Cryptocurrency: Myth of Anonymity, Darknet Busts

grarpamp grarpamp at gmail.com
Fri Apr 15 16:11:05 PDT 2022


https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/

Inside the Bitcoin Bust That Took Down the Web’s Biggest Child Abuse Site

They thought their payments were untraceable. They couldn’t have been
more wrong. The untold story of the case that shredded the myth of
Bitcoin’s anonymity.

Content Warning: The story told here includes references to suicide
and child abuse, though the abuse is not graphically described.

Early one fall morning in 2017, in a middle-class suburb on the
outskirts of Atlanta, Chris Janczewski stood alone inside the doorway
of a home he had not been invited to enter.

Moments earlier, armed Homeland Security Investigations agents in
ballistic vests had taken up positions around the tidy two-story brick
house, banged on the front door, and when a member of the family
living there opened it, swarmed inside. Janczewski, an Internal
Revenue Service criminal investigator, followed quietly behind. Now he
found himself in the entryway, in the eye of a storm of activity,
watching the agents search the premises and seize electronic devices.

This story is excerpted from the book Tracers in the Dark: The Global
Hunt for the Crime Lords of Cryptocurrency, available November 15,
2022, from Doubleday.

They separated the family, putting the father, an assistant principal
at the local high school and the target of their investigation, in one
room; his wife in another; the two kids into a third. An agent
switched on a TV and put on Mickey Mouse Clubhouse in an attempt to
distract the children from the invasion of their home and the
interrogation of their parents.

Janczewski had come along on this raid only as an observer, a visitor
flown in from Washington, DC, to watch and advise the local Homeland
Security team as it executed its warrant. But it had been Janczewski’s
investigation that brought the agents here, to this average-looking
house with its well-kept yard among all the average-looking houses
they could have been searching, anywhere in America. He had led them
there based on a strange, nascent form of evidence. Janczewski had
followed the links of Bitcoin’s blockchain, pulling on that chain
until it connected this ordinary home to an extraordinarily cruel
place on the internet—and then connected that place to hundreds more
men around the world. All complicit in the same massive network of
unspeakable abuse. All now on Janczewski’s long list of targets.

Over the previous few years, Janczewski, his partner Tigran Gambaryan,
and a small group of investigators at a growing roster of three-letter
American agencies had used this newfound technique, tracing a
cryptocurrency that once seemed untraceable, to crack one criminal
case after another on an unprecedented, epic scale. But those methods
had never led them to a case quite like this one, in which the fate of
so many people, victims and perpetrators alike, seemed to hang on the
findings of this novel form of forensics. That morning’s search in the
suburb near Atlanta was the first moment when those stakes became real
for Janczewski. It was, as he would later put it, “a proof of
concept.”

From where Janczewski was positioned at the front of the house, he
could hear the Homeland Security agents speaking to the father, who
responded in a broken, resigned voice. In another room, he overheard
the agents questioning the man’s wife; she was answering that, yes,
she’d found certain images on her husband’s computer, but he’d told
her he had downloaded them by accident when he was pirating music. And
in the third room he could hear the two grade-school-age children—kids
about as old as Janczewski’s own—watching TV. They asked for a snack,
seemingly oblivious to the tragedy unfolding for their family.

Janczewski remembers the gravity of the moment hitting him: This was a
high school administrator, a husband and a father of two. Whether he
was guilty or innocent, the accusations this team of law enforcement
agents were leveling against him—their mere presence in his home—would
almost certainly ruin his life.

Janczewski thought again of the investigative method that had brought
them there like a digital divining rod, revealing a hidden layer of
illicit connections underlying the visible world. He hoped, not for
the last time, that it hadn’t led him astray.

On a summer’s day in London a few months earlier, a South Africa-born
tech entrepreneur named Jonathan Levin had walked into the unassuming
brick headquarters of the UK’s National Crime Agency—Britain’s
equivalent to the FBI—on the south bank of the Thames. A friendly
agent led him to the building’s second floor and through the office
kitchen, offering him a cup of tea. Levin accepted, as he always did
on visits to the NCA, leaving the tea bag in.

The two men sat, cups in hand, at the agent’s desk in a collection of
cubicles. Levin was there on a routine customer visit, to learn how
the agent and his colleagues were using the software built by the
company he’d cofounded. That company, Chainalysis, was the world’s
first tech firm to focus solely on a task that a few years earlier
might have sounded like an oxymoron: tracing cryptocurrency. The NCA
was one of dozens of law enforcement agencies around the world that
had learned to use Chainalysis’ software to turn the digital
underworld’s preferred means of exchange into its Achilles’ heel.

When Bitcoin first appeared in 2008, one fundamental promise of the
cryptocurrency was that it revealed only which coins reside at which
Bitcoin addresses—long, unique strings of letters and numbers—without
any identifying information about those coins’ owners. This layer of
obfuscation created the impression among many early adherents that
Bitcoin might be the fully anonymous internet cash long awaited by
libertarian cypherpunks and crypto-anarchists: a new financial
netherworld where digital briefcases full of unmarked bills could
change hands across the globe in an instant.

Satoshi Nakamoto, the mysterious inventor of Bitcoin, had gone so far
as to write that “participants can be anonymous” in an early email
describing the cryptocurrency. And thousands of users of dark-web
black markets like Silk Road had embraced Bitcoin as their central
payment mechanism. But the counterintuitive truth about Bitcoin, the
one upon which Chainalysis had built its business, was this: Every
Bitcoin payment is captured in its blockchain, a permanent,
unchangeable, and entirely public record of every transaction in the
Bitcoin network. The blockchain ensures that coins can’t be forged or
spent more than once. But it does so by making everyone in the Bitcoin
economy a witness to every transaction. Every criminal payment is, in
some sense, a smoking gun in broad daylight.

Within a few years of Bitcoin’s arrival, academic security
researchers—and then companies like Chainalysis—began to tear gaping
holes in the masks separating Bitcoin users’ addresses and their
real-world identities. They could follow bitcoins on the blockchain as
they moved from address to address until they reached one that could
be tied to a known identity. In some cases, an investigator could
learn someone’s Bitcoin addresses by transacting with them, the way an
undercover narcotics agent might conduct a buy-and-bust. In other
cases, they could trace a target’s coins to an account at a
cryptocurrency exchange where financial regulations required users to
prove their identity. A quick subpoena to the exchange from one of
Chainalysis’ customers in law enforcement was then enough to strip
away any illusion of Bitcoin’s anonymity.

Chainalysis had combined these techniques for de-anonymizing Bitcoin
users with methods that allowed it to “cluster” addresses, showing
that anywhere from dozens to millions of addresses sometimes belonged
to a single person or organization. When coins from two or more
addresses were spent in a single transaction, for instance, it
revealed that whoever created that “multi-input” transaction must have
control of both spender addresses, allowing Chainalysis to lump them
into a single identity. In other cases, Chainalysis and its users
could follow a “peel chain”—a process analogous to tracking a single
wad of cash as a user repeatedly pulled it out, peeled off a few
bills, and put it back in a different pocket. In those peel chains,
bitcoins would be moved out of one address as a fraction was paid to a
recipient and then the remainder returned to the spender at a “change”
address. Distinguishing those change addresses could allow an
investigator to follow a sum of money as it hopped from one address to
the next, charting its path through the noise of Bitcoin’s blockchain.
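
The two heuristics in the paragraph above, as an added example that is
not part of the article and is not Chainalysis' code: a union-find pass
that merges addresses spent together in one multi-input transaction, and
a peel-chain walk. The ledger, the address names and the rule "the larger
of two outputs is the change" are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # addresses whose coins this transaction spends
    outputs: tuple   # (address, amount_in_satoshi) pairs


class Clusters:
    """Union-find (disjoint set) over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def members(self, addr):
        root = self.find(addr)
        return {a for a in list(self.parent) if self.find(a) == root}


def cluster_by_common_input(txs):
    """Merge all input addresses of each transaction into one cluster.

    Whoever signs a multi-input transaction controls every spender address,
    and the merge is transitive across transactions that share an input.
    """
    clusters = Clusters()
    for tx in txs:
        if not tx.inputs:          # e.g. a coinbase transaction
            continue
        first = tx.inputs[0]
        clusters.find(first)       # register single-input spenders too
        for other in tx.inputs[1:]:
            clusters.union(first, other)
    return clusters


def follow_peel_chain(txs, start):
    """Walk single-input, two-output spends, hopping to the change address.

    Assumption (not from the article): the larger output is the remainder
    returned to the spender. The walk stops when that guess is ambiguous.
    """
    spent_by = {tx.inputs[0]: tx for tx in txs if len(tx.inputs) == 1}
    hops, addr, seen = [], start, set()
    while addr in spent_by and addr not in seen:
        seen.add(addr)
        tx = spent_by[addr]
        if len(tx.outputs) != 2:
            break
        (a1, v1), (a2, v2) = tx.outputs
        if v1 == v2:               # cannot tell payment from change
            break
        paid, change = (a2, a1) if v1 > v2 else (a1, a2)
        hops.append((tx.txid, paid, change))
        addr = change
    return hops


def cluster_with_peel_chain(txs, start):
    """Common-input cluster of `start`, extended by its peel-chain change."""
    clusters = cluster_by_common_input(txs)
    for _txid, _paid, change in follow_peel_chain(txs, start):
        clusters.union(start, change)
    return clusters.members(start)


# Constructed toy ledger; these are labels, not real Bitcoin addresses.
LEDGER = [
    Tx("t1", ("svc_a", "svc_b"), (("exch_1", 500_000),)),
    Tx("t2", ("svc_b", "svc_c"), (("exch_1", 300_000),)),
    Tx("t3", ("other_a", "other_b"), (("exch_2", 200_000),)),
    Tx("t4", ("wal_0",), (("shop_1", 10_000), ("wal_1", 90_000))),
    Tx("t5", ("wal_1",), (("wal_2", 70_000), ("shop_2", 20_000))),
    Tx("t6", ("wal_2",), (("shop_3", 10_000), ("wal_3", 60_000))),
]

if __name__ == "__main__":
    print(sorted(cluster_by_common_input(LEDGER).members("svc_a")))
    for hop in follow_peel_chain(LEDGER, "wal_0"):
        print(hop)
    print(sorted(cluster_with_peel_chain(LEDGER, "wal_0")))
```

svc_a and svc_c never appear in the same transaction; they end up in one
cluster only because each was co-spent with svc_b.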

Thanks to tricks like these, Bitcoin had turned out to be practically
the opposite of untraceable: a kind of honeypot for crypto criminals
that had, for years, dutifully and unerasably recorded evidence of
their dirty deals. By 2017, agencies like the FBI, the Drug
Enforcement Agency, and the IRS’s Criminal Investigation division (or
IRS-CI) had traced Bitcoin transactions to carry out one investigative
coup after another, very often with the help of Chainalysis.

The cases had started small and then gained a furious momentum.
Investigators had traced the transactions of two corrupt federal
agents to show that, before the 2013 takedown of Silk Road, one had
stolen bitcoins from that dark-web market and another had sold law
enforcement intel to its creator, Ross Ulbricht. Next they tracked
down half a billion dollars of bitcoins stolen from the Mt. Gox
exchange and showed that the proceeds had been laundered by the
Russian administrator of another crypto exchange, BTC-e, eventually
locating the exchange’s servers in New Jersey. And finally, they
followed bitcoin trails to nail down the identity of the founder of
AlphaBay, a dark-web market that had grown to 10 times the size of
Silk Road. (In fact, even as Levin was sitting in London talking to
the NCA agent, a coalition of half a dozen law enforcement agencies
was converging in Bangkok to arrest AlphaBay’s creator.)

Levin was, as always, on the lookout for Chainalysis’ next big
investigation. After running through a few open cases with him, the
NCA agent mentioned an ominous site on the dark web that had recently
come onto the agency’s radar. It was called Welcome to Video.

The NCA had stumbled across the site in the midst of a horrific case
involving an offender named Matthew Falder. An academic based in
Manchester, England, Falder would pose as a female artist and solicit
nude photos from strangers on the internet, then threaten to share
those images with family or friends unless the victims recorded
themselves carrying out increasingly demeaning and depraved acts.
Ultimately he’d force his victims to commit self-harm and even
sexually abuse others on camera. By the time he was arrested, he had
targeted 50 people, at least three of whom had attempted suicide.

On Falder’s computers, the NCA had found he was a registered user of
Welcome to Video, a criminal enterprise that, by its sheer scale, put
even Falder’s atrocities in the shade. This evidentiary lead had then
wended its way from the NCA’s child exploitation investigations team
to the computer crime team, including the cryptocurrency-focused agent
at whose desk Levin now sat. Welcome to Video, it seemed, was among
the rare sites that sold access to clips of child sexual abuse in
exchange for bitcoin. It was clear at a glance that its library of
images and videos was uncommonly large, and it was being accessed—and
frequently refreshed with brand-new material—by a sprawling user base
around the globe.

Sometimes known as “child pornography,” the class of imagery that was
trafficked on Welcome to Video has increasingly come to be called
“child sexual abuse material” by child advocates and law enforcement,
so as to strip away any doubt that it involves acts of violence
against kids. CSAM, as it is usually abbreviated, had for years
represented a massive undercurrent of the dark web, the collection of
thousands of websites protected by anonymity software like Tor and
I2P. Those anonymity tools, used by millions of people around the
world seeking to avoid online surveillance, had also come to serve as
the shadow infrastructure for an abhorrent network of abuse, which
very often foiled law enforcement’s attempts to identify CSAM sites’
visitors or administrators.

The NCA agent showed Levin a Bitcoin address that the agency had
determined was part of Welcome to Video’s financial network. Levin
suggested they load it in Chainalysis’ crypto-tracing software tool,
known as Reactor. He set down his cup of tea, pulled his chair up to
the agent’s laptop, and began charting out the site’s collection of
addresses on the Bitcoin blockchain, representing the wallets where
Welcome to Video had received payments from thousands of customers.

He was taken aback by what he saw: Many of this child abuse site’s
users—and, by all appearances, its administrators—had done almost
nothing to obscure their cryptocurrency trails. An entire network of
criminal payments, all intended to be secret, was laid bare before
him.

Over the years, Levin had watched as some dark-web operators wised up
to certain of his firm’s crypto-tracing tricks. They would push their
money through numerous intermediary addresses or “mixer” services
designed to throw off investigators, or use the cryptocurrency Monero,
designed to be far harder to track. But looking at the Welcome to
Video cluster in the NCA office that day, Levin could immediately see
that its users were far more naive. Many had simply purchased bitcoins
from cryptocurrency exchanges and then sent them directly from their
own wallets into Welcome to Video’s.

The contents of the website’s wallets, in turn, had been liquidated at
just a few exchanges—Bithumb and Coinone in South Korea, Huobi in
China—where they were converted back into traditional currency.
Someone seemed to be continually using large, multi-input transactions
to gather up the site’s funds and then cash them out. That made it
easy work for Reactor to instantly and automatically cluster thousands
of addresses, determining that they all belonged to a single
service—which Levin could now label in the software as Welcome to
Video. What’s more, Levin could see that the constellation of
exchanges surrounding and connected to that cluster likely held the
data necessary to identify a broad swath of the site’s anonymous
users—not simply who was cashing out bitcoins from the site, but who
was buying bitcoins to put into it. The blockchain links between
Welcome to Video and its customers were some of the most clearly
incriminating connections that Levin had ever witnessed.

These child sexual abuse consumers seemed to be wholly unprepared for
the modern state of financial forensics on the blockchain. By the
standards of the cat-and-mouse game Levin had played for years,
Welcome to Video was like a hapless rodent that had never encountered
a predator.

As he sat in front of the NCA agent’s laptop, it dawned on Levin,
perhaps more clearly than ever before, that he was living in a “golden
age” of cryptocurrency tracing—that blockchain investigators like
those at Chainalysis had gained a significant lead over those they
were targeting. “We’ve created something extremely powerful, and we’re
a step ahead of these types of operators,” he remembers thinking.
“You’ve got a heinous crime, a terrible thing happening in the world,
and in an instant our technology has broken through and revealed in
very clear logic who’s behind it.”

Seeing that someone was cashing out the majority of Welcome to Video’s
revenues through the two exchanges in South Korea, Levin could already
guess that the administrator was very likely located there. Many of
the site’s users seemed to be paying the site directly from the
addresses where they’d purchased the coins, on exchanges like Coinbase
and Circle, based in the United States. Taking down this global child
abuse network might only require getting another law enforcement
agency in either the US or Korea involved, one that could demand
identifying details from those exchanges. And Levin had just the
agency in mind.

“I have some people who would be interested,” he told his NCA host.

But first, as he prepared to leave, Levin silently memorized the first
five characters of the Welcome to Video address the agent had shown
him. Chainalysis’ Reactor software included a feature that could
autocomplete Bitcoin addresses based on their first few unique numbers
or letters. Five would be enough—a single short password to unlock the
living map of a global criminal conspiracy.

It was evening in Thailand when Levin spoke with Chris Janczewski and
Tigran Gambaryan. That night in early July 2017, the two IRS Criminal
Investigation special agents were sitting in Bangkok’s Suvarnabhumi
Airport, stewing over the frustration of being sidelined from the
biggest dark-web market takedown in history.

The IRS, by 2017, had come to possess some of the most adept
cryptocurrency tracers in the US government. It was Gambaryan, in
fact, who had traced the bitcoins of the two corrupt agents in the
Silk Road investigations and then cracked the BTC-e money laundering
case. Working with Levin, Gambaryan had even tracked down the AlphaBay
server, locating it at a data center in Lithuania.

Yet when Gambaryan and Janczewski had come to Bangkok for the arrest
of AlphaBay’s administrator, the French-Canadian Alexandre Cazes, they
had been largely excluded from the inner circle of DEA and FBI agents
who ran the operation. They hadn’t been invited to the scene of Cazes’
arrest, or even to the office where other agents and prosecutors
watched a video livestream of the takedown.

For Gambaryan and Janczewski, the story was utterly typical. IRS-CI
agents did shoe-leather detective work, carried guns, and made
arrests, just like their FBI and DEA counterparts. But because of the
IRS’s dowdy public image, they often found that fellow agents treated
them like accountants. “Don’t audit me,” their peers from other law
enforcement branches would joke when they were introduced in meetings.
Most IRS-CI agents had heard the line enough times that it warranted
an instant eye roll.

At loose ends in Bangkok, Gambaryan and Janczewski spent much of their
time idly contemplating what their next case should be, browsing
through Chainalysis’ blockchain-tracing software Reactor to brainstorm
ideas. Dark-web markets like AlphaBay seemed to have been reduced to a
shambles by the Thailand operation, and they’d take months or even
years to recover. The agents considered taking on a dark-web gambling
site. But illegal online casinos hardly seemed worth their attention.

On the day of their departure from Thailand, Gambaryan and Janczewski
arrived at the airport only to find that their flight to DC was badly
delayed. Stuck in the terminal with hours to kill, they sat half-awake
and bored, literally staring at the wall. To pass the hours, Gambaryan
decided to try calling Chainalysis’ Levin to discuss next cases. When
Levin picked up the phone, he had news to share. He’d been looking
into a website that didn’t fit among the IRS’s usual targets but that
he hoped they’d be willing to check out: Welcome to Video.

Child sexual exploitation cases had traditionally been the focus of
the FBI and Homeland Security Investigations, certainly not the IRS.
In part, that was because child sexual abuse images and videos were
most often shared without money changing hands, in what investigators
described as a “baseball card trading” system—which put them outside
the IRS’s domain. Welcome to Video was different. It had a money
trail, and it seemed to be a very clear one.

Soon after they arrived back in DC, Gambaryan and Janczewski enlisted
a technical analyst named Aaron Bice from a contract technology firm
called Excygent, with whom they’d investigated the crypto exchange
BTC-e. Together, they charted out Welcome to Video in Reactor and saw
what Levin had recognized right away: how glaringly it presented
itself as a target. Its entire financial anatomy was laid before them,
thousands of clustered bitcoin addresses, many with barely concealed
pay-ins and cash-outs at exchanges they knew they could squeeze for
identifying information. It did indeed look, as Levin said, like “a
slam dunk.” In short order, Janczewski brought the case to Zia
Faruqui, a federal prosecutor, who was instantly sold on the idea of
taking on Welcome to Video and formally opened an investigation.

Gambaryan, Janczewski, Bice, and Faruqui made an unlikely team to
focus on busting a massive child exploitation network. Janczewski was
a tall Midwestern agent with a square jaw, like a hybrid of Sam
Rockwell and Chris Evans, who wore horn-rimmed glasses when looking at
a computer screen. He’d been recruited to the DC computer crimes team
from the IRS office in Indiana after proving his mettle in a grab bag
of counterterrorism, drug trafficking, government corruption, and tax
evasion cases. Bice was an expert in data analysis and was, as
Janczewski described his computer skills, “part robot.” Faruqui was a
seasoned assistant US attorney with a long history of national
security and money laundering prosecutions. He had an almost manic
focus and intensity, spoke in a comically rapid patter, and, it seemed
to his colleagues, barely slept. And then there was Gambaryan, an
agent with buzzed hair and a trim beard who by 2017 had made a name
for himself as the IRS’s cryptocurrency whisperer and dark-web
specialist. Faruqui called him “Bitcoin Jesus.”

The team began to realize that, as simple as this “slam dunk” case had
seemed, it was actually overwhelming in its complexity.

Yet none of the four had ever worked a child sexual exploitation case.
They had no training in handling images and videos of child abuse,
whose mere possession, in the hands of normal Americans, represented a
felony. They had never even seen these sorts of radioactively
disturbing materials, and they had no emotional or psychological
preparation for the graphic nature of what they were about to be
exposed to.

Still, when the two agents showed Faruqui what they saw in the
blockchain, the prosecutor was undeterred by their collective
inexperience in the realm of child exploitation. As an attorney who
focused on money-laundering cases, he saw no reason why, with the
evidence of criminal payments Janczewski and Gambaryan had handed him,
they couldn’t approach Welcome to Video as, fundamentally, a financial
investigation.

“We’re going to treat this case like we would any other,” he said. “We
are going to investigate this by following the money.”

When Janczewski and Gambaryan first copied the unwieldy web address,
mt3plrzdiyqf6jim.onion, into their Tor browsers, they were greeted by
a bare-bones site with only the words “Welcome to video” and a login
prompt, a minimalism Janczewski compared to the Google homepage. They
each registered a username and password and entered.

Past that first greeting page, the site displayed a vast, seemingly
endless collection of video titles and thumbnails, arrayed in squares
of four stills per video, apparently chosen automatically from the
files’ frames. Those small images were a catalog of horrors: scene
after scene of children being sexually abused and raped.

The agents had steeled themselves to see these images, but they were
still unprepared for the reality. Janczewski remembers the blank shock
he felt at the parade of thumbnails alone, the way his brain almost
refused to accept what it was seeing. He found that the site had a
search page with the misspelled words “Serach videos” written at the
top of it. Below the search field, it listed popular keywords users
had entered. The most popular was an abbreviation for “one-year-old.”
The second most popular was an abbreviation for “two-year-old.”

Janczewski at first thought he must have misunderstood. He had
expected to see recordings of the sexual abuse of young teenagers, or
perhaps preteens. But as he scrolled, he found, with mounting
revulsion and sadness, that the site was heavily populated with videos
of abuse of toddlers and even infants.

“This is a thing, really? No,” Janczewski says, numbly recounting his
reactions as he first browsed the site. “Oh, there’s this many videos
on here? No. This can’t be real.”

The two agents knew that, at some point, they would have to actually
watch at least some of the advertised videos. But, mercifully, on
their first visits to the site they couldn’t access them; to do so,
they’d have to pay bitcoins to an address the site provided to each
registered user, where they could purchase “points” that could then be
traded for downloads. And since they weren’t undercover agents, they
didn’t have the authorization to buy those points—nor were they
particularly eager to.

At the bottom of several pages of the site was a copyright date: March
13, 2015. Welcome to Video had already been online for more than two
years. Even at a glance, it was clear that it had grown into one of
the biggest repositories of child sexual abuse videos that law
enforcement had ever encountered.

“You cannot let a child be raped while you go and try to take down a
server in South Korea.” Simply pulling the site offline couldn’t be
their first priority.

As Janczewski and Gambaryan analyzed the site’s mechanics, they saw
that users could obtain points not just by purchasing them but also by
uploading videos. The more those videos were subsequently downloaded
by other users, the more points they would earn. “Do not upload adult
porn,” the upload page instructed, the last two words highlighted in
red for emphasis. The page also warned that uploaded videos would be
checked for uniqueness; only new material would be accepted—a feature
that, to the agents, seemed expressly designed to encourage more abuse
of children.

The element of the site that Gambaryan found most unnerving of all,
though, was a chat page, where users could post comments and
reactions. It was filled with posts in all languages, offering a hint
at the international reach of the site’s network. Much of the
discussion struck Gambaryan as chillingly banal—the kind of casual
commentary one might find on an ordinary YouTube channel.

Gambaryan had hunted criminals of all stripes for years now, from
small-time fraudsters to corrupt federal law enforcement colleagues to
cybercriminal kingpins. He usually felt he could fundamentally
understand his targets. Sometimes, he’d even felt sympathy for them.
“I’ve known drug dealers who are probably better human beings than
some white-collar tax evaders,” he mused. “I could relate to some of
these criminals. Their motivation is just greed.”

But now he’d entered a world where people were committing atrocities
that he didn’t understand, driven by motivations that were entirely
inaccessible to him. After a childhood in war-torn Armenia and
post-Soviet Russia and a career delving into the criminal underworld,
he considered himself to be familiar with the worst that people were
capable of. Now he felt he had been naive: His first look at Welcome
to Video exposed and destroyed a hidden remnant of his idealism about
humanity. “It killed a little bit of me,” Gambaryan says.

As soon as they had seen firsthand what Welcome to Video truly
represented, Gambaryan and Janczewski understood that the case
warranted an urgency that went beyond that of even a normal dark-web
investigation. Every day the site spent online, it enabled more child
abuse.

Gambaryan and Janczewski knew their best leads still lay in the
blockchain. Crucially, the site didn’t seem to have any mechanism for
its customers to pull money out of their accounts. There was only an
address to which they could pay for credits on the site; there didn’t
even seem to be a moderator to ask for a refund. That meant that all
the money they could see flowing out of the site—more than $300,000
worth of bitcoins at the time of the transactions—would almost
certainly belong to the site’s administrators.

Gambaryan began reaching out to his contacts in the Bitcoin community,
looking for staff at exchanges who might know executives at the two
Korean exchanges, Bithumb and Coinone, into which most of Welcome to
Video’s money had been cashed out, as well as one US exchange that had
received a small fraction of the funds. He found that the mere mention
of child exploitation seemed to evaporate the cryptocurrency
industry’s usual resistance to government intervention. “As
libertarian as you want to be,” Gambaryan says, “this is where
everybody kind of drew the line.” Even before he sent a formal legal
request or subpoena, staff at all three exchanges were ready to help.
They promised to get him account details for the addresses he had
pulled from Reactor as soon as they could.

In the meantime, Gambaryan continued to investigate the Welcome to
Video site itself. After registering an account on the site, he
thought to try a certain basic check of its security—a long shot, he
figured, but it wouldn’t cost anything. He right-clicked on the page
and chose “View page source” from the resulting menu. This would give
him a look at the site’s raw HTML before it was rendered by the Tor
Browser into a graphical web page. Looking at a massive block of code,
anyway, certainly beat staring at an infinite scroll of abject human
depravity.

He spotted what he was looking for almost instantly: an IP address. In
fact, to Gambaryan’s surprise, every thumbnail image on the site
seemed to display, within the site’s HTML, the IP address of the
server where it was physically hosted: 121.185.153.64. He copied those
11 digits into his computer’s command line and ran a basic traceroute
function, following its path across the internet back to the location
of that server.

Incredibly, the results showed that this computer wasn’t obscured by
Tor’s anonymizing network at all; Gambaryan was looking at the actual,
unprotected address of a Welcome to Video server. Confirming Levin’s
initial hunch, the site was hosted on a residential connection of an
internet service provider in South Korea, outside of Seoul.

Welcome to Video’s administrator seemed to have made a rookie mistake.
The site itself was hosted on Tor, but the thumbnail images it
assembled on its homepage appeared to be pulled from the same
computer without routing the connection through Tor, perhaps in a
misguided attempt to make the page load faster.
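
The "View page source" check described above can be automated. The
following is an added example, not from the article, that lists every
resource a page references on a host other than its own .onion name. The
onion name, the 203.0.113.7 address (a documentation range) and the HTML
are constructed sample values.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch or navigate to a URL.
URL_ATTRS = {"src", "href", "poster", "data-src", "action"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every URL-bearing attribute in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <img ... /> are routed here as well.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, value.strip()))


def classify(url, onion_host):
    """Say where a referenced URL would be fetched from."""
    host = urlsplit(url).hostname      # None for relative and data: URLs
    if host is None:
        return "no-host"
    if host == onion_host.lower():
        return "same-onion"
    try:
        ipaddress.ip_address(host)     # accepts IPv4 and IPv6 literals
        return "ip-literal"
    except ValueError:
        pass
    return "other-onion" if host.endswith(".onion") else "clearnet-host"


def find_leaks(html, onion_host):
    """Return (tag, url, kind) for references that leave the onion host.

    An "ip-literal" hit is the case in the article: markup served over Tor
    that names the hosting server's routable address directly.
    """
    parser = ResourceCollector()
    parser.feed(html)
    leaks = []
    for tag, url in parser.refs:
        kind = classify(url, onion_host)
        if kind in ("ip-literal", "clearnet-host"):
            leaks.append((tag, url, kind))
    return leaks


# Constructed sample page and onion name, for illustration only.
SAMPLE_ONION = "exampleexampleexample.onion"
SAMPLE_HTML = """
<html><body>
<a href="/login">login</a>
<img src="/static/logo.png">
<img src="http://exampleexampleexample.onion/thumbs/1.jpg">
<img src="http://203.0.113.7/thumbs/2.jpg">
<img src="//203.0.113.7:8080/thumbs/3.jpg"/>
<script src="https://cdn.example.net/lib.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in find_leaks(SAMPLE_HTML, SAMPLE_ONION):
        print(f"{kind:14} <{tag}> {url}")
```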

Gambaryan couldn’t help it: Sitting in front of his computer screen in
his DC cubicle, staring at the revealed location of a website
administrator whose arrest he could feel drawing closer, the agent
started to laugh.

Janczewski was at a firing range in Maryland, waiting his turn in a
marksmanship exercise, when he got an email from the American
cryptocurrency exchange his team had subpoenaed. It contained
identifying information on the suspected Welcome to Video
administrator who had cashed out the site’s earnings there.

The email’s attachments showed a middle-aged Korean man with an
address outside of Seoul—exactly corroborating the IP address
Gambaryan had found. The documents even included a photo of the man
holding up his ID, apparently to prove his identity to the American
exchange.

For a moment, Janczewski felt as though he were looking at Welcome to
Video’s administrator face-to-face. But he remembers thinking that
something was off: The man in the picture had noticeably dirty hands,
with soil under his fingernails. He looked more like a farm worker
than the hands-on-keyboard type he’d expected to be running a site on
the dark web.

Over the next days, as the other exchanges fulfilled their subpoenas,
the answer began to come into focus. One Korean exchange and then the
other sent Gambaryan documents on the men who controlled Welcome to
Video’s cash-out addresses. They named not just that one middle-aged
man but also a much younger male, 21 years old, named Son Jong-woo.
The two men listed the same address and shared the same family name.
Were they father and son?

The agents believed they were closing in on the site’s administrators.
But they had come to understand that merely taking down the site or
arresting its admins would hardly serve the interests of justice. The
constellation of Bitcoin addresses that Welcome to Video had generated
on the blockchain laid out a vast, bustling nexus of both consumers
and—far more importantly—producers of child sexual abuse materials.

By this point, Faruqui had brought on a team of other prosecutors to
help, including Lindsay Suttenberg, an assistant US attorney with
expertise in child exploitation cases. She pointed out that even
taking the site offline shouldn’t necessarily be their first priority.
“You cannot let a child be raped while you go and try to take down a
server in South Korea,” as Faruqui summed up her argument.

The team began to realize that, as simple as this “slam dunk” case had
seemed at first, after the easy identification of the site’s admins,
it was actually overwhelming in its complexity. They would need to
follow the money not to just one or two web administrators in Korea,
but also from that central point to hundreds of potential
suspects—both active abusers and their complicit audience of
enablers—around the entire globe.

Gambaryan’s right-click discovery of the site’s IP address and the
quick cooperation from crypto exchanges had been lucky breaks. The
real work still lay ahead.

Just two weeks after Levin passed along his tip, the team of IRS-CI
agents and prosecutors knew almost exactly where Welcome to Video was
hosted. But they also knew they’d need help to go further. They had
neither connections to the Korean National Police Agency—which had a
reputation for formality and impenetrable bureaucracy—nor the
resources to arrest what could be hundreds of the site’s users, an
operation that would require far more personnel than the IRS could
muster.

Faruqui suggested they bring Homeland Security Investigations in on
the case, partnering with a certain field office across the country,
in Colorado Springs. He’d chosen that agency and its far-flung outpost
because of a specific agent there whom he’d worked with in the past,
an investigator named Thomas Tamsi. Faruqui and Tamsi had together
unraveled a North Korean arms trading operation a year earlier, one
that had sought to smuggle weapon components through South Korea and
China. In the course of that investigation, they’d flown to Seoul to
meet with the Korean National Police, where, after some introductions
by an HSI liaison there, they spent an evening with Korean officers
drinking and singing karaoke.

At a particularly memorable point in the night, the Korean agents had
been ribbing the US team for their alleged hot-dog-and-hamburger
diets. One agent mentioned sannakji, a kind of small octopus that some
Koreans eat not merely raw but alive and writhing. Tamsi had gamely
responded that he’d try it.

A few minutes later, a couple of the Korean agents had brought to the
table a fist-sized, living octopus wrapped around a chopstick. Tamsi
put the entire squirming cephalopod in his mouth, chewed, and
swallowed, even as its tentacles wriggled between his lips and black
ink dripped from his face onto the table. “It was absolutely
horrible,” Tamsi says.

The Koreans found this hilarious. Tamsi gained near-legendary status
within certain circles of the Korean National Police, where he was
thereafter referred to as “Octopus Guy.”

Like most of their group, Tamsi had no experience in child
exploitation cases. He had never even worked on a cryptocurrency
investigation. But Faruqui insisted that to make inroads in Korea,
they needed Octopus Guy.

Not long afterward, Tamsi and a fellow HSI agent authorized for
undercover operations flew to Washington, DC. They rented a conference
room in a hotel, and as Janczewski watched, the undercover agent
logged on to Welcome to Video, paid a sum of bitcoins, and began
downloading gigabytes of videos.

The strange choice of location—a hotel rather than a government
office—was designed to better mask the agent’s identity, in case
Welcome to Video could somehow track its users despite Tor’s
protection, and also so that, when it came time to prosecute, the DC
attorney’s office would be given jurisdiction. (The HSI agent did, at
least, use a Wi-Fi hot spot for his downloading, to avoid siphoning
the web’s most toxic content over the hotel’s network.)

As soon as the undercover agent’s work was complete, they shared the
files with Janczewski, who, along with Lindsay Suttenberg, would spend
the following weeks watching the videos, cataloging any clues they
could find to the identities of the people involved while also
saturating their minds with enough images of child abuse to fill
anyone’s nightmares for the rest of their lives.

Suttenberg’s years as a child exploitation prosecutor had left her
somewhat desensitized; she would find that other attorneys on the team
couldn’t stand to even hear her describe the contents of the videos,
much less watch them. “They would ask me to stop talking, to put it in
writing,” she remembers, “and then they’d tell me that was even
worse.”

Janczewski, as lead agent on the case, was tasked with putting
together an affidavit that would be used in whatever charging document
they might eventually bring to court. That meant watching dozens of
videos, looking for ones that would represent the most egregious
material on the site, and then writing technical descriptions of them
for a jury or judge. He compares the experience to a scene from A
Clockwork Orange: an unending montage from which he constantly wanted
to avert his gaze but was required not to.

He says watching those videos altered him, though in ways he could
only describe in the abstract—ways even he’s not sure he fully
understands. “There’s no going back,” Janczewski says, vaguely. “Once
you know what you know, you can’t unknow it. And everything that you
see in the future comes in through that prism of what you now know.”

In the first weeks of fall 2017, the team investigating the Welcome to
Video network began the painstaking process of tracing every possible
user of the site on the blockchain and sending out hundreds of legal
requests to exchanges around the world. To help analyze every tendril
of Welcome to Video’s cluster of Bitcoin addresses in Reactor, they
brought on a Chainalysis staffer named Aron Akbiyikian, an
Armenian-American former police officer from Fresno whom Gambaryan
knew from childhood and had recommended to Levin.

Akbiyikian’s job was to perform what he called a “cluster
audit”—squeezing every possible investigative clue out of the site’s
cryptocurrency trails. That meant manually tracing payments back from
one prior address to another, until he found the exchange where a
Welcome to Video customer had bought their bitcoins—and the
identifying information that the exchange likely possessed. Plenty of
Welcome to Video’s users had made his job easy. “It was a beautiful
clustering in Reactor,” Akbiyikian says. “It was just so clear.” In
some cases, he would trace back chains of payments through several
hops before the money arrived at an exchange. But for hundreds of
users, he says, he could see wallet addresses receive money from
exchanges and then put the funds directly into Welcome to Video’s
cluster, transactions that had created, as Akbiyikian put it, “leads
as clean as you could want.”

As responses from exchanges with those users’ identity information
began to pour in, the team started the process of assembling more
complete profiles of their targets. They began to collect the names,
faces, and photos of hundreds of men—they were almost all men—from all
walks of life, everywhere in the world. Their descriptions crossed
boundaries of race, age, class, and nationality. All these individuals
seemed to have in common was their gender and their financial
connection to a worldwide, hidden haven of child abuse.

By this time, the team felt they’d pinned down the site’s Korean
administrator with confidence. They’d gotten a search warrant for Son
Jong-woo’s Gmail accounts and many of his exchange records, and they
could see that he alone seemed to be receiving the cashed-out proceeds
from the site—not his father, who increasingly seemed to the
investigators like an unwitting participant, a man whose son had
hijacked his identity to create cryptocurrency accounts. In Son
Jong-woo’s emails, they found photos of the younger man for the first
time—selfies he’d taken to show friends where he’d chipped a tooth in
a car accident, for instance. He was a thin, unremarkable-looking
young Korean man with wide-set eyes and a Beatles-esque mop-top of
black hair.

But as their portrait of this administrator took shape, so too did the
profiles of the hundreds of other men who had used the site.* A few
immediately stuck out to the investigative team: One suspect, to the
dismay of Thomas Tamsi and his Homeland Security colleagues, was an
HSI agent in Texas. Another, they saw with a different sort of dread,
was the assistant principal of a high school in Georgia. The school
administrator had posted videos of himself on social media singing
duets, karaoke-style, with teenage girls from his school. The videos
might otherwise have been seen as innocent. But given what they knew
about the man’s Bitcoin payments, agents who had more experience with
child exploitation warned Janczewski that they might reflect a form of
grooming.

* For several reasons, we’ve chosen not to identify the defendants in
the Welcome to Video case by name, with the exception of the site’s
administrator. In some instances, at the time of this writing, a
defendant’s case had not been fully adjudicated. In other cases, we
left out names at the request of prosecutors, to avoid providing
information that might inadvertently identify victims. We applied the
same standard to the rest, to avoid singling out some offenders while
others went unnamed.

These were men in privileged positions of power, with potential access
to victims. The investigators could immediately see that, as they
suspected, they would need to arrest some of Welcome to Video’s users
as quickly as possible, even before they could arrange the takedown of
the site. Child exploitation experts had cautioned them that some
offenders had systems in place to warn others if law enforcement had
arrested or compromised them—code words or dead man’s switches that
sent out alerts if they were absent from their computer for a certain
period of time. Still, the Welcome to Video investigation team felt
they had little choice but to move quickly and take that risk.

Another suspect, around the same time, came onto their radar for a
different reason: He lived in Washington, DC. The man’s home, in fact,
was just down the street from the US attorneys’ office, near the
capital’s Gallery Place neighborhood. He happened to live in the very
same apartment building that one of the prosecutors had only recently
moved out of.

That location, they realized, might be useful to them. Janczewski and
Gambaryan could easily search the man’s home and his computers as a
test case. If that proved the man was a Welcome to Video customer,
they would be able to charge the entire case in DC’s judicial
district, overcoming a key legal hurdle.

As they dug deeper, though, they found that the man was a former
congressional staffer and held a high-level job at a prestigious
environmental organization. Would arresting or searching the home of a
target with that sort of profile cause him to make a public outcry,
sinking their case?

Just as they trained their sights on this suspect in their midst,
however, they found that he had gone strangely quiet on social media.
Someone on the team had the idea to pull his travel records. They
found that he had flown to the Philippines and was about to fly back
to DC via Detroit.

This discovery led the agents and prosecutors to two thoughts: First,
the Philippines was a notorious destination for sex tourism, often of
the kind that preyed on children—the HSI office in Manila constantly
had its hands full with child exploitation cases. Second, when the man
flew back to the US, Customs and Border Protection could legally
detain him and demand access to his devices to search for evidence—a
bizarre and controversial carve-out in Americans’ constitutional
protections that, in this case, might come in handy.

Would their DC-based suspect sound the alarm and tear the lid off
their investigation, just as it was getting started?

“Yes, this all had the potential to blow up our case,” Janczewski
says. “But we had to act.”

In late October, Customs and Border Protection at the Detroit
Metropolitan Airport stopped a man disembarking from a plane from the
Philippines on his way back to Washington, DC, asking him to step
aside and taking him into a secondary screening room. Despite his
vehement protests, the border agents insisted on taking his computer
and phone before allowing him to leave.

A few days later, on October 25, the prosecutor who had lived in the
same DC apartment block as the suspect saw an email from her old
building’s management; she’d remained on the distribution list despite
having moved out. The email noted that the parking garage ramp in an
alley at the back of the tower would be closed that morning. An
unnamed resident, it explained, had landed there after jumping to
their death from the balcony of their apartment.

The prosecutor put two and two together. The jumper was their Welcome
to Video “test case.” Janczewski and Gambaryan immediately drove to
the apartment tower and confirmed with management: The very first
target of their investigation had just killed himself.

Later that day the two IRS-CI agents returned to the scene of the
man’s death with a search warrant. They rode the elevator up to the
11th floor with the building’s manager, who was deeply puzzled as to
why the IRS was involved, but wordlessly unlocked the door for them.
Inside they found an upscale, moderately messy apartment with high
ceilings. There were suitcases still not fully unpacked from a trip.
The man had ordered a pizza the night before, and part of it remained
uneaten on the table.

Janczewski remembers feeling the somber stillness of the man’s empty
home as he imagined the desperate choice he had faced the night
before. Looking down 11 floors from the balcony, the agent could see
the spot in the alleyway below where the pavement had recently been
hosed off.

DC’s metropolitan police offered to show the agents a security cam
video of the man falling to his death. They politely declined. The
Customs and Border Protection office in Detroit, meanwhile, confirmed
that they had searched the computer seized from the man at the
airport—some of its storage was encrypted, but other parts were
not—and found child exploitation videos, along with surreptitiously
recorded videos of adult sex. Their decision to target the man had
served its purpose: Their test case had come back positive.

The prosecutors in DC paused their work briefly to meet and
acknowledge the surreal shock of the man’s death—their investigation
of a site hosted halfway around the world had already led someone to
kill themselves, just blocks away. “It was just a reminder of how
serious what we were investigating was,” Faruqui says. Still, the
group agreed: They couldn’t let the suicide distract them from their
work.

“We’ve got to focus on the victims here,” Faruqui remembers them
telling each other. “That provides clarity.”

Janczewski says he would have much preferred that the man be arrested
and charged. But he had, by this point, been forced to watch hour
after hour of child sexual abuse videos. He had put aside his emotions
early on in the case, and he had few sympathies to spare for an
apparent customer of those materials.

If he felt anything, he admits, it was relief, given the time that the
suicide had saved him: They still had hundreds more Welcome to Video
customers to pursue.

Next on their list was the high school assistant principal. Just days
later, Janczewski flew down to Georgia and joined a tactical team of
HSI agents as they carried out their search. For the first time, he
came face-to-face with an alleged Welcome to Video client in his own
home.

In spite of his stoicism, this second test case affected Janczewski
more than the DC target had. The tidy, well-kept brick two-story
house. The parents questioned in separate rooms. The kids the same age
as Janczewski’s own, watching Mickey Mouse Clubhouse. As he stood in
the entryway of that house outside of Atlanta, the full toll of the
investigation hit him—the fact that every name on their list was a
person with human connections and, in many cases, a family. That even
accusing suspects of such an unforgivable crime had an irreversible
impact on their lives—that it was “a scarlet letter for someone that
just cannot be undone,” as he put it.

Janczewski and the HSI agents stayed at the home long enough to search
it, to question the man, and to seize his devices for analysis. In
addition to the evidence of the man’s payments for material on Welcome
to Video, Faruqui says that the man also admitted to “inappropriately
touching” students at his school. The man would later be charged with
sexual assault of minors—though he would plead not guilty.

For Janczewski, at least, any last doubts he had felt after his first
confrontation with a suspect based on cryptocurrency tracing alone
were dispelled in a matter of hours. “At the end of the day, I felt
more confident,” he says. “We were correct.” The blockchain had not
lied.

The team was steadily working their way through their short list of
high-priority Welcome to Video targets and test cases. But in December
2017, they came upon a different sort of lead—one that would scramble
their priorities yet again.

As they followed Welcome to Video’s financial trails, investigators
had been careful to record the full contents of the site’s chat page,
where users were still posting a steady stream of comments against a
backdrop of spam and trolling typical of any anonymous web forum. The
site seemed to be entirely unmoderated: There was not so much as an
admin email or help contact visible anywhere. But Janczewski began to
notice repeated messages from one account that seemed to offer the
closest thing the site had to that missing help-desk contact: “Contact
the admins,” the messages read, “if you want assistance in fixing
error.” It included an address on Torbox, a privacy-focused Tor-based
email service.

Was this an actual moderator on the site? Or even the administrator
himself—the owner of the site, who they now believed to be Son
Jong-woo?

As Janczewski tried to decipher who was behind those messages, he
checked the username before the “@” in the Torbox address, a
unique-looking string of six characters, to see if it matched a user
on Welcome to Video. Sure enough, he found that someone with that same
handle had uploaded more than a hundred videos.

Excygent’s Aaron Bice had the idea to run this Torbox email address
against a database seized from BTC-e during IRS-CI’s probe of the
crypto exchange, to search for clues in its treasure trove of criminal
underworld user data. Bice found a match: One account on BTC-e had
been registered with an email address that included that same unique
string of six characters. It wasn’t the Torbox email address, but one
from a different privacy-focused email service called Sigaint.

Janczewski knew that Torbox and Sigaint, both dark-web services
themselves, wouldn’t respond to legal requests for their users’
information. But the BTC-e data included IP addresses for 10 past
logins on the exchange by the same user. In nine out of 10, the IP
address was obscured with a VPN or Tor. But in one single visit to
BTC-e, the user had slipped up: They had left their actual home IP
address exposed. “That opened the whole door,” says Janczewski.

A traceroute showed that the IP address led to a residential internet
connection—not in Korea this time, but in Texas. Was there a second
Welcome to Video admin, this one based in the US? Janczewski and Bice
continued pulling the thread with increasing urgency, subpoenaing the
user’s account information from their internet service provider.

It was a Friday morning in early December, and Janczewski was drinking
coffee at his desk in the IRS-CI office when he got back the results
of that subpoena. He opened the email to find a name and a home
address. The man was an American in his thirties who lived in a town
outside of San Antonio—an unlikely collaborator for a 21-year-old
Korean managing a child exploitation site from 15 time zones away. But
the man’s employment, when Janczewski looked it up, was even more
jarring: He was another Department of Homeland Security staffer—this
time a Border Patrol agent.

Janczewski quickly began to assemble public information about the
agent from his social media accounts. He first found a Facebook page
for the man’s wife, and later an account for the man himself, with his
name written backwards to obscure it. Bice dug up his Amazon page,
too, where he seemed to have left reviews on hundreds of products and
put others on a “wish list”—including external storage devices that
could hold terabytes of videos, hidden cameras, and other cameras
designed to be snaked through small spaces, like holes drilled in a
wall.

Finally, with a creeping sense of dread, Janczewski saw that the
Border Patrol agent’s wife had a young daughter—and that he had
created a crowdfunding page on GoFundMe to raise money to legally
adopt the girl as his stepdaughter. “Fuck,” Janczewski thought to
himself. “Did he upload videos of the daughter?”

Janczewski looked back at Welcome to Video and saw that some of the
thumbnails of the videos uploaded by the person with this username
showed the sexual assault of a young girl about the daughter’s age. He
realized he now had a duty to separate this Border Patrol agent from
his victim as swiftly as possible.

For the next 10 days, Janczewski barely left his desk. He’d drive
home, eat dinner quickly with his family in their small Arlington,
Virginia, townhouse, then drive back to the office to work late, often
calling Bice and Faruqui well into the night.

“You are rarely in a situation where your time is zero-sum,” Faruqui
says. “Every moment we were not working on that case, a little girl
could be getting raped.”

Janczewski asked their undercover HSI agent to download the videos
that had been uploaded by the Texas agent, and he began the grueling
process of watching them one by one. A few videos in, he spotted
something that jolted the pattern-matching subroutines of his brain:
At one point in the recording, the girl in the video had a red flannel
shirt tied around her waist. He looked back at a photo of the girl
posted to the GoFundMe page and saw it: She was wearing the same red
flannel.

Was this Border Patrol agent an admin on Welcome to Video? A
moderator? It hardly mattered. Janczewski now believed he had found
the identity of an active child rapist who lived with his victim and
had been recording and sharing his crimes with thousands of other
users. The Texas man had earned a place at the very top of their
target list.

Two weeks before Christmas, on the 10th day after he’d identified the
Border Patrol agent, Janczewski flew to southern Texas, along with
HSI’s Thomas Tamsi and his team’s child-exploitation-focused
prosecutor, Lindsay Suttenberg. On a cool, dry evening about a hundred
miles from the Mexican border, Tamsi and a group of Texas State Police
officers tailed their target as he drove home from work and pulled him
over. Together with a group of FBI agents, they took the man to a
nearby hotel for questioning.

Meanwhile Janczewski and a group of local Homeland Security
investigators entered the man’s house and began to search for
evidence. The two-story home was run-down and messy, Janczewski
remembers—with the exception of the man’s well-organized home office
on the second floor, where they found his computer. Down the hall from
that office he came to the girl’s bedroom and immediately recognized
it as the scene where the videos uploaded by the man had been filmed.
On the wall he noticed a poster he’d seen in the recordings and
momentarily felt as though he’d fallen through the screen of his own
computer into the set of a horror film.

The IRS agent and prosecutor had brought with them an FBI interviewer
with child exploitation experience, who separated the girl from the
agents searching her home and took her to a safer location. The girl
eventually detailed to the interviewer the abuse she’d endured.

Shortly after the search of the Border Patrol agent’s home, Janczewski
arrived at the hotel room where other agents were questioning their
suspect. He saw, for the first time, the target of his last
week-and-a-half’s obsession. The man was tall and burly, still in his
uniform, with thinning hair. He initially refused to talk about any
physical abuse he might have committed, Janczewski says, but he
eventually confessed to possessing, sharing, and—finally—making child
sexual abuse videos.

Janczewski was struck by the dispassionate, almost clinical way the
man described his actions. He gave his interrogators the password to
his home computer, and an agent still at the house began pulling
evidence from the machine and sending it to Janczewski. It included
detailed spreadsheets of every child sexual exploitation video the man
had both amassed on his hard drives and, by all appearances, filmed in
his own home.

Another spreadsheet from the man’s computer contained a long list of
other Welcome to Video users’ login credentials. Under questioning,
the man explained his scheme: He would pose as an administrator in
messages he posted to the site’s chat page, then ask users who took
the bait to send him their usernames and passwords, which he’d use to
log in to their accounts and access their videos.

The Border Patrol agent had never been a Welcome to Video
administrator or moderator at all, only a particularly devious visitor
to the site, willing to scam his fellow users to support his own
appetites.

After an intense 10 days, they’d identified and arrested another
alleged child abuser, even rescued his victim. But as he flew back to
DC, Janczewski knew that Welcome to Video’s vastly larger network of
abuse remained very much intact. And until they took the site itself
down, it would continue to serve its videos—including the very ones
the Border Patrol agent had uploaded from his Texas home office—to an
anonymous throng of consumers just like him.

In early January of 2018, the DC investigators got word from Thomas
Tamsi that he and the team had arrested the other federal law
enforcement customer of Welcome to Video, the HSI agent who’d shown up
early in their blockchain tracing and subpoenas. Though seemingly
unconnected to the Border Patrol agent case, this second agent had
been based in Texas, too, less than an hour away from the home of the
man they had just raided.

Aside from that grim coincidence, the news of the HSI agent’s arrest
also meant that the DC team’s initial list of high-priority suspects
was finally checked off. They could move on to their primary target,
Son Jong-woo—and the Welcome to Video server under his control.

By February, that Korea-focused operation was coming together. Before
the Texas arrests, Janczewski, Gambaryan, Faruqui, and Tamsi had flown
to Seoul to meet the Korean National Police Agency. At a dinner set up
by the local HSI attaché, the director of the KNPA himself told
Tamsi—whose octopus-eating reputation preceded him—that the Americans
would have the help of his “best team.” Soon they had Son Jong-woo
under constant surveillance as he came and went from his home, an
apartment two and a half hours south of Seoul in the province of South
Chungcheong.

Now, in the depths of winter on the Korean peninsula, just a week
after Korea had hosted the Olympics in Pyeongchang, the American
agents arrived in Seoul again. Gambaryan had to stay behind for a
badly timed conference where the agency’s director had volunteered him
to speak. But Janczewski and Faruqui brought with them Aaron Bice and
Youli Lee, a Korean-American computer crime prosecutor on their team.
By this point, too, a growing international force had assembled around
the case. The UK’s National Crime Agency, which had launched its own
investigation into Welcome to Video just after Levin’s London visit,
sent two agents to Seoul, and the German Federal Police also joined
the coalition. It turned out the Germans had been pursuing the site’s
administrators independently, even before they’d learned about the
IRS’s investigation, but they’d never been able to secure the
cooperation of the Korean National Police.

At one point Faruqui remembers a German official asking him, as they
stood in the cold outside the Seoul hotel where they were staying, how
the Americans had gotten the Koreans on board so quickly. “Oh, Octopus
Guy,” Faruqui had explained. “You don’t have Octopus Guy. We have
Octopus Guy.”

For their first days in Seoul, the takedown team met repeatedly in the
Korean National Police offices to talk through their plans. Their
tracing of the IP address, based on Gambaryan’s fortuitous
right-click, seemed to show that the site’s server was located,
bizarrely, not in any web-hosting firm’s data center but in Son
Jong-woo’s own apartment—the evidentiary hub of a massive child sexual
abuse video network, sitting right in his home. That made things
simple: They would arrest him, tear his site offline, and use that
evidence to convict him. The team made a plan to grab him in his
apartment early on a Monday morning.

Then, on the Friday before, Janczewski got a cold. He spent much of
the weekend with prosecutor Youli Lee, dazedly wandering between
markets and stores in Seoul trying to pronounce gaseubgi, the Korean
word for humidifier. On Sunday evening, he took a dose of what he
hoped was a Korean equivalent of Nyquil—he couldn’t read the
label—with the intention of getting some sleep and recovering in time
to be at full strength for the arrest.

That’s when the KNPA alerted the team that the plan had changed: Son
had unexpectedly driven into Seoul for the weekend. Now the team
following his whereabouts believed he had begun a late-night drive
back to his home south of the city.

If the police could drive down to Son’s home that night and stake it
out, perhaps they could be there when he returned, ready to arrest him
at his door. That way he couldn’t destroy evidence or—another looming
concern after the death of their Washington, DC, target—commit
suicide. “We had to scramble,” Janczewski says.

That evening, Faruqui insisted the group put their hands in for a “Go
team!” cheer in their hotel lobby. Then he and Lee went up to their
rooms to go to bed. Janczewski—sick, half asleep from cold medication,
and clutching a pillow from his hotel room—walked out into the pouring
rain and got in a car with the HSI liaison to start the long
night-drive south. The HSI agent had begged Janczewski to take the
wheel of another car in the caravan, instead of an elderly Korean man
on his team who was, the agent said, a notoriously bad driver. But
Janczewski insisted he was far too medicated to navigate the dark, wet
highways of a country 7,000 miles from his home.

A few hours later, the team arrived in the parking lot of Son’s
apartment—a 10-story tower with a few small buildings on one side and
a vast, empty rural landscape on the other—to begin their long
stakeout in the rain. It was well past midnight when they saw Son’s
car finally pull into the parking garage of the complex.

A group of Korean agents had been waiting there for him. One
particularly imposing officer, whom the HSI agents referred to as
“Smiley”—because he never smiled—led a team of plainclothes police,
sidling into the elevator next to Son as he got inside. The agents
silently rode the elevator up to Son’s floor with him and stepped out
when he did. They arrested him, without resistance, just as he reached
his front door.

Throughout that arrest and the hours-long search of Son’s apartment
that followed, Janczewski and the other foreigners remained stuck in
their cars in the rain-drenched parking lot. Only the National Police
had authorization to lay hands on Son or enter his home. When the
Korean officers had the young Welcome to Video admin handcuffed, they
asked him if he’d consent to letting Janczewski or any of the
Americans come in as well. Son, unsurprisingly, said no. So Janczewski
was limited to a tour via FaceTime of the small and unremarkable
apartment that Son shared with his divorced father, the man with the
soiled hands in the first photo they’d examined, as the Korean agents
scoured it for evidence and seized his devices.

The Korean agent showing Janczewski around eventually pointed the
phone’s camera at a desktop computer on the floor of Son’s bedroom, a
cheap-looking tower-style PC with its case open on one side. The
computer’s guts revealed the hard drives that Son seemed to have
added, one by one, as each drive had filled up with terabytes of child
exploitation videos.

This was the Welcome to Video server.

“I was expecting some kind of glowing, ominous thing,” Janczewski
remembers, “and it was just this dumpy computer. It was just so
strange. This dumpy computer, that had caused so much havoc around the
world, was sitting on this kid’s floor.”

On the return trip, Janczewski learned exactly why the HSI liaison had
wanted him to drive the other car. The elderly HSI staffer behind the
wheel of the other vehicle in their caravan was somehow so disoriented
after a sleepless night that he turned the wrong way down a highway
exit ramp, narrowly avoiding a high-speed collision and terrifying his
passenger, Aaron Bice.

After barely averting that disaster, as the sun began to rise and the
rain let up, the group pulled over at a truck stop along the highway
to have a breakfast of gas-station instant ramen. Janczewski, still
sick and utterly exhausted, was struck by how anticlimactic it all
seemed. His team had located and extricated both the administrator and
the machine at the epicenter of the malevolent global network they
were investigating. He had been anticipating this moment for more than
six months. But he felt no elation.

There were no high fives, no celebrations. The agents got back in
their cars to continue the long drive back to Seoul.

The next day, after finally getting some sleep, Janczewski began to
see past the dreariness of the previous night’s operation to
understand just how lucky they had been. He learned from the forensic
analysts who had examined Son Jong-woo’s computers that Son hadn’t
encrypted his server. Everything was there: all of Welcome to Video’s
content, its user database, and the wallets that had handled all of
its Bitcoin transactions.

The scale of the video collection, now that they could see it in its
entirety, was staggering. There were more than 250,000 videos on the
server, more content by volume than in any child sexual abuse
materials case in history. When they later shared the collection with
the National Center for Missing and Exploited Children (NCMEC), which
helps to catalog, identify, and take down CSAM materials across the
internet, NCMEC found that it had never seen 45 percent of the videos
before. Welcome to Video’s uniqueness check and incentive system for
fresh content appeared to have served its purpose, motivating
countless new cases of recorded child abuse.

The real prize for the investigators, however, was the site’s user
information. The Korean National Police gave the US team a copy of
Welcome to Video’s databases, and they got to work in a US Embassy
building in Seoul, reconstructing those data collections on their own
machine. Meanwhile, to avoid tipping off the site’s users to the
takedown, they quickly set up a look-alike Welcome to Video homepage
on their own server, using the private key pulled from the real server
to take over its dark-web address. When users visited the site, it now
displayed only a message that it was under construction and would be
back soon with “upgrades,” complete with typos to mimic Son’s shoddy
English spelling.

Bice spent two days with his head down, rebuilding the site’s user
data in a form they could easily query—with Janczewski and Faruqui
standing behind him, pestering him to see if the system was ready yet.
When Bice was finished, the US team had a full directory of the site’s
pseudonymous users, listed by their Welcome to Video usernames. They
could now link every Bitcoin payment they had initially mapped out on
the blockchain with those usernames and look up exactly what content
each of those users had uploaded or downloaded.

By the time the Americans were ready to go home at the end of
February, they had integrated the de-anonymized identities from their
cryptocurrency exchange subpoenas into a searchable database. It
mapped out the entire Welcome to Video network, complete with users’
real-world names, photos, and—for those who had paid into the site—the
record of those payments and the exact child abuse videos those
customers had bought access to. “You could see the whole picture,”
Janczewski says. “It was like a dictionary, thesaurus, and Wikipedia
all put together.”

They had, arrayed before them, the fully revealed structure of Welcome
to Video’s global child exploitation ring—hundreds of exquisitely
detailed profiles of consumers, collectors, sharers, producers, and
hands-on abusers alike. Now the final phase of the case could begin.

Over the weeks that followed, Thomas Tamsi’s team in Colorado began
sending their Welcome to Video dossiers to HSI agents, local police,
and foreign police agencies around the world. These “targeting
packages” included descriptions of the suspects, the record of their
transactions, any other evidence they’d assembled about them,
and—given that they were being sent out to law enforcement agents who
had in some cases never been involved in a cryptocurrency-related
investigation—short primers on how Bitcoin and its blockchain worked.

There would be no coordinated, global takedown, no attempt to create
shock and awe with simultaneous arrests. The case’s defendants were
far too distributed and international for that kind of synchronized
operation. Instead, searches, arrests, and interviews began to roll
out across the globe—prioritized by those they’d learned might be
active abusers, then uploaders, and finally downloaders. Slowly, as
Welcome to Video’s users were confronted, one by one, the DC team
began to hear back about the results of their work—with harrowing,
sometimes gratifying, often tragic outcomes.

A Kansas IT worker—whose arrest they’d prioritized when they found
that his wife ran an at-home daycare for infants and toddlers—had
deleted all of his child abuse videos from his computer before the
agents arrived. Prosecutors say he later confessed when remnants of
the files in the computer’s storage matched their records from the
Welcome to Video server.

When the agents came for a twentysomething man in New York, his father
blocked the door of their apartment, thinking at first that it was a
break-in. But when agents explained what their warrant was for, he
turned on his son and let them in. The son, it later turned out, had
sexually assaulted the daughter of a family friend and surreptitiously
recorded another young girl through her webcam, according to
prosecutors.

A repeat offender in Washington, DC, tried to commit suicide when the
HSI team entered his home; he hid in his bathroom and slit his own
throat. One of the arresting agents happened to have training as an
Army medic. He managed to slow the bleeding and keep the man alive.
They later found 450,000 hours of child abuse videos on his
computers—including recordings of the girl in Texas that had been
uploaded by the Border Patrol agent.

As months passed, the stories continued to pile up, a mix of the
sordid, sad, and appalling. An elderly man in his seventies who had
uploaded more than 80 child abuse videos. A man in his early twenties
with traumatic brain damage, whose medication had heightened his
sexual appetites and reduced his impulse control, and who was deemed
to have the same level of cognitive development as the preteens whose
abuse he’d watched. A New Jersey man whose communications, when they
were revealed through a search warrant, seemed to show his
negotiations to purchase a child for his own sexual exploitation.

Thomas Tamsi, as the lead HSI agent on the case, coordinated more
Welcome to Video arrests than anyone else—more than 50, by his
count—and was present for enough of them that they became a blur in
which only the most jarring moments remain distinct in his mind. The
mostly nude defendant he found in a basement. The suspect who told him
he had been involved in the Boy Scouts and that “children had always
been attracted” to him. Parents of victims who vehemently denied that
a family friend could have done the things Tamsi described, and whose
faces then went white as he slid printouts of redacted screenshots
across the table.

The cases spanned the globe, well beyond the US. Dozens of Welcome to
Video users were arrested in the Czech Republic, Spain, Brazil,
Ireland, France, and Canada. In England, where the entire case had
started with an agent’s tip to Levin, the country’s National Crime
Agency arrested one 26-year-old who had allegedly abused two
children—one of whom they found naked on a bed in his home—and
uploaded more than 6,000 files to the site. In another international
case, a Hungarian ambassador to Peru who downloaded content from
Welcome to Video was found to have more than 19,000 CSAM images on his
computer. He was quietly removed from his South American post, taken
to Hungary, and charged; he pleaded guilty.

For the DC team, many of the international cases fell into a kind of
black hole: One Saudi Arabian Welcome to Video user returned to his
home country and was captured by that country’s own law enforcement.
Faruqui and Janczewski say they never heard what happened to the man;
he was left to the Saudis’ own justice system, which sentences some
sex criminals to the Sharia-based punishments of whipping or even
beheading. When agents searched the car of a Chinese national living
near Seattle with a job at Amazon, they found a teddy bear, along with
a map of playgrounds in the area, despite the man having no children
of his own. The man subsequently fled to China and, as far as
prosecutors know, was never located again.

In each of the hundreds of intelligence packets that the team sent
out, Chris Janczewski’s contact was listed as the number to call with
any questions. Janczewski found himself explaining the blockchain and
its central role in the case again and again, to HSI agents and local
police officers around the US and the world, many of whom had never
even heard of Bitcoin or the dark web. “You get this lead sent to you
that says, ‘Here’s this website and this funny internet money,’”
Janczewski says, imagining how those on the receiving end of the
intelligence packets must have seen it, “and now you need to go arrest
this guy because some nerd accountant says so.”

In total, Janczewski traveled to six countries and spoke to more than
50 different people to help explain the case, often multiple times
each—including one US prosecutor and agent team with whom he had more
than 20 conversations. (“Some were a little more high maintenance,
respectfully, than others,” he says.) Bice, who oversaw the
reconstructed server data, says he spoke to even more agents and
officers—well over a hundred, by his count.

Ultimately, from the beginning of the case through the year and a half
that followed the server seizure, global law enforcement would arrest
no fewer than 337 people for their involvement with Welcome to Video.
They also removed 23 children from sexually exploitative situations.

Those 337 arrests still represented only a small fraction of Welcome
to Video’s total registered users. When the US team examined their
copy of the server data in Korea, they had found thousands of accounts
on the site. But the vast majority of them had never paid any bitcoins
into the site’s wallets. With no money to follow, the investigators’
trail usually went cold.

If not for cryptocurrency, in other words, and the years-long trap set
by its purported untraceability, the majority of the 337 pedophiles
arrested in the Welcome to Video case—and their rescued victims—likely
never would have been found.

The IRS and the US attorneys’ office in DC had taken an unprecedented
approach, treating a massive child sexual abuse materials case as a
financial investigation, and it had succeeded. Amidst all their
detective work, it had been Bitcoin’s blockchain that served as their
true lodestar, leading them through a landmark case. Without crypto
tracing, Faruqui argues, they would never have managed to map out and
identify so many of the site’s users.

“That was the only path through this darkness,” he says. “The darker
the darknet gets, the way that you shine the light is following the
money.”

Throwing money-laundering investigators into the deep end of the
internet’s CSAM cesspool, however, had taken its toll. Almost every
member of the team had children of their own, and almost all of them
say they became far more protective of those children as a result of
their work, to the degree that their trust in the people around their
family has been significantly damaged.

Janczewski, who after the case moved from DC to Grand Rapids,
Michigan, won’t let his children ride their bikes to school on their
own, as he himself did as a child. Even seemingly innocent
interactions—like another friendly parent who offers to watch his kids
at the other end of a swimming pool—now trigger red alerts in his
mind. Youli Lee says she won’t allow her 9- and 12-year-old children
to go into public bathrooms by themselves. Nor will she allow them to
play at a friend’s house unless the friend’s parents have top-secret
security clearances—an admittedly arbitrary rule, but one she says
ensures the parents have at least had a background check.

Faruqui says the 15 or so videos he watched as part of the
investigation remain “indelibly seared” into his brain and have
permanently heightened his sense of the dangers the world presents to
his children. He and his wife argue, he says, about his overprotective
tendencies. “You always see the worst of humanity, and so you’ve lost
perspective,” he quotes his wife telling him. “And I say, ‘You lack
perspective, because you don’t know what’s out there.’”

Gambaryan’s wife Yuki says the Welcome to Video case was the only time
her hard-shelled, Soviet-born husband ever discussed a case with her
and confessed that it had gotten to him—that he was struggling with it
emotionally. Gambaryan says that it was, in particular, the sheer
breadth of the cross-section of society that participated in the
site’s abuse that still haunts him.

“I saw that everybody’s capable of this: doctors, principals, law
enforcement,” he reflected. “Whatever you want to call it, evil, or
whatever it is: It’s in everybody—or it can be in anybody.”

In early July of 2020, Son Jong-woo walked out of a Seoul penitentiary
wearing a black long-sleeve T-shirt and carrying a green plastic bag
of his belongings. He had spent, due to Korea’s lenient laws on child
sexual abuse, just 18 months in prison.

US prosecutors, including Faruqui, had argued that he should be
extradited to the United States to face charges in the American
justice system, but Korea had denied their request. Welcome to Video’s
convicted creator and administrator was free.

The DC-based team that worked the Welcome to Video case remains deeply
dissatisfied with Son’s mystifyingly light sentence for running, by
some measures, the biggest child sexual abuse materials website in
history. But Janczewski says he’s comforted by the outcry in Korean
society over the case. The country’s social media exploded in anger
over Son’s quick release. More than 400,000 people signed a petition
to prevent the judge in the case from being considered for a seat on
the country’s supreme court. One Korean lawmaker put forward a bill to
allow appeals to extradition judgments, and the country’s National
Assembly introduced new legislation to strengthen punishments for
sexual abuse online and downloading child sexual abuse materials.

In the US, meanwhile, the ripple effects of the case continued for
years. Janczewski, Bice, and Suttenberg say that they still get calls
from law enforcement officials following the leads they assembled. On
the computer of the DC investigators’ very first test case—the former
congressional staffer who committed suicide—they found evidence in a
cryptocurrency exchange account that he’d also paid into a different
source of dark-web sexual materials. They followed those payments to a
site called Dark Scandals, which turned out to be a smaller but
equally disturbing dark-web repository of sexual abuse recordings.

Janczewski, Gambaryan, and the same group of prosecutors pursued that
Dark Scandals case in parallel with the tail end of the Welcome to
Video investigation, similarly following blockchain leads to trace the
site’s cash-outs. With the help of the Dutch national police, they
arrested the site’s alleged administrator in the Netherlands, a man
named Michael Rahim Mohammad, who went by the online handle “Mr.
Dark.” He faces criminal charges in the US, and his case is ongoing.

From the perspective of Welcome to Video’s money-laundering-focused
agents and prosecutors, perhaps the most interesting of the ripple
effects of the case stemmed from the fate of the HSI agent they had
arrested in Texas, just before their trip to carry out the site
takedown in Korea. The Texan man had taken a rare approach to his
legal defense: He’d pleaded guilty to possession of child sexual abuse
materials, but he also appealed his conviction. He argued that his
case should be thrown out because IRS agents had identified him by
tracking his Bitcoin payments—without a warrant—which he claimed
violated his Fourth Amendment right to privacy and represented an
unconstitutional “search.”

A panel of appellate judges considered the argument—and rejected it.
In a nine-page opinion, they explained their ruling, setting down a
precedent that spelled out in glaring terms exactly how far from
private they determined Bitcoin’s transactions to be.

“Every Bitcoin user has access to the public Bitcoin blockchain and
can see every Bitcoin address and its respective transfers. Due to
this publicity, it is possible to determine the identities of Bitcoin
address owners by analyzing the blockchain,” the ruling read. “There
is no intrusion into a constitutionally protected area because there
is no constitutional privacy interest in the information on the
blockchain.”

A search only requires a warrant, the American judicial system has
long held, if that search enters into a domain where the defendant has
a “reasonable expectation of privacy.” The judges’ ruling argued that
no such expectation should have existed here: The HSI agent wasn’t
caught in the Welcome to Video dragnet because IRS agents had violated
his privacy. He was caught, the judges concluded, because he had
mistakenly believed his Bitcoin transactions to have ever been private
in the first place.

Chris Janczewski says the full impact of the Welcome to Video case
didn’t hit him until the day in October 2019 when it was finally
announced in public and a seizure notice was posted to the site’s
homepage. That morning, Janczewski received an unexpected call from
the IRS commissioner himself, Charles Rettig.

Rettig told Janczewski that the case was “this generation’s Al
Capone”—perhaps the highest compliment that can be bestowed within
IRS-CI, where the story of Capone’s takedown for tax evasion holds
almost mythical status.

That same day, the Justice Department held a press conference to
announce the investigation’s results. US attorney Jessie Liu gave a
speech to a crowd of reporters about what the case represented—how
following the money had allowed agents to score a victory against “one
of the worst forms of evil imaginable.”

Chainalysis’ Jonathan Levin sat in the audience. Afterward, an IRS
official named Greg Monahan, who had supervised Gambaryan and
Janczewski, came over to thank Levin for his role in the case. It had
all started, after all, with Levin’s tip to two bored IRS agents in
the Bangkok airport. Monahan told Levin that it was the most important
investigation of his career, that he could now retire knowing he had
worked on something truly worthwhile.

Levin shook the IRS-CI supervisor’s hand. Neither he nor Monahan could
know, at that time, of the cases still to come: that IRS-CI and
Chainalysis would together go on to disrupt North Korean hackers,
terrorism financing campaigns, and two of the largest
bitcoin-laundering services in the world. Or that they would track
down close to 70,000 bitcoins stolen from the Silk Road and another
120,000 stolen from the exchange Bitfinex, totaling to a value of more
than $7.5 billion at today’s exchange rates, the largest financial
seizures—crypto or otherwise—in the Department of Justice’s history.

But as he answered Monahan, Levin thought again of the blockchain’s
bounty of evidence: the countless cases left to crack, the millions of
cryptocurrency transactions eternally preserved in amber, and the
golden age of criminal forensics it presented to any investigator
ready to excavate them.

“There’s so much more to do,” Levin said. “We’re just getting started.”

