
Child Abusers Are Getting Better at Using Crypto to Cover Their Tracks

Crypto tracing firm Chainalysis found that sellers of child sexual abuse materials are successfully using “mixers” and “privacy coins” like Monero to launder their profits and evade law enforcement.

Wired

For those who trade in child sexual exploitation images and videos in the darkest recesses of the internet, cryptocurrency has been both a powerful tool and a treacherous one. Bitcoin, for instance, has allowed denizens of that criminal underground to buy and sell their wares with no involvement from a bank or payment processor that might reveal their activities to law enforcement. But the public and surprisingly traceable transactions recorded in Bitcoin’s blockchain have sometimes led financial investigators directly to pedophiles’ doorsteps.

Now, after years of evolution in that grim cat-and-mouse game, new evidence suggests that online vendors of what was once commonly called “child porn” are learning to use cryptocurrency with significantly more skill and stealth—and that it’s helping them survive longer in the internet’s most abusive industry.

Today, as part of an annual crime report, cryptocurrency tracing firm Chainalysis revealed new research that analyzed blockchains to measure the changing scale and sophistication of the cryptocurrency-based sale of child sexual abuse materials, or CSAM, over the past four years. Total revenue from CSAM sold for cryptocurrency has actually gone down since 2021, Chainalysis found, along with the number of new CSAM sellers accepting crypto. But the sophistication of crypto-based CSAM sales has been increasing. More and more, Chainalysis discovered, sellers of CSAM are using privacy tools like “mixers” and “privacy coins” that obfuscate their money trails across blockchains.

Perhaps because of that increased savvy, the company found that CSAM vendors active in 2023 persisted online—and evaded law enforcement—for a longer time than in any previous year, and about 57 percent longer than even in 2022. “Growing sophistication makes identification harder. It makes tracing harder, it makes prosecution harder, and it makes rescuing victims harder,” says Eric Jardine, the researcher who led the Chainalysis study. “So that sophistication dimension is probably the worst one you could see increasing over time.”

Better Stealth, Longer Criminal Lifespans

Scouring blockchains, Chainalysis researchers analyzed around 400 cryptocurrency wallets of CSAM sellers and more than 10,000 buyers who sent funds to them over the past four years. Their most disturbing finding in that broad economic study was that crypto-based CSAM sellers seem to have a longer lifespan online than ever, suggesting a kind of relative impunity. On average, CSAM vendors who were active in 2023 remained online for 884 days, compared with 560 days for those active in 2022 and just 112 days in 2020.

To explain that new longevity for some of the most harmful actors on the internet, Chainalysis points to how CSAM vendors are increasingly laundering their proceeds with cryptocurrency mixers—services that blend users’ funds to make tracing more difficult—such as ChipMixer and Sinbad. (US and German law enforcement shut down ChipMixer in March 2023, but Sinbad remains online despite facing US sanctions for money laundering.) In 2023, Chainalysis found that about 46 percent of CSAM vendors used mixers, up from around 22 percent in 2020.

Chainalysis also found that CSAM vendors are increasingly using “instant exchanger” services that often collect little or no identifying information on traders and allow them to swap bitcoin for cryptocurrencies like Monero and Zcash—“privacy coins” designed to obfuscate or encrypt their blockchains to make tracing their cash-outs of profits far more difficult. Chainalysis’ Jardine says that Monero in particular seems to be gaining popularity among CSAM purveyors. In the company’s investigations, Chainalysis has seen it used repeatedly by CSAM sellers laundering funds through instant exchangers, and in multiple cases it has also seen CSAM forums post Monero addresses to solicit donations. While the instant exchangers did offer other cryptocurrencies, including the privacy coin Zcash, Chainalysis’ report states that “we believe Monero to be the currency of choice for laundering via instant exchangers.”

Chainalysis’s chart of how long CSAM vendors who were active in each year had persisted online, suggesting that their resilience to takedown has steadily increased over time.

