The Inside Story of the Bitcoin Bust That Shut Down the Internet's Largest Child Abuse Website

They were under the impression that their payments were untraceable. They were completely incorrect. The secret narrative behind the lawsuit that shattered Bitcoin's anonymity myth.

Chris Janczewski stood alone inside the threshold of a home he had not been allowed to enter early one fall morning in 2017, in a middle-class suburb on the outskirts of Atlanta.

Armed Homeland Security Investigations officers in bulletproof vests had gathered around the clean two-story brick house moments before, hammered on the front door, and poured inside when a member of the family living there opened it. Janczewski, a criminal investigator for the Internal Revenue Service, trailed silently behind. He was now standing in the entranceway, in the midst of a flurry of activity, watching the agents examine the premises and take electronic equipment.

They divided the family, putting the father, an assistant principle at the local high school who was the subject of their inquiry, in one room, his wife in another, and the two children in a third. In an attempt to distract the youngsters from the invasion of their home and the interrogation of their parents, an agent turned on a television and turned on Mickey Mouse Clubhouse.

Janczewski was merely there as an observer, a guest brought in from Washington, DC, to keep an eye on and assist the local Homeland Security team while it carried out its warrant. But it was Janczewski's inquiry that led the agents here, to this ordinary-looking house with a well-kept yard among all the ordinary-looking residences they might have found anyplace in the United States. He'd brought them there on the basis of some bizarre, fledgling proof. Janczewski had tracked the Bitcoin blockchain's linkages, dragging on the chain until it connected this ordinary home to an incredibly horrible location on the internet—and then to hundreds more guys all across the world. They're all part of the same vast network of horrible cruelty. All of these people are now on Janczewski's hit list.

Over the previous few years, Janczewski, his partner Tigran Gambaryan, and a small group of investigators from a growing list of three-letter American agencies had used this newfound technique to crack one criminal case after another on an unprecedented, epic scale, tracing a cryptocurrency that had previously seemed untraceable. But such approaches had never led them to a case like this one, where the destiny of so many individuals, both victims and perpetrators, seemed to hang in the balance. Janczewski's stakes were real for the first time during that morning's hunt in a suburb near Atlanta. It was "a proof of concept," as he subsequently phrased it.

Janczewski could hear the Homeland Security officials speaking to the father from his front porch, and the father answered in a broken, resigned tone. He overheard the agents interviewing the man's wife in another room, and she replied that she had seen specific photographs on her husband's computer, but that he had downloaded them by accident while pirating music. And he could hear two grade-school-aged children—kids approximately Janczewski's age—watching TV in the third room. They requested a snack, totally unaware of the catastrophe that was developing for their family.

Janczewski recalls the severity of the situation sinking in: he was a high school principal, a spouse, and a father of two children. Whether he was guilty or not, the charges leveled against him by these group of law enforcement agents—their sheer presence in his home—would almost surely wreck his life.

Janczewski considered the research process that had led them here as a digital divining rod, uncovering a secret layer of criminal links under the surface. For the umpteenth time, he hoped it hadn't led him wrong.


A UK-born South African IT entrepreneur called Jonathan Levin had stepped into the plain brick offices of the UK's National Crime Agency—counterpart Britain's to the FBI—on the south bank of the Thames a few months earlier on a summer's day in London. A pleasant representative brought him to the second level of the building and into the office kitchen, where he was offered a cup of tea. Levin agreed to leave the tea bag in, as he normally did while visiting the NCA.

The two guys sat at the agent's desk amid a cluster of cubicles, drinks in hand. Levin was on his way to a regular client visit to see how the agent and his coworkers were utilizing the software that he'd cofounded. Chainalysis was the world's first software startup to focus completely on a task that seemed like an oxymoron only a few years ago: tracking bitcoin. Hundreds of law enforcement organizations across the world had learnt to utilize Chainalysis' software to transform the digital underworld's favored mode of trade into its Achilles' heel.

When Bitcoin originally launched in 2008, one of its main promises was that it would only tell which currencies were stored at which Bitcoin addresses—long, unique sequences of letters and numbers—without revealing any information about the owners of those coins. Many early adopters were under the impression that Bitcoin could be the fully anonymous internet cash that libertarian cypherpunks and crypto-anarchists had been waiting for: a new financial netherworld where digital briefcases full of unmarked bills could change hands across the globe in an instant.

In an early email outlining Bitcoin, Satoshi Nakamoto, the mystery creator of the cryptocurrency, even said that "participants can remain anonymous." Thousands of users on dark-web illegal markets such as Silk Road had adopted Bitcoin as their primary payment method. But the paradoxical fact about Bitcoin, on which Chainalysis had built its company, was this: Every Bitcoin payment is recorded in the blockchain, which is a permanent, immutable, and completely public record of every transaction in the Bitcoin network. The blockchain prevents currency from being counterfeit or spent multiple times. But it does it by making every transaction visible to everyone in the Bitcoin ecosystem. Every illicit payment is, in some ways, a visible smoking gun.

Academic security researchers—and subsequently organizations like Chainalysis—began ripping massive holes in the masks between Bitcoin users' addresses and their real-world identities within a few years of Bitcoin's inception. They could track bitcoins as they went from address to address on the blockchain until they found one that was linked to a recognized person. An investigator might learn someone's Bitcoin addresses by trading with them, similar to how an undercover narcotics agent would conduct a buy-and-bust operation. In other circumstances, they might track a target's coins to an account at a cryptocurrency exchange where users had to authenticate their identities due to banking rules. A brief subpoena to the exchange from one of Chainalysis' law enforcement customers was all it took to dispel any illusions about Bitcoin's privacy.

Chainalysis had coupled these approaches for de-anonymizing Bitcoin users with methods that allowed it to "cluster" addresses, revealing that a single individual or group may own hundreds to millions of addresses. When coins from two or more addresses were spent in a single transaction, for example, Chainalysis discovered that whomever produced the "multi-input" transaction had control of both spender addresses, allowing Chainalysis to group them together as a single identity. In other circumstances, Chainalysis and its users might follow a "peel chain," which is similar to tracing a single wad of cash as it is repeatedly taken out, peeled off a few dollars, and reinserted into a new pocket. Bitcoins would be transferred out of one address when a fraction was paid to a recipient, and the remaining returned to the spender at a "change" address in those peel chains. Separating those change addresses may allow a detective to track a quantity of money as it moved from one address to the next, tracing its route through the Bitcoin blockchain's noise.

Bitcoin has turned out to be the polar opposite of untraceable thanks to techniques like these: a type of honeypot for cyber criminals who had meticulously and irreversibly logged proof of their bad dealings for years. By 2017, law enforcement organizations such as the FBI, the Drug Enforcement Administration, and the Internal Revenue Service's Criminal Investigation Division (or IRS-CI) have traced Bitcoin transactions to conduct one investigation after another, frequently with the aid of Chainalysis.

The cases had started as modest but quickly grew in size. Investigators had tracked the movements of two dishonest federal officials and discovered that one had stolen bitcoins from Silk Road and the other had sold law enforcement information to its inventor, Ross Ulbricht, before the dark-web market's takedown in 2013. They then traced down half a billion dollars in bitcoins stolen from the Mt. Gox exchange and demonstrated that the money were laundered by the Russian administrator of another cryptocurrency exchange, BTC-e, finally finding the business's servers in New Jersey. Finally, they tracked down the creator of AlphaBay, a dark-web bazaar that had grown to ten times the size of Silk Road, using bitcoin traces. (A coalition of half a dozen law enforcement agencies was converging in Bangkok to arrest AlphaBay's inventor even as Levin was seated in London talking to the NCA agent.)

Levin was on the watch for Chainalysis' next major investigation, as he usually was. After going over a few ongoing cases with him, the NCA agent brought up an ominous dark web site that had lately come to the agency's attention. Welcome to Video was the name of the show.

"What he saw astounded him: a whole network of illicit payments, all designed to remain hidden, was laid open in front of him."

The webpage was discovered by the NCA while investigating a horrible case involving an offender named Matthew Falder. Falder, a Manchester-based scholar, pretended to be a female artist and solicited nude pictures from strangers on the internet, threatening to share the photos with relatives or friends unless the victims filmed themselves performing progressively degrading and immoral behaviors. He'd eventually push his victims to self-harm and even sexually assault others in front of the camera. He had targeted 50 persons by the time he was apprehended, at least three of them had attempted suicide.

The NCA discovered that Falder was a registered user of Welcome to Video on his computers, a criminal operation that dwarfed even Falder's crimes in scope. The evidence had subsequently been sent from the NCA's child exploitation investigations unit to the computer crime team, which included the cryptocurrency-focused agent at Levin's desk. Welcome to Video seems to be one of the few sites selling access to child sexual assault clips in return for bitcoin. At first look, it was evident that its collection of photographs and films was unusually extensive, and that it was being accessed—and constantly renewed with brand-new content—by a global user base.

The kind of images that was traded on Welcome to Video was often referred to as "child pornography," but child activists and law enforcement are increasingly referring to it as "child sexual abuse material" to eliminate any question that it contains acts of violence against children. For years, CSAM, as it is commonly shortened, has been a large undercurrent of the dark web, a collection of thousands of websites secured by anonymity technologies such as Tor and I2P. Those anonymity technologies, which were utilized by millions of people throughout the world to escape online monitoring, had also become the backbone of a heinous network of abuse, which frequently thwarted law enforcement efforts to identify CSAM site users and administrators.

