Child sexual exploitation is one of the most ghastly cybercrimes. Users share online images (or videos) of children engaged in sexual activities to which they cannot give informed consent.
Dark Web Sites, Forums, and Messaging Apps are some channels through which predators trade Child Sexual Abuse Material (CSAM). But digging into some of these services, monetisation is only a part of the problem.
Pleasure Place, a cyber investigation
Summary of contents
Child sexual exploitation on the internet
The Global Threat Assessment 2021 report by the We Protect Global Alliance organisation, focused on protecting children, stated that “child sexual exploitation is an under-reported crime.” Despite that, the previous years’ data showed a peak in these cyber offences.
The document listed several reasons:
- The rapidly increasing internet penetration means that more children are receiving regular access to the internet at younger ages;
- A more significant percentage of children have access to individual or peers’ smartphones more frequently, using a more comprehensive range of platforms;
- COVID-19 has forced children to spend more time online and left people everywhere feeling more isolated;
- Digital platforms became a way for children to explore sexuality with their peers, allowing new forms of abuse.
The offenders are often familiars or criminals luring children online via social media and private messaging services.
However, not all perpetrators have the same responsibilities. According to the We Protect Global Alliance 2019 report, “in law, distinctions are usually drawn between:
- those who collect CSAM for personal collections and those who actively acquire or share it;
- those who conduct ‘in-person’ contact abuse and those whose acts of child abuse are perpetrated exclusively online”.
Nevertheless, the impact on the victims is not less painful. Interpol Secretary General Jürgen Stock said in 2017, following the identification of 10,000 child sexual abuse victims: “The scale of this crime is shocking, made worse by the fact that these images can be shared online globally at the touch of a button and can exist forever. Each time an image or video clip is shared or viewed, the child is being re-victimised”.
The Dark Web
According to data provided by Bitfury Group’s Crystal Blockchain analytics crypto firm, between 2017 and 2020, the activity on the dark web increased by around 300%.
The growth is reflected in child sexual exploitation. According to Europol, the number of messages in a dark web forum section for ‘cappers’ (offenders capturing footage of child sexual abuse or using innocuous imagery of children for sexual purposes) more than tripled between December 2019 and February 2020.
A quick Dark Web Search Engine query regarding Child Pornography returns dozens of results. Among them are websites, portals and forums. Each one of them promised the best service at a “worth” price, usually payable with cryptocurrency.
LoveCp portal (the name is in the URL) is a collection of more than ten forums and sites with “child porn”. The total number of registered users (on the portal counter as of the 19th of October) is 3,288,984. Some sections of the forums are named “Young Teens” and “Babies and Toddlers”.
The price for one access to the forums is 200 $. “Ask Why? Because we have no deception and scams. We have sold access to the forums for more than 20 bitcoins“, the managers inform on the homepage. “A good product can never be cheap”, they explain; if a bunch of videos and photos “are offered for 30 $, then these are scammers”.
To gain a password, you should contact the email address: firstname.lastname@example.org, where dnmx.org is an anonymous email service (these services are popular among cybercriminals).
You can find special offers, even at lower prices. LolitaEum portal advertised CSAM content expanded with virtual reality (VR) in a simulated 3D environment.
In 2021, the Australian e-Safety Commissioner warned about the potential use of VR as a “tool for online child sexual abuse”: “The addition of haptics, particularly teledildonics [sex toys controlled via the Internet], would allow predators also to ‘feel’ and be felt by victims even if they don’t have physical contact with them, intensifying the abuse”.
LolitaEum sells accesses with distinct subscriptions: “One day: One week; One month; One year; Or you can buy the archive, which will be collected for your taste”. One-day entry costs 30 $, payable through Cryptonator, an online Bitcoin wallet service which supports multiple cryptocurrencies, “combining usability with high-level privacy, anonymity and security”. The LolitaEum crypto address is not plainly shown on the homepage.
