FacebookTwitterLinkedIn

US and South Korean Law Enforcement take down Massive Child Porn Site

The US Department of Justice (DoJ) announced that through the cooperation of US, South Korean, and other law enforcement agencies across the globe, they have managed to take down a Dark Web child pornography website along with the arrest of the individual running the site. Further, the DoJ rescued several minors who were actively being abused by contributors to the website. According to the announcement the officials managed to seize approximately eight terabytes of material involving the exploitation of minors as well as further arresting more than 300 people worldwide involved with the website in one form or the other.

The individual maintaining and operating the website, Welcome to Video, is a South Korean national named Jong Woo Son who has been indicted on nine separate counts by a federal grand jury sitting in the US District of Columbia. The Dark Web site is seen as the largest child sexual exploitation market by volume of content known.

law enforcements take down child porn website

The 23-year-old is currently in custody serving a sentence in South Korea, where he was already charged and convicted for operating the site. Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division stated to the press that in a clear warning to other similar sites and operations,

“Darknet sites that profit from the sexual exploitation of children are among the most vile and reprehensible forms of criminal behavior. This Administration will not allow child predators to use lawless online spaces as a shield. Today’s announcement demonstrates that the Department of Justice remains firmly committed to working closely with our partners in South Korea and around the world to rescue child victims and bring to justice the perpetrators of these abhorrent crimes.”

According to the DoJ, the site was the first to monetize child exploitation by giving each uploader a unique Bitcoin wallet address, which other users could use to buy content. Analysis of the website revealed that at least one million unique addresses, which conversely means that there were at least one million users. Agents from the US, South Korea, and the UK seized the servers belonging to Son on March 18, 2019. Further law enforcement officials have arrested and charged 337 site users across 24 US States and 11 other countries. The data stored on the servers is currently been analyzed by the National Center for Missing and Exploited Children (NCMEC) who confirmed that 250,000 unique videos existed on the server before being seized, with 45 percent of the videos currently analyzed containing new images that have not been previously known to exist.

child porn website seized appearance

While the takedown of the site and subsequent arrests are a victory for law enforcement across the globe, the rescue of at least 23 minor victims residing in the US, UK, and Spain who were being abused will be what many of the agents involved in investigations are most proud of.

Blockchain Analysis Leads to Arrests

It was through the tracing of the Bitcoin transactions that the IRS Criminal Investigation (IRS-CI) unit was able to pinpoint the location of the site operator to South Korea. IRS-CI Chief Don Fort noted that,

“Through the sophisticated tracing of bitcoin transactions, IRS-CI special agents were able to determine the location of the Darknet server, identify the administrator of the website and ultimately track down the website server’s physical location in South Korea. This large-scale criminal enterprise that endangered the safety of children around the world is no more. Regardless of the illicit scheme, and whether the proceeds are virtual or tangible, we will continue to work with our federal and international partners to track down these disgusting organizations and bring them to justice.”

In a blog post published by firm Chainalaysis, the software used by IRS-CI was developed by the firm. The same software was used in the seizure and arrest of Alexander Vinnick the operator of a cryptocurrency exchange which allowed cybercriminals to exchange their ill-gained Bitcoin and Monero for hard currency. The software works by tracking and tracing the activity regarding certain wallets. It then takes all the data and builds a graph showing the flow of funds in and out of the wallet address. In this instance, it was shown that the wallets associated with the Dark Web site utilized several cryptocurrency exchanges. It was this information that allowed IRS-CI officials to contact the exchanges and request information regarding the suspected transactions.

For many people, the Know Your Customer (KYC) rules implemented by many banks can be a pain. Having to prove who you are continually can be seen as a chore. Here is an excellent example of why such rules are important. As many of the exchanges kept KYC records to maintain the reputations of legitimate and law-abiding businesses, the IRS could request those records to identify those using the site. In instances where users attempted to hide their identities, further Chainalanysis confirmed that open source intelligence tools, as well as a bit of investigation work, was used to make more positive identifications.

In another bit of good news, the DoJ unsealed a forfeiture complaint on the day of the announcement. The complaint revealed that cryptocurrency accounts were used fraudulently by 24 individuals in five countries to fund the website and make payments which promoted the exploitation of children. Those funds will hopefully be recovered and returned to those who were victims of the crime. The use of technology to promote and profit from the exploitation of children is indeed a heinous crime. This is indeed a victory for law enforcement and it is hoped that such actions would deter other such criminals in the future.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal