts during the twelve months to 31 December 2025.
MEGA records its compliance activity relating to illegal content in various categories. Details of major categories are shown below.
Identification of illegal content
MEGA receives reports of CSAM links from international NGOs, such as reporting hotlines, and from law enforcement agencies. However, the majority of reports are submitted by private individuals who have noticed the links, often accompanied by descriptions, being openly shared on websites and social media platforms. Anyone with the link, and its decryption key, can download the content.
Upon receipt of reports of illegal content, MEGA promptly disables the link and closes the associated account. Details are shared with relevant law enforcement authorities where appropriate. MEGA also uses automated tools, including AI, to assist in the processing of links reported as containing CSAM. Human review is applied where notices are unclear, and all disabled links are subject to daily triage. MEGA does not have any DSA-designated ‘trusted flaggers’.
Illegal content reports are processed promptly. In most cases, reported links are disabled within minutes and the associated accounts are suspended or closed at the same time.
In addition to reports received from external sources, MEGA also uses automated hash-matching tools as part of its CSAM Hash Tracing Project to identify additional copies of previously reported illegal content across user accounts.
Signal sharing via Lantern
MEGA proudly participates in the Lantern programme, which is managed by the Tech Coalition.
Sharing information across platforms (which is conducted in compliance with applicable data protection laws and is limited to information necessary to combat OCSEA) helps us to be more effective in our processes to remove illegal content and to take action on accounts storing or sharing such content. Lantern offers us a further means of identifying, addressing, and in some cases, preventing harmful or illegal conduct. We also want to do our part by helping other services to reduce this conduct on their platforms.
Our Terms of Service permit us to suspend or terminate access to our services if we receive credible information indicating that a user has shared or possessed CSAM through another online platform. Our compliance team carefully triages signals we receive via Lantern, which are considered credible information of this nature.
In the twelve months to 31 December 2025, we:
- Disabled 504 MEGA public file or folder links reported to us via Lantern; and
- Closed 1,202 user accounts based on signals shared by other members in the Lantern programme.
Through the Lantern programme, we primarily share signals consisting of user email addresses associated with public links that have been manually verified to contain CSAM. These links were publicly distributed, sometimes advertised for sale, and reported as circulating on other platforms.
In the twelve months to 31 December 2025, we shared 4,085 signals with members in Lantern.
Accounts administratively disabled for other reasons
In addition to closing accounts for storing and/or sharing illegal content, or for repeated copyright infringement, we administratively disabled accounts for other harmful conduct that are breaches of our Terms of Service.
In the twelve months ending 31 December 2025, 3,071 accounts were disabled in this ‘other’ category.
Appeals
We process reports of illegal content in good faith based on information provided to us. Occasionally, these reports may be inaccurate, which can result in wrongful disabling of access to content or the suspension of user accounts.
While users have always been entitled to contact us to challenge the suspension or termination of their account, in early 2024 we implemented a formal appeal process, allowing users to submit a form at mega.io/appeal. As can be seen, this has contributed to an increased number of appeals against account termination or suspension.
Appeals against account closure for holding alleged illegal material may be referred to the relevant authorities for adjudication of the content. The account may be reinstated if the content is determined not to be illegal.
The number of appeals has increased in line with the rise in accounts suspended due to the CSAM Hash Tracing Project mentioned in the Illegal content section. Overall, very few accounts have been reinstated following an appeal.
Response to International Law Enforcement Agencies
MEGA is ‘The Privacy Company’ and values the privacy of its users. We are committed to maintaining industry-leading levels of security for, and confidentiality of, user data and information. In considering any request for access to such data or information, MEGA starts from the position that user data and information is private and should always be protected to the greatest extent possible.
However, privacy and protection of user information and data are not absolute rights and are subject to some limitations, such as in cases of illegal activity.
The basis on which MEGA may, in extremely limited situations, disclose user information and data is set out in MEGA’s Takedown Guidance Policy.
Unless an Emergency Response (as defined below) is required, or disclosure is necessary in relation to an investigation involving CSAM or terrorism, MEGA will generally only provide user data or information when required to do so by applicable law, or by a court or law enforcement authority with appropriate legal jurisdiction.
MEGA defines an Emergency Response as a situation where, in the expert judgement of a senior law enforcement officer or other authority acceptable to MEGA, disclosure is necessary to protect the vital interests of a natural person (Article 6(1)(d)) or for the performance of a task carried out in the public interest (Article 6(1)(e)) under the General Data Protection Regulation (GDPR), and where it is confirmed that the threat is of such urgency that there is insufficient time to obtain a production order or other court order.
If satisfied as to the above, MEGA may, at its discretion, accept the request in good faith.
When MEGA accepts a request, MEGA may provide advance notice to the affected user unless prohibited by a court order or where MEGA determines that providing notice is not appropriate.
Although all files stored on MEGA are encrypted prior to being uploaded to our system, and we therefore cannot access that content unless we are provided with the decryption key, MEGA does have access to user registration information and the IP addresses used to access our services.
MEGA may provide Basic Subscriber Information (BSI) to law enforcement agencies in jurisdictions with established legal systems and appropriate legal safeguards, in cases involving serious illegality and where consistent with the applicable EU legal framework.
The chart below shows the number of law enforcement requests for Basic Subscriber Information that have been processed.[10]
Metadata provided by MEGA has resulted in a significant number of arrests and prosecutions of Child Sexual Exploitation and Abuse perpetrators, as well as the rescue of children at risk of imminent harm.
