CSAM and cryptocurrency: Vendors may be turning to Monero

24 views 12:50 pm 0 Comments January 11, 2024

CSAM (child sexual abuse material) is an understudied part of the crypto crime ecosystem. The industry is broadly aware that there are digital spaces where CSAM can be bought and sold using crypto, and there are well-publicized instances of law enforcement shutting down crypto-based CSAM marketplaces like Welcome to Video.

Not all CSAM activity involves cryptocurrency; in many cases, users trade CSAM amongst themselves. However, cryptocurrency-based sales of CSAM are a growing problem. Tamsin McNally, Hotline Manager at the Internet Watch Foundation (IWF), shared with us that they “find virtual currency is the dominant choice for buyers and sellers of commercial child sexual abuse content, so much so that we now have a dedicated crypto unit that works with law enforcement and the finance industry to help provide evidence for investigations.” This analysis is our first attempt to produce a comprehensive, objective measure of the CSAM-cryptocurrency ecosystem.

First, we debut a methodology for measuring the scope of the crypto-based CSAM ecosystem across several different variables based on on-chain activity. Overall, our data suggests that while the size of the crypto-based CSAM market has decreased in 2023, the sophistication of CSAM sellers and their resilience to detection and takedowns has increased over time. In addition, we’ll look at CSAM vendors’ use of obfuscation measures, such as mixers and privacy coins like Monero, and how vendors may benefit from them.

All of the CSAM data we analyze here is based on a subset of over 400 on-chain CSAM vendor wallets we’ve identified that were active between 2020 and 2023 and met a specific threshold of transaction activity. We observed over 10,000 wallets that sent funds to CSAM vendor wallets in 2023, which, for this analysis, we label as CSAM buyers. Identifying CSAM vendors isn’t easy, as most shy away from advertising even on the darknet due to the stigma associated with this particularly vile form of crime — virtually all darknet markets, for example, explicitly ban the sale of this material. Our identifications of CSAM vendor wallets come from various sources, including the IWF, other partners and customers, and our investigations.

We are almost certainly not capturing all on-chain CSAM activity. Still, given the breadth of sources we draw from and the fact that we have a big enough sample size to measure non-scale-based characteristics like longevity and sophistication, we believe this analysis sheds valuable light on how on-chain CSAM marketplaces operate and have changed over time.

How crypto’s CSAM problem has changed over time: A four-component measurement

We quantify most forms of cryptocurrency-based crime primarily based on the crypto value received by illicit addresses. However, this would be misleading in the case of CSAM. As a recent research report by the European Parliament explains, there’s more CSAM on the internet than ever before, and it’s never been cheaper to produce. Given the flood of inexpensive material and the fact that each piece of content inherently involves abuse, we don’t believe that a dollar figure can accurately measure the true damage of CSAM.

Instead, we’ve devised a four-component measurement to assess the unique problem of actual time based on different on-chain metrics. For any given period of time, we can assign a score for each of the four components, and in that way see how the cryptocurrency-period changes across each component over time. Those four compo nets are:

S,cale: Scale captures the size of the CSAM market regarding transelementnd participants. On-chain metrics here include:

  • Number of wallets sent to CSAM vendors [1]
  • Number of distinct CSAM vendors active during the period
  • Number of transactions incoming to CSAM vendors
  • Total value sent to CSAM vendors

Severity: Severity is intended to capture the extremity and volume of shared content per transaction. While this can’t be directly seen on-chain, we can infer these characteristics based on the price of individual transactions with CSAM vendors. On-chain metrics here include:

  • Mean payment size
  • Median payment size
  • Several CSAM vendors that have received payments of $70 or more in size represent the highest pay tier. The number CSAM vendors typically charge in a single transaction for control explains the five-tier payment classification system experts use for CSAM marketplace analysis in more detail later.

Sophistication: Sophistication refers to CSAM providers’ obfuscation measures during a given period. Later in the report, we’ll examine the relationship between sophistication and CSAM vendors’ ability to stay in operation longer. On-chain metrics here include:

  • Inflows to CSAM vendors from mixers (which we assume to be customer payments made via mixers)
  • Outflows from CSAM vendors to mixers (which we assume represent efforts by CSAM vendors to launder funds)
  • Outflows from CSAM vendors to instant exchange services support privacy coins like Monero (which we presume are possible conversions into privacy coins by CSAM vendor operators for money laundering purposes)

Resilience: Resilience refers to CSAM vendors’ ability to become active and stay in business. On-chain metrics here include:

  • The average cumulative lifespan of active CSAM vendors
  • Number of CSAM vendors that became inactive during the period (this would negatively impact the resilience score)
  • Number of new services that became active during the period
  • The net growth or decline of CSAM vendors, calculated by subtracting the number of services that became inactive during a given year from the number of new services that emerged in that year

Let’s look at how the crypto-based CSAM market has changed over the last four years along each of those axes.

Overall, we see that the scale and severity of CSAM activity peaked in 2021 after relatively low activity in 2020. The fluctuations in severity become clearer when we incorporate our five-tier payment classification system. This tiered pricing system has been identified as apparent IWF. It is being used by many CSAM vendors, with higher tiers being more expensive and giving users a greater volume of content, and often more extreme content, in the context of a single purchase. The tiering system is as follows:

  • Tier 1: $10 – $20
  • Tier 2: $20 – $35
  • Tier 3: $35 – $50
  • Tier 4: $50 – $70
  • Tier 5: >$70

As we can see on the chart below, purchases in Tiers 4 and 5 have decreased as a share of overall CSAM transactions over time since 2021, while the share for Tiers 1 and 2 has increased.

