Wired Magazine: Thanks to Bitcoin, the biggest child abuse site on the web was destroyed

Author: Old yuppie

They thought their payments were untraceable, but they were dead wrong. The untold story of the case shatters the myth of Bitcoin's anonymity.

Source: Wired, by Andy Greenberg, slightly modified

01

One early morning in the fall of 2017, in a middle-class suburb of Atlanta, Chris M. Janczewski stood alone at the door of a house he had not been invited to enter.

Minutes earlier, Homeland Security Investigations agents in bulletproof vests had taken up positions around the neat two-story brick house and pounded on the front door, swarming in when a family member who lived there opened it. Janczewski, a criminal investigator at the IRS, quietly followed behind and watched as the agents searched the home and seized electronic devices.

This story is excerpted from the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

They separated the family and placed the father, the vice principal of a local high school and the subject of their investigation, in one room; his wife in another; and the two children in a third. An agent turned on the television and played a program from the Mickey Mouse Club, trying to distract the children from the intrusion and the interrogation.

For this raid, Janczewski had flown in from Washington, D.C., only as an observer, to watch and advise the local Department of Homeland Security team as it executed the search warrant. But it was Janczewski's investigation that had brought the agents to this seemingly ordinary house. He had brought them here on the basis of a strange, nascent form of evidence. Janczewski had followed links in the Bitcoin blockchain, one after another, until the chain connected this ordinary home to an extremely brutal place on the internet, and then connected that place to hundreds of people around the world. All were complicit in the same vast and indescribable network of abuse. All were on Janczewski's long list of targets.

Over the past few years, Janczewski and his partner Tigran M. Gambaryan, along with a small group of investigators at a growing number of three-letter agencies in the United States, had used this newly discovered technique to trace a cryptocurrency once thought untraceable, uncovering one unprecedented, epic crime after another. But these methods had never before led them to a case in which the fate of so many people, both victims and perpetrators, seemed to hinge on this new form of forensics. That morning's search in the suburbs near Atlanta made Janczewski realize for the first time just how high the stakes were. As he later put it, it was a "proof of concept".

From where Janczewski stood at the front of the house, he could hear the Homeland Security agents talking to the father, who answered in an intermittent, resigned voice. He heard agents in another room questioning the man's wife; she replied that yes, she had found certain pictures on her husband's computer, but he had told her that he had downloaded them accidentally while pirating music. In the third room, he could hear the two school-age children, about the same age as Janczewski's own, watching television. They were going to have a snack and seemed to know nothing about the tragedy that was taking place in their house.

Janczewski remembers how hard the moment hit him: this was a high school administrator, a husband and father of two. Whether he was guilty or not, the accusations this law enforcement team was making against him, simply by showing up in his home, would almost certainly ruin his life.

Once again, Janczewski thought of the investigative method that had brought them here, like a digital divining rod revealing a layer of illegal connections hidden beneath the visible world. He hoped, not for the last time, that it had not led him astray.

A few months earlier, on the south bank of the River Thames in London, South African-born tech entrepreneur Jonathan Levin walked into the headquarters of Britain's National Crime Agency. A friendly agent took him to the second floor, led him through the office kitchen, and poured him a cup of tea.

The two men, holding cups of tea, sat down at the agent's desk. Levin was there on a routine customer visit, to find out how the agent and his colleagues were using the software developed by the company he had co-founded. The company, called Chainalysis, is the world's first tech company to focus on tracking cryptocurrencies. The NCA is one of dozens of law enforcement agencies around the world that have learned to use Chainalysis software to turn the digital underworld's preferred means of exchange into its Achilles' heel.

When Bitcoin first appeared in 2008, one of the basic promises of the cryptocurrency was that its ledger showed only which bitcoins were held at which Bitcoin addresses, without any information about the identity of their owners. This layer of obscurity left many early adopters with the impression that Bitcoin might be the completely anonymous internet cash that liberals and crypto-anarchists had long awaited: a new financial world where digital briefcases filled with unmarked bills could change hands in an instant anywhere in the world.

Bitcoin's mysterious inventor, Satoshi Nakamoto, even wrote in an early email describing the cryptocurrency that "participants can be anonymous." Thousands of users of dark web black markets such as Silk Road adopted Bitcoin as their central payment mechanism. But the counterintuitive truth about Bitcoin, on which Chainalysis built its business, is that every Bitcoin payment is recorded in its blockchain, a permanent, immutable, and completely public record of every transaction in the Bitcoin network. The blockchain ensures that coins cannot be forged or spent more than once. But it achieves this by making everyone in the Bitcoin economy a witness to every transaction. In a sense, every criminal payment is a piece of conclusive evidence in broad daylight.

Within a few years of Bitcoin's advent, academic security researchers, and subsequently Chainalysis, began tearing holes in the mask separating Bitcoin users' addresses from their true identities. They could follow bitcoins on the blockchain as they moved from one address to another until they reached an address that could be linked to a known identity. In some cases, an investigator could learn someone's Bitcoin address by making a transaction with them, just as an undercover drug enforcement agent might make a buy. In other cases, they could trace a target's coins to an account at a cryptocurrency exchange, where financial regulations require users to prove their identity. At that point, a quick subpoena to the exchange from one of Chainalysis' law enforcement customers was enough to strip away any illusion of Bitcoin's anonymity.

Chainalysis combined these techniques for de-anonymizing Bitcoin users with methods that let it "cluster" addresses, showing that anywhere from tens to millions of addresses can belong to a single person or organization. For example, when bitcoins from two or more addresses are spent in a single transaction, it indicates that whoever created that "multi-input" transaction must control both spender addresses, allowing Chainalysis to merge them into a single identity. In other cases, Chainalysis and its users follow "peel chains", a process similar to tracking a wad of cash as its owner repeatedly takes it out, peels off a few bills, and puts the rest back in a different pocket. In a peel chain, bitcoins move out of one address, a portion is paid to a recipient, and the remainder returns to the spender at a "change" address. Identifying these change addresses allows investigators to follow a sum of money as it hops from one address to the next, tracing its path through the noise of the Bitcoin blockchain.
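An added example, not from the original article and not Chainalysis's code, of the two heuristics just described: merging co-spent input addresses into clusters and following a peel chain through its change addresses. The ledger is constructed, and treating the larger output of a one-input, two-output transaction as the change is a simplifying assumption.

```python
from collections import defaultdict

# Constructed toy ledger (not real blockchain data). Each transaction spends
# from `inputs` (addresses) and pays `outputs` as (address, amount) pairs.
TXS = [
    {"txid": "t1", "inputs": ["W1", "W2"], "outputs": [("X1", 1.5)]},
    {"txid": "t2", "inputs": ["W2", "W3"], "outputs": [("X2", 0.7), ("W4", 0.1)]},
    {"txid": "t3", "inputs": ["U1"], "outputs": [("W1", 0.05)]},
    {"txid": "t4", "inputs": ["P0"], "outputs": [("M1", 0.5), ("P1", 9.5)]},
    {"txid": "t5", "inputs": ["P1"], "outputs": [("P2", 8.5), ("M2", 1.0)]},
    {"txid": "t6", "inputs": ["P2"], "outputs": [("M3", 0.4), ("P3", 8.1)]},
]


class UnionFind:
    """Disjoint-set forest used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def follow_peel_chain(txs, start):
    """Walk a peel chain from `start`; return (txid, payee, amount, change) hops.

    Assumption: a peel step is a one-input, two-output transaction and the
    larger output is the remainder going back to the spender as change.
    """
    # Toy simplification: one peel-style spend per address.
    spends = {tx["inputs"][0]: tx for tx in txs
              if len(tx["inputs"]) == 1 and len(tx["outputs"]) == 2}
    hops, seen, addr = [], {start}, start
    while addr in spends:
        tx = spends[addr]
        small, large = sorted(tx["outputs"], key=lambda out: out[1])
        if small[1] == large[1] or large[0] in seen:
            break  # no basis for picking the change, or address reuse loop
        hops.append((tx["txid"], small[0], small[1], large[0]))
        seen.add(large[0])
        addr = large[0]
    return hops


def build_clusters(txs, peel_starts=()):
    """Return address clusters (largest first) as sorted lists."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.find(addr)
        for addr, _amount in tx["outputs"]:
            uf.find(addr)
        # Multi-input heuristic: addresses co-spent in one transaction
        # are controlled by the same party.
        for other in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], other)
    # Change addresses found along a peel chain belong to the chain's owner.
    for start in peel_starts:
        for _txid, _payee, _amount, change in follow_peel_chain(txs, start):
            uf.union(start, change)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for hop in follow_peel_chain(TXS, "P0"):
        print("peel hop:", hop)
    for cluster in build_clusters(TXS, peel_starts=["P0"]):
        print("cluster:", cluster)
```

Note that U1, a customer paying into W1 with a single-input transaction, is not merged into the W cluster: paying an address is not evidence of controlling it.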

Thanks to these tricks, Bitcoin has turned out to be effectively the opposite of "untraceable": a ledger that has dutifully recorded evidence of its users' dirty transactions for years. By 2017, agencies such as the FBI, the Drug Enforcement Administration, and the IRS's Criminal Investigation Division had traced bitcoin transactions in one investigation after another with the help of Chainalysis.

These cases started small but gained momentum. Investigators traced the transactions of two corrupt federal agents and found that, before Silk Road was taken down in 2013, one agent had stolen bitcoin from the dark web market and another had sold law enforcement intelligence to its creator, Ross Ulbricht. Next, they traced $500 million in bitcoin stolen from the Mt. Gox exchange and showed that the proceeds had been laundered by Russian administrators at another crypto exchange, BTC-e, eventually locating that exchange's servers in New Jersey. Finally, they followed the trail of bitcoins to confirm the identity of the founder of AlphaBay, a dark web market that had grown to 10 times the size of Silk Road. (In fact, as Levin was talking to the NCA agent, a coalition of six law enforcement agencies was gathering in Bangkok to arrest AlphaBay's creator.)

Levin was, as always, on the lookout for Chainalysis's next major investigation. After discussing several open cases with him, the NCA agent mentioned an ominous website on the dark web that had recently come to the agency's attention. The website was called "Welcome to Video".

The National Crime Agency had stumbled upon the site in a horrific case involving a criminal named Matthew Falder. Falder, an academic in Manchester, England, would pretend to be a female artist, ask strangers on the internet for nude photos, and then threaten to share those photos with their family or friends unless the victims recorded themselves carrying out increasingly degrading and depraved acts. Eventually, he would force his victims to harm themselves and even sexually abuse others on camera. By the time of his arrest, he had targeted 50 people, at least 3 of whom had attempted suicide.

On Falder's computer, the NCA discovered that he was a registered user of Welcome to Video, a criminal enterprise whose scale dwarfed even Falder's atrocities. That lead was then passed from the NCA's child exploitation investigation team to its computer crimes group, which included the cryptocurrency-focused agent at whose desk Levin now sat. Welcome to Video was one of the few websites that sold child sexual abuse clips in exchange for bitcoin. Even at a glance, its library of images and videos was huge, and it was being accessed, and frequently updated with brand-new material, by an ever-expanding user base around the world.

The kind of imagery trafficked on Welcome to Video is increasingly referred to by child advocates and law enforcement as "child sexual abuse material", a term meant to remove any doubt that it involves violence against children. CSAM has for years represented a vast undercurrent of the dark web, which is made up of thousands of websites protected by anonymity software such as Tor and I2P. Used by millions of people around the world seeking to avoid online surveillance, these anonymity tools have also become the shadow infrastructure for a repugnant network of abuse, often frustrating law enforcement efforts to identify the visitors or administrators of CSAM websites.

The NCA agent showed Levin a Bitcoin address that the agency had determined was part of Welcome to Video's financial network. Levin suggested they load it into Reactor, Chainalysis's cryptocurrency-tracing software tool. He put down his teacup, pulled his chair up to the agent's laptop, and began charting the site's collection of addresses on the Bitcoin blockchain, which represented the wallets where Welcome to Video had received payments from thousands of customers.

He was taken aback by what he saw: many users of the child abuse site and its administrators did almost nothing to cover up their cryptocurrency tracks. The entire criminal payment network, which was intended to be kept secret, was exposed to him.

Over the years, Levin had watched some darknet operators figure out his company's crypto-tracing tricks. They would try to throw off investigators by routing funds through a large number of intermediary addresses or "mixer" services, or by using the harder-to-trace cryptocurrency Monero. But when he saw the Welcome to Video cluster in the NCA office that day, Levin immediately saw that its users were much more naïve. Many had simply bought bitcoin from a cryptocurrency exchange and sent it directly from their own wallet to Welcome to Video.

The contents of the site's wallets were cashed out at several exchanges, Bithumb and Coinone in South Korea and Huobi in China, where they were converted into traditional currency. Someone seemed to have been using large multi-input transactions to collect the site's funds and then cash them out. That made it easy for Reactor to automatically cluster thousands of addresses at once, determining that they all belonged to a single service, which Levin could now label in the software as Welcome to Video. What's more, Levin could see that the exchanges surrounding and connected to that cluster might hold the data needed to identify a vast number of the site's anonymous users: not just who was cashing out bitcoin from the site, but also who was buying bitcoin and paying it in. The blockchain connections between Welcome to Video and its customers were among the most obvious criminal connections Levin had ever seen.

These consumers of child sexual abuse material seemed completely unprepared for the state of modern financial forensics on the blockchain. By the standards of the cat-and-mouse game Levin had played for years, Welcome to Video was like a hapless rodent that had never met a predator.

As he sat in front of the NCA agent's laptop, Levin realized, perhaps more clearly than ever before, that he was living in a "golden age" of cryptocurrency tracing, in which blockchain investigators like those at Chainalysis had gained a significant lead over their targets. He remembers thinking, "We've created something very powerful, and we're one step ahead of these operators. You have committed heinous crimes, and our technology has broken through them in an instant and revealed with very clear logic who is behind it."

Seeing that someone had cashed out most of Welcome to Video's revenue through two exchanges in South Korea, Levin could already guess that the administrator was most likely located there. Many of the site's users appeared to have paid the site directly from the addresses where they had bought coins at exchanges such as Coinbase and Circle in the United States. Taking down this global network of child abuse might require only the involvement of one more law enforcement agency, in the United States or South Korea, that could demand detailed information from those exchanges. Levin had just such an agency in mind.

"Some people might be interested," he told NCA agents.

But first, as he prepared to leave, Levin silently memorized the first five characters of the Welcome to Video address the agent had shown him. Chainalysis' Reactor software has a feature that autocompletes a Bitcoin address from its first few unique numbers or letters. Five characters would be enough: a short password to unlock a living map of a global criminal conspiracy.

02

It was night in Thailand when Levin spoke with Chris Janczewski and Tigran Gambaryan. On that evening in early July 2017, the two IRS special investigators were sitting in Bangkok's Suvarnabhumi airport, frustrated at having been sidelined in the largest darknet market takedown in history.

By 2017, the IRS had mastered some of the most ingenious cryptocurrency tracking tools in the U.S. government. In fact, it was Gambaryan who tracked down the bitcoins of two corrupt agents during the Silk Road investigation and then cracked the BTC-e money laundering case. Through a partnership with Levin, Gambaryan even tracked down AlphaBay's servers and located them in a data center in Lithuania.

However, when Gambaryan and Janczewski came to Bangkok for the arrest of AlphaBay's administrator, the French-Canadian Alexandre Cazes, they were excluded from the inner circle of Drug Enforcement Administration and FBI agents in charge of the operation. They were not invited to the scene of Cazes's arrest, or even to the office where other agents and prosecutors watched a live video feed of the arrest.

This was typical for Gambaryan and Janczewski. IRS-CI agents, like their counterparts at the FBI and the Drug Enforcement Administration, do investigative work, carry guns and make arrests. But because of the IRS's poor public image, they often found other agents treating them like accountants. When they were introduced at meetings, peers from other law enforcement agencies would joke, "Don't audit me." Most IRS-CI agents had heard the line so many times that it drew an instant eye roll.

With nothing to do in Bangkok, Gambaryan and Janczewski spent a lot of time thinking about their next case, browsing Reactor, Chainalysis' blockchain-tracing software, for inspiration. Darknet markets like AlphaBay seemed to have been thrown into disarray by the Thailand operation, and it would take months or even years for them to recover. The agents considered taking on a dark web gambling site. But illegal online casinos didn't seem worth their attention.

On the day they left Thailand, Gambaryan and Janczewski arrived at the airport to find their flight to Washington severely delayed. Stuck in the terminal with hours to kill, they sat half-dozing, bored. To pass the time, Gambaryan decided to call Levin at Chainalysis to discuss their next case. When Levin picked up the phone, he had news for them. He had been looking into a website that didn't fit the IRS's usual targets, but he hoped they would be willing to check it out: Welcome to Video.

Child sexual exploitation cases have historically been the province of the FBI and the Department of Homeland Security rather than the IRS. In part, that's because pictures and videos of child sexual abuse are often shared without any money changing hands, in what investigators call a "baseball card trading" system, which puts them outside the IRS's jurisdiction. Welcome to Video was different. It had a money trail, and a very clear one.

Shortly after returning to Washington, Gambaryan and Janczewski brought in a technology analyst named Aaron Bice from a contract technology company called Excygent, with whom they had investigated the cryptocurrency exchange BTC-e. Together they charted Welcome to Video in Reactor and saw what Levin had immediately realized: how plainly it presented itself as a target. Its entire financial structure lay in front of them, thousands of Bitcoin addresses clustered together, many of them making almost undisguised payments to and withdrawals from exchanges. Soon, Janczewski brought the case to federal prosecutor Zia Faruqui. Faruqui immediately agreed to take on Welcome to Video and formally opened an investigation.

Gambaryan, Janczewski, Bice and Faruqui formed a team dedicated to taking down a massive child exploitation network. Janczewski is a tall Midwestern agent with a square chin, like a hybrid of Sam Rockwell and Chris Evans, who wears horn-rimmed glasses when looking at a computer screen. He had proved his abilities in counterterrorism, drug smuggling, government corruption and tax evasion cases, and was later recruited from the IRS office in Indiana to the Computer Crime Group in Washington, D.C. Bice is an expert in data analysis and, in Janczewski's words, has the computer skills of a "cyborg." Faruqui is an assistant U.S. prosecutor with extensive experience in national security and money laundering prosecutions. He has an almost manic focus and nervous energy, speaks comically fast, and, as far as his colleagues can tell, barely sleeps. Then there's Gambaryan, an agent with thick hair and a neat beard who, by 2017, had become the IRS's cryptocurrency whisperer and dark web expert. Faruqui called him the "Bitcoin Jesus."

However, none of the four had ever worked a child sexual exploitation case. They had no training in handling images and videos of child abuse, the mere possession of which is a felony for ordinary Americans. They were not emotionally or psychologically prepared for the images they were about to be exposed to.

Still, when the two agents showed Faruqui what they had seen in the blockchain, the prosecutor wasn't daunted by their collective inexperience in child exploitation cases. As a lawyer focused on money laundering, and faced with the evidence of criminal payments that Janczewski and Gambaryan had handed him, he saw no reason why they couldn't treat Welcome to Video as fundamentally a financial investigation.

"We will treat this case like any other case," he said. "We will investigate this matter by tracking the funds."

Janczewski remembers feeling a dazed shock when he saw a set of thumbnails alone, and his brain almost refused to accept everything it saw. Illustration: PARTY OF ONE STUDIO

When Janczewski and Gambaryan first copied the URL mt3plrzdiyqf6jim.onion, they were greeted by a bare website with only the words "Welcome to video" and a login prompt. They each registered a username and password and entered.

After that first greeting page, the website displayed a seemingly endless collection of video titles and thumbnails, arranged in squares of four still frames per video, apparently selected automatically from the frames of each file. These little pictures were a catalogue of scene after scene of children being sexually abused and raped.

The agents had braced themselves to see these images, but they were still unprepared for the reality. Janczewski remembers the dazed shock he felt when he saw the thumbnails, his brain almost refusing to accept what it was seeing. He found that the site had a search page, headed with the misspelled words "Serach videos." Below the search bar, it listed the popular keywords users had entered. The first was "one year old" and the second was "two years old".

Janczewski thought at first he must have misunderstood. He had expected to see records of sexual abuse of adolescents or minors. But as he scrolled the mouse, he found that the site was filled with videos of abusing young children and even babies.

"Is this true? No," Janczewski says, numbly recounting his reaction when he first visited the site. "There's so much video on this? No. This can't be true."

The two agents knew that at some point they would have to actually watch at least some of the advertised videos. But fortunately, on their first visit to the site, they could not access them; to do so, they would have had to pay bitcoins to an address the website provided to each registered user, buying "points" that could then be spent on downloads. Since they weren't undercover agents, they didn't have authorization to buy those points, and they weren't particularly eager to either.

There was a copyright date at the bottom of the website: March 13, 2015. Welcome to Video had been online for over two years. Even at a glance, it had grown into one of the largest libraries of child sexual abuse videos that law enforcement had ever seen.

Janczewski and Gambaryan analyzed the site's mechanics and found that users could obtain points not only by buying them but also by uploading videos. The more those videos were subsequently downloaded by other users, the more points the uploader earned. "Don't upload adult pornography," the upload page instructed. The page also warned that uploaded videos would be checked for uniqueness; only new material would be accepted, a feature that, to the agents, appeared designed to encourage more child abuse.

However, Gambaryan found the most disturbing part of the site to be a chat page where users could comment and react. The page was filled with posts in various languages, hinting at the site's international reach. Most of the discussions made Gambaryan shudder: they were the kind of casual comments one might find on a regular YouTube channel.

For years, Gambaryan had hunted down a wide variety of criminals, from small-scale fraudsters to corrupt federal law enforcement colleagues to cybercrime bosses. He usually felt he could fundamentally understand his targets. Sometimes, he even developed sympathy for them. "Some of the drug dealers I know may be more humane than some white-collar tax evaders," he muttered. "I can understand some of these criminals. Their motivation is simply greed."

But now he had entered a world where people were driven by motives he could not understand. Having spent his childhood in war-torn Armenia and post-Soviet Russia and his career investigating the criminal underground, he considered himself intimately familiar with the worst things people could do. Now he felt he had been naïve: his first look at Welcome to Video exposed and destroyed the hidden remnants of his idealism about human nature. "It killed a small part of me," Gambaryan said.

When Gambaryan and Janczewski saw firsthand what Welcome to Video really stood for, they realized the urgency of the case surpassed even that of an ordinary dark web investigation. Every day the site stayed online, more children were abused.

Gambaryan and Janczewski knew that their best clues were still on the blockchain. Crucially, the site didn't seem to have any mechanism for its customers to withdraw funds from their accounts. There was only an address to which they could pay for points on the site. This meant that the more than $300,000 worth of bitcoins they could see flowing out of the site almost certainly belonged to the site's administrators.

Gambaryan began reaching out to his contacts in the Bitcoin community, looking for exchange staff who might know executives at the two South Korean exchanges, Bithumb and Coinone, where most of Welcome to Video's funds had been cashed out, and at a U.S. exchange that had received a small portion of the money. He found that as soon as the issue of child exploitation was mentioned, the cryptocurrency industry's usual resistance to government intervention seemed to evaporate. "No matter what kind of libertarian you want to be, that's everyone's bottom line," Gambaryan said. Even before he had sent a formal legal request or subpoena, employees at the three exchanges were ready to help. They promised to get him details of the addresses he had pulled from Reactor as soon as possible.

Meanwhile, Gambaryan continued to investigate the Welcome to Video website itself. After signing up for an account on the site, he decided to try a basic check of its security; he thought the chances of success were slim, but there was nothing to lose. He right-clicked on the page and selected View Page Source from the resulting menu. This let him see the website's raw HTML before the Tor Browser rendered it into a graphical web page. In any case, looking at large blocks of code was certainly better than looking at an endless scroll of human depravity.

Almost immediately, he found what he was looking for: an IP address. In fact, to Gambaryan's surprise, the site's HTML appeared to reveal, for every thumbnail on the site, the IP address of the server that actually hosted it: 121.185.153.64. He copied the 11-digit number into his computer's command line and ran a basic traceroute, following its path across the internet back to the server's location.

Incredibly, the results showed that this computer was not obscured by Tor's anonymizing network at all; Gambaryan was looking at the actual, unprotected address of the Welcome to Video server. Confirming Levin's initial hunch, the site was running on a residential connection from an internet service provider outside of Seoul, South Korea.

The administrators of Welcome to Video seemed to have made a novice mistake. The site itself was hosted on Tor, but the thumbnails on its home page appeared to be fetched from the same computer without routing the connection through Tor, perhaps in a misguided attempt to make the page load faster.
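An added example, not from the original article, of the check Gambaryan did by eye in the page source: parse a page served over an onion address and flag every URL attribute that points at a raw IP address or an ordinary hostname instead of a relative path or a .onion host. The sample markup and all hosts in it are constructed placeholders, not the site's actual HTML.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; the IP addresses are documentation ranges and the
# .onion name is a placeholder.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png">
<img src="http://192.0.2.10/thumbs/0001.jpg">
<img src="http://exampleonionaddress.onion/thumbs/0002.jpg">
<script src="https://cdn.example.net/lib.js"></script>
<a href="http://198.51.100.7/contact">contact</a>
<link rel="stylesheet" href="//[2001:db8::5]/site.css">
</body></html>
"""

URL_ATTRS = {"src", "href", "action", "poster", "data"}
# Tags a browser fetches on page load, as opposed to links a user must click.
AUTO_FETCH_TAGS = {"img", "script", "link", "iframe", "video", "audio",
                   "source", "embed", "object"}
FLAGGED = {"ip-literal", "clearnet-name", "unparseable"}


def classify_host(url):
    """Classify the host part of a URL found in an attribute value."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return "unparseable"
    if not host:
        return "no-host"  # relative path, data:, mailto:, ...
    if host.endswith(".onion"):
        return "onion"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "clearnet-name"


class ReferenceCollector(HTMLParser):
    """Collects URL attributes whose host is reachable outside Tor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            kind = classify_host(value)
            if kind in FLAGGED:
                self.findings.append({
                    "tag": tag,
                    "url": value,
                    "kind": kind,
                    "auto_fetch": tag in AUTO_FETCH_TAGS,
                })


def find_clearnet_references(html):
    """Return flagged references in document order."""
    collector = ReferenceCollector()
    collector.feed(html)
    collector.close()
    return collector.findings


if __name__ == "__main__":
    for finding in find_clearnet_references(SAMPLE_HTML):
        print(finding)
```

References marked `auto_fetch` are the serious ones, because every visitor's page source carries them whether or not anything is clicked.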

Gambaryan couldn't help but laugh: sitting in front of a computer screen in his cubicle in his D.C. office, he was staring at the exposed location of a website administrator whose day of arrest he could feel drawing closer and closer.

Janczewski was at a shooting range in Maryland, waiting his turn in a firearms training session, when he received an email from a U.S. cryptocurrency exchange his team had subpoenaed. The email contained identifying information about the suspected Welcome to Video administrator who had cashed out the site's revenue.

The attachment to the email showed a middle-aged South Korean man with an address outside of Seoul, which perfectly matched the IP address found by Gambaryan. The documents even included a photo of the man holding an ID card, apparently to prove his identity to the U.S. exchange.

For a moment, Janczewski felt as if he were coming face to face with the administrator of Welcome to Video. But he remembers that something was wrong at the time: the man in the photograph had visibly dirty hands and dirt in his fingernails. He looks more like a farm worker than the kind of keyboard-wielding person he'd expected to run a website on the dark web.

Over the next few days, as other exchanges answered their subpoenas, the picture began to come into focus. The two South Korean exchanges sent Gambaryan documents about the people who controlled the Welcome to Video cash-out addresses. They named not only the middle-aged man but also a younger man, 21, named Son Jong-woo. The two listed the same address and the same last name. Were they father and son?

The agents believed they were closing in on the site's administrators. But they came to understand that simply shutting down the website or arresting its administrators would hardly serve the needs of justice. Welcome to Video's cluster of bitcoin addresses formed a large and busy nexus on the blockchain, connecting both consumers and, more importantly, producers of child sexual abuse material.

By this time, Faruqui had assembled a team of other prosecutors to help, including Lindsay Suttenberg, an assistant U.S. prosecutor who specializes in child exploitation cases. She noted that even taking a website offline isn't necessarily their top priority. "You can't rape a child and bring down a Korean server," Faruqui summed up her argument.

Having so easily identified the site's administrators, the team began to realize that although the case had seemed simple at first, its complexity was actually overwhelming. They needed to trace not just the money of one or two administrators in South Korea but, from that central point, hundreds of potential suspects around the world, both active abusers and the complicit facilitators who enabled them.

Gambaryan's right-click discovery of the site's IP address and the rapid cooperation of the cryptocurrency exchanges had been lucky breaks. The real work was yet to come.

03

Just two weeks after Levin provided the lead, a team of IRS-CI agents and prosecutors knew almost exactly where the Host to Video was. But they also know they need help to go further. They have neither ties to South Korea's National Police Agency — which is known for formalism and insurmountable bureaucracy — nor the resources to arrest potentially hundreds of website users, an operation that requires far more personnel than the IRS is capable of.

Faruqui suggested they bring the Department of Homeland Security into the case and work with an office in Colorado Springs. He chose this agency and its distant outpost because he had once worked there with an agent named Thomas Tamsi. A year earlier, Faruqui and Tamsi had together cracked a North Korean arms deal that sought to smuggle weapons parts through South Korea and China. During that investigation, they flew to Seoul to meet with the South Korean National Police and, introduced by HSI's contacts in Seoul, spent an evening drinking and singing karaoke with South Korean officials.

At a particularly memorable moment that night, the South Korean agents had been teasing the U.S. team about Americans' supposed diet of hot dogs and hamburgers. One agent mentioned sannakji, a small octopus that some Koreans eat not only raw but while it is still alive. Tamsi gamely replied that he would try it.

A few minutes later, several South Korean agents brought a fist-sized, still-wriggling octopus to the table. Tamsi put the whole squirming octopus in his mouth, chewing and swallowing, its tentacles writhing between his lips, black ink dripping from his face onto the table. Tamsi said: "It's terrible."

The Koreans thought it was funny. Tamsi gained near-legendary status in certain circles of the South Korean National Police, where he came to be known as the "Octopus Man."

Like most of their group, Tamsi had no experience in child exploitation cases. He had never even been involved in a cryptocurrency investigation. But Faruqui insisted they needed the Octopus Man in order to make progress in South Korea.

Soon after, Tamsi and an HSI agent authorized to carry out covert operations flew to Washington, D.C. They rented a conference room at a hotel, and under Janczewski's watchful eye, undercover agents logged into Welcome to Video, paid a sum of bitcoin, and began downloading gigabytes of video.

This odd choice of location, a hotel rather than a government office, was meant to better disguise the agents' identity in case Welcome to Video could still somehow track its users despite Tor's protection, and also to give the D.C. prosecutor's office jurisdiction in the event of prosecution. (At the very least, the HSI agents used a Wi-Fi hotspot for the downloads, to avoid pulling some of the web's most harmful content through the hotel's network.)

As soon as the undercover agents' work was done, they shared the files with Janczewski, who watched the videos over the next few weeks. They cataloged every clue they could find that might identify the people involved, a process that also flooded their minds with images of child abuse that would be enough to give anyone nightmares for the rest of their lives.

Suttenberg's years of experience as a child exploitation prosecutor had numbed her; she found that the rest of the team couldn't even bear to hear her describe the videos, let alone watch them. "They would ask me not to say it, to write it down," she recalled, "and then they would tell me it was worse to write it down."

Janczewski, the lead investigator in the case, was tasked with putting together an affidavit to support any charging documents that might eventually be submitted to the court. That meant watching dozens of videos, looking for those that represented the worst material on the site, and then writing a technical description of them for a jury or judge. He likens the experience to a scene in A Clockwork Orange: an endless montage from which he wanted to avert his gaze but was not allowed to.

Watching the videos, he says, changed him, though he can only describe how in abstract terms, and even he's not sure he fully understands it. "There's no turning back," Janczewski said vaguely. "Once you know what you know, you can't not be unaware of it. Everything you see in the future comes in through that prism that you know now."

In the first weeks of fall 2017, the team investigating the Welcome to Video network began the painstaking process of tracking every possible user of the site on the blockchain and sending hundreds of legal requests to exchanges around the world. To help analyze every lead in Welcome to Video's bitcoin address cluster in Reactor, they hired a staff member from Chainalysis named Aron Akbiyikian, an Armenian-American former police officer from Fresno whom Gambaryan had known since childhood and had recommended to Levin.

Akbiyikian's job was to conduct what he calls a "cluster audit": squeezing every possible investigative lead out of the site's cryptocurrency trail. That meant manually tracing payments back from one address to the previous one until he found the exchange where a Welcome to Video customer had bought the bitcoin, along with whatever identifying information that exchange might hold. Many Welcome to Video users made his job simple. "It's a beautiful Reactor cluster," Akbiyikian said. "It's so clear." In some cases, he would trace the payment chain back through several hops before the funds reached an exchange. But for hundreds of users, he said, he could see wallet addresses receiving money from an exchange and then putting the money directly into the Welcome to Video cluster, which, as Akbiyikian put it, created "the cleanest possible clue."

As the exchanges' responses about these users' identities began to pour in, the team started to build a more complete profile of their targets. They collected hundreds of names, faces, and photographs, almost all of them men, from all walks of life around the world. Their descriptions crossed boundaries of race, age, class, and nationality. All they seemed to have in common was their gender and their financial connection to a global, hidden haven for child abuse.

At this point, the team believed they had confidently pinned down the site's South Korean administrator. They had obtained a search warrant for Son Jong-woo's Gmail account and many of his transaction records, and they could see that he appeared to be the only one receiving the cashed-out proceeds from the site. His father did not; to investigators, he looked more and more like an unwitting participant whose son had hijacked his identity to create a cryptocurrency account. In Son Jong-woo's email, they found a picture of him for the first time, a selfie he had taken to show friends the tooth he had lost in a car accident. He was a thin, inconspicuous-looking young Korean with wide-open eyes and black, Beatles-style hair.

But as the image of the administrator took shape, so did the profiles of hundreds of other men who had used the site. The investigative team immediately took note of some of them: To the dismay of Thomas Tamsi and his Homeland Security colleagues, one of the suspects was an HSI agent in Texas. Equally alarming was a man who was the vice principal of a high school in Georgia. The school administrator had posted videos on social media of himself singing karaoke with teenage girls from the school. The videos might have been considered innocent, but given what they knew about the man's bitcoin payments, agents with more experience in child exploitation warned Janczewski that they might reflect a form of grooming.

These men held privileged positions and had access to potential victims. Investigators immediately realized that, as they had suspected, they needed to arrest some users of Welcome to Video as soon as possible, even before they could arrange to take down the site. Child exploitation experts had warned them that some perpetrators had systems in place to alert others if law enforcement arrested or compromised them. Still, the Welcome to Video team believed they had no choice but to take the risk and act quickly.

Around the same time, another suspect came to their attention for a different reason: He lived in Washington, D.C. In fact, the man's home was close to the U.S. Attorney's Office, near the capital's Gallery Place neighborhood. He happened to live in an apartment building that one of the prosecutors had only recently moved out of.

They realized that the location might work in their favor. Janczewski and Gambaryan could easily search the man's home and his computer as a test case. If that proved the man was a customer of Welcome to Video, they could bring the entire case in the D.C. jurisdiction, overcoming a key legal hurdle.

As the investigation deepened, however, they found that the man had been a congressional staffer and held a senior position at a prominent environmental group. Would arresting a target with such a background, or searching his home, provoke a public outcry that would sink their case?

Just as they set their sights on the suspect, however, they found that he had gone surprisingly quiet on social media. Someone on the team thought to pull up his travel records. They found that he had flown to the Philippines and was preparing to fly back to Washington via Detroit.

The findings gave investigators and prosecutors two thoughts. First, the Philippines is a notorious sex tourism destination where children are often targeted; HSI's office in Manila had long been dealing with child exploitation cases. Second, when the man flew back to the U.S., Customs and Border Protection could lawfully detain him and demand to look at his devices for evidence, a strange and controversial exception to U.S. constitutional protections that could come in handy in this case.

Would their suspect in Washington sound the alarm and expose the investigation just as it was beginning?

"Yes, it all has the potential to ruin our case," Janczewski said. "But we have to act."

In late October, Customs and Border Protection at Detroit Metropolitan Airport stopped a man flying back to Washington from the Philippines, asked him to step aside, and took him to secondary screening. Despite his protests, border agents insisted on taking his computer and cell phone before allowing him to leave.

A few days later, on October 25, the prosecutor who had lived in the same Washington apartment building as the suspect saw an email from the management of her old building; despite having moved out, she was still on the recipient list. The email noted that the parking ramp in the alley behind the building would be closed that morning. It explained that a resident, whom it did not name, had jumped from the balcony of his apartment and fallen to his death there.

The prosecutors connected the two events, deducing that the man who had jumped was their Welcome to Video "test case." Janczewski and Gambaryan immediately drove to the apartment building and confirmed with the management that the first target of their investigation had just killed himself.

Later in the day, the two IRS-CI agents returned to the scene of the man's death with a search warrant. They took the elevator up to the 11th floor with the building manager, who was baffled by the IRS's involvement but silently opened the door for them. Inside, they found an upscale, somewhat messy, high-ceilinged apartment. A suitcase was still only partly unpacked. The man had ordered a pizza the night before, and some of it was still on the table, uneaten.

Janczewski remembers feeling the gloomy silence of the man's empty home as he imagined the desperate choice the man had faced the night before. Looking down from the balcony on the 11th floor, the agents could see a spot in the alley below where the sidewalk had recently been washed.

The Metropolitan Police Department in Washington, D.C., offered to show the agents a surveillance video of the man's fatal fall from the building. They politely declined. Meanwhile, Customs and Border Protection in Detroit confirmed that they had searched the computers seized from the man at the airport, parts of which were encrypted and others not, and found videos of child exploitation, as well as secretly recorded videos of. Their purpose in targeting the man had been served: their test case had come back positive.

The prosecutors in Washington paused their work to acknowledge the surreal impact of the man's death: their investigation into a website half a world away had led to the suicide of a man a few blocks from them. "It's just a reminder of how serious the problem we're investigating is," Faruqui said. Still, the group agreed that they couldn't let the suicide affect their work.

"We have to focus on the victims here," Faruqui remembers them saying to each other. "It provides a clear line of thinking."

Janczewski said he would prefer the man to be arrested and prosecuted. But by this time, he had been forced to watch hour after hour of video of child sexual assault. Early in the case, he put his emotions aside and had little sympathy for a customer who was clearly buying the materials.

He admits that if he feels anything, it's a relief: They still have hundreds of Welcome to Video customers to pursue.

Janczewski discovered something that shocked him: Somewhere in the video, the girl in the video wore a red flannel shirt tied around her waist. Photo by Tabitha Soren

The next person on their list is the high school vice principal. A few days later, Janczewski flew to Georgia and joined a tactical team of HSI agents in a search operation. It was the first time he had come face-to-face with an alleged Welcome to Video client in his hometown.

Despite his stoicism, this second test case had a bigger impact on Janczewski than the Washington target had. In the neat two-story brick house, the parents were questioned in separate rooms. The kids, about the same age as Janczewski's own children, were watching a Mickey Mouse Club show. As he stood at the entrance to that house on the outskirts of Atlanta, the full cost of the investigation struck him: every name on their list was a person with relationships and, in many cases, a family. Accusing suspects of such an unforgivable crime would also have an irreversible impact on their lives.

Janczewski and the HSI agents spent a long time in that house, searching it, questioning the man, and seizing his devices for analysis. Faruqui said that in addition to the evidence that the man had paid for content on Welcome to Video, the man also admitted to "inappropriately touching" students at his school. The man was later accused of sexually assaulting a minor, but he pleaded not guilty.

For Janczewski, at least, his last doubts were dispelled within hours of that first confrontation with a suspect identified solely through cryptocurrency tracing. "At the end of the day, I feel more confident," he said. "We were right." Blockchain doesn't lie.

The team was steadily working through its short list of high-priority Welcome to Video targets and test cases. But in December 2017, they uncovered a different lead that would again upend their priorities.

While tracking Welcome to Video's financial records, investigators had been carefully documenting the entire contents of the site's chat page, where users were still posting a steady stream of comments. The site seemed completely unmoderated, with no administrator email to be seen anywhere. But Janczewski began to notice that one account repeatedly posted messages that seemed to offer the closest thing the site had to a point of contact. They contained an address on Torbox, a privacy-focused, Tor-based email service.

Was this the site's moderator? Or even the administrator, the owner of the site, the person they now believed to be Son Jong-woo?

As Janczewski tried to work out who was behind the messages, he looked at the username before the "@" in the Torbox address, a unique string of six characters, and checked whether it matched any user on Welcome to Video. Sure enough, he found that someone with the same username had uploaded more than a hundred videos.

Looking for clues, Excygent's Aaron Bice compared the Torbox email address against BTC-e's database from an IRS-CI investigation into cryptocurrency exchanges. He found a match: an account on BTC-e had been registered with an email address that contained the same unique six-character string. It wasn't a Torbox address, but one from Sigaint, another privacy-focused email service.

Janczewski knew that Torbox and Sigaint, both themselves dark web services, would not respond to legal requests for user information. But BTC-e's data included the IP addresses from that user's last 10 logins to the exchange. For nine of the 10 logins, the IP address was masked by a VPN or Tor. But on one visit to BTC-e, the user had made a mistake and exposed their actual home IP address. "This opens the whole door," Janczewski said.

A trace showed that the IP address pointed to a residential internet connection, this time not in South Korea but in Texas. Was there a second Welcome to Video administrator, and this one in the U.S.? With increasing urgency, Janczewski and Bice pressed the internet service provider for the user's account information.

It was a Friday morning in early December, and Janczewski was drinking coffee at his desk in the IRS-CI office when he received the results of the subpoena. He opened the email and found a name and a home address. The man, an American in his thirties, lived in a small town outside the city of San Antonio. He seemed an unlikely partner for a 21-year-old South Korean running a child exploitation website 15 time zones away. But Janczewski was even more shocked when he learned of the man's employment. He was another Department of Homeland Security employee, this time a Border Patrol officer.

Janczewski soon began gathering publicly available information about the agent from his social media accounts. He first found the Facebook page of the man's wife, and later the man's own account, where his name was written backward to disguise it. Bice also dug up his Amazon page, where he appeared to have left reviews on hundreds of products and put others on a "wish list," including external storage devices that could hold gigabytes of video, hidden cameras, and more.

Finally, with a creeping sense of dread, Janczewski saw that the Border Patrol agent's wife, who had a young daughter, had created a crowdfunding page on GoFundMe to raise money so that he could legally adopt the girl as his stepdaughter. "Did he upload a video of his daughter?" Janczewski thought.

Janczewski looked back at Welcome to Video and saw that some thumbnails of the videos uploaded under that username showed the sexual assault of a young girl about the daughter's age. He realized it was now his responsibility to separate this Border Patrol agent from the victim as quickly as possible.

For the next 10 days, Janczewski barely left his desk. He would drive home, have a quick dinner with his family in a cottage in Arlington, Virginia, and then drive back to the office to work late, calling Bice and Faruqui frequently until late at night.

"Your time is rarely zero-sum," Faruqui said. "Every moment we don't deal with that case, there's probably a little girl who gets raped."

Janczewski had their undercover HSI agents download the videos uploaded by the Texas agent, and then he began the torturous process of watching them one by one. After a few videos, he noticed that the girl in one of them had a red flannel shirt tied around her waist. He looked back at the girl's picture on the GoFundMe page and saw that she was wearing the same red flannel shirt.

Was this Border Patrol agent an administrator of Welcome to Video? Or a moderator? It didn't matter. Janczewski now believed he had identified an active child rapist who lived with his victim and had been recording his crimes and sharing them with thousands of other users. This Texan had become their number one target.

Two weeks before Christmas, on the 10th day after he confirmed the Border Patrol officer's identity, Janczewski flew to south Texas with HSI's Thomas Tamsi and the team's prosecutor Lindsay Suttenberg, the child exploitation specialist. On a cool, dry night, about 100 miles from the Mexican border, Tamsi and a group of Texas police officers tailed the target as he drove home from work and pulled him over. Together with a group of FBI agents, they took the man to a nearby hotel for questioning.

Meanwhile, Janczewski and a group of local Homeland Security investigators entered the man's house and began searching for evidence. Janczewski recalls that the two-story house was run-down and messy, except for the man's orderly home office on the second floor, where they found his computer. Walking down the hallway from the office, he came to the girl's bedroom and immediately recognized it as the setting of the videos the man had uploaded. On the wall, he noticed a poster he had seen in the videos, and for a moment he felt as if he had fallen through his computer screen into a horror movie scene.

The IRS agents and prosecutors had brought along an FBI interviewer experienced in child exploitation cases, who kept the girl away from the agents searching her home and took her to a safer place. The girl eventually told the interviewer in detail about the abuse she had suffered.

Shortly after the search of the Border Patrol agent's home, Janczewski arrived at the hotel room where other agents were questioning their suspect. For the first time, he saw in person the target he had been pursuing for the past week and a half. The man was tall and burly, still in uniform, with thinning hair. Janczewski said the man initially refused to talk about any physical abuse he might have committed, but he eventually admitted to possessing, sharing, and finally making videos of child sexual assault.

Janczewski was struck by the nearly dispassionate way the man described his actions. He gave the interrogators the password to his home computer, and an agent who was still at the house began extracting evidence from the machine and sending it to Janczewski. It included a detailed spreadsheet of every child sexual exploitation video the man had accumulated on his hard drive, videos that by all appearances had been filmed in his own home.

Another spreadsheet on the man's computer contained a long list of login credentials for other Welcome to Video users. During the interrogation, the man explained his scheme: He would post messages on the site's chat page pretending to be an administrator, then get the users who took the bait to send him their usernames and passwords, which he used to log into their accounts and watch their videos.

The Border Patrol agent is not an administrator or moderator of Welcome to Video at all, just a particularly cunning visitor willing to trick other users into satisfying his appetite.

After a tense 10 days, they had identified and arrested another suspected child abuser and even rescued his victim. But as Janczewski flew back to Washington, he knew that Welcome to Video's vast network of abuse was still very much intact. Until they shut down the site, it would continue to serve videos, including the ones the Border Patrol agent had uploaded from Texas, to anonymous consumers like him.

04

In early January 2018, the Washington, D.C., investigators received news from Thomas Tamsi that he and his team had arrested another federal law enforcement customer of Welcome to Video, the HSI agent who had turned up early in their blockchain tracing and subpoenas. Although this second agent appeared to have no connection to the Border Patrol agent's case, he too had worked in Texas, less than an hour from the home they had just raided.

Beyond that horrific coincidence, the news of the HSI agent's arrest also meant that the D.C. investigative team's list of top suspects had finally been checked off. They could turn to their main target, Son Jong-woo, and the Welcome to Video server he controlled.

By February, the South Korea-focused operation was taking shape. Prior to the Texas arrests, Janczewski, Gambaryan, Faruqui, and Tamsi had flown to Seoul to meet with the South Korean National Police. At a dinner hosted by the local HSI attaché, the head of the KNPA personally told Tamsi that the Americans would be helped by his "best team." Soon, they began surveilling Son Jong-woo's movements. His home was located in the Chungnam area, two and a half hours south of Seoul.

It was the middle of winter on the Korean Peninsula, just a week after the Pyeongchang Winter Olympics in South Korea, when the American agents arrived in Seoul again. Gambaryan had to stay behind for an ill-timed meeting, and the head of the agency offered to speak. But Janczewski and Faruqui brought along Aaron Bice and Youli Lee, a Korean-American computer crime prosecutor. By then, the international coalition around the case had also been growing. Britain's National Crime Agency had launched its own investigation into Welcome to Video after Levin's visit to London and sent two agents to Seoul, and the German Federal Police joined the coalition as well. It turned out that the Germans had been independently tracking down the site's administrators before they learned of the IRS's investigation, but they had never obtained the cooperation of the South Korean National Police.

Faruqui remembers that once, as they stood in the cold wind outside a hotel in Seoul, a German official asked him how the Americans had gotten the South Koreans on board so quickly. "Oh, Octopus Man," Faruqui explained. "You don't have an octopus man, but we do."

During the first few days in Seoul, the arrest team met repeatedly at the offices of the South Korean National Police to discuss their plans. Gambaryan's tracing of the IP address seemed to indicate that the site's server was located not in the data center of any web hosting company but in Son Jong-woo's own apartment: the evidentiary hub of a massive network of child sexual assault videos sat in his home. That made things simple. They would arrest him, shut down his website, and use that evidence to convict him. The team made a plan to arrest him at his apartment early on Monday morning.

Then, on the Friday before, Janczewski came down with a cold. He spent most of the weekend with prosecutor Youli Lee, wandering in a daze between markets and shops in Seoul. On Sunday night, he took a dose of what he hoped was the Korean equivalent of Nyquil, intending to get some sleep and recover in time to be at full strength for the arrest.

That was when the KNPA informed the team that plans had changed: Son Jong-woo had unexpectedly driven to Seoul for the weekend. The team tracking his whereabouts now believed he had set out late that night to drive back to his home in the south.

If the police could drive to Son's home that night and stake it out, perhaps they could arrest him at his doorstep when he returned. That way, he would be unable to destroy evidence or kill himself. Janczewski said: "We had to act hastily."

That night, Faruqui insisted that the group rally with a cheer in the hotel lobby. Then he and Lee went upstairs to sleep. Janczewski, half asleep from his cold medicine, walked out of the hotel into the pouring rain carrying a pillow from his room, got into a car with the HSI liaison, and began the long night journey south. The HSI agent had asked Janczewski to drive another car in the convoy rather than leave it to one of the Koreans on his team, who he said was a notoriously poor driver. But Janczewski insisted he was too heavily medicated to drive on the dark, wet roads of a country 7,000 miles from home.

A few hours later, the team arrived at the parking lot of Son's apartment and began their long surveillance in the rain. When they saw Son's car finally drive into the apartment's parking lot, it was already after midnight.

A group of South Korean agents had been waiting for him there. A particularly imposing sergeant, with a team of plainclothes officers, sidled into the elevator beside Son as he got in. The agents silently rode up with him to Son's floor and stepped out when he did. Just as he reached his front door, they arrested him, without any resistance.

During the arrest and the hours-long search of Son's apartment that followed, Janczewski and the other foreigners remained stuck in their cars in the rainy parking lot. Only the national police had the authority to lay hands on Son or enter his home. When the South Korean officers handcuffed the young Son Jong-woo, they asked whether he would agree to let Janczewski or any of the Americans in as well. Unsurprisingly, Son refused. As a result, Janczewski could tour the small, inconspicuous apartment that Son shared with his divorced father, the man with dirty hands in the first photo they had examined, only through FaceTime, while the South Korean agents searched for evidence and seized his devices.

The South Korean agent showing Janczewski around ended by pointing his phone camera at a desktop computer on the floor of Son's bedroom, a cheap-looking tower with the case open on one side. Its insides showed that Son seemed to have added hard drives one by one, each filled with megabytes of video of child exploitation.

This is the server of Welcome to Video.

Janczewski recalls: "I thought there was something glowing and ominous, and it turned out to be this bulky computer. It's so weird. This bulky computer, which has wreaked havoc around the world, is on this kid's floor."

When they saw Son's car finally drive into the building's parking lot, it was already past midnight.

Illustration: Hokyoung Kim

On the way back, Janczewski understood exactly why the HSI liaison had asked him to drive the other car. The elderly HSI employee at the wheel somehow lost his way after the sleepless night, took a wrong turn at a highway exit ramp, and nearly crashed, frightening his passenger, Aaron Bice.

After that narrow escape, as the sun began to rise and the rain stopped, the group pulled over at a rest stop beside the highway and ate instant noodles for breakfast. Janczewski was still sick, exhausted, and struck by how anticlimactic it all seemed. He had been looking forward to this moment for more than six months, but he felt no elation.

No high-fives, no celebrations. The agents returned to their cars and continued the long journey back to Seoul.

The next day, after finally getting some sleep, Janczewski began to understand how lucky they had been. He learned from the analysts who had examined Son Jong-woo's computers that Son had not encrypted his server. Everything was there: all of Welcome to Video's content, its user database, and the wallet that handled all of its Bitcoin transactions.

Now they could see the video collection in its entirety, and the scale was staggering. There were more than 250,000 videos on the server, more by quantity than in any child sexual abuse material case in history. They later shared the videos with the National Center for Missing & Exploited Children (NCMEC), which helps catalog, identify, and remove CSAM on the internet, and NCMEC found that 45 percent of them had never been seen before. Welcome to Video's uniqueness checks and its reward system for fresh content seemed to have served their purpose, spurring countless new cases of recorded child abuse.

For investigators, however, the real reward is the site's user information. South Korea's National Police gave the U.S. team a copy of the Welcome to Video database, and they began working in the U.S. Embassy building in Seoul, reconstructing the collected data on their own machines. Meanwhile, in order to avoid revealing to website users the news that the site was shut down, they quickly set up a home page on their own server that looked like Welcome to Video, using a private key extracted from a real server to take over their dark web address. When users visit the site, it now displays only a message saying that the site is under construction and will soon be "upgraded" back, which also mimics Son's broken English spelling typos.

Bice spent two days re-establishing the site's user data into a form they could easily query — Janczewski and Faruqui stood behind him, pestering him to see if the system was ready. When Bice was finished, the U.S. team got the full directory of the site's pseudonymous users, listed by their Welcome to Video usernames. They can now link every bitcoin payment they initially screened on the blockchain to those usernames and find exactly what each user uploads or downloads.

By the end of February, when Americans were ready to go home, they had consolidated the anonymized identities removed from cryptocurrency exchange subpoenas into a searchable database. It mapped the entire Welcome to Video network, including users' real names, photos, and payment records of those who paid for the site and specific content of child abuse videos purchased by those customers. "You can see the whole picture," Janczewski said. "It's like a collection of dictionaries, thesaurus, and Wikipedia."

Lined up in front of them is the complete structure of welcome to Video's global child exploitation, including details of hundreds of consumers, collectors, sharers, producers, and actual abusers. Now the final phase of the case can begin.

In the weeks that followed, Thomas Tamsi's team in Colorado began sending their Welcome to Video dossiers to HSI agents, local police, and foreign police agencies around the world. These "target packages" included descriptions of the suspects, their transaction records, any other evidence gathered about them, and a brief introduction to how Bitcoin and its blockchain work.

The defendants in this case were too widespread and international for a simultaneous global crackdown. Instead, searches, arrests, and interviews began to unfold across the globe, prioritizing those who were active abusers, then uploaders, and finally downloaders. Slowly, as users of Welcome to Video were picked up one by one, the DC team began to hear feedback about the results of their work — sad, sometimes reassuring, but often tragic.

If it weren't for cryptocurrencies, and the years-long trap set by its alleged untraceability, the 337 pedophiles arrested in this case, as well as the rescued victims, might never have been discovered.

A Kansas IT worker had deleted all the child abuse videos on his computer before agents arrived. When they discovered that his wife ran an infant daycare at home, they made his arrest a top priority. Prosecutors said he confessed to the crime when the remaining files in the computer's storage matched records on the Welcome to Video server.

A repeat offender in Washington, D.C., attempted suicide when an HSI team entered his home; he hid in the bathroom and cut his own throat. One of the arresting agents happened to have received training as an army medic. He managed to stop the bleeding, and the man survived. Later, they found 450,000 hours of child abuse videos on his computer — including videos of Texas girls uploaded by Border Patrol agents.

Months passed, and all sorts of dirty, sad, and appalling stories kept piling up. An elderly man in his 70s had uploaded more than 80 videos of child abuse. A man in his early 20s, who had suffered a traumatic brain injury and took medications that boosted his libido and reduced his impulse control, was thought to have the same level of cognitive development as the abused children he witnessed. When the communications records of a man in New Jersey were disclosed through a search warrant, they appeared to show that he was negotiating to buy a child for his own sexual exploitation.

Thomas Tamsi, as the HSI agent in charge of the case, coordinated more Welcome to Video arrests than anyone else, so much so that those actions became blurred and only the most shocking moments remained clearly in his mind. He found the nearly naked defendant in the basement, and the suspect told him he had been in the Boy Scouts and that "the kids were always attracted to him". The victim's parents vehemently denied that their friends might have done the things Tamsi described, and their faces turned white when Tamsi printed out the edited screenshots.

These cases span the globe and extend far beyond the United States. In the Czech Republic, Spain, Brazil, Ireland, France and Canada, dozens of Welcome to Video users have been arrested. In Britain, where the whole case began with a tip provided to Levin by an agent, the National Crime Agency arrested a 26-year-old man on suspicion of abusing two children and posting more than 6,000 documents to the site. In another international case, a Hungarian ambassador to Peru had downloaded content from the Welcome to Video website, and more than 19,000 CSAM images were found on his computer. He was quietly removed from his post in South America, taken to Hungary and charged; he eventually pleaded guilty.

For the DC team, many international cases fell into some sort of black hole: A Saudi Arabian Welcome to Video user was caught by law enforcement in that country after returning home. Faruqui and Janczewski said they had never heard of the man's fate; he had been handed over to Saudi Arabia's own judicial system, which has imposed sharia-based whipping or even beheading on some sex offenders. When agents searched the car of a Chinese national living near Seattle and working at Amazon, they found a teddy bear, as well as a map of the area's playgrounds, even though the man himself had no children. The man then fled to China and, as far as prosecutors know, was never found again.

Each of the hundreds of intelligence packages sent out by the group listed Chris M. Janczewski's contact details, so that anyone with questions could call him. Janczewski found himself explaining blockchain and its central role in this case over and over again to HSI agents and local police officers in the U.S. and around the world, many of whom had never even heard of Bitcoin or the dark web. Janczewski said: "You get a clue that says, 'This is a website, this is an interesting internet fund.'" He imagined how those who received the intelligence must have read the clue: "Now you need to arrest this guy because some nerdy accountant said so."

In total, Janczewski traveled to 6 countries and spoke to more than 50 different people to help explain the case, often multiple times per conversation — including a team of U.S. prosecutors and agents with whom he had more than 20 conversations. Bice, who oversees rebuilding server data, said he spoke to more agents and officials — more than 100, according to his count.

Ultimately, a year and a half from the start of the case to the time the server was seized, law enforcement around the world arrested no less than 337 people for their involvement in Welcome to Video. They also rescued 23 children from sexual exploitation.

The 337 arrested users are still just a small fraction of Welcome to Video's total registered users. When the U.S. team checked their copy of the server data in South Korea, they found that there were thousands of accounts on the site. But the vast majority of them had never paid any bitcoins to the site's wallet. With no funds to trace, investigators' leads usually disappeared.

In other words, if it weren't for the years-long trap set by cryptocurrencies and its supposed untraceability, most of the 337 pedophiles arrested in the Welcome to Video case, as well as most of the rescued victims, would probably never have been discovered.

05

The IRS and the U.S. Attorney's Office in Washington, D.C., took an unprecedented approach to treating a large-scale case of child sexual abuse material as a financial investigation, and it was successful. In all of their investigative work, Bitcoin's blockchain has been their guiding light, leading them through a landmark case. Faruqui believes that without cryptocurrency tracking, they will never be able to find and identify so many users of the site.

"That's the only way through the darkness," he said.

However, throwing money laundering investigators into the deepest recesses of the Internet's CSAM sinkhole came at a price. Almost every team member has children of their own, and almost all say that because of their work, their protectiveness toward these children has increased so much that their trust in those around their families has been severely impaired.

Janczewski, who moved from Washington to Grand Rapids, Michigan after the case, does not allow his children to ride their bikes to school, as he did as a child himself. Even seemingly innocent interactions — such as a friendly parent offering to look after his child at the other end of the pool — can now trigger a red alert in his head. Youli Lee says she won't let her 9- and 12-year-olds go to public toilets on their own. She would also not allow children to go to a friend's house to play unless the friend's parents had a top-secret security review.

Faruqui said he watched around 15 videos during the course of his investigation that left an "indelible mark" on his mind and permanently raised his awareness of the dangers that the world poses to children. He said he and his wife had an argument over their overprotective tendencies. "You always see the worst side of human nature, so you lose insight," he recalled his wife saying. "I said, 'You lack vision because you don't know what's out there.'"

Gambaryan's wife, Yuki, said the Welcome to Video case was the only time her war-hardened, Soviet-born husband had discussed a case with her, admitting that it had made him realize he was emotionally struggling with it. Gambaryan said the breadth of the social classes involved in the site's abuse, in particular, still haunts him to this day.

"I see that everyone can do that: doctors, principals, law enforcement officers," he reflects. "Whatever you call it, evil, or whatever it is: it exists in everyone — or it can exist in anyone."

In early July 2020, Son Jong-woo walked out of a prison in Seoul wearing a black long-sleeved T-shirt and carrying a green plastic bag containing his belongings. Because South Korea's laws on child sexual abuse were too lenient, he was sentenced to only 18 months in prison.

U.S. prosecutors, including Faruqui, advocated that he should be extradited to the U.S. to face charges in the U.S. judicial system, but South Korea rejected their request. The creator and administrator of Welcome to Video was free.

The Washington team in charge of the Welcome to Video case remains deeply unhappy with Son's confusing light sentence for running the largest child sexual assault materials website in history. But Janczewski said he was pleased by the strong response from South Korean society to the case. After Son's swift release, anger erupted on social media in the country. More than 400,000 people have signed petitions preventing the judge in charge of the case from being considered for office on the country's Supreme Court. A South Korean lawmaker has introduced a bill to allow extradition verdicts to be appealed, and South Korea's parliament has introduced new bills to strengthen penalties for online sexual abuse and downloading of child sexual abuse materials.

Meanwhile, in the United States, the chain reaction in the case lasted for years. Janczewski, Bice and Suttenberg said they still get calls from law enforcement officials based on clues they've gathered. On the computers of the Washington investigators' first test case — a former congressional worker who committed suicide — they found evidence in a cryptocurrency trading account that he had also paid fees to another dark web source of material. They tracked the money to a website called Dark scandal, which turned out to be a small but equally disturbing library of dark web sexual abuse records.

Janczewski, Gambaryan and the same group of prosecutors followed up on the Dark scandal case at the end of the Welcome to Video investigation, and, similarly, tracing the blockchain let them follow the site's cash outflows. With the help of the Dutch National Police, they arrested the site's alleged administrator in the Netherlands, a man named Michael Rahim Mohammad, whose screen name was "Mr. Dark." He faces criminal charges in the United States and the case is still pending.

From the perspective of the money-laundering-focused agents and prosecutors on the Welcome to Video case, the most interesting ripple effect of the case may have come from the fate of the HSI agent they arrested in Texas, just before they traveled to South Korea to carry out the site takedown. The Texas man took a rare form of legal defense: He admitted to possessing child sexual abuse material, but he also appealed his conviction. He argued that his case should be dismissed because IRS agents had confirmed his identity by tracking his bitcoin payments without a search warrant. He claimed it violated his Fourth Amendment privacy and was an unconstitutional "search."

A panel of appellate judges considered this argument and dismissed it. In a nine-page opinion paper, they explained their ruling, setting a precedent that clearly articulated how far they believe Bitcoin's transactions are from privacy.

"Every Bitcoin user has access to the public Bitcoin blockchain and can see each Bitcoin address and the corresponding transfer. Because of this openness, the identity of the owner of a Bitcoin address can be determined by analyzing the blockchain." "This is not an infringement of constitutionally protected areas, because there is no constitutional privacy interest in information on the blockchain."

The U.S. justice system has long held that a search warrant is only needed when a search enters an area where the defendant has "reasonable privacy expectations." The judges' ruling held that no such expectation should have existed in the present case. The HSI agent was not caught in the Welcome to Video dragnet because an IRS agent violated his privacy. The judges concluded that he was caught because he mistakenly believed that his bitcoin transactions were private in the first place.

Photograph by JOOEUN BAE

Chris Janczewski said he didn't feel the full impact of the case until October 2019, the day the Welcome to Video case was finally publicly announced and the seizure notice was posted on the website's homepage. That morning, Janczewski unexpectedly received a call from IRS Commissioner Charles Rettig.

Rettig told Janczewski that the case was "the Al Capone of this generation" — perhaps the highest compliment that can be given within the IRS-CI, and that the story of Capone's arrest for tax evasion is almost mythical.

On the same day, the Justice Department held a press conference to announce the results of the investigation. U.S. Attorney Jessie Liu spoke to a group of reporters about the case's significance — how tracking money allowed agents to triumph over "one of the worst forms of evil imaginable."

Jonathan Levin of Chainalysis sat in the audience. Later, an IRS official named Greg Monahan, the director of Gambaryan and Janczewski, came over to thank Levin for his role in the case. After all, it all started with the intelligence Levin provided to two bored IRS agents at Bangkok airport. Monahan told Levin that it was the most important investigation of his career and that he could retire now because he knew he had worked in a truly valuable job.

Levin shook the hand of the IRS director. At the time, neither he nor Monahan knew what would happen next: IRS-CI and Chainalysis would join forces to combat North Korean hacking, terrorist financing, and two of the world's largest bitcoin money laundering services. They will track down nearly 70,000 bitcoins stolen from Silk Road, as well as another 120,000 bitcoins stolen from the Bitfinex exchange, with a total value of more than $7.5 billion at today's exchange rate, the largest financial seizure in the history of the Justice Department — whether for cryptocurrencies or other forms.

But in response to Monahan's question, Levin again thought of the vast amount of evidence for blockchain: countless cases to be solved, millions of cryptocurrency transactions permanently preserved in amber, and the golden age of criminal forensics it showed any investigator ready to mine them.

Levin said, "There's still a lot to do." "We're just getting started."