The CSAM adoption curve for those instant exchangers—and, Chainalysis suggests, the privacy coins they offer—is steep: Chainalysis found that 52 percent of CSAM vendors active in 2023 sent money to instant exchangers that let users trade bitcoins for Monero, up from around 17 percent in 2020. Two CSAM vendors that Chainalysis tracked, for example, each received about $100,000 worth of cryptocurrency payments since 2020 and over the past four years almost entirely shifted from cashing out those funds at traditional cryptocurrency exchanges to trading them on instant exchangers that offered Monero. (To avoid disrupting any ongoing law enforcement investigations, Chainalysis declined to name those vendors, other CSAM sellers, or any of the instant exchangers they’ve used.)

Chainalysis’ researchers went so far as to correlate CSAM vendors’ use of instant exchangers offering Monero to those sellers’ increased survival rates online: After a thousand days, about one out of five CSAM vendors who used the Monero-friendly instant exchangers were still active versus just one in 25 CSAM sellers who didn’t. “The data suggests that Monero helps CSAM vendors stay in business longer,” Chainalysis’ report reads.

Fewer Agents of Exploitation—and Smarter Ones

Even as the resilience of CSAM sellers who used crypto grew in 2023, Chainalysis says the overall scale of the problem may be declining by some measures. While the company found that the number of CSAM-related cryptocurrency transactions was up 89 percent since 2019, it dropped by 22 percent from 2022 to 2023. Chainalysis also counted only 43 new vendors selling CSAM for cryptocurrency in 2023, compared to 112 the previous year.

The company’s researchers speculate that the decline may be due in part to the CSAM underground’s increased awareness that cryptocurrency can be traced. In the highly publicized case of the Welcome to Video dark web site, one of the biggest-ever online repositories of CSAM videos, Bitcoin tracing allowed law enforcement to identify and arrest 337 men around the world and to remove 23 children from exploitative situations. (As an example of the publicity around the case, WIRED detailed the investigation in a 2022 magazine cover story.) “It’s possible that the Welcome to Video case was a wake-up call for a lot of people,” says Sasha Plotnikova, a cybercrime researcher at Chainalysis.

The Internet Watch Foundation, a UK-based anti-CSAM organization that Chainalysis consulted in its research, says it has seen a similar trend in its own analysis of cryptocurrency’s use by CSAM sellers. Over the past half-decade, the IWF has seen a “steady increase” in online offers of CSAM in exchange for cryptocurrency, one of the foundation’s analysts told WIRED. That trend peaked in 2022, however, with the IWF recording 1,025 instances of CSAM sellers offering to accept crypto that year, just 11 more than in 2021.

At the same time, the analyst for the IWF, who asked to remain unnamed due to the sensitivity of their work, echoed Chainalysis’ finding that Monero is now being used in the CSAM industry. “We’ve definitely seen cases of sites asking for payment in Monero,” the analyst told WIRED.

Apex Predators

Beyond Monero’s common perception as being untraceable, to what degree Monero really does protect CSAM vendors remains a subject of debate and secrecy. Chainalysis has long maintained public silence on whether it offers Monero-tracing capabilities to its customers. But a leaked slide from one of the company’s presentations to Italian police in 2021 claimed that Chainalysis can provide a “usable lead” in 65 percent of cases in which it worked with law enforcement to trace Monero and could identify the likely sender, but not the recipient, in another 20 percent of cases.

On that same leaked slide, Chainalysis also referred to a case in which “customers of a CSAM website in Asia were identified from transactions with the administrator’s seized Monero wallet.”

Chainalysis declined to answer WIRED’s questions on Monero tracing. But its report hints that law enforcement might “consider investment in specialized blockchain analysis services that can make Monero tracing possible,” as well as calling for instant exchangers to build safeguards that prevent their abuse by CSAM sellers.

Taken together, the study suggests a form of complex and messy natural selection playing out in the internet’s exploitation economy. The sellers of child abuse images and videos who once naively believed that simply using cryptocurrency would protect them from law enforcement are disappearing. They’re being replaced by a new generation of surviving CSAM sellers who are far more careful in their cryptocurrency transactions. But in an ecosystem where cryptocurrency tracers like Chainalysis remain the real apex predators, even those more resilient members of the digital child abuse industry may not be as safe as they think.

Updated at 11 am ET, January 11, 2024, with more complete historical data from the Internet Watch Foundation.
