The Justice Department announced charges against the web admin and hundreds of users of the “world’s largest” child sexual exploitation marketplace on the dark web/TOR.
In November 2017, Bryce Durbin was working for CBS as the security editor at ZDNet. A hacker group reached out to him over an encrypted chat claiming to have broken into a dark web site running a massive child sexual exploitation operation.
The group claimed it broke into the dark web site, which it said was titled “Welcome to Video,” and identified four main server IP addresses running the site. They also provided him with a text file containing a sample of about one thousand IP addresses of individuals who they said had logged in to the site without the users’ knowledge.
Bryce’s editor-in-chief discussed how the dark web site was already under federal investigation, and writing about it could jeopardize that effort. He also said, “There was no legal way we could access the site to verify it was what the hackers claimed.”
The hackers gave him a specially created username and password for the site, which they said was created just for him to verify the claims. But the journalists couldn’t access the site for any reason, not even for journalistic reasons. So he decided to report the information to the FBI while protecting the sources. Nothing was heard back from the FBI for a while, until recently (two years later). But back to some very interesting information:
They found that individuals accessed the dark web site from the networks of the U.S. Army Intelligence, the U.S. Senate, the U.S. Air Force and the Department of Veterans Affairs, as well as Apple, Microsoft, Google, Samsung and several universities around the world. They could not, however, identify specific individuals who accessed the site; they just used who.is to look up the IPs they had.
U.S. prosecutors said in the indictment, filed in August 2018 but unsealed Wednesday, that the dark web site — confirmed as “Welcome to Video” — had some 250,000 user-uploaded graphic images and videos of children who were being sexually abused. The government called it the “largest darknet child pornography website” in a press release.
After news of the site’s removal had been reported, the screenshot above showed the TOR hidden address and the seized logo being displayed on the website. According to the indictment, federal agents began investigating the site in September 2017, two months before the hackers breached the site. The site’s administrator, Jong Woo Son, had been running the operation from his residence in South Korea since 2015.
The indictment said the main landing page to the site contained a security flaw that let investigators discover some of the IP addresses of the dark web site — simply by right-clicking the page and viewing the source of the website.
It was a major error, one that would trigger a chain of events that would ensnare the entire site and its users.
Prosecutors said in the indictment that they found several IP addresses: 18.104.22.168 and 22.214.171.124. One of the IP addresses the hackers gave him was 126.96.36.199 — an address on the same network subnet as the dark web site.
It was long-awaited confirmation that the hackers were telling the truth. They did in fact breach the site. But whether or not the government knew about the breach remains a mystery.
It’s believed the indictment was kept under seal until after the individuals suspected of being involved in the site were arrested.
In total, there were 337 arrests, including a former Homeland Security special agent and a Border Patrol officer.
Authorities were able to rescue 23 children who were being actively abused.
Bryce reached out to the federal agents and was told the FBI was not involved in the investigation. The Internal Revenue Service’s Criminal Investigation division and the Homeland Security Investigations unit were the ones working the case. The IRS received an anonymous tip that jump-started the investigation.
Authorities from the U.K. and South Korea also contributed to the investigation. The IRS used technology to trace bitcoin transactions, which the dark web site used to profit from the child exploitation videos. Users would have to pay in bitcoin to download content or upload their own child exploitation videos. The government also launched a civil forfeiture case to seize the bitcoins allegedly used by 24 individuals in five countries who are accused of funding the site.