MEGA treats law enforcement requests for subscriber account information as a priority, which is reflected in our response times. Reports from the public about illegal content being shared are actioned with similar urgency.
| Year | Quarter | Average Response Time (Hours) | Median Response Time (Hours) |
|---|---|---|---|
| 2024 | Q1 | 0.72 | 0.32 |
| Q2 | 0.63 | 0.30 | |
| Q3 | 0.66 | 0.33 | |
| Q4 | 0.58 | 0.30 | |
| 2025 | Q1 | 0.58 | 0.29 |
| Q2 | 0.96 | 0.41 | |
| Q3 | 0.93 | 0.41 | |
| Q4 | 0.72 | 0.38 |
Some requests from law enforcement agencies are more complex than usual, which results in the average being higher than the median.
Legal orders
Since May 2025 MEGA operates from Hungary (MEGA Privacy LLC) and is therefore subject to Hungarian and applicable European Union law. Subpoenas or search warrants issued by non-EU countries are not directly enforceable and must be submitted through the appropriate Mutual Legal Assistance Treaty (MLAT) channels. Requests from EU member states may be processed under intra-EU legal cooperation frameworks, such as the European Investigation Order (EIO), where applicable.
During the twelve months ended 31 December 2025, MEGA received one formal legal order from Hungary or EU member states. Prior to the company restructure, we also received and processed one formal legal order from New Zealand authorities and subsequently disclosed account metadata in response to that order. The accounts identified in the order were alleged to be involved in serious criminal activity in New Zealand or abroad.
There were also five orders from foreign agencies, processed by New Zealand Police under the Mutual Assistance in Criminal Matters Act 1992, to disclose information relating to hacking, fraud, money laundering and child sexual exploitation offences.
| Originating Country | Alleged criminality | Number of Orders/Warrants | Outcome |
|---|---|---|---|
| New Zealand | CSAM | 1 | Metadata Supplied |
| Netherlands | Hacking | 1 | Metadata Supplied |
| Netherlands | Fraud | 1 | Metadata Supplied |
| Switzerland | Money Laundering | 1 | Metadata Supplied |
| Germany | Fraud | 1 | Metadata Supplied |
| Czech Republic | CSAM | 1 | Metadata Supplied |
In addition, some law enforcement agencies supplied subpoenas and search warrants produced by their local courts, apparently generated to provide local authority for the agency to obtain information. We advise such agencies that MEGA is not subject to their domestic laws or domestic court orders. However, in cases of serious criminality, including child sexual exploitation and abuse allegations, MEGA may supply metadata without a warrant, as specified in its Takedown Guidance Policy.
Other requests for personal information
During the twelve months ending 31 December 2025, MEGA received 31 requests for subscriber information from private individuals or companies. All were declined by MEGA, to preserve user privacy, as they did not meet the necessary requirements set out in MEGA’s Takedown Guidance Policy.
GDPR / Data Protection
Users can securely download personal data through an automated, self-service process. Download numbers were high in the first two quarters of 2022 and have remained relatively stable since then.
Personal Data is retained while the user’s account is active. After account closure, MEGA retains all account information as long as any law enforcement requests are pending. Otherwise, data is retained for twelve months after account closure, as users may request that an account be re-activated.
After 12 months, identifying information, such as email and IP addresses, is anonymised, except where email address records are retained for reference by the user’s contacts or where the user has participated in chats with other MEGA users. Other related database records may still be retained, including records of financial transactions where MEGA is legally required to retain such information.
When a user deletes a file from the Rubbish bin, that file becomes inaccessible, is marked for deletion and is permanently removed from the MEGA system during the next scheduled file deletion process. After account closure, all stored files are similarly marked for deletion and permanently removed during the next scheduled file deletion process.
Definition of terms
MEGA uses the term Child Sexual Abuse Material (CSAM) to refer to photos, videos and documents relating to sexually explicit images of, or conduct of or with a child, consistent with the ECPAT 2016 Luxembourg Guidelines.[11] This is broadly equivalent to terms used by other platforms, such as Child Sexual Exploitation and Abuse (CSEA) and Child Sexual Exploitation and Abuse Imagery (CSEAI).
Law Enforcement Agencies (LEA) include police and other relevant investigation and prosecution agencies.
Suspension means closing a user’s account permanently, unless reinstated by a successful appeal.
References
[1] https://mega.io/SecurityWhitepaper.pdf
[2] https://mega.io/sourcecode
[3] www.dia.govt.nz/Voluntary-Principles-to-Counter-Online-Child-Sexual-Exploitation-and-Abuse
[4] MEGA Terms of Service https://mega.io/terms and https://mega.io/takedown
[5] See https://ecpat.org/luxembourg-guidelines/
[6] https://mega.io/copyrightnotice
[7] MEGA cannot review the contents of reported files because they are encrypted by users unless the relevant decryption key has been publicly shared. In addition, the copyright status of a file cannot generally be determined by MEGA without information from the relevant rights holder.
[8] Due to a technical error, the account suspension system for repeated infringers was not fully operational during Q4 2024.
[9] Due to the same technical error, the account suspension system for repeated infringers was not operational during Q1 2025. The issue was identified and resolved in early April 2025.
[10] Starting from Q3 2024, the Organised Crime category has been discontinued following centralisation of request handling. Figures from this point onward reflect this change.
