How Investigators Busted a Huge Online Child-Porn Site by Following the Bitcoin
27 Nov 2019

The call came in while two criminal investigators for the Internal Revenue Service sat at a Bangkok airport gate in July 2017, waiting for a flight.

A confidential source they knew from past investigations was offering a tip that a new website was selling child pornography in exchange for bitcoin. The website, the source said, appeared to have popped up in the wake of shutdowns of other dark-web marketplaces for illicit goods.

Investigator Chris Janczewski and his colleague, Tigran Gambaryan, who had been involved in previous probes involving bitcoin transactions, decided to dig into the possible financial ramifications of the matter despite the fact that child pornography was outside the IRS’s usual bailiwick. But they quickly hit a logistical roadblock: Their office, like many others, blocked access to pornographic websites.

“This is uncharted territory for the IRS,” Mr. Janczewski said in an interview. “What do I do? Is there a special room that I am supposed to go into if I want to look at the website?” They turned for help to Department of Homeland Security investigators, since the agency had a history of dealing with child exploitation.

Within eight months the duo, along with the DHS agents and counterparts in the U.K. and South Korea, had traced the financial trail of the largest online marketplace for child pornography they had ever encountered, comprising some 250,000 different videos.

The story behind the takedown of the website Welcome to Video involved getting a lucky break with the right-click of a mouse, stumbling upon a selfie of someone holding a passport, and following electronic breadcrumbs left by bitcoin transactions.

The probe required “a new and different model than typical child-pornography cases,” said Washington-based Assistant U.S. Attorney Zia Faruqui, a prosecutor on the case. Instead of starting off with a tip about one person or a forensic exam of a single device, Mr. Faruqui said, the investigators were able to target the website, which led them to hundreds of clients and allowed them to identify even those who had downloaded videos and later deleted them from their computers.

As digital-currency movements have become a larger feature in international investigations involving everything from the purchase of illicit drugs to terrorism, IRS criminal investigators have broadened their financial expertise to tracing such transactions. The agency was involved, for example, in the 2017 takedown of the dark-net market AlphaBay, which involved the cooperation of law-enforcement agencies in more than seven countries.

This account of the probe was provided by Messrs. Janczewski and Gambaryan and the prosecutors involved in the case. Officials from the Justice Department, the IRS and Homeland Security jointly announced an indictment in the case last month, citing the involvement of Britain’s National Crime Agency and the Korean National Police in the investigation.

While the location of the website’s server was hidden via the open-source Tor anonymization service, which allows users to conceal their identities online, Messrs. Janczewski and Gambaryan discovered a possible defect in the encryption.

When they right-clicked on the images of videos on the site, they found they could examine the source code and see that the thumbnail images appeared to be coming from an internet address in South Korea. That, Mr. Janczewski said, “is not supposed to happen using Tor.”

Meanwhile, the IRS investigators learned from their initial tipster that the U.K.’s National Crime Agency was also investigating the Welcome to Video site.

In addition, the confidential source gave them multiple bitcoin addresses and said they were associated with the website. To confirm that connection, DHS agents created Welcome to Video accounts and transferred bitcoin to those addresses. They analyzed the blockchain ledgers of those bitcoin transactions and found the funds had in fact gone to addresses grouped with the ones they had been provided.

Around that time, investigators divided their probe, with one strand focused on the website’s operators and the other on its users.

Investigators subpoenaed the bitcoin exchanges that had facilitated transactions sending funds to the addresses and secured records about who opened those digital-currency accounts.

Law-enforcement officials copied the contents of one alleged Welcome to Video user’s laptop and cellphone confiscated at the Detroit airport when he returned to the U.S. from the Philippines in October 2017, after determining he owned a bitcoin wallet that had made payments to the site, according to affidavits unsealed in Washington this month.

The website’s operator appeared to be sending funds to multiple Korean bitcoin exchanges and one U.S. exchange, according to the IRS agents and a prosecutor. Records filed by the operator upon opening his account at the U.S. exchange included a selfie of a person holding a Korean passport, the agents said.

By Aruna Viswanatha, The Wall Street Journal, 26 November 2019