Yet, another website gives more clues. Pleasure Place pledges “the best porn on the dark net” with the “youngest and hottest models”. One year of unlimited access costs 0,0008 BTC, currently 16 $ worth. The bitcoin address to which send the amount is indicated on the webpage.
Pleasure Place, a Bitcoin address
Communication on the Pleasure Place page invites the user to send the charge to the bitcoin address: 12vhr3HeoeU6AJtHYiB3uhG3VKiatjKuAh. Then, through an identification number, the sender can access the CSAM after a confirmation.
Blockchain Explorer, the transactions
All transfers from and to this address are recorded in a public blockchain, a shared and immutable ledger. Blockchain Explorer is a valuable tool for analysing the trades between crypto wallets. When searching for a bitcoin address, the service returns all the activities over it.
As of the 26th of October, this address (12vhr3HeoeU6AJtHYiB3uhG3VKiatjKuAh) has engaged in 41 transactions since the 8th of June. The total Received amount is 0.01849096 BTC (worth about 375 $), the total sent is 0.01640791 BTC (worth about 333 $), and the final balance is 0.00208305 BTC (worth about 40 $).
Almost all the incoming transactions are equal to 0,0008 BTC, the price for the Pleasure Place access. When receiving the sum, the wallet owner immediately transfers it to other wallets, from where the amount is split into different separate bitcoin addresses (following a typical pattern in crypto money laundering).
The Binance address
We can see returning wallets looking at the addresses that sent money to the Pleasure Place. The address bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h paid 0,0008 BTC three times: on the 14th of July, the 18th of August, and the 14th of October. However, they are all transactions where the single movement is merged with other transfers. Indeed, this address has transacted 521,470 times on the Bitcoin blockchain because it relates to the Binance service exchange, used by multiple investors.
Other illegal activities
Another sending address is interesting: bc1qe0jf00lghg6e2554dv4f9fy53e97psas03dxgn. On the 19th of June, it forwarded 0,0008 BTC to the Pleasure Place wallet. We can wonder about its connections.
Bgraph, a cluster
Bgraph is a tool provided by Blin Agency. When you insert a bitcoin transaction identification string, it shows you a graph with all its relations in the blockchain. It creates a visualisation in real-time and is currently available for free.
Looking at the path of outcoming bitcoin from this last address (bc1qe0jf00lghg6e2554dv4f9fy53e97psas03dxgn), we can see the amount is split into two destinations: the first is the Pleasure Place wallet, and the other is the address 1P5MGMyofh9wJPjdhJkZJ6zovoocvbwp85.
But after the bifurcation, the sums joined again in a common address: 1Gs7Aztizk2rNNSE6AbpK4K7yAFTCZKV9a. The user who sent the money to Pleasure Place forwarded another amount to a wallet that is a recipient of bitcoin from the same Pleasure Place.
The common destination
Furthermore, this address 1Gs7Aztizk2rNNSE6AbpK4K7yAFTCZKV9a appeared in a 2021 order from a District Court of Ohio regarding a sex offender. It reportedly linked to a website advertising “access to 10 + terabytes of child porn private site.”
The Court described the process for accessing this CSAM resource: “users of the website were expected to send payment in the form of BTC to the provided address [1Gs7Aztizk2rNNSE6AbpK4K7yAFTCZKV9a] before getting access to a larger collection”. The order mentioned an email address: “The website asked for users to send the transaction id associated with the payment to the email address email@example.com” to receive the admittance.
Surprisingly (or maybe not), this email is still visible on the Dark Web in an old advertisement. It is related to a known name: Love-CP (here with a dash).
AMLBot, the intermediate address
We can also investigate the middle address 1P5MGMyofh9wJPjdhJkZJ6zovoocvbwp85. AMLBot is a tool which screens crypto transactions to determine the risk score of any wallet to avoid problems with regulatory authorities related to money laundering.