Levin was shown a Bitcoin address that the NCA had discovered was part of Welcome to Video's financial network. Levin proposed they run it via Chainalysis' Reactor crypto-tracing program. He put down his tea and drew his chair closer to the agent's laptop, where he began mapping out the site's collection of Bitcoin blockchain addresses, which represented the wallets where Welcome to Video had received payments from thousands of consumers.

He was astounded by what he saw: many of the users on this child abuse website—and, by all appearances, the site's administrators—had done practically little to hide their bitcoin tracks. He was confronted with a whole network of illicit payments, all of which were supposed to be kept hidden.

Levin had observed as certain dark-web operators picked up on his firm's crypto-tracing tactics over the years. They'd send money through a series of intermediate addresses or "mixer" services to confuse investigators, or they'd use the cryptocurrency Monero, which is supposed to be significantly more difficult to track. However, Levin could tell by glancing at the Welcome to Video cluster at the NCA office that day that its users were significantly more ignorant. Many others had simply bought bitcoins on cryptocurrency exchanges and then deposited them directly from their wallets to Welcome to Video's account.

The contents of the website's wallets were then liquidated at a few exchanges—Bithumb and Coinone in South Korea, and Huobi in China—and changed back into conventional cash. Someone appeared to be constantly using massive, multi-input transactions to collect and pay out the site's money. Reactor was able to cluster hundreds of addresses rapidly and automatically, concluding that they all belonged to a single service, which Levin could now identify in the program as Welcome to Video. Furthermore, Levin could see that the network of exchanges around and connecting to that cluster certainly included the information needed to identify a large number of the site's anonymous users—not only who was cashing out bitcoins, but who was buying bitcoins to put into it. The blockchain linkages between Welcome to Video and its consumers were among Levin's most blatantly damning connections.

These victims of child sexual assault appeared to be completely unprepared for the current state of blockchain financial forensics. Welcome to Video was a poor rodent that had never faced a predator by the criteria of the cat-and-mouse game Levin had been playing for years.

As Levin sat in front of the NCA agent's laptop, it seemed to him, maybe more vividly than ever before, that he was living in the "golden era" of bitcoin tracing—that blockchain investigators like those at Chainalysis had a large lead on those they were pursuing. He recalls thinking, "We've produced something really strong, and we're a step ahead of these sorts of operators." "You've got a horrendous crime, a terrible thing occurring in the world, and our technology has broken through in an instant and shown who's behind it in very obvious reasoning."

Levin could already surmise that the administrator was in South Korea since someone was paying out the majority of Welcome to Video's income through the two exchanges there. Many of the site's customers appeared to be paying it straight from the addresses where they'd bought the coins on US-based exchanges like Coinbase and Circle. Bringing down this worldwide child abuse network may be as simple as enlisting the help of another law enforcement agency in the US or Korea, one that could demand identifying information from those transactions. Levin had a certain agency in mind.

He informed his NCA host, "I have several folks that might be interested."

But first, Levin discreetly recalled the first five characters of the Welcome to Video address the agent had shown him as he prepared to depart. The Reactor software from Chainalysis provided an autocomplete option for Bitcoin addresses based on the first few unique digits or characters. A single simple password would be enough to open the living map of a worldwide criminal enterprise.

=======

Levin chatted with Chris Janczewski and Tigran Gambaryan in the evening in Thailand. The two IRS Criminal Investigation special agents were seated in Bangkok's Suvarnabhumi Airport that night in early July 2017, stewing over their disappointment at being left out of the largest dark-web market takedown in history.

By 2017, the IRS had amassed a team of some of the best bitcoin tracers in the country. Gambaryan, in reality, was the one who tracked down the two corrupt Silk Road operatives' bitcoins and ultimately broke the BTC-e money laundering case. Gambaryan had even tracked down the AlphaBay server, placing it at a data center in Lithuania, thanks to Levin's help.

When Gambaryan and Janczewski arrived in Bangkok to arrest AlphaBay's administrator, the French-Canadian Alexandre Cazes, they were mainly excluded from the operation's inner circle of DEA and FBI agents. They hadn't been invited to Cazes' arrest scene, or even to the office where other agents and prosecutors were watching a video streaming of the arrest.

The story was completely typical for Gambaryan and Janczewski. IRS-CI agents, like their FBI and DEA counterparts, undertook shoe-leather investigative work, carried firearms, and made arrests. However, due of the IRS's shabby public image, they frequently encountered other agents who viewed them as accountants. When they were presented at meetings, their friends from other law enforcement agencies would jest, "Don't audit me." The remark had been repeated so many times by IRS-CI agents that it elicited an automatic eye roll.

Gambaryan and Janczewski were stuck in Bangkok and spent much of their time lazily pondering what their next case should be, scouring Chainalysis' blockchain-tracing program Reactor for inspiration. The Thailand operation appeared to have left dark-web markets like AlphaBay in shambles, and it would take months, if not years, for them to recover. A dark-web gaming site was examined by the agents as a target. Illegal internet casinos, on the other hand, did not appear to be worth their time.

Gambaryan and Janczewski arrived at the airport on the day of their departure from Thailand to discover that their flight to Washington, DC had been severely delayed. They sat half-awake and bored in the airport, literally looking at the wall, with hours to kill. Gambaryan decided to phone Chainalysis' Levin to discuss the future cases to pass the time. Levin had some good news to give as he picked up the phone. He'd been investigating a website that didn't suit the IRS's regular targets but that he thought they'd be prepared to investigate: Hello and welcome to Video.

The FBI and Homeland Security Investigations have generally been the focus of child sexual exploitation prosecutions, not the IRS. Part of this was due to the fact that most child sexual assault photographs and films were traded without payment, in what investigators dubbed a "baseball card trading" scheme, putting them outside the IRS's purview. Welcome to Video was a unique experience. There was a money trail, and it appeared to be extremely evident.

Soon after they returned to DC, Gambaryan and Janczewski engaged the help of Aaron Bice, a technical analyst from the contract technology firm Excygent, with whom they'd previously studied the crypto exchange BTC-e. Together, they mapped out Welcome to Video in Reactor and realized what Levin had already noticed: how obvious it was as a target. Thousands of clustered bitcoin addresses were set out in front of them, many with scarcely veiled pay-ins and cash-outs at exchanges they knew they could push for identifying information. It indeed appear to be a "slam dunk," as Levin put it. Janczewski quickly presented the evidence to Zia Faruqui, a federal prosecutor, who was immediately convinced on the concept of prosecuting Welcome to Video and formally launched an inquiry.

Gambaryan, Janczewski, Bice, and Faruqui formed an odd team to investigate a large-scale child trafficking ring. Janczewski was a tall Midwestern agent with a square jaw who wore horn-rimmed glasses when staring at a computer screen, appearing like a cross between Sam Rockwell and Chris Evans. After demonstrating his worth in a slew of counterterrorism, drug trafficking, government corruption, and tax evasion cases, he'd been recruited to the DC computer crimes team from the IRS office in Indiana. Bice was a specialist in data analysis and, as Janczewski put it, "half robot" when it came to computer abilities. Faruqui was a seasoned US attorney with a track record of prosecuting national security and money laundering cases. He exhibited an almost frantic focus and intensity, spoke in a hilariously quick patter, and appeared to be scarcely sleeping, according to his coworkers. Then there was Gambaryan, an IRS agent with buzzed hair and a tidy beard who had earned a reputation as the IRS's bitcoin whisperer and dark-web specialist by 2017. He was dubbed "Bitcoin Jesus" by Faruqui.

The team came to understand that, as straightforward as this "slam dunk" case appeared to be, it was actually rather intricate.

Despite this, none of the four had ever worked on a case involving child sexual exploitation. They had no experience dealing with photographs and films of child abuse, which were illegal in the hands of ordinary Americans. They'd never seen these kinds of radioactively distressing things before, and they didn't have any emotional or psychological preparation for the vivid nature of what they were going to view.

Despite their lack of expertise in the field of child abuse, Faruqui was unfazed when the two agents showed him what they found on the blockchain. As a money-laundering attorney, he saw no reason why they couldn't approach Welcome to Video as a financial inquiry based on the proof of unlawful payments Janczewski and Gambaryan had provided him.

Levin chatted with Chris Janczewski and Tigran Gambaryan in the evening in Thailand. The two IRS Criminal Investigation special agents were seated in Bangkok's Suvarnabhumi Airport that night in early July 2017, stewing over their disappointment at being left out of the largest dark-web market takedown in history.

By 2017, the IRS had amassed a team of some of the best bitcoin tracers in the country. Gambaryan, in reality, was the one who tracked down the two corrupt Silk Road operatives' bitcoins and ultimately broke the BTC-e money laundering case. Gambaryan had even tracked down the AlphaBay server, placing it at a data center in Lithuania, thanks to Levin's help.

