Multiple WA state government sites apparently hosted links to AI sex content
At least three Washington government sites with “wa.gov” in their web address appear to have inadvertently hosted links promoting artificial intelligence sex apps, explicit AI chatbots and AI-generated nude images.
The breach has affected the Washington Department of Fish and Wildlife (WDFW) and Washington Department of Veterans Affairs (WDVA), as well as the Washington Fire Commissioners Association (WFCA) government organization.
As of Nov. 28, PDFs appearing under engage.wdfw.wa.gov featured titles including “AI SEX Best SEX AI APP in 2025.” On Dec. 1, one proclaiming “AI Nudes Free, No Sign-Up Needed! 2025” was tied to wfca.wa.gov.
Some links that hosted PDFs plugging “not safe for work AI” are now inactive but still show up on the Google search engine.
.png "Screenshot (884).png")
McClatchy contacted WDFW, WDVA and WFCA seeking comment.
The fish and wildlife department replied Dec. 1 that the agency is “aware of this issue and is actively working with our partners at WaTech to address.” On Dec. 3, a WaTech spokesperson told McClatchy that the affected agencies are the best sources of information on the matter.
WDVA said it had taken prompt steps to fix the problem and that the inappropriate links are no longer on its website. WFCA did not immediately respond to McClatchy’s request for comment.
The issue has also affected government sites in other states.
In Kansas, AI adult-related content has been hosted on the state attorney general’s website, NPR-affiliate KCUR reported Nov. 25. Documents detailing where to track down websites and applications to create AI-fabricated nude images recently cropped up in Nevada via the web address of the state Department of Transportation, according to 8 News Now in Las Vegas.
How did it happen?
WDVA’s site includes a way for members of the community to directly upload details about events to a calendar, Heidi Audette, the state VA’s communications and legislative director, said in an email. Staff then review the uploads prior to online publication.
A feature intended to let organizers share event flyers — one that created a temporary link not visible to site visitors but discoverable on search engines — was exploited Nov. 25, she said. Bad actors uploaded links steering users toward inappropriate and unrelated content.
When the agency learned of this the next morning, officials immediately began scrubbing the files, per Audette. WaTech quickly nixed the ability to add calendar items and expanded security on the website. The “10 IP addresses that were used to upload this inappropriate content have also been blocked,” she said.
Looking ahead, event information will be able to be shared on the community calendar, but site visitors won’t be able to upload flyers, she said. Staff will continue reviewing calendar info ahead of posting, too.
The department is looking for pathways to introduce more security measures alongside WaTech and continues to monitor its sites, Audette added. Its website is public-facing and doesn’t hold private health or personal information.
“No personal data was compromised,” she said.
How did officials learn of the issue?
Audette said that WDVA had received emails about the problem but that they weren’t seen until “after the incident’s response began.” The webmaster registered abnormal web activity and dove in to explore it when their morning started Nov. 26.
As for WDFW, a spokesperson replied that the agency “received the tip through an internal notification from WaTech.”
McClatchy first learned about the problem when a man in Arizona, Brian Penny, reached out with screenshots as part of his weeks-long push to notify reporters across the country. The citizen researcher and freelance journalist said he stumbled across the issue while researching AI sites.
“All I’m doing is Googling ‘AI sex app’ on government sites, and it is sending government agencies across the country just scrambling,” Penny said in a Nov. 28 call.
Penny marveled that he’s somehow found himself in the middle of a bizarre multi-state phenomenon. He estimates that the issue has affected roughly three dozen governments spanning 18 or so states, as well as jurisdictions outside the U.S.
“I should not be the one having to notify everybody. Like who’s in charge of everything?” Penny said, asking rhetorically why he — a self-described pothead who’d just woken up from a nap — was spending his Black Friday “having to try to figure out the cyber-security defense for the entire United States?”
Some state departments are also getting ensnared by phishing scams. Fraudulent messages coming from trusted government email addresses may trick people into clicking on a malicious link or giving out personal information.
In May, TechCrunch reported that fake emails about unpaid tolls were sent to Indiana residents, purportedly from a state government department.
Washington’s veterans affairs department sent out an email last week saying it had learned that some veteran-owned businesses were receiving fraudulent emails claiming to be from the WDVA. However, the agency told McClatchy on Monday that this appeared to be unrelated to the website problem.
Dawna Nolan, a Washington veteran, told McClatchy she was “flabbergasted” after seeing social media posts from Penny about the scope of the AI-government site trouble. She contacted WDVA upon learning of its apparent breach.
Nolan said in a Friday call that for the first time in more than 30 years of history with the VA, she worried that her most private information, such as details about her health care, could have been exposed. (WDVA said that no personal data was made vulnerable.)
Online privacy issues and AI aren’t going away any time soon, Nolan said.
“If people don’t get ahead of it, then I think it’s probably beyond most people’s imaginations to think about what some of the consequences of that sort of thing could be,” Nolan said.
This story was originally published December 4, 2025 at 5:30 AM.
.jpg)