VG exposed the largest child sexual abuse forum.
It was run by the police.

In utmost secrecy, the world’s largest child sexual abuse forum was moved to the other side of the globe.
No one was supposed to know who was behind the website’s continued operation.
The story in brief
Read the rest below
January 24th, 2017
Brisbane – Australia

Both men stiffen as VG confronts them.

– Go ahead and publish what you know about us now, if you think it’s true, but be prepared for the consequences, says Jon.

Next to him in a Brisbane hamburger pub sits Paul.

VG has just told them what we’ve uncovered: that they run the world’s largest online forum for child sexual exploitation, “Childs Play”.

Jon, the Australian, turns pale. Paul, who is British, flushes crimson.

It is January 2017. At this point the two have been running the Childs Play website for three months. Under their supervision, thousands of members have shared photos and videos of children being sexually abused. A Norwegian member boasted of abusing children in his own family. Some members got together in person to commit abuse, which they filmed and shared on the forum.

«The dark web»

A part of the internet where traffic between you and the websites you visit is encrypted in such a way that it’s very difficult for others to identify you. This makes it a popular technology for persons who wish to stay clear of law enforcement, either out of fear of being censored or jailed.

The Onion Router
The most widely used dark web technology is The Onion Router – Tor – which has tens of thousands of web services. The network consists of an array of «nodes», or computers, that are configured as mediators between users and sites.

Messages are encapsulated
All communication within the network is encrypted. The Onion Router got its name because the encryption is layered, like an onion. When you want to send a message to another computer within the Tor network, this message is encapsulated a number of times.

The package is sent
Once wrapped, the package is sent from you to a chain of nodes. Each node decrypts one layer of the onion, which grants the node information about where the package will go next. Each node knows nothing about the package it receives, beyond which node it was received from, and which node it’s to be sent to next.

The layers are decrypted
The encrypted message is being sent to another node, then another. At each node, another layers of the package is decrypted, until the innermost message reaches the final recipient.

Message arrives
When the recipient gets the message, all layers of the package has been unwrapped. It’s next to impossible to know, based on traffic analysis, who’s sent the message – or who visits a Tor service.

It’s understandable that Jon and Paul look shocked. Finding them was thought to be impossible. The website they operate is on the so-called “dark web”. Encryption was supposed to keep the whereabouts of the server and the people behind it secret. VG has uncovered not only where but also from which computer the forum was run.

Jon and Paul’s cover is blown. They are not criminals. They work for the Australian police’s spearhead into the dark web: Task Force Argos. Jon Rouse heads the unit. Investigator Paul Griffiths has been in charge of numerous operations. VG can now reveal that Task Force Argos infiltrated the realm of child abusers inside the dark web for almost a year – and that the police unit itself shared photos of children being sexually abused.

Jon Rouse, detective inspector, and investigator Paul Griffiths (on the left).
Jon Rouse, detective inspector, and investigator Paul Griffiths (on the left). Photo: Tore Kristiansen, VG

How far should the police go in the service of good? How many wrongs should investigators be permitted to commit in pursuit of justice? The undercover operation in Australia, Operation Artemis, was part of a wide-ranging international police investigation.

Latest updates

VG has known about the operation since January and followed it closely, partly by monitoring traffic on the dark web and partly by obtaining information from police, judicial authorities and other sources around the world. When VG's computer expert, Einar Otto Stangvik, began investigating the website and its Nordic members in the autumn of 2016, we had no idea he would uncover a secret police operation.

Only now can we tell the story of how Task Force Argos, the U.S. Department of Homeland Security and the police in Canada and Europe worked to unmask the leaders of the world’s largest online community of child sexual abusers.

From the start, Operation Artemis had a clear objective: identifying victims and their abusers. But in doing so was it necessary for the police to run a child exploitation forum for nearly a year?

In the United States, a mother weeps when she hears that VG has found that pictures of her daughter being sexually abused were shared by members, while the police operated the site.

– My daughter should not be used as a bait. If they are using her images, then she should be paid or compensated for their use. It is not right for the police to promote these images, says the mother.

Pictures of children from several other countries were also shared during the same period.

The police deny they are responsible for what was shared on Childs Play while they ran it.

– We don’t create these sites. We do not want them to exist. When we do find them, we infiltrate and get as high as possible in the networks administrative structure to destroy it. But we will never create a forum for child sex offenders, says Jon Rouse.

So who built the forum that he and Griffiths operated?

We must visit two other countries. And two young men.

