How a Bitcoin Trail Led to a Massive Dark Web Child-Porn Site Takedown

Credit to Author: Lily Hay Newman| Date: Wed, 16 Oct 2019 18:32:17 +0000

Federal investigators focused not on offensive hacking efforts or surveilling communications, but on the transactions using cryptocurrency.

The Department of Justice said today that it has taken down the massive dark web child-porn site Welcome to Video. The site generated and distributed exploitative content, and had infrastructure in place that could have supported up to a million users. In a press conference this morning, US attorney Jessie Liu called it "one of the worst forms of evil imaginable."

The site's operator, 23-year-old Jong Woo Son of South Korea, has already been charged and convicted by South Korean officials and is currently serving his sentence there. Wednesday's announcement unsealed a nine-count US indictment against Son by a federal grand jury in the District of Columbia. In addition to the site takedown and Son's indictment, officials around the world also arrested a total of 337 Welcome to Video users in 23 US states, Washington DC, and in 11 other countries. The initiative resulted in the rescue of at least 23 children being abused by site participants.

The takedown is notable also for the investigation that enabled it, which focused not on offensive hacking efforts or surveilling encrypted communications, but on tracing bitcoin transactions.

"In August 2017 an investigation began into the illicit transactions of virtual currency on the dark net. By following the funds on a blockchain it ultimately uncovered the severity of Welcome to Video, a Tor network-based child pornography site that accepted payment in bitcoin," deputy assistant attorney general Richard Downing said in the press conference. "The Department of Justice will not stand for exploitation of our nation’s children. Let today’s announcement send a message: If you were involved in these crimes we are coming for you."

Welcome to Video launched in June 2015 and operated until law enforcement shut it down in March 2018. The DoJ collaborated with South Korean and UK officials on the initiative along with other US law enforcement groups, including Internal Revenue Service Criminal Investigation and Homeland Security Investigations.

Officials seized 8 terabytes of child porn videos during the investigation and site takedown, which included more than 250,000 unique videos. Law enforcement officials and the National Center for Missing and Exploited Children are analyzing the footage to potentially identify more children and perpetrators of exploitation. Almost half of the videos seem to be previously unknown to officials.

Welcome to Video made money by charging fees in bitcoin, and gave each user a unique bitcoin wallet address when they created an account. Son operated the site as a Tor hidden service, a dark web site with a special address that helps mask the identity of the site's host and its location. But Son and others made mistakes that allowed law enforcement to track them. For example, according to the indictment, very basic assessments of the Welcome to Video website revealed two unconcealed IP addresses managed by a South Korean internet service provider and assigned to an account that provided service to Son's home address. When agents searched Son's residence, they found the server running Welcome to Video.

To "follow the money," as officials put it in Wednesday's press conference, law enforcement agents sent fairly small amounts of bitcoin—roughly equivalent at the time to $125 to $290—to the bitcoin wallets Welcome to Video listed for payments. Since the bitcoin blockchain leaves all transactions visible and verifiable, they could observe the currency in these wallets being transferred to another wallet. Law enforcement learned from a bitcoin exchange that the second wallet was registered to Son with his personal phone number and one of his personal email addresses.

The investigation extended beyond Son as well. Law enforcement agents worked with the blockchain analysis firm Chainalysis to map user transactions with Welcome to Video wallets and attempt to trace individuals who interacted with the site. Chainalysis says that during the three years it operated, Welcome to Video received almost $353,000 worth of bitcoin from thousands of transactions. By charting the web of Welcome to Video users' assigned wallets and the bitcoin wallets or exchanges they used, officials identified several US-based cryptocurrency exchanges that users had gone through to pay for their Welcome to Video viewing. US law requires cryptocurrency exchanges to collect customer information and verify their identities, meaning law enforcement can subpoena exchanges for these records.

Though the scope of the investigation is vast, agents don't seem to have used advanced digital forensic techniques to analyze the bitcoin blockchain or other investigative tools, like vulnerabilities in Tor, to carry out the investigation. Son and many Welcome to Video users were sloppy enough that investigators could connect them to their dark web activity with relative ease. And particularly, investigators gained insight into the platform's users when they seized Son's server. But given that the site had capacity for a million users and about 340 were arrested in connection with the investigation, there are likely scores of users whose identities remain hidden.

Similarly, the investigation does not seem to have hinged on access to Son or other users' digital communications other than emails. At the beginning of the month, the Department of Justice urged Facebook in a letter from US attorney general William Barr not to add end-to-end encryption to its Messenger service. In a "Lawful Access Summit" event, the department specifically cited child exploitation investigations as an area where access to digital communication platforms like Messenger is absolutely vital. While there's no doubt truth in that, Wednesday's massive crackdown indicates that it may not always be the case in practice.

"This appears to be an example of a high-level investigation with major impact that was not hindered by encrypted communications," says Andrew Crocker, a staff attorney at the nonprofit Electronic Frontier Foundation, a digital rights group. "In these sorts of investigations, law enforcement's challenge is usually identifying operators and users of a site, which is a different problem than accessing the contents of communications. In this case and others, the government has relied on various techniques to successfully identify site operators and seize the server, giving them a window into user activity. And no form of end-to-end encryption will prevent police from reading communications if they have access to one of the 'ends.'"

Regardless, the takedown of such an expansive, abusive site is a crucial step in combating heinous and inveterate child exploitation. And it seems that the information gathered during the Welcome to Video investigation may aid officials in tracking child abusers and pedophiles for years to come.

https://www.wired.com/category/security/feed/

Leave a Reply