When Gambaryan and Janczewski arrived in Bangkok to arrest AlphaBay's administrator, the French-Canadian Alexandre Cazes, they were mainly excluded from the operation's inner circle of DEA and FBI agents. They hadn't been invited to Cazes' arrest scene, or even to the office where other agents and prosecutors were watching a video streaming of the arrest.

The story was completely typical for Gambaryan and Janczewski. IRS-CI agents, like their FBI and DEA counterparts, undertook shoe-leather investigative work, carried firearms, and made arrests. However, due of the IRS's shabby public image, they frequently encountered other agents who viewed them as accountants. When they were presented at meetings, their friends from other law enforcement agencies would jest, "Don't audit me." The remark had been repeated so many times by IRS-CI agents that it elicited an automatic eye roll.

Gambaryan and Janczewski were stuck in Bangkok and spent much of their time lazily pondering what their next case should be, scouring Chainalysis' blockchain-tracing program Reactor for inspiration. The Thailand operation appeared to have left dark-web markets like AlphaBay in shambles, and it would take months, if not years, for them to recover. A dark-web gaming site was examined by the agents as a target. Illegal internet casinos, on the other hand, did not appear to be worth their time.

Gambaryan and Janczewski arrived at the airport on the day of their departure from Thailand to discover that their flight to Washington, DC had been severely delayed. They sat half-awake and bored in the airport, literally looking at the wall, with hours to kill. Gambaryan decided to phone Chainalysis' Levin to discuss the future cases to pass the time. Levin had some good news to give as he picked up the phone. He'd been investigating a website that didn't suit the IRS's regular targets but that he thought they'd be prepared to investigate: Hello and welcome to Video.

The FBI and Homeland Security Investigations have generally been the focus of child sexual exploitation prosecutions, not the IRS. Part of this was due to the fact that most child sexual assault photographs and films were traded without payment, in what investigators dubbed a "baseball card trading" scheme, putting them outside the IRS's purview. Welcome to Video was a unique experience. There was a money trail, and it appeared to be extremely evident.

Soon after they returned to DC, Gambaryan and Janczewski engaged the help of Aaron Bice, a technical analyst from the contract technology firm Excygent, with whom they'd previously studied the crypto exchange BTC-e. Together, they mapped out Welcome to Video in Reactor and realized what Levin had already noticed: how obvious it was as a target. Thousands of clustered bitcoin addresses were set out in front of them, many with scarcely veiled pay-ins and cash-outs at exchanges they knew they could push for identifying information. It indeed appear to be a "slam dunk," as Levin put it. Janczewski quickly presented the evidence to Zia Faruqui, a federal prosecutor, who was immediately convinced on the concept of prosecuting Welcome to Video and formally launched an inquiry.

Gambaryan, Janczewski, Bice, and Faruqui formed an odd team to investigate a large-scale child trafficking ring. Janczewski was a tall Midwestern agent with a square jaw who wore horn-rimmed glasses when staring at a computer screen, appearing like a cross between Sam Rockwell and Chris Evans. After demonstrating his worth in a slew of counterterrorism, drug trafficking, government corruption, and tax evasion cases, he'd been recruited to the DC computer crimes team from the IRS office in Indiana. Bice was a specialist in data analysis and, as Janczewski put it, "half robot" when it came to computer abilities. Faruqui was a seasoned US attorney with a track record of prosecuting national security and money laundering cases. He exhibited an almost frantic focus and intensity, spoke in a hilariously quick patter, and appeared to be scarcely sleeping, according to his coworkers. Then there was Gambaryan, an IRS agent with buzzed hair and a tidy beard who had earned a reputation as the IRS's bitcoin whisperer and dark-web specialist by 2017. He was dubbed "Bitcoin Jesus" by Faruqui.

The team came to understand that, as straightforward as this "slam dunk" case appeared to be, it was actually rather intricate.

Despite this, none of the four had ever worked on a case involving child sexual exploitation. They had no experience dealing with photographs and films of child abuse, which were illegal in the hands of ordinary Americans. They'd never seen these kinds of radioactively distressing things before, and they didn't have any emotional or psychological preparation for the vivid nature of what they were going to view.

Despite their lack of expertise in the field of child abuse, Faruqui was unfazed when the two agents showed him what they found on the blockchain. As a money-laundering attorney, he saw no reason why they couldn't approach Welcome to Video as a financial inquiry based on the proof of unlawful payments Janczewski and Gambaryan had provided him.

“We’re going to treat this case like we would any other,” he said. “We are going to investigate this by following the money.”

Collage of multicolored squares over a red checked background

Janczewski remembers the blank shock he felt at the parade of thumbnails alone, the way his brain almost refused to accept what it was seeing.

Illustration: Party of One Studio

When Janczewski and Gambaryan first copied the unwieldy web address, mt3plrzdiyqf6jim.onion, into their Tor browsers, they were greeted by a bare-bones site with only the words “Welcome to video” and a login prompt, a minimalism Janczewski compared to the Google homepage. They each registered a username and password and entered.
The site then presented a massive, seemingly unending collection of movie titles and thumbnails, arranged in squares of four stills per film, presumably picked automatically from the files' frames, after that first welcoming page. Those few photos were a catalogue of atrocities, with scene after scene of youngsters being raped and sexually assaulted.

The agents had mentally prepared themselves to view these sights, but the actuality had caught them off guard. Janczewski recalls his brain nearly refusing to recognize what he was seeing when he first saw the procession of thumbnails alone. He discovered a search page on the site with the misspelled words "Serach videos" typed at the top. It highlighted popular keywords users have put beneath the search area. The shorthand for "one-year-old" was the most common. The acronym for "two-year-old" was the second most common.

Janczewski initially assumed he had misunderstood. He had anticipated to witness videos of young teenagers or maybe preteens being sexually abused. But as he browsed, he became increasingly repulsed and saddened to see that the site was littered with footage of toddlers and even newborns being abused.

"Really, this is a thing?" No," Janczewski adds, numbly recalling his initial responses to the scene. "How come there are so many videos on here?" No. This can't possibly be true."

The two agents were well aware that they would have to watch at least some of the marketed films at some time. However, users were unable to access them on their initial visits to the site; in order to do so, they would have to send bitcoins to an address supplied by the site to each registered user, where they could purchase "points" that could then be exchanged for downloads. They didn't have the authority to buy those points since they weren't undercover agents, and they weren't especially interested in doing so.

A copyright date was listed at the bottom of various pages on the site: March 13, 2015. Hello and welcome to For more than two years, video has been available on the internet. Even at first glance, it was evident that it had evolved into one of the largest libraries of child sexual assault recordings ever discovered by law enforcement.

"You can't let a child get raped while you try to bring down a South Korean server." Taking the site down couldn't possibly be their top priority.

When Janczewski and Gambaryan looked into the site's mechanisms, they discovered that users could earn points by posting movies as well as purchasing them. The more times the films were downloaded by other users, the more points they would receive. "Do not upload adult porn," the upload page stated emphatically, with the final two phrases emphasized in red. The portal also said that uploaded recordings would be screened for originality, with only fresh content being accepted—a feature that the agents felt was specifically meant to encourage greater child abuse.

The part of the site that bothered Gambaryan the most was the chat area, where visitors could write comments and replies. It was brimming with posts in every language imaginable, indicating the site's global reach. Much of the conversation struck Gambaryan as chillingly mundane, like anything you'd see on a regular YouTube channel.

For years, Gambaryan had been on the lookout for crooks of all shades, from small-time con artists to corrupt federal law enforcement officers to cybercriminal kingpins. He typically had the impression that he had a firm grasp on his objectives. He'd even felt pity for them on occasion. He pondered, "I've known drug traffickers who are probably nicer people than certain white-collar tax evaders." "I could identify with a few of these crooks." Their sole motivation is greed."
But now he'd joined a world where people were doing crimes he didn't fathom, motivated by motives he couldn't comprehend. He felt himself to be familiar with the worst that people were capable of after a childhood in war-torn Armenia and post-Soviet Russia, as well as a career digging into the criminal underground. Now he realized he'd been naive: his first viewing of Welcome to Video revealed and crushed a buried vestige of his humanity idealism. "It took a piece of me away," Gambaryan says.

Gambaryan and Janczewski realized the case required a level of urgency that went beyond that of a typical dark-web investigation as soon as they saw what Welcome to Video actually signified. Every day the site was live, more children were abused.

The greatest leads, Gambaryan and Janczewski understood, were still in the blockchain. Importantly, the site did not appear to provide a way for clients to withdraw funds from their accounts. There was simply an address where they could pay for credits on the site, and there didn't appear to be a moderator where they could request a refund. That meant that all of the money they saw leaving the site—more than $300,000 in bitcoins at the time of the transactions—belonged to the site's administrators virtually likely.

Gambaryan began contacting his Bitcoin contacts, looking for employees at exchanges who might know executives at the two Korean exchanges, Bithumb and Coinone, where the majority of Welcome to Video's money had been cashed out, as well as one US exchange that had received a small fraction of the funds. The mere idea of child exploitation seems to dispel the bitcoin industry's customary aversion to government action, he discovered. "This is where everyone kind of drew the line," Gambaryan adds, "as libertarian as you want to be." Staff at all three exchanges were eager to assist him even before he submitted a formal legal request or subpoena. They promised to bring him account information for the addresses he had retrieved from Reactor as soon as possible.

