Child Abusers Are Getting Better at Using Crypto to Cover Their Tracks

21 views 1:00 pm 0 Comments January 11, 2024

For those who trade in child sexual exploitation images and videos in the darkest recesses of the internet, cryptocurrency has been both a powerful tool and a treacherous one. Bitcoin, for instance, has allowed denizens of that criminal underground to buy and sell their wares with no involvement from a bank or payment processor that might reveal their activities to law enforcement. However, the public and surprisingly traceable transactions recorded in Bitcoin’s blockchain have sometimes led financial investigators directly to pedophiles’ doorsteps.

Now, after years of evolution in that grim cat-and-mouse game, new evidence suggests that online vendors of what was once commonly called “child porn” are learning to use cryptocurrency with significantly more skill and stealth—and that it’s helping them survive longer in the internet’s most abusive industry.

Today, as part of an annual crime report, cryptocurrency trading firm Chainalysis revealed new research that analyzed blockchains to measure the changing scale and sophistication of the cryptocurrency-based sale of child sexual abuse materials, or CSAM, over the past four years. Total revenue from CSAM sold for cryptocurrency has decreased since 2021, Chainalysis found, along with the number of new CSAM sellers accepting crypto. However, the sophistication of crypto-based CSAM sales has been increasing. More and more, Chainalysis discovered that sellers of CSAM are using privacy tools like “mixers” and “privacy coins” that obfuscate their money trails across blockchains.

Perhaps because of that increased savvy, the company found that CSAM vendors active in 2023 persisted online—and evaded law enforcement—for a longer time than in any previous year, about 57 percent longer than in 2022. “Growing sophistication makes identification harder. It makes tracing harder, prosecution harder, and rescuing victims harder,” says Eric Jardine, the researcher who led the Chainalysis study. “So that sophistication dimension is probably the worst one you could see increasing over time.”

Better Stealth, Longer Criminal Lifespans

Scouring blockchains, Chainalysis researchers analyzed around 400 cryptocurrency wallets of CSAM sellers and more than 10,000 buyers who sent funds to them over the past four years. Their most disturbing finding in that broad economic study was that crypto-based CSAM sellers seem to have a longer lifespan online than ever, suggesting a kind of relative impunity. On average, CSAM vendors active in 2023 remained online for 884 days, compared with 560 days for those involved in 2022 and just 112 days in 2020.

To explain that new longevity for some of the most harmful actors on the internet, Chainalysis points to how CSAM vendors are increasingly laundering their proceeds with cryptocurrency mixers—services that blend users’ funds to make tracing more challenging—such as ChipMixer and Sinbad. (US and German law enforcement shut down ChipMixer in March 2023, but Sinbad remains online despite facing US sanctions for money laundering.) In 2023, Chainalysis found that about 46 percent of CSAM vendors used mixers, up from around 22 percent in 2020.

Chainalysis also found that CSAM vendors are increasingly using “instant exchanger” services that often collect little or no identifying information on traders and allow them to swap bitcoin for cryptocurrencies like Monero and Zcash—”privacy coins” designed to obfuscate or encrypt their blockchains to make tracing their cash-outs of profits far more complex. Chainalysis’ Jardine says that Monero is gaining popularity among CSAM purveyors. In the company’s investigations, Chainalysis has seen it used repeatedly by CSAM sellers laundering funds through instant exchangers. CSAM forums have also seen Monero addresses posted to solicit donations in multiple cases. While the instant exchangers did offer other cryptocurrencies, including the privacy coin Zcash, Chainalysis’ report states that “we believe Monero to be the currency of choice for laundering via instant exchangers.”

Graph showing the increasing online longevity of CSAM vendors

Chainalysis’s chart of how long CSAM vendors who were active each year had persisted online, suggesting that their resilience to takedown has steadily increased over time.