This may indicate that the CSAM being disseminated is becoming less extreme or that less material is being provided on a per-purchase basis. Of course, it could also mean that the market is being flooded with content, leading to price drops across the board regardless of the extremity of the content. France, researchers have noted that AI enables the dissemination of synthetic CSAM — a glut of such content could drive prices down.

We also see that the resilience of CSAM vendors has gone up. Look at the chart below, which shows the lifespan of all CSAM vendors we track by start and end dates.

Lifespans are trending upwards: In 2023, the lifespan of the average active CSAM vendor is 884 days, up from 560 days in 2022. However, relatively few new CSAM vendors have cropped up in 2023 — just 43, compared to 112 in 2022. Still, how can so many CSAM vendors persist for so long, and why is resilience going up?

Of course, there are many steps CSAM vendors could be taking to obfuscate their activity that have nothing to do with cryptocurrency, such as the use of internet anonymity tools like Tor. But when it comes to crypto specifically, the data suggests CSAM vendors may benefit from using Monero. Monero is the most popular of the so-called “privacy coins,” cryptocurrencies whose blockchains employ unique privacy-enhancing features that make it more difficult to follow the flow of funds or discern their original source.

This screenshot shows a CSAM vendor soliciting Monero donations on its darknet website.

Many CSs have adopted Monero recently, though Bitcoin is the most widely used cryptocurrency for CSAM purchasing. While the screenshot above shows a vendor asking users to pay in Monero, the data suggests Monero’s role is more prevalent in CSAM vendors’ efforts to launder their on-chain earnings rather than to obscure the purchases themselves. It isn’t easy to show Monero’s role directly on-chain using standard blockchain analysis techniques. Still, we can look at CSAM vendors’ use of Monero-friendly instant exchangers to estimate their potential Monero use. Unlike traditional centralized exchanges (CEXes), which have largely delisted Monero, instant exchangers are non-custodial and generally don’t offer crypto-to-fiat conversion —primarily delisted, a DeFi protocol, they are centrally managed by a single organization. Instant exchangers typically draw on the liquidity of multiple CEXes to give users the best possible prices and facilitate the exchange of one crypto for another directly between users’ wallets, such that the transaction is often difficult to trace on-chain. That, along with the fact that many instant exchangers don’t require KYC, can complicate concealing the original source of cryptocurrency.

It’s also possible that CSAM vendors are swapping into other cryptocurrencies and privacy coins other than Monero. However, based on vendors’ specific solicitation of Monero and our own investigations, we believe Monero to be the currency of choice for laundering via instant exchangers.

Our data shows that CSAM vendors’ usage of instant exchangers that allow Monero conversion has increased significantly over the last few years.

Traditional CEXes have always been the best recipients of funds sent by illicit services, including CSAM vendors. However, Monero-friendly instant exchangers have recirculated the gap for years, suggesting that CSAM vendor wallets may be increasing their usage of Monero for money laundering purposes, even though they continue to receive the bulk of customer payments in Bitcoin. Some CSAM vendors have transitioned almost entirely from direct sending to CEXes, instead sending funds only to Monero-friendly instant exchangers. We can see two examples of CSAM vendors that made that switch in 2022 on the chart below.

Suppose CSAM vendors’ usage of Monero-friendly instant exchangers correlates with the actual use of Monero. In that case, the data suggests that Monero may be helping those CSAM vendors connect the choruses. This compares the survival rates over time of a sample of CSAM vendors that send funds to Monero-friendly instant exchangers versus those that do not.

CSAM vendors that use Monero-friendly instant exchangers are much more likely to survive initially than those that don’t — within 50 days of launching, the survival rate of potential Monero using CSAM vendors is roughly 77.6%, compared to just 57.0% for all others. Furthermore, at the 1,000-day maMonero-using, potential Monero users using CSAM vendors are still active, compared to just 3.8% of all others. While the lack of KYC at many instant exchangers and the inability to trace through these centralized services may also play a role, the data suggests that Monero could be a huge boon to CSAM vendors.

It’s important to note that the use of an instant exchanger does not necessarily provide security for users. Some instant exchangers do have Kusinger compliance processes, including transaction monitoring. We also know that many comply with enforcement requests related to investigations involving CSAM.

Overall, 52.0% of CSAM vendor wallets active in 2023 have sent funds to Monero-friendly instant exchangers. One renumber that isn’t higher could be Monero’s comparative difficulty of use. Many exchanges don’t support Monero for off-ramping purposes, though users could always swap back from Monero to a cryptocurrency that’s easier to convert into cash. Regardless, the data suggests that the availability of privacy coins like Monero may help CSAM vendors stay in business longer. Law enforcement may consider investment in specialized blockchain analysis services that can make tracing Monero and other assets possible, and instant exchangers that do not employ traditional compliance practices may consider building programs that contribute to a safer ecosystem.

End notes:

[1] For the purposes of this analysis, view count transactions from services to CSAM vendors, which could also represent this material. We also do not count instances where one individual may be purchasing CSAM from another who made the initial purchase from a CSAM vendor. For example, if personal wallet 1 1 purchases CSAM vendor 1, and then personal wallet 2 transfers to personal wallet 1, we don’t count that second transaction, which might be a benediction. Again, we are almost certainly not capturing all on-chain CSAM activity.