Gambaryan couldn't stop himself from laughing as he sat in front of his computer screen in his DC cubicle, marveling at the weakness he'd identified.

Meanwhile, Gambaryan resumed his investigation into the Welcome to Video website. After creating an account on the site, he decided to perform a rudimentary security check—a long shot, he reasoned, but it wouldn't cost him anything. He did a right-click on the page and selected "View page source" from the menu that appeared. This would allow him to see the site's raw HTML before it was transformed into a graphical web page by the Tor Browser. At the very least, gazing at a big block of code is preferable to staring at an unending scroll of heinous human depravity.

He almost immediately recognized what he was looking for: an IP address. To Gambaryan's amazement, every thumbnail picture on the site appeared to reflect the IP address of the server where it was physically located, 121.185.153.64, within the site's HTML. He typed the 11 digits into his computer's command prompt and used a rudimentary traceroute tool to track the course of the data through the internet back to that server's location.

Surprisingly, the findings revealed that this machine was not at all veiled by Tor's anonymizing network; Gambaryan was viewing the exposed address of a Welcome to Video server. The site was hosted on a home connection of an internet service provider in South Korea, outside of Seoul, confirming Levin's first suspicion.
Hello and welcome to The administrator of the video seems to have made a rookie error. The site itself was Tor-hosted, but the thumbnail photos on its main page looked to have been grabbed from the same computer without going via Tor, maybe in an attempt to make the page load quicker.

Gambaryan couldn't stop himself from laughing as he sat in front of his computer in his DC cubicle, looking at the exposed position of a website administrator whose arrest he could feel approaching.

Janczewski was waiting his turn in a marksmanship drill at a shooting range in Maryland when he received an email from the American bitcoin exchange his team had subpoenaed. It featured information on the presumed Welcome to Video administrator who had paid out the site's revenues there.

The email's contents indicated a middle-aged Korean guy with an address outside of Seoul, which matched the IP address Gambaryan had discovered perfectly. A photo of the individual holding up his ID was included in the paperwork, presumably to confirm his identification to the American exchange.

For a brief period, Janczewski believed he was staring directly at the administrator of Welcome to Video. However, he recalls thinking something wasn't quite right: the man in the photograph had visibly unclean hands, with mud beneath his fingernails. He resembled a farm laborer rather than the hands-on-keyboard type he'd imagined to be running a dark web site.
As the other exchanges completed their subpoenas over the next few days, the solution began to take shape. The guys in charge of Welcome to Video's cash-out addresses were the subject of Gambaryan documents supplied by one Korean exchange and then the other. They mentioned not just that one middle-aged man, but also Son Jong-woo, a considerably younger male of 21 years. Both males had the same address and had the same surname. Is it possible that they were father and son?

The agents thought they were getting close to the administrators of the site. They had realized, however, that simply shutting down the site or arresting its administrators would not serve the interests of justice. Welcome to Video had created a vast, bustling nexus of both consumers and—far more importantly—producers of child sexual abuse materials on the blockchain, and this constellation of Bitcoin addresses laid out a vast, bustling nexus of both consumers and—far more importantly—producers of child sexual abuse materials.

Faruqui had enlisted the assistance of a team of additional prosecutors by this point, including Lindsay Suttenberg, an assistant US attorney with experience in child abuse cases. She also pointed out that pulling the site offline shouldn't be their top concern. Faruqui summed up her point by saying, "You cannot let a kid be raped while you try to take down a server in South Korea."

The team realized that, as straightforward as this "slam dunk" case appeared at first, it was actually daunting in its complexity following the easy identification of the site's operators. They'd have to track the money not only to one or two web administrators in Korea, but to hundreds of potential suspects all around the world, including both active abusers and their complicit audience of enablers.

Gambaryan's right-click identification of the site's IP address and the crypto exchanges' immediate collaboration were fortunate breaks. The main job was still to come.
========
The team of IRS-CI officers and prosecutors knew nearly exactly where Welcome to Video was hosted barely two weeks after Levin brought along his tip. They understood, though, that they'd need assistance to get any farther. They didn't have any ties to the Korean National Police Agency, which was known for its formality and impenetrable bureaucracy, and they didn't have the resources to arrest hundreds of the site's users, an operation that would need considerably more staff than the IRS could assemble.

Faruqui advised that they enlist the help of Homeland Security Investigations, working with a specific field office in Colorado Springs. He'd picked that agency and its far-flung outpost because of a specific agent there, an investigator called Thomas Tamsi, with whom he'd previously worked. A year previously, Faruqui and Tamsi had uncovered a North Korean arms smuggling organization attempting to transfer weapon components through South Korea and China. They'd gone to Seoul as part of that investigation to meet with the Korean National Police, where they spent an evening drinking and singing karaoke with Korean cops after being introduced by an HSI liaison there.

Others on the crew were irritated by Suttenberg's description of the footage. "They'd order me to shut up and write everything down," she recalls, "and then they'd tell me that was even worse."

The Korean operatives had been slamming the US squad for their purported hot-dog-and-hamburger diets at one point throughout the night. Some Koreans consume sannakji, a little octopus that is not just uncooked but also alive and writhing, according to one agent. Tamsi had cheerfully replied that he'd give it a shot.

A fist-sized, live octopus wrapped around a chopstick was presented to the table by a couple of Korean agents a few minutes later. Even as its tentacles wriggled between his lips and black ink spilled from his face onto the table, Tamsi placed the entire wriggling mollusk in his mouth, chewed, and swallowed. Tamsi describes the experience as "extremely terrible."

This made the Koreans laugh very loud. Tamsi became a near-legendary figure inside the Korean National Police, earning the moniker "Octopus Guy" in the process.

Tamsi, like the rest of their group, had no prior experience with situations of child exploitation. He'd never even worked on a crypto-investigation before. Faruqui, on the other hand, believed that they needed Octopus Guy to make advances in Korea.
Tamsi and a colleague HSI agent approved for undercover operations travelled to Washington, DC not long after. They leased a hotel conference room, and the undercover agent signed on to Welcome to Video, paid a quantity of bitcoins, and began downloading terabytes of films while Janczewski watched.

The unusual choice of location—a hotel rather than a government building—was intended to conceal the agent's identity in case Welcome to Video could follow its users despite Tor's security, as well as to give the DC attorney's office jurisdiction when it came time to prosecute. (At least the HSI agent used a Wi-Fi hotspot to avoid downloading the internet's most dangerous content through the hotel's network.)

When the undercover agent's work was finished, they shared the files with Janczewski, who spent the next few weeks watching the videos, cataloging any clues they could find to the identities of the people involved while also saturating their minds with enough images of child abuse to fill anyone's nightmares for the rest of their lives.

Suttenberg's years as a child exploitation prosecutor had left her desensitized; other attorneys on the team couldn't bear hearing her explain the contents of the tapes, let alone watching them. "They'd order me to shut up and write everything down," she recalls, "and then they'd tell me that was even worse."

As the case's main agent, Janczewski was responsible with preparing an affidavit that would be included in any charging document they brought to court. This entailed watching dozens of films, identifying the ones that represented the site's most severe content, and then providing technical summaries for a jury or judge. He compares the experience to a scene from A Clockwork Orange, in which he was continuously tempted to escape his attention yet was unable to.

He claims that seeing those movies changed him in ways he can only articulate in general terms—things he isn't sure he completely comprehends. Janczewski says, vaguely, "There's no going back." "You can't unknow what you know once you know it." And everything you see in the future is filtered through the lens of what you already know."

The team investigating the Welcome to Video network began the laborious task of tracking every conceivable user of the site on the blockchain and sending out hundreds of legal demands to exchanges all over the world in the early weeks of fall 2017. They hired a Chainalysis employee called Aron Akbiyikian, an Armenian-American former police officer from Fresno whom Gambaryan had known since boyhood and had recommended to Levin, to help study every tendril of Welcome to Video's cluster of Bitcoin addresses in Reactor.

Akbiyikian's mission was to conduct a "cluster audit," which entailed extracting every potential investigative hint from the site's bitcoin traces. That required meticulously tracing payments from one previous address to the next until he discovered the exchange where a Welcome to Video client had purchased bitcoins—and the identifying information that the exchange most certainly held. Many Welcome to Video users had made his work simple for him. "It was a lovely grouping in Reactor," recalls Akbiyikian. "It was very obvious." He would follow payment chains back through multiple hops before the money arrived at an exchange in certain circumstances. However, he claims that he saw wallet addresses receive money from exchanges and then deposit the cash straight into Welcome to Video's cluster for hundreds of users, transactions that established "leads as clean as you could wish," as Akbiyikian described it.
As the team began to get answers from exchanges with those individuals' identifying information, they began the process of compiling increasingly detailed profiles of their targets. They began collecting the names, faces, and images of hundreds of men—almost all of them men—from all walks of life and from all corners of the globe. Race, age, class, and nationality were all blurred in their descriptions. The only thing these people seemed to have in common was their gender and their financial ties to a global, hidden sanctuary of child abuse.