1990 – 2012
USA and Canada

The first young man , Benjamin Faulkner, grew up in North Bay, Ontario, a small Canadian city north of Lake Nipissing and the Great Lakes. His home was on the city’s outskirts, with a garage almost as big as the main house and a trampoline and an inflatable pool in the back garden. He taught swimming in his spare time and played the trumpet in a band, but spent a lot of time online.

Patrick Falte, the other man, grew up outside the country music capital of Nashville in the U.S. state of Tennessee. He lived with his parents in a gated community near a busy motorway interchange. In college, according to his father, he dreamed of going to work for the FBI to fight hackers.

Patrick Falte.
Patrick Falte. Photo: Private

Court documents VG has accessed, goes into how he, as a 12 year old, felt that he was different from his friends. His urges turned towards children, not other youths.

Years went by. The two studied what interested them most: IT security. The Canadian got a job in Toronto, the American in Nashville.

While the young Canadian unsuccessfully tried to find help to control the desires he felt, the American kept them shut inside. He was afraid any doctor, psychologist or counsellor he consulted would have to report him if he admitted being sexually attracted to children.

So he went online.

VG has discovered that both were active on the dark web in 2011, on the same website. Falte had become involved in the “Pedo Support Community” website, where he contributed technical programming.

On 30 October 2012, Faulkner visits that site and posts a message of introduction:

«A little about myself to establish credibility here: My name is CuriousVendetta, and I work as a JR forensics consultant and penetration tester for an IT security firm. On the side, I do what I can to cause general mischief on the internet with a few friends of mine».

In later messages, he tells of his job as a swimming instructor:

«At the pool is where I am free, and where I can generate my fantasies. I have more girls in my 'fan club' than I can even count».

North Bay is a small city. Some parents pick up on Faulkner’s proclivities and tell him to stay away from their kids. But no police complaint is filed.

June 18th, 2013
North Bay – Canada
Benjamin Faulkner.
Benjamin Faulkner. Photo: Private

June 18th, 2013 was a hot day in North Bay. This far north on the American continent it can be scorching when the sun is out, and cold when it isn’t.

His siblings were in shorts. The young man who would later go by the name WarHead was wearing black jeans and a long-sleeved shirt. The family was celebrating. Everyone in the picture is smiling.

It seems Faulkner at that time was not active on Pedo Support or other paedophile sites.

But that would soon change.

During the fall of 2015 he visited a new website, «Giftbox Exchange». While logged on he received a message from the administrator:

«Hi, I haven’t seen you for a while. I’m the boss around here.».

It was CrazyMonk, from Pedo Support - the American, Falte.

That’s how their acquaintance began.

The Canadian Faulkner quickly became part of the Giftbox leadership team, but he wanted to be more than just a team member.

He wanted to lead – alone.

April 15th, 2016
A place on the dark web
Photo: Krister Sørbø, VG

On Friday, 15 April 2016, the web site “Childs Play” saw the light of day on the dark web. A lone administrator was in charge of the site, with an entourage of moderators. The administrator called himself WarHead.

No one realized that it was Faulkner, known elsewhere on the web as CuriousVendetta.

«With the security scares brought about recently [...] and the general lack of good forums anymore, I decided to bring Childs Play to the community. The goal of Childs Play is to provide a simple free access forum to the community, while simultaneously allowing a safe and secure place to talk and just be ourselves».

WarHead received an overwhelming response. Suggestions poured in with ways to make the website better and safer for members. One was to have a subsection featuring the torture of children.

The Canadian became an expert in living with multiple identities. In the physical world he was the lifeguard, band member, computer geek, big brother. Online, he was king of his tribe.

In January 2017, VG published its first report about Childs Play, a website that had quickly arisen to become one of the biggest online child abuse sites.

The largest child sexual abuse forums
These are the largest child sexual abuse forums on the dark web, based on known number of total profiles registered. The numbers are likely to contain duplicates.

