U.S., South Korea follow crypto trails, take down largest darknet child exploitation site, arresting hundreds in global sweep, saving nearly two-dozen victims
An international task force spearheaded by U.S. and Korean investigators, working with a company that tracks crypto transactions, have broken up one of the world’s largest darknet marketplaces for child exploitative materials, arresting nearly 340 site users in a coordinated global sweep – in the process saving dozens of victims.
The U.S. Department of Justice (DOJ) detailed the bust Wednesday in an unsealed indictment against Jong Woo Son, 23, who prosecutors say operated a hidden Darknet market, using Bitcoin in a bid to ensure anonymity, while distributing more than 1 million sexually explicit videos involving children.
Regional authorities have already convicted Son, a South Korean national, and he is serving 18 months in prison.
Investigators have also arrested and charged site users in some 24 states – including California, Florida, New York, Texas and Washington, D.C. – as well as individuals in the United Kingdom, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia.
“Darknet sites that profit from the sexual exploitation of children are among the most vile and reprehensible forms of criminal behavior,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “This Administration will not allow child predators to use lawless online spaces as a shield.”
According to the indictment, on March 5, 2018, agents from the IRS-CI, HSI, National Crime Agency in the United Kingdom, and Korean National Police in South Korea arrested Son and seized the server that he used to operate a Darknet market that exclusively advertised child sexual exploitation videos available for download by members of the site.
The operation resulted in the seizure of approximately eight terabytes of child sexual exploitation videos, which is one of the largest seizures of its kind.
The images, which are currently being analyzed by the National Center for Missing and Exploited Children (NCMEC), contained over 250,000 unique videos, and 45 percent of the videos currently analyzed contain new images that have not been previously known to exist.
Welcome To Video offered these videos for sale using the cryptocurrency bitcoin. Typically, sites of this kind give users a forum to trade in these depictions.
This Darknet website is among the first of its kind to monetize child exploitation videos using bitcoin.
In fact, the site itself boasted over one million downloads of child exploitation videos by users. Each user received a unique bitcoin address when the user created an account on the website.
An analysis of the server revealed that the website had more than one million bitcoin addresses, signifying that the website had capacity for at least one million users.
Key private sector entities also played a vital role in the investigation.
Commenting on the investigation itself, IRS-Criminal Investigations Chief Don Fort mentioned the importance of the sophisticated tracing of bitcoin transactions in order to identify the administrator of the website, an effort bolstered by crypto analytics firm, Chainalysis.
The firm’s products provided assistance in this area, helping investigators analyze the website’s cryptocurrency transactions that ultimately led to the arrests, according to a company statement, with one top company official calling the collaboration his “proudest moment.”
Welcome to Video (WTV) was a child pornography website that operated out of South Korea and allowed users to buy content with Bitcoin or to upload their own. Upon signing up for the site, users received a unique Bitcoin address where they could send funds to buy content to view.
Between 2015 and 2018, the site received nearly $353,000 worth of Bitcoin across thousands of individual transactions.
Welcome to Video had a global customer and contributor base requiring cross-border collaboration among law enforcement agencies across the world. IRS-Criminal Investigations (IRS-CI), Homeland Security Investigations (HSI), and other agencies used Chainalysis software to analyze blockchain transactions and map out contributors and users of the site.
This enabled them to disseminate the blockchain evidence to their partners in the United Kingdom, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia, and ultimately make arrests.
With the site’s listed Bitcoin address, IRS-CI and HSI used Chainalysis Reactor, an investigations product, to analyze transactional activity and build a graph showing the flow of funds in and out of the WTV address.
The agencies have shared data from the seized server with law enforcement around the world to assist in identifying and prosecuting customers of the site. This has resulted in leads sent to 38 countries and yielded arrests of 337 subjects around the world.
The operation has resulted in searches of residences and businesses of approximately 92 individuals in the United States.
Notably, the operation is responsible for the rescue of at least 23 minor victims residing in the United States, Spain and the United Kingdom, who were being actively abused by the users of the site.
In the Washington, D.C.-metropolitan area, the operation has led to the execution of five search warrants and eight arrests of individuals who both conspired with the administrator of the site and were themselves, users of the website.
Two users of the Darknet market committed suicide subsequent to the execution of search warrants, (via DOJ).
Monroe’s Musings: This is a powerful example of the incredible good that can come with public and private sector groups work together, share information and use that knowledge and expertise to take down a horrific group that thought itself anonymous and above the law.