diff --git a/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex b/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
index ed421d93e..3a6eae3f2 100644
--- a/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
@@ -37,7 +37,16 @@ defp load_or_create_pack() do
 defp add_emoji(shortcode, extension, filedata) do
 {:ok, pack} = load_or_create_pack()
- filename = shortcode <> "." <> extension
+ # Make final path infeasible to predict to thwart certain kinds of attacks
+ # (48 bits is slighty more than 8 base62 chars, thus 9 chars)
+ salt =
+ :crypto.strong_rand_bytes(6)
+ |> :crypto.bytes_to_integer()
+ |> Base62.encode()
+ |> String.pad_leading(9, "0")
+
+ filename = shortcode <> "-" <> salt <> "." <> extension
+
 Pack.add_file(pack, shortcode, filename, filedata)
 end
@@ -71,7 +80,7 @@ defp steal_emoji(%{} = response, {shortcode, extension}) do
 e ->
 Logger.warning(
- "MRF.StealEmojiPolicy: Failed to add #{shortcode}.#{extension}: #{inspect(e)}"
+ "MRF.StealEmojiPolicy: Failed to add #{shortcode} as #{extension}: #{inspect(e)}"
 )
 nil
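Review bot: The salt removes predictability, but `filename = shortcode <> "-" <> salt <> "." <> extension` still builds the on-disk name from the remote-supplied `shortcode` and `extension`, and nothing inside `add_emoji` constrains their characters; unless they are already validated earlier in `steal_emoji` (outside this hunk), a value containing `/` or `..` would still decide where `Pack.add_file` writes. A local guard such as `true = String.match?(shortcode, ~r/^[\w-]+$/)` and `true = String.match?(extension, ~r/^[A-Za-z0-9]+$/)` would make the function safe on its own, and a raise here is already caught by the `e ->` clause in `steal_emoji` (second hunk) and logged, so it fails closed rather than crashing the policy. The comment should also name the property the salt provides rather than "certain kinds of attacks", e.g. `# Random suffix so a remote server can neither choose nor predict the on-disk path`, and `slighty` is a typo. The width is right: 2^48 < 62^9, so `Base62.encode/1` never yields more than 9 characters and `String.pad_leading(9, "0")` only fills shorter values.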