Childs Play

Authority: Argos, Australia

Closed: September 2017

Law enforcement operated for 11 months

Part of Operasjon Artemis

Playpen

Authority: FBI, USA

Closed: February 2015

Law enforcement operated for two weeks

Elysium

Authority: BKA, Tyskland

Closed: June 2017

Law enforcement had access a few days

Over 1 000 000

profiles

181 475

92 218

47 769

45 818

The Giftbox Exchange

The Love Zone

Authority: European country

Closed: November 2016

Law enforcement operated roughly one month

Related to Operasjon Artemis

Authority: Argos, Australia

Closed: December 2014

Law enforcement operated for six months

There are presently at least three other large forums on the dark web, dedicated to the spreading of child abuse material

Childs Play

Authority: Argos, Australia

Closed: September 2017

Law enforcement operated for 11 months

Over 1 000 000

profiles

Elysium

Authority: BKA, Tyskland

Closed: June 2017

Law enforcement had access a few days

The Giftbox

Exchange

Authority: European country

Closed: November 2016

Law enforcement operated roughly one month

45 818

92 218

181 475

Operasjon Artemis

The Love Zone

47 769

Authority: Argos, Australia

Closed: December 2014

Law enforcement operated for six months

Playpen

Authority: FBI, USA

Closed: February 2015

Law enforcement operated for two weeks

There are presently at least three other large forums on the dark web, dedicated to the spreading of child abuse material

Childs Play

1 052 826

profiles

The Giftbox

Exchange

Elysium

Playpen

45 818

92 218

181 475

profiles

Operasjon Artemis

The Love

Zone

47 769

Childs Play

Authority: Argos, Australia
Closed: September 2017
Law enforcement operated for 11 months

Giftbox Exchange

Authority: European country
Closed: November 2016
Law enforcement operated roughly one month

Playpen

Authority: FBI, USA
Closed: February 2015
Law enforcement operated for two weeks

The Love Zone

Authority: Argos, Australia
Closed: December 2014
Law enforcement operated for six months

Elysium

Authority: BKA, Tyskland
Closed: June 2017
Law enforcement had access a few days

There are presently at least three other large forums on the dark web, dedicated to the spreading of child abuse material
Vis detaljer

In 2015 and 2016, under the guise of CrazyMonk and WarHead, Falte and Faulkner consolidated their leadership of the two largest networks for sexual predators and paedophiles.

At its peak, Giftbox had 45,000 users, while Childs Play at the end had surpassed 1,052,000 user registrations.

According to Task Force Argos, the number of actual people was far smaller, probably in the tens of thousands. Roughly 100 of them were known as “producers”, sexual predators who film children being raped and share the videos in online forums.

All this caught the attention of investigators worldwide. In Brisbane, Paul Griffiths read everything the two men had written about themselves. He sighed: two computer security specialists.

«We’ll never figure out who these guys are,» he told colleagues.

That didn’t stop him, though.

WarHead and CrazyMonk knew their place atop the dark hierarchy of child abusers was vulnerable.

In private exchanges with other members of the forum, Faulkner wrote that he knew what fate awaited him. Much later, in an email to VG, he expresses similar stoicism.

– You can’t exist within these communities without knowing that you are under heavy scrutiny by law enforcement. The higher you get in the communities, the more you know that you are being watched. We took a great many steps to counteract these measures, which worked for the most part, he writes.

January 4th, 2017
Oslo – Norge
Einar Otto Stangvik.
Einar Otto Stangvik. Photo: Krister Sørbø, VG

VG’s computer expert, Einar Otto Stangvik, was also monitoring Faulkner’s dark website. Using a computer system he programmed in the autumn of 2016, he was able to download, index and analyse all public messages posted on Childs Play.

As Christmas approached, Stangvik tried a variety of methods to see if it was possible to identify the men in the forum.

Indeed it was. Several members were identified: Norwegians, Swedes and a Dane.

But the website itself, and the two people behind it, seemed untraceable.

On the evening of 4 January 2017, Stangvik tried a new tactic. Instead of analysing the text on the forum itself, he peeked under the hood at the “engine” running the website – its software.

He found weaknesses. If asked the right question, the server could reveal its own IP address.

The right question was asked, and the server replied. It was located in Sydney and owned by the Digital Pacific web-hosting company.

Such information may seem mundane, but it was a sensational discovery.

Few others had ever managed to track the location of a major hidden service on the dark web. It took Stangvik just a few hours to do the near impossible.

January 23rd, 2017
Sydney – Australia
Andrew Koloadin.
Andrew Koloadin. Photo: Tore Kristiansen, VG

It’s Monday, January 23rd, and VG is in Sydney visiting the offices of web host Digital Pacific. The company’s founder, Andrew Koloadin, listens carefully to what VG has to say. One of his servers is hosting Childs Play. VG wants to know who runs the website. We want to find the people behind it.

– I’m as interested as you in clearing this up. We won’t turn off the server and we won’t do anything to compromise your work, Koloadin says.