By this point, the crew believed they'd successfully tracked down the site's Korean administrator. They'd obtained a search warrant for Son Jong-Gmail woo's accounts and many of his exchange records, and they could see that he was the only one who appeared to be receiving the site's cashed-out proceeds—not his father, who appeared to the investigators to be an unwitting participant, a man whose son had stolen his identity and used it to open crypto-currency accounts. They discovered images of Son Jong-woo for the first time in his emails—selfies he'd shot to show pals where he'd damaged a tooth in an automobile accident, for example. He was a slender, nondescript young Korean man with wide-set eyes and a mop-top of black hair a la the Beatles.
However, as their depiction of the administrator grew, so did the profiles of the hundreds of other males who had visited the site. A few stood out to the investigators right away: To the dismay of Thomas Tamsi and his Homeland Security colleagues, one of the suspects was an HSI agent in Texas. Another, who they regarded with fear, was the associate principle of a Georgia high school. On social media, the school administrator had uploaded recordings of himself performing karaoke-style duets with adolescent females from his school. Otherwise, the films may have been misconstrued as harmless. Agents with greater expertise with child exploitation cautioned Janczewski that the man's Bitcoin payments may be a kind of grooming, based on what they knew about them.

These were guys in positions of authority who could have had access to victims. The detectives rapidly realized that, as they had expected, they would need to arrest some of Welcome to Video's members as soon as possible, even before the site could be taken down. Experts in child exploitation had warned them that some criminals had mechanisms in place to inform others if they were caught or compromised by law enforcement—code words or dead man's switches that sent out alarms if they were away from their computer for a specific amount of time. Nonetheless, the Welcome to Video research team felt compelled to act immediately and accept that risk.

Around the same time, another suspect appeared on their radar for a different reason: he was based in Washington, DC. In reality, the man's residence was only down the street from the US Attorney's office, in the Gallery Place district of Washington, DC. He lived in the same apartment building as one of the prosecutors, who had only recently moved out.

They understood that location may be valuable to them. As a test case, Janczewski and Gambaryan could simply search the man's residence and computers. They would be able to charge the entire case in DC's judicial district if it showed the man was a Welcome to Video client, overcoming a significant legal obstacle.

However, upon further investigation, they discovered that the individual was a former congressional staffer with a high-ranking position with a respected environmental group. Is it possible that arresting or searching the house of a target with such profile will result in a public outcry, thereby sinking their case?

However, they discovered that he had gone suspiciously silent on social media just as they were focusing their attention on this suspect in their midst. Someone on the team thought it would be a good idea to get his travel records. He had travelled to the Philippines and was ready to fly back to DC through Detroit, they discovered.

There were luggage from the trip that had not yet been entirely unpacked. The man had placed an order for pizza the night before, and a portion of it remained on the table unfinished.

This revelation prompted the agents and prosecutors to consider two possibilities: To begin with, the Philippines was a well-known destination for sex tourism, particularly that which preyed on children—the HSI office in Manila was regularly swamped with child abuse cases. Second, if the individual returned to the United States, Customs and Border Protection may legitimately hold him and seek access to his equipment in order to look for evidence—a strange and contentious exception to Americans' constitutional rights that could come in useful in this case.

Would their DC-based suspect raise the alarm and suffocate their investigation just as it was getting underway?
"Yes, this had the potential to derail our case," adds Janczewski. "However, we had no choice but to act."

Customs and Border Protection stopped a man disembarking from an aircraft from the Philippines on his way back to Washington, DC in late October, requesting him to step aside and escorting him to a secondary screening area. Despite his objections, the border authorities demanded his computer and phone before allowing him to go.

On October 25, a prosecutor who had lived in the same DC apartment building as the suspect received an email from her previous building's management; although having moved out, she had remained on the distribution list. The parking garage ramp in an alley behind the skyscraper will be closed that morning, according to the email. It revealed that an unknown individual had landed there after leaping to their death from their apartment's balcony.

The prosecutor was able to connect the dots. The jumper used as a "test case" for their Welcome to Video campaign. Janczewski and Gambaryan drove straight to the apartment rise and confirmed with management that their first target had just committed suicide.

With a search warrant, two IRS-CI officers returned to the location of the man's death later that day. They took the elevator to the 11th level with the building manager, who was perplexed as to why the IRS was involved but unlocked the door for them without saying anything. They discovered an upmarket, fairly dirty flat with high ceilings on the inside. There were luggage that had not yet been completely unpacked after a vacation. The man had placed an order for pizza the night before, and a portion of it remained on the table unfinished.

Janczewski recalls the melancholy silence of the man's empty house as he reflected on the difficult decision he had made the night before. The agent could see the location in the alleyway below where the pavement had previously been hosed down from the balcony, which was 11 levels below.

The agents were handed a security camera footage of the victim falling to his death by the DC Metropolitan Police Department. They graciously refused the invitation. Meanwhile, the Detroit Customs and Border Protection office stated that they had inspected the computer taken from the guy at the airport—some of its storage was encrypted, but other sections were not—and discovered child exploitation movies as well as secretly recorded adult sex videos. Their choice to go for the man had paid off: their test case had turned out to be affirmative.

Prosecutors in DC took a small break from their work to meet and express their sorrow at the man's death—their investigation of a site hosted halfway across the world had already resulted to someone killing themself only blocks away. "It was simply a reminder of the gravity of what we were looking into," Faruqui recalls. Despite this, the group decided that the suicide could not be a distraction from their job.

"We have to concentrate on the victims here," Faruqui recalls them saying to each other. "That clarifies everything."

Janczewski says he would have much preferred that the man be arrested and charged. But he had, by this point, been forced to watch hour after hour of child sexual abuse videos. He had put aside his emotions early on in the case, and he had few sympathies to spare for an apparent customer of those materials.

 

If he felt anything, he admits, it was relief, given the time that the suicide had saved him: They still had hundreds more Welcome to Video customers to pursue.

Red flannel buffalo plaid shirt with fingerprints and smudges on the art

Janczewski spotted something that gave him a jolt: At one point in the recording, the girl in the video had a red flannel shirt tied around her waist.

Photograph: Tabitha Soren

Next on their list was the high school assistant principal. Just days later, Janczewski flew down to Georgia and joined a tactical team of HSI agents as they carried out their search. For the first time, he came face-to-face with an alleged Welcome to Video client in his own home.

Despite his stoicism, the second test scenario had a greater impact on Janczewski than the DC objective had. The neat, well-kept two-story brick residence. In separate rooms, the parents were interrogated. Mickey Mouse Clubhouse is being watched by children of the same age as Janczewski's. As he stood in the foyer of that house outside of Atlanta, the entire weight of the inquiry dawned on him: every name on their list had personal links and, in many cases, a family. Even charging suspects of such a heinous murder had an irreparable impact on their life, as he put it, because it was "a scarlet letter for someone who absolutely cannot be undone."

Janczewski and the HSI agents stayed long enough at the house to search it, examine the guy, and confiscate his electronic equipment for study. Faruqui claims that the guy acknowledged to "inappropriately touching" pupils at his school, in addition to evidence of the man's payments for content on Welcome to Video. Later, the guy was charged with sexual assault of juveniles, to which he pleaded not guilty.
Any remaining suspicions Janczewski had after his initial encounter with a suspect based solely on bitcoin tracing were eliminated in a couple of hours. "I felt more confidence at the end of the day," he adds. "We were on the right track." The blockchain has not deceived anyone.

The team was steadily working through their prioritized set of Welcome to Video goals and test cases. However, in December 2017, they discovered a new kind of lead—one that would once again throw their priorities into disarray.

Investigators had been cautious to capture the complete contents of the site's chat page while they followed Welcome to Video's financial trails, where members were still submitting a constant stream of remarks against a backdrop of spam and trolling characteristic of any anonymous web forum. The site appeared to be completely unmoderated, with no visible admin email or assistance contact information. However, Janczewski began to notice a series of messages from one account that looked to give the closest thing the site had to a help-desk contact: "Contact the administration if you need assistance in repairing issue," the messages stated. It contained a Torbox address, a Tor-based email service with a privacy focus.

Was this a legitimate site moderator? Or perhaps the site's owner, Son Jong-woo, who they now suspect to be the administrator?

Janczewski investigated the username before the "@" in the Torbox address, a unique-looking string of six characters, to see whether it matched a user on Welcome to Video as he sought to figure out who was behind those messages. He discovered that someone with the identical username had posted over a hundred films.

Janczewski saw a poster on the wall that he'd seen in the films. He felt as if he'd dropped through his own computer screen into the set of a horror movie for a brief period.

Aaron Bice of Excygent came up with the notion of comparing this Torbox email address to a database acquired from BTC-e during the IRS-investigation CI's of the crypto exchange, in order to look for hints in its rich mine of criminal underworld user data. Bice discovered a match: On BTC-e, one account had been created with an email address that had the identical six-character string. It wasn't a Torbox email account, but rather one from Sigaint, a privacy-focused email provider.

Janczewski was well aware that Torbox and Sigaint, both dark-web services, would refuse to comply with legal inquiries for their users' data. However, the BTC-e data includes IP addresses for ten previous logins by the same user on the exchange. Nine out of ten times, the IP address was hidden behind a VPN or Tor. However, the customer had made a mistake on a single visit to BTC-e: they had disclosed their genuine home IP address. Janczewski recalls, "That unlocked the whole door."