Chainalysis

The CSAM adoption curve for those instant exchangers—and, Chainalysis suggests, the privacy coins they offer—is steep: Chainalysis found that 52 percent of CSAM vendors active in 2023 sent money to instant exchangers that let users trade bitcoins for Monero, up from around 17 percent in 2020. For example, two CSAM vendors that Chainalysis tracked have received about $100,000 worth of cryptocurrency payments since 2020. Over the past four years, almost entirely shifted from cashing out those funds at traditional cryptocurrency exchanges to trading them on instant exchangers that offered Monero. (To avoid disrupting ongoing law enforcement investigations, Chainalysis declined to name those vendors, other CSAM sellers, or any of the instant exchangers they’ve used.)

Chainalysis researchers went so far as to correlate CSAM vendors’ use of instant exchangers offering Monero to those sellers’ increased survival rates online: After a thousand days, about one out of five CSAM vendors who used the Monero-friendly instant exchangers were still active versus just one in 25 CSAM sellers who didn’t. “The data suggests that Monero helps CSAM vendors stay in business longer,” Chainalysis’ report reads.

Fewer Agents of Exploitation—and Smarter Ones

Even as the resilience of CSAM sellers who used crypto grew in 2023, Chainalysis says the overall scale of the problem may be declining by some measures. While the company found that the number of CSAM-related cryptocurrency transactions was up 89 percent since 2019, it dropped by 22 percent from 2022 to 2023. Chainalysis also counted only 43 new vendors selling CSAM for cryptocurrency in 2023, compared to 112 the previous year.

The company’s researchers speculate that the decline may be partly due to the CSAM underground’s increased awareness that cryptocurrency can be traced. In the highly publicized case of the Welcome to Video dark web site, one of the biggest-ever online repositories of CSAM videos, Bitcoin tracing allowed law enforcement to identify and arrest 337 men around the world and to remove 23 children from exploitative situations. (As an example of the publicity around the case, WIRED detailed the investigation in a 2022 magazine cover story.) “It’s possible that the Welcome to Video case was a wake-up call for many people,” says Sasha Plotnikova, a cybercrime researcher at Chainalysis.

The Internet Watch Foundation, a UK-based anti-CSAM organization that Chainalysis consulted in its research, says it has seen a similar trend in its analysis of CSAM sellers’ cryptocurrency use. Over the past half-decade, the IWF has seen a “steady increase” in online offers of CSAM in exchange for cryptocurrency, one of the foundation’s analysts told WIRED. That trend peaked in 2021, with the IWF recording 1,014 CSAM sellers offering to accept crypto that year. But in 2022, the last year it has data available, those reported cases fell to 781.

At the same time, the analyst for the IWF, who asked to remain unnamed due to the sensitivity of their work, echoed Chainalysis’ finding that Monero is now being used in the CSAM industry. “We’ve seen cases of sites asking for payment in Monero,” the analyst told WIRED.

Apex Predators

Beyond Monero’s common perception as untraceable, to what degree Monero protects CSAM vendors remains a subject of debate and secrecy. Chainalysis has long maintained public silence on whether it offers Monero-tracing capabilities to its customers. But a leaked slide from one of the company’s presentations to Italian police in 2021 claimed that Chainalysis could provide a “usable lead” in 65 percent of cases in which it worked with law enforcement to trace Monero and could identify the likely sender, but not the recipient, in another 20 percent of cases.

On that leaked slide, Chainalysis also referred to a case where “customers of a CSAM website in Asia were identified from transactions with the administrator’s seized Monero wallet.”

Chainalysis declined to answer WIRED’s questions on Monero tracing. But its report hints that law enforcement might “consider investment in specialized blockchain analysis services that can make Monero tracing possible,” as well as calling for instant exchangers to build safeguards that prevent their abuse by CSAM sellers.

The study suggests a form of complex and messy natural selection playing out in the internet’s exploitation economy. The sellers of child abuse images and videos who once naively believed that simply using cryptocurrency would protect them from law enforcement are disappearing. They’re being replaced by a new generation of surviving CSAM sellers who are far more careful in cryptocurrency transactions. But in an ecosystem where cryptocurrency tracers like Chainalysis remain the natural apex predators, even those more resilient members of the digital child abuse industry may not be as safe as they think.