How Bitcoin transactions helped police bust a massive child porn ring


This week, the United States Department of Justice announced that it had shut down what is believed to be the largest child pornography ring operating on the dark web. A South Korean man known as Jong Woo Son was indicted for the operation of the site, which was called Welcome to Video. Another 337 people — including residents of the United States, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia — have all been arrested and charged for using the site. Welcome to Video was able to operate for years without interruption, hidden by the anonymity of Tor servers and Bitcoin transactions. But authorities were eventually able to not only determine who was behind the massive illegal operation but track down users of the site as well, which calls into question just how anonymous these technologies truly are.

To understand what led to the indictment and arrest of hundreds of people who participated in the exploitation of children, it's important to first understand how the technology that protected those participants worked in the first place.

How the darknet and Tor work

Welcome to Video was a darknet site, which means it was not visible on the standard version of the internet that you use every day. It doesn't come up in Google searches, it isn't indexed in the way that the public web is and it can't be linked to in a way that will point your standard internet browser right to it. Darknet sites are hosted on a worldwide, decentralized network of thousands of computers that are known as nodes. When you access a normal website, your computer communicates directly with the server that site is hosted on. When you access a darknet site, your connection bounces through a series of these nodes and is wrapped in layers of encryption along the way, which makes the connection essentially anonymous and untraceable. This style of encryption is often compared to an onion because of its layered protection.

That brings us to the way that you actually access these hidden sites: through The Onion Routing network, or Tor. Tor is a specialized browser that allows you to connect with these otherwise hidden sites. However, because of the nature of these sites, they typically aren't easy to find. There is no real darknet equivalent of Google; a person can't type in "child pornography" and suddenly be presented with Welcome to Video as the top search result. They would need to have the specific address where the site is hosted to be able to connect to it. Those addresses are often a random scramble of letters and numbers rather than an easy-to-remember domain name that you'd find on the standard web.

How Bitcoin and blockchain work

Many of the sites on the darknet are commerce based. They allow users to exchange money for goods and services, a la an Amazon or eBay on the standard internet. The difference, of course, is that the anonymity of the darknet allows for the trade of things that would otherwise be illegal. The most famous of these sites is Silk Road, one of the first major darknet markets. The site hosted a considerable amount of illegal drug trade before it was shut down by the FBI in 2013. Other sites on the darknet offer even more nefarious products, ranging from firearms and other deadly weapons to the services of hitmen. Then there are sites like Welcome to Video, which traffic heavily in child pornography.

Because these sites are offering illegal products, transactions can't be completed using standard currency. Punching in your credit card number is not an option — it would link the transaction directly to you and the merchant who completed the transaction. This is where cryptocurrency like Bitcoin comes in. Bitcoin transactions require users to have a digital wallet that stores the cryptocurrency and provides an address from which transactions can be sent and received. A vendor on the darknet also has a wallet with a unique address that a person would send Bitcoin to in order to complete a transaction.

Instead of that transaction being processed by a bank, which controls the ledger and ensures the exchange is completed, Bitcoin relies on the blockchain. The blockchain is a shared public ledger where every transaction is posted. Those posted transactions include a mathematical proof that serves as a verifying signature from the sender's wallet. That proof has to be confirmed by mining machines, which use their processing power to solve the complicated math equation and ensure the validity of the transaction. Once that is done, the money has changed hands and the transaction is complete — and there is little indication as to who sent and received that money, save for wallet addresses that typically aren't tied directly to a person's identity. These transactions can be made even harder to track by operating a tumbler — a program that routes Bitcoin payments through a series of fake transactions, making it next to impossible to track the actual origins and end point of the transaction chain.


How Welcome To Video got caught

When the darknet's complicated series of nodes is operating correctly and the blockchain functions as intended, sites like Welcome To Video get to carry out their business in what is essentially complete anonymity. There are the occasional cracks in the armor of these services, and law enforcement has used those in the past to bust up illegal operations — a major security flaw in the Tor browser discovered last year may have allowed law enforcement to track users and may have played a role in the crackdown on darknet markets that has taken place in the last few years. It's also possible for law enforcement to, over time, track and analyze Bitcoin trades posted on the blockchain in order to discern a potential source of the transactions.

However, in the case of Welcome To Video, the issue was more user error than security flaws. While Tor hides the host server of a site like Welcome To Video behind a series of transfer points, the site's operator made a major mistake and left the actual IP address of his server in the site's source code. According to a report from TechCrunch, IP addresses associated with the host servers were exposed as far back as 2017, and hackers were able to intercept the IP addresses of thousands of people who had logged onto the site.

That reported security failure by Jong Woo Son was allegedly compounded by his own lax practices to protect his identity when it came to Bitcoin transactions. People on Welcome to Video would exchange Bitcoin for content from the site. The Bitcoin would be transferred to a wallet set up for the site, which, according to the indictment, Jong Woo Son would then transfer to his own personal wallet. According to the Department of Justice's indictment, agents at the IRS transferred Bitcoin to the Welcome to Video wallet and managed to track those payments when they were withdrawn and moved to a different wallet, hosted by a Bitcoin exchange. Jong Woo Son's personal information — including his name, phone number and email address — was allegedly associated with the wallet on that exchange.
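
The kind of fund tracing described above, as an added example that is not from the indictment or the original article: a breadth-first walk over a public ledger from the site's wallet to the first address known to be hosted by an exchange. The ledger, every address and transaction id, and the `EXCHANGE_TAGS` attribution table are constructed for illustration, and each payment is simplified to one sender and one receiver (real Bitcoin transactions can have several inputs and outputs).

```python
from collections import deque

# Constructed sample ledger (no real addresses or transactions).
# Each entry: (txid, sender address, receiver address, amount in BTC).
LEDGER = [
    ("tx1", "agent_wallet", "site_wallet", 0.05),   # undercover payment
    ("tx2", "user_a", "site_wallet", 0.03),
    ("tx3", "site_wallet", "hop_1", 0.08),          # withdrawal from the site wallet
    ("tx4", "hop_1", "hop_2", 0.08),
    ("tx5", "hop_2", "exchange_deposit_9", 0.08),   # lands at an exchange
    ("tx6", "user_b", "unrelated_wallet", 1.00),
]

# Hypothetical attribution data: addresses known to belong to an exchange.
EXCHANGE_TAGS = {"exchange_deposit_9": "ExampleExchange"}


def trace_to_exchange(ledger, start, tags, max_hops=6):
    """Follow outgoing payments from `start` and return one
    (exchange name, address, [txids on the path]) tuple per tagged address."""
    outgoing = {}
    for txid, src, dst, _amount in ledger:
        outgoing.setdefault(src, []).append((txid, dst))

    hits = []
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        addr, path = queue.popleft()
        if addr in tags:
            # Stop at the exchange: funds are pooled there, and the identity
            # behind the deposit comes from the exchange's customer records.
            hits.append((tags[addr], addr, path))
            continue
        if len(path) >= max_hops:
            continue  # bound the search so long chains do not run forever
        for txid, dst in outgoing.get(addr, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [txid]))
    return hits


if __name__ == "__main__":
    for exchange, addr, path in trace_to_exchange(LEDGER, "site_wallet", EXCHANGE_TAGS):
        print(f"{exchange}: {addr} via {' -> '.join(path)}")
```

The ledger only yields the chain of addresses; linking the final address to a person depends on the exchange holding identifying details for that account, which is the step the indictment describes.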

For the most part, services like the darknet and blockchain are anonymous — especially if no one is looking. While law enforcement and others do have tools to track cryptocurrency transactions on the blockchain, it's possible to throw them off the scent if a person has the right tools. What brought down Welcome To Video and its users is the same thing that typically brings down criminals operating on the darknet: they just simply made a mistake somewhere along the way. Human error is almost always the biggest downfall when it comes to security and anonymity.