A traceroute revealed that the IP address pointed to a household internet connection in Texas, not Korea. Was there a second Welcome to Video administrator, this time in the United States? Janczewski and Bice drew the thread tighter and tighter, subpoenaing account information from the user's internet service provider.

Janczewski was having coffee at his desk in the IRS-CI office on a Friday morning in early December when he received the findings of that subpoena. He found a name and a home address in the email when he opened it. An odd accomplice for a 21-year-old Korean administering a child exploitation site from 15 time zones away was an American in his thirties who resided in a village outside of San Antonio. When Janczewski checked up the man's job title, he discovered he worked for the Department of Homeland Security, this time as a Border Patrol agent.
Janczewski started collecting public information on the agent from his social media profiles right away. He discovered the man's wife's Facebook profile first, then an account for the man himself, with his name typed backwards to disguise it. Bice also dredged up his Amazon website, where he appeared to have written ratings on hundreds of things and added others to his "wish list"—including terabyte-capable external storage devices, concealed cameras, and other cameras meant to be snaked through tight openings, such as holes bored in a wall.

Finally, with a sinking feeling of dread, Janczewski discovered that the Border Patrol agent's wife had a small daughter—and that he had set up a GoFundMe page to seek funds to officially adopt the child as his stepdaughter. Janczewski thought to himself, "Fuck." "Did he put footage of his daughter on the internet?"

When Janczewski returned to Welcome to Video, he noticed that some of the thumbnails of the movies published by this account depicted the sexual assault of a young girl about the daughter's age. He understood he now had a responsibility to quickly remove this Border Patrol agent from his victim.

Janczewski didn't leave his workstation for the following ten days. He'd drive home, have a brief supper with his family in their little Arlington, Virginia, townhouse, then return to work late, frequently contacting Bice and Faruqui late at night.

Faruqui explains, "You're rarely in a circumstance where your time is a zero-sum game." "A small girl may be raped every instant we weren't working on the case."

Janczewski requested that their undercover HSI agent download the tapes that the Texas agent had posted, and he began the arduous task of watching them one by one. He saw something that startled the pattern-matching subroutines of his brain a few films in: A red flannel shirt was knotted around the waist of the girl in the video at one point during the taping. He saw it when he returned his gaze to a photo of the girl put on the GoFundMe page: she was dressed in the same red flannel.

Was this Border Patrol agent a Welcome to Video administrator? Is there a moderator? It didn't make a difference. Janczewski now believes he has identified an active child rapist who lived with his victim and has been filming and sharing his crimes with tens of thousands of other people. The Texas guy had risen to the top of their list of targets.

Janczewski travelled to southern Texas with HSI's Thomas Tamsi and his team's child-exploitation-focused prosecutor, Lindsay Suttenberg, two weeks before Christmas, on the tenth day after identifying the Border Patrol agent. Tamsi and a squad of Texas State Police officers followed their target home from work on a calm, dry evening approximately a hundred miles from the Mexican border and pulled him over. They transported the man to a neighboring hotel for questioning with a group of FBI officers.

The team's preliminary list of high-priority suspects was ultimately completed. They could now turn their attention to Son Jong-woo, their main objective.

Meanwhile, Janczewski and a team of local Homeland Security officers went into the man's home to look for proof. Janczewski recalls the two-story house as run-down and unkempt, with the exception of the man's well-organized home office on the second level, where they discovered his computer. He came down the corridor from that office and instantly recognized the girl's bedroom as the location where the man's recordings were made. He spotted a poster on the wall that he'd seen in the recordings and felt for a brief minute as if he'd fallen through the screen of his own computer into the set of a horror movie.

The IRS agent and prosecutor had brought along an FBI interviewer with experience in child exploitation, who pulled the girl away from the officers examining her house and transported her to a safer area. The child ultimately told the interviewer about the abuse she'd been subjected to.
Janczewski arrived at the hotel room where other agents were interviewing their suspect shortly after the search of the Border Patrol agent's residence. For the first time, he beheld the object of his fixation during the previous week and a half. The man was large and muscular, still dressed in his uniform, and his hair was thinning. Janczewski claims that he originally refused to discuss any physical abuse he may have perpetrated, but that he gradually admitted to collecting, distributing, and—finally—making child sexual assault movies.

Janczewski was shocked by the man's detached, almost clinical description of his activities. He revealed the password to his home computer to his interrogators, and an agent who remained at the residence began removing evidence from the PC and forwarding it to Janczewski. It had extensive spreadsheets detailing every child sexual exploitation movie the man had gathered on his hard drives and, by all appearances, recorded in his own house.

Another spreadsheet on the man's computer had a huge list of login passwords for other Welcome to Video users. During interrogation, the guy detailed his plan: he'd pretend to be an administrator in messages posted to the site's chat page, then ask users who fell for the bait to provide him their usernames and passwords, which he'd use to log in to their accounts and watch their films.

The Border Patrol agent had never been a Welcome to Video administrator or moderator; instead, he had been a very cunning visitor to the site, eager to defraud his fellow users to feed his own lusts.

They'd located and apprehended another accused child abuser after a stressful ten days, and they'd even saved his victim. However, when he flew back to DC, Janczewski was well aware that Welcome to Video's far broader network of abuse was still in place. And until they shut the site down, it would continue to distribute its movies to an anonymous swarm of consumers just like him, including the ones the Border Patrol agent had uploaded from his Texas home office.
=======
The DC investigators received news from Thomas Tamsi in early January 2018 that he and his crew had arrested the other federal law enforcement client of Welcome to Video, the HSI agent who'd arrived early in their blockchain tracing and subpoenas. Despite appearing unrelated to the Border Patrol agent case, this second agent was based in Texas as well, less than an hour away from the man they had just raided.

Aside from that dreadful coincidence, the arrest of the HSI agent meant that the DC team's original list of high-priority suspects had now been completed. They may then turn their attention to their main target, Son Jong-woo, and the Welcome to Video server he controls.
That Korea-focused effort was coming together by February. Janczewski, Gambaryan, Faruqui, and Tamsi had travelled to Seoul to speak with the Korean National Police Agency before the Texas arrests. The director of the KNPA personally promised Tamsi—whose octopus-eating reputation preceded him—that the Americans would have the support of his "best squad" during a meal planned up by the local HSI attaché. They soon had Son Jong-woo under continual observation as he arrived and left from his flat in South Chungcheong, two and a half hours south of Seoul.

The American spies came in Seoul again in the dead of winter on the Korean peninsula, only a week after Korea held the Winter Olympics in Pyeongchang. Gambaryan was forced to stay behind for an ill-advised conference at which the agency's director had agreed to speak. However, Janczewski and Faruqui invited along Aaron Bice, a Korean-American computer crime prosecutor, and Youli Lee, a Korean-American computer crime prosecutor, to their squad. A considerable international force had gathered around the case at this time as well. The National Crime Agency of the United Kingdom, which had initiated its own investigation into Welcome to Video shortly after Levin's visit to London, dispatched two agents to Seoul, and the German Federal Police joined the alliance as well. The Germans had been investigating the site's administrators on their own before learning about the IRS's inquiry, but they had never been able to get the Korean National Police's help.

As they waited outside the Seoul hotel where they were staying in the cold, Faruqui recalls a German official asking him how the Americans had gotten the Koreans on board so fast. Faruqui had clarified, "Oh, Octopus Guy." "You don't have Octopus Guy," says the narrator. Octopus Guy is here."

The takedown team met several times at the Korean National Police headquarters during their initial days in Seoul to discuss their intentions. Based on Gambaryan's serendipitous right-click, their IP address tracking revealed that the site's server was strangely placed not in any web-hosting firm's data center, but in Son Jong-own woo's apartment—the evidential hub of a large child sexual assault video network, sitting directly in his own house. That made things simple: they'd arrest him, shut down his website, and use the evidence against him to condemn him. On a Monday morning, the crew planned to see him in his residence.

Then Janczewski caught a cold the day before. He spent the weekend in Seoul, dazedly roaming between markets and stores, trying to pronounce gaseubgi, the Korean name for humidifier. He took a tablet of what he assumed was a Korean version of Nyquil—he couldn't read the label—on Sunday evening in the hopes of getting some sleep and recuperating in time for the arrest.

The KNPA then informed the crew that the plan had changed: Son had traveled into Seoul for the weekend unexpectedly. The team tracking his locations now believes he's on his way back to his house south of the city late at night.
If the cops could drive down to Son's house that night and stake it out, they may be ready to arrest him at his door when he returns. That way, he wouldn't be able to destroy evidence or commit suicide, which was a major concern following the death of their Washington, DC, target. Janczewski explains, "We had to scramble."

Faruqui requested that the group raise their hands in a "Go team!" chant in their hotel lobby later that evening. He and Lee then walked up to their rooms to get ready for bed. Janczewski came out into the pouring rain, partly unconscious from cold medicine, holding a pillow from his hotel room, and got in a car with the HSI liaison to begin the lengthy night-drive south. The HSI agent had pleaded with Janczewski to drive another car in the caravan instead of an old Korean guy on his squad who was a notoriously lousy driver, according to the agent. Janczewski, on the other hand, said he was far too drugged to drive the dark, rainy roadways of a country 7,000 kilometers away.

