diff --git a/src/models/index.js b/src/models/index.js
index 173b677..a5b19e9 100644
--- a/src/models/index.js
+++ b/src/models/index.js
@@ -143,8 +143,11 @@ const Users = {
 },
 deleteUser(userId) {
- db.prepare('UPDATE users SET display_name = ?, password_hash = ?, is_admin = 0, is_organizer = 0 WHERE id = ?')
- .run('[deleted]', '', userId);
+ // get username from userId before scrambling
+ const user = this.findById(userId);
+ const scrambled = `_deleted_${user.username}_${Date.now()}`;
+ db.prepare('UPDATE users SET username = ?, display_name = ?, password_hash = ?, is_admin = 0, is_organizer = 0 WHERE id = ?')
+ .run(scrambled, '[deleted]', '', userId);
 db.prepare('UPDATE password_reset_tokens SET used = 1 WHERE user_id = ?').run(userId);
 db.prepare("DELETE FROM sessions WHERE sess LIKE ?").run('%"userId":' + userId + '%');
 }
diff --git a/src/routes/admin.js b/src/routes/admin.js
index 66de432..dcb7d8d 100644
--- a/src/routes/admin.js
+++ b/src/routes/admin.js
@@ -186,7 +186,7 @@ router.post('/users/:id/delete', requireAdmin, (req, res) => {
 }
 Users.deleteUser(userId);
- req.session.flash = { type: 'success', message: `Account "${user.username}" has been deleted.` };
+ req.session.flash = { type: 'success', message: `Account "${user.display_name || user.username}" has been deleted.` };
 res.redirect('/admin');
 });
diff --git a/src/routes/hunts.js b/src/routes/hunts.js
index c28f179..62bca30 100644
--- a/src/routes/hunts.js
+++ b/src/routes/hunts.js
@@ -167,8 +167,9 @@ router.post('/player/:username/delete', requireAuth, (req, res) => {
 }
 Users.deleteUser(user.id);
- req.session.destroy();
- res.redirect('/');
+ req.session.destroy(() => {
+ res.redirect('/');
+ });
 });
 // ─── Browse all hunts ─────────────────────────────────────
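Review bot: In `deleteUser` (src/models/index.js) the new code reads `user.username` without checking that `this.findById(userId)` returned a row, so an unknown or already-removed id now throws before the password-reset tokens and sessions are invalidated, where the old UPDATE was a harmless no-op; a guard such as `if (!user) return;` directly after the lookup keeps the method safe to call twice. The lookup, the UPDATE, the token invalidation and the session purge run as separate statements, so a failure part-way can leave an account marked deleted while its sessions are still in the store; if the `db` handle offers a transaction wrapper, this is a good place for it. Separately, and unchanged by this commit, the pattern `'%"userId":' + userId + '%'` also matches longer ids with the same prefix (id 1 matches `"userId":12`), so deleting one account can log out unrelated users; anchoring the pattern on the character that follows the id in the serialized session would avoid that, once the serialization format is confirmed.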
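Review bot: The flash message in src/routes/admin.js now interpolates `user.display_name`, which is typically a freer-form, user-chosen field than `username`, so whatever renders `req.session.flash` in the admin view has to HTML-escape it; the rendering is outside this hunk and needs confirming. A short comment on the line, e.g. `// display_name is user-controlled: the flash must be rendered escaped`, would record that assumption for the next reader. `user` is assigned above the hunk, so it presumably still holds the pre-deletion values at this point.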
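Review bot: The callback passed to `req.session.destroy` in src/routes/hunts.js ignores its error argument, so a failed store removal redirects as if the logout had succeeded and leaves nothing in the logs. Assuming an express-session-style API, taking the argument and logging it, `req.session.destroy((err) => {` followed by `if (err) console.error('session destroy failed', err);`, keeps the redirect while making the failure visible. Because the account has just been deleted, it would also be worth clearing the session cookie in the same callback; the cookie name is configured outside this hunk. The handler begins above the hunk, so the check that `:username` belongs to the logged-in user cannot be reviewed from here.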