Querying a crypto address, AMLBot returns a report (based on known blockchain services) with an overall score and, in addition, distinct detailed parameters with a percentage for each one. The parameters are groups with different levels of risk of illegal activity. The results show the connections of the checked address to these groups as a percentage. The percentage goes from 0 % to 100 %, where the lower is, the safer, and the higher is, the riskier.
Although the score for this address (as of the 18th of October) is 22,1 % (not high), some bad indicators exist. Besides the parameter “Child Exploitation” (Entities associated with child exploitation), which scored 1,8 %, the report lists other groups.
- “Stolen Coins” (Coins obtained by hijacking someone else’s cryptocurrency) scored 0,3 %;
- “Gambling” (Coins associated with unlicensed online gaming) 1,7 %;
- “Sanctions” (links to Sanctioned Entities) 2,4 %;
- the general label “Dark Market” (Coins related to illegal activities) received a punctuation of 1,9 %. The website of AMLBot advises the presence of Dark Market, Dark Services, and Illegal Service parameters in a report is a bad sign.
CSAM is only one of many focuses for this cluster.
The Bitcoin Whale
Moreover, another wallet sending money to Pleasure Place seems suspicious: bc1qmkrrsmjx5eswtgdqdnu2y3kdj4h9k9uchmtq0e. This address relates to only two transactions with multiple destinations: one incoming of 34.61207640 BTC (worth about 660,000 $) dated the 6th of July and one outcoming with the same amount.
This high sum comes from a Bitcoin “Whale”, an investor or a group of investors who own $10 million or more in BTC. Indeed, on the 6th of July, the address 199webiJv7fyNgrq19rKU3xUwnVb8Caf84 sent $71,638,282 worth of Bitcoin (3492.43972804 BTC) off the crypto platform Coinbase. 0,0008 BTC of them reached PleasurePlace through bc1qmkrrsmjx5eswtgdqdnu2y3kdj4h9k9uchmtq0e.
Demand and supply sides
Despite the number of CSAM websites on the Dark Web, most of these contents are accessed through surface web, private messaging apps, or peer-to-peer (P2P) sharing networks. Each channel can implement a privacy-enhanced measure, making it difficult to identify suspicious communications. A VPN for surfing the web and encryption for messaging apps or P2P protocols are usually enough.
Detecting private communications exchanging CSAM is also problematic if the material is previously recorded on a database of illegal contents. Focusing on supply rather than demand seems the most viable solution for addressing this cybercrime.
Pornhub and Stop It Now!
Nevertheless, several entities have acted on the demand side. In February 2021, the Lucy Faithfull Foundation, a UK charity working to prevent child abuse, launched a collaboration with Mindegeek, the owner of the Pornhub adult pornography website. Pronhub began showing dissuading texts when users searched for sexual videos featuring children.
They also included the possibility to request the ‘Stop It Now! Get Help‘, a self-directed online service addressing people concerned about their online sexual behaviour. Between February and early May 2021, the deterrence messages brought more than 35,000 users worldwide to solicit this help.
Last March, Pornhub also launched the “ReThink” chatbot: it engages users that try to view children’s sexual images in a conversation and signpost them to “Stop It Now!”
Pedo Support Community
According to the We Protect Global Alliance 2021 Report, “1% of the global male population is affected by paedophilia (sexual attraction to prepubescent children)”. On the Dark Web, you can find forums aiding these people.
The Pedo Support Community (PSC) is one of them. “This community is designed and actively managed, to provide a special place that caters for those of us who love children and would never knowingly do anything to hurt them. As such, discussions focused on causing harm to the children we love, are not welcome here”.
In 2021, a user published a post on PSC regarding the German police takedown of a child pornography website, fearing possible consequences for visitors. The Staff reassured the members: “They did not capture every person who even visited the site. Nor is it likely they took down the lurkers [people who passively participate]“.
Then, the Staff pointed out: “That being said, it is always good to remain vigilant. Avoiding CP [Child Pornography] sites in general is good practice. Nothing good can come of it, even if you are never caught”.