A few hours later, the crew arrived in the rain at the parking lot of Son's apartment—a 10-story structure with a few modest buildings on one side and a large, barren rural landscape on the other. When they eventually saw Son's car roll into the complex's parking garage, it was already past midnight.

He was met by a squad of Korean spies who had been waiting for him. One especially imposing officer, dubbed "Smiley" by the HSI agents because he never smiled, led a squad of plainclothes cops into the elevator next to Son as he entered. The agents sat calmly in the elevator with Son, riding up to his level and exiting when he did. They apprehended him without a struggle as he approached his front door.

On the server, there were over 250,000 movies, which was more content by bulk than any other case of child sexual abuse materials in history.

Janczewski and the other foreigners remained locked in their automobiles in the rain-soaked parking lot during the arrest and the hours-long search of Son's apartment that followed. Only the National Police were allowed to touch Son or enter his residence. When the Korean authorities got the young Welcome to Video administrator detained, they inquired whether he'd agree to let Janczewski or any of the other Americans in. Son, predictably, declined. As the Korean officials inspected the flat for evidence and took his equipment, Janczewski was confined to a FaceTime tour of the modest and nondescript apartment that Son shared with his divorced father, the guy with the unclean hands in the first photo they'd seen.

The Korean agent who was showing Janczewski around ultimately aimed the phone's camera at a desktop computer on Son's bedroom floor, a cheap-looking tower-style PC with one side of its casing open. The insides of the computer revealed the hard drives that Son appeared to have inserted one by one, each one laden with terabytes of child exploitation movies.

This was the server that said "Welcome to Video."

“I was expecting some kind of glowing, ominous thing,” Janczewski remembers, “and it was just this dumpy computer. It was just so strange. This dumpy computer, that had caused so much havoc around the world, was sitting on this kid’s floor.”

Illustration of a person carrying an umbrella in a rainstorm with headlights behind them.

It was well past midnight when they saw Son’s car finally pull into the parking garage of the complex.

ILLUSTRATION: Hokyoung Kim
On the return trip, Janczewski learned exactly why the HSI liaison had wanted him to drive the other car. The elderly HSI staffer behind the wheel of the other vehicle in their caravan was somehow so disoriented after a sleepless night that he turned the wrong way down a highway exit ramp, narrowly avoiding a high-speed collision and terrifying his passenger, Aaron Bice.
After narrowly avoiding tragedy, the gang stopped at a truck stop along the highway to eat breakfast of gas station instant ramen as the sun rose and the rain stopped. Janczewski, who was still unwell and fatigued, was struck by how flat everything felt. His team had tracked down and rescued the administrator as well as the machine at the heart of the nefarious worldwide network they were investigating. He had been looking forward to this moment for almost six months. He was not, however, elated.

There were no high fives or congratulatory gestures. The agents climbed back into their cars and resumed their lengthy journey back to Seoul.

After finally obtaining some sleep the next day, Janczewski was able to see past the dreariness of the previous night's procedure and realize how fortunate they had been. Son Jong-woo had not encrypted his server, according to the forensic specialists who inspected his PCs. There was everything: all of Welcome to Video's content, its user information, and the wallets that had processed all of the company's Bitcoin transactions.

Now that they could see the full video collection, the size of it was mind-boggling. On the server, there were more than 250,000 movies, more content by volume than in any other case of child sexual abuse materials in history. When they shared the collection with the National Center for Missing and Exploited Children (NCMEC), which assists in cataloging, identifying, and removing CSAM items from the internet, they discovered that 45 percent of the films had never been seen before. The uniqueness check and reward system for new content implemented by Welcome to Video seems to have worked, with numerous new examples of child abuse being reported.

The site's user information, however, was the true prize for the investigators. The Korean National Police handed the US team a copy of Welcome to Video's databases, and they went to work rebuilding those data collected on their own workstation in a US Embassy building in Seoul. Meanwhile, they swiftly built up a look-alike Welcome to Video homepage on their own server to avoid alerting the site's visitors to the shutdown, using the private key extracted from the genuine server to take over its dark-web address. When visitors went to the site, it now only said it was under construction and will be back soon with "updates," replete with mistakes to replicate Son's sloppy English typing.

With Janczewski and Faruqui standing behind him, pressing him to ask whether the system was ready yet, Bice spent two days with his head down, reconstructing the site's user data in a manner they could readily query. The US team had a comprehensive directory of the site's pseudonymous users, listed by their Welcome to Video usernames, when Bice was finished. They could now correlate every Bitcoin payment they'd mapped out on the blockchain to those identities, and see what material each of those users had published or downloaded.
The Americans had merged the de-anonymized identities from their cryptocurrency exchange subpoenas into a searchable database by the time they were ready to return home at the end of February. It included the full Welcome to Video network, including members' true identities, photographs, and—for those who had paid into the site—a record of those payments as well as the specific child abuse movies to which they had purchased access. Janczewski explains, "You could see the complete panorama." "It was like a combination of a dictionary, thesaurus, and Wikipedia."

They had the whole structure of Welcome to Video's worldwide child exploitation ring laid out in front of them—hundreds of perfectly detailed profiles of customers, collectors, sharers, creators, and hands-on abusers alike. The case's last phase might now commence.

Thomas Tamsi's team in Colorado began delivering its Welcome to Video dossiers to HSI agents, local police, and foreign police agencies throughout the world in the weeks that followed. These "targeting packages" included descriptions of the suspects, records of their transactions, any other evidence they'd gathered about them, and short primers on how Bitcoin and its blockchain worked, given that they were being sent out to law enforcement agents who had, in some cases, never been involved in a cryptocurrency-related investigation.

There would be no concerted worldwide takedown, no attempt to generate shock and awe by arresting everyone at the same time. The defendants in the case were far too dispersed and multinational for such a coordinated operation. Instead, throughout the world, searches, arrests, and questioning began to be carried out, prioritizing individuals suspected of being active abusers, uploaders, and finally downloaders. As the users of Welcome to Video were challenged one by one, the DC team began to hear back about the outcomes of their work—harrowing, sometimes satisfying, and frequently heartbreaking.

Most of the 337 pedophiles arrested in the case—and their rescued victims—would have never been located if not for bitcoin and the years-long trap created by its supposed untraceability.

Before the agents arrived, a Kansas IT professional, whose arrest they'd prioritized after learning that his wife ran an at-home daycare for newborns and toddlers, had removed all of his child abuse films from his computer. Prosecutors claim he confessed when remains of files in the computer's storage matched information from the Welcome to Video server.

When the agents arrived in New York for a twenty-something guy, his father closed the entrance of their apartment, assuming it was a break-in. However, when the agents described the nature of their warrant, he turned on his son and allowed them to enter. According to authorities, the son had sexually molested the daughter of a family friend and had secretly videotaped another young girl through her webcam.

When the HSI team visited his residence in Washington, DC, a serial offender attempted suicide by hiding in his bathtub and slitting his own neck. One of the arresting agents had previously served in the Army as a medic. He was able to control the bleeding and save the man's life. They discovered 450,000 hours of child abuse movies on his computers later, including tapes of the girl in Texas that the Border Patrol agent had posted.

The stories continued to pile up throughout the months, a mix of the heinous, tragic, and heinous. A man in his sixties who has posted over 80 recordings of child abuse. A guy in his early twenties with catastrophic brain injury, whose medicine had increased his sexual desires while decreasing his impulse control, and who was assessed to have the same cognitive development as the preteens he'd witnessed being abused. When his conversations were disclosed through a search request, they appeared to indicate his talks to buy a youngster for his personal sexual exploitation.
As the case's chief HSI agent, Thomas Tamsi oversaw more Welcome to Video arrests than anybody else—more than 50, by his count—and was there for so many that they became a fog in his recollection, with only the most startling instances standing out. He discovered the mostly naked defendant in a cellar. The suspect who informed him he was a Boy Scout leader and that "children had always been drawn to him." Parents of victims whose faces turned white as he pushed printouts of censored images across the table, fiercely denying that a family friend could have done the crimes Tamsi claimed.

The instances were from all across the world, not just the United States. In the Czech Republic, Spain, Brazil, Ireland, France, and Canada, dozens of Welcome to Video users were detained. In England, where the investigation began with a tip to Levin, the National Crime Agency detained a 26-year-old man for allegedly abusing two children—one of whom they discovered naked on a bed in his home—and uploading over 6,000 files to the site. In a separate international example, a Hungarian ambassador to Peru was discovered to have over 19,000 CSAM photos on his computer after downloading content from Welcome to Video. He was removed discreetly from his job in South America, hauled to Hungary, and accused; he pled guilty.

Many of the foreign cases slipped into a black hole for the DC team: one Saudi Arabian Welcome to Video user returned home and was apprehended by his own country's law authorities. Faruqui and Janzewski said they never learned what happened to the guy; he was left to the Saudi legal system, which condemns certain sex offenders to Sharia-based penalties such as whipping or even beheading. Despite the fact that the guy had no children of his own, investigators discovered a teddy bear and a map of playgrounds in the region when they searched the car of a Chinese resident residing near Seattle with a job at Amazon. After then, the guy went to China and has never been found, according to prosecutors.

Chris Janczewski's contact was included as the number to call with any queries in each of the hundreds of intelligence packets that the team sent out. Janczewski found himself repeatedly describing the blockchain and its crucial significance in the case to HSI agents and local police officers around the United States and the world, many of whom had never heard of Bitcoin or the dark web. "You get this lead that says, 'Here's this website and this strange online money,'" Janczewski imagines the receivers of the intelligence packets seeing it, "and now you need to go arrest this guy because some geek accountant says so," Janczewski adds.

Janczewski visited six countries and met with almost 50 persons to assist explain the case, many of whom he spoke with many times—including one US prosecutor and agent team with whom he had over 20 discussions. ("Some were, politely, a little more high maintenance than others," he admits.) Bice, who managed the rebuilt server data, claims he spoke with hundreds of agents and officers.
In total, 337 persons were arrested for their connection with Welcome to Video between the start of the case and the year and a half that followed the server seizure. They also saved 23 youngsters from being sexually exploited.

Those 337 arrests only accounted for a minor portion of the overall number of Welcome to Video users. Thousands of accounts were discovered on the site when the US team analyzed their copy of the server data in Korea. However, the great majority have never deposited any bitcoins into the site's wallets. The investigators' trail frequently turned cold when they didn't have any money to pursue.

The bulk of the 337 pedophiles arrested in the Welcome to Video case—and their rescued victims—would have likely never been located if not for bitcoin and the years-long trap created by its alleged untraceability.
=======
The IRS and the US Attorney's Office in Washington, DC, had chosen an unconventional strategy, approaching a major case of child sexual abuse materials as a financial inquiry, and it had worked. Throughout their investigation, Bitcoin's blockchain had acted as their actual compass, guiding them through a pivotal case. Faruqui claims that without crypto tracing, they would not have been able to map out and identify so many of the site's visitors.

"That was the only way out of this gloom," he explains. "As the darknet grows darker, the only way to shine the light is to follow the money."

However, dumping money-laundering detectives into the CSAM swamp on the internet has taken its toll. Almost every member of the team had children, and almost all of them said that as a result of their work, they were considerably more protective of their children, to the point where their confidence in the people surrounding their family was severely harmed.
Janczewski, who relocated to Grand Rapids, Michigan following the case, would not allow his children to ride their bikes to school on their own, as he did as a youngster. Even seemingly innocuous exchanges, such as another pleasant parent offering to babysit his kids at the opposite end of a swimming pool, suddenly send him into a panic. Youli Lee claims she will not let her 9- and 12-year-old children use public restrooms alone. She also won't let them play at a friend's house unless the friend's parents have top-secret security clearances—an obviously arbitrary regulation, but one she claims assures the parents have been screened.

Faruqui claims that the 15 or so films he viewed as part of the inquiry are "indelibly etched" in his mind and have permanently increased his awareness of the hazards his children face in the world. He and his wife fight over his overprotective instincts, he claims. He cites his wife as saying, "You constantly see the worst of mankind, and so you've lost perspective." "And I tell them, 'You don't have perspective because you don't know what's out there,'" she says.

Yuki Gambaryan claims that the Welcome to Video case was the only time her hard-shelled, Soviet-born husband had opened up to her over a case and admitted that it had gotten to him emotionally. The sheer breadth of the cross-section of society that engaged in the site's misuse, according to Gambaryan, is what still bothers him.

"I observed that anybody can do it: physicians, teachers, and police enforcement," he remarked. "Whatever you want to call it—evil, whatever you want to call it—in it's everyone—or it can be in everyone."

Son Jong-woo stepped out of a Seoul prison in early July 2020, wearing a black long-sleeve T-shirt and carrying a green plastic bag containing his possessions. He had only served 18 months in prison because to Korea's lax rules on child sexual assault.

US prosecutors, including Faruqui, claimed that he should be extradited to the US to face charges in the American court system, but Korea refused. The convicted founder and administrator of Welcome to Video was let free.

Son's mystifyingly short sentence for running, by some estimates, the largest child sexual abuse materials website in history has left the DC-based team working on the Welcome to Video case very unsatisfied. However, Janczewski says he is heartened by the public outrage in Korea over the issue. Son's fast release sparked outrage on social media across the country. More than 400,000 individuals signed a petition opposing the judge's appointment to the country's highest court. One Korean member proposed a measure that would allow extradition rulings to be appealed, while the country's National Assembly passed new laws toughening the penalties for internet sexual abuse and downloading child sexual abuse materials.

Meanwhile, the case's repercussions lingered in the United States for years. Janczewski, Bice, and Suttenberg say they're still getting calls from cops who are following up on the leads they've compiled. They discovered proof in a bitcoin exchange account on the computer of the DC investigators' first test case, a former congressional staffer who committed suicide, indicating he'd also paid into a second source of dark-web pornographic files. They tracked the funds to a site called Dark Scandals, which turned out to be a smaller but no less distressing dark-web archive of sexual assault recordings.
Parallel to the tail end of the Welcome to Video investigation, Janczewski, Gambaryan, and the same group of prosecutors followed the Dark Scandals case, pursuing blockchain leads to trace the site's cash-outs. They detained the site's accused administrator in the Netherlands, a guy called Michael Rahim Mohammad, who went by the online nickname "Mr. Dark," with the cooperation of the Dutch national police. In the United States, he is facing criminal accusations, and his case is still pending.

The fate of the HSI agent they had detained in Texas just before their journey to Korea to carry out the site shutdown was arguably the most fascinating of the case's rippling consequences from the standpoint of Welcome to Video's money-laundering-focused agents and prosecutors. The Texan had adopted an unusual strategy to his legal defense: he had pled guilty to possessing child sexual assault materials while still appealing his conviction. He contended that his case should be dismissed because IRS officers tracked his Bitcoin transfers without a warrant, infringing on his Fourth Amendment right to privacy and constituting an illegal "search."

The argument was heard by a panel of appeal judges, who dismissed it. They detailed their decision in a nine-page judgement, laying down a precedent that spelt out in clear terms how far from private Bitcoin transactions were to them.

"Every Bitcoin user has access to the public Bitcoin blockchain, which allows them to view every Bitcoin address and its associated transactions." The identities of Bitcoin address owners can be determined by studying the blockchain as a result of this publicity," the court stated. "There is no constitutional privacy interest in the information on the blockchain, hence there is no encroachment into a constitutionally protected area."

The American legal system has long ruled that a search only requires a warrant if it enters a domain where the defendant has a "reasonable expectation of privacy." According to the courts, no such expectation should have existed in this case: Because IRS officers had invaded his privacy, the HSI agent was not ensnared in the Welcome to Video dragnet. The courts found that he was apprehended because he mistookly assumed his Bitcoin transactions were ever confidential in the first place.
Photo illustration showing handcuffs and an infinity symbol made from circles over a red background

Levin thought again of the blockchain’s bounty of evidence: the countless cases left to crack, the millions of cryptocurrency transactions eternally preserved in amber, and the golden age of criminal forensics it presented to any investigator ready to excavate them.

Photograph: Jooeun Bae
Chris Janczewski believes the full significance of the Welcome to Video case didn't reach him until it was publicly publicized in October 2019 and a seizure notice was put to the site's main page. That morning, Janczewski received an unexpected call from Charles Rettig, the IRS commissioner.

Rettig informed Janczewski that the case was "this generation's Al Capone," which is possibly the greatest honor that can be offered within IRS-CI, where Capone's arrest for tax fraud has taken on almost legendary proportions.

The Justice Department conducted a news conference the same day to reveal the investigation's findings. In front of a gathering of media, US attorney Jessie Liu delivered a speech about the case and how agents were able to prevail against "one of the greatest forms of evil conceivable" by tracking the money.

Jonathan Levin of Chainalysis was in the audience. Following that, an IRS employee called Greg Monahan, who had been in charge of Gambaryan and Janczewski, came over to thank Levin for his assistance in the case. After all, Levin's tip to two idle IRS officials at the Bangkok airport had begun it all. Monahan told Levin that the inquiry was the most significant of his career, and that he could finally retire knowing that he had contributed to something genuinely valuable.

Levin extended his hand to the IRS-CI supervisor. At the time, neither he nor Monahan could have imagined the instances that would follow: how IRS-CI and Chainalysis would work together to destroy North Korean hackers, terrorist funding schemes, and two of the world's largest bitcoin-laundering firms. Or that they'd track down over 70,000 bitcoins taken from the Silk Road and another 120,000 stolen from the exchange Bitfinex, totalling more than $7.5 billion at today's exchange rates, making them the greatest financial seizures—crypto or otherwise—in US history.

But when he replied to Monahan, Levin was reminded of the blockchain's wealth of evidence: the innumerable crimes yet to be solved, the millions of bitcoin transactions kept in amber for all time, and the golden age of criminal forensics it offered to any investigator willing to dig them out.

"There's still a lot of work to be done," Levin remarked. "We're just getting started," says the narrator.

Updated at 4:00 p.m. on 4/12/2022 PT: Jonathan Levin was born in the United Kingdom, not South Africa, as previously stated.
=======
Related Video:
** Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of USA GAG nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.

Follow us on Google News

Recent Search