As a provider of web-hosting services, he is not legally responsible for what is stored on the servers he leases out. That responsibility lies with the individual lessee. But Koloadin wants to do what he can to make the site disappear, and for WarHead to be caught.

A few keystrokes later, we have an answer: the server is leased by Task Force Argos in Brisbane.

Taken aback, Koloadin runs his hand through his hair.

– Storing material like this on our servers completely violates our terms. I wish the police had talked with us about this, but I understand why they didn’t. It’s a secret operation.

How do you feel about police storing sexual abuse material on your servers?

– The abusers are smart and know to set up different systems to avoid the police. So the police have to be just as smart, as they obviously are here. But I don’t like them doing it behind our backs.

January 24th, 2017
Brisbane – Australia
Brisbane.
Brisbane. Photo: Tore Kristiansen, VG

The next day in Brisbane. We have contacted Task Force Argos. They have agreed to talk with us. They don’t know about what yet. Ten minutes ago, the two investigators walked down the street from their headquarters, ties flapping in the wind.

– We have a very good working relationship with the Norwegian and Swedish Police. Let's talk and eat at the same time. Today is really busy, says Jonathan Rouse, head of the unit.

Jon Rouse.
Jon Rouse. Photo: Tore Kristiansen, VG

We know you are the ones running the site. We know you've been running it for months, VG’s journalist says, once inside.

Rouse goes rigid on his barstool and stares back.

– So from the outset, I'm not going to tell you anything as this is an on-going operation.

The music continues to play, but the mood has changed.

– We have one goal and that is to stop the sexual abuse of children. We will do whatever we can within our legislative authority to achieve that. So what is it that you want?

– We want to know what you’re doing, VG’s journalist continues.

Rouse gives us a hard look:

– I want to know what you know and I want to know how you found out, maybe we are the administrators of a server. But I will not talk.

– I will not talk about ongoing operations. You are a journalist and will write a story. We are police officers and want to prevent children from being raped. So we have different goals with our work.

Rouse suggests that VG must have done something illegal to uncover the operation.

– Under Australian law, what you’ve done is the same as hacking. The police are allowed to hack to reveal criminal activity, but not you. So you have to be aware that what you have done can potentially have consequences.

Later, the police officers will decide to answer questions from VG.

How Stangvik exposed Childs Play

IP addresses and physical server locations are inherently difficult to find on the Tor network. So how did VG’s computer expert get the forum to disclose this information?

1. Profile picture upload
The forum allowed users to upload a profile picture. This picture could also be fetched from a user-supplied URL.

2. The leak
This is where the information leak occurs. Configured for optimal security, the forum’s software and/or server would fetch the remote profile picture via Tor. Childs Play did not – all traffic to external sites originated from the server’s real IP.

3. The IP address is exposed
By telling the forum to fetch a picture from a server Stangvik controlled, he could see in his server logs that the originating IP was with a hosting provider in Sydney – Digital Pacific. Stangvik went on to confirm that outgoing DNS requests originated from the same provider, and that the forum’s software also loaded images included in forum post previews from the same IP.

4. A proxy, VPN or Tor Exit?
The next question was whether the IP belonged to a Tor Exit Node, a VPN or a proxy server. An IP can hide just about anything. How could he confirm that this was the forum’s location, rather than just a node in a chain of redirects? Stangvik applied three improvised techniques:

5. Timing between the servers
He rented a virtual server with Digital Pacific – the same place as where the suspected IP was located. He then updated the profile picture URL to point to this server. Upon receiving an incoming profile picture request, Stangvik’s server would respond with a redirect to another URL on the same virtual server. Repeating this redirection process several time, Stangvik was able to isolate and measure the roundtrip-time between the two servers. The measurements yielded very low times, consistent with a forum server in close vicinity of his rented server.

6. Measuring intermediate nodes
Stangvik also paid attention to so-called «Time To Live» values on the incoming data packets. These provide some insight into how many intermediate parties are involved from the sender to the recipient. In this case, the values indicated that there were at most one intermediate – a typical result if the servers were located in the same room.

7. Measuring packet size
The final test started to get advanced: Measuring MTU (Maximum Transmission Unit) and packet fragmentation.

Each packet in a computer network has a maximum transmission size, based on which intermediates it passes through. Each encapsulating technology, such as VPNs, can result in the total packet size increasing beyond the maximum size, and local networks usually have larger maximum sizes than the “tubes” found on the internet. If the maximum size is surpassed, the packet will be broken into multiple fragments.

By crafting long profile picture URLs, and setting specific packet flags, in the redirects returned by his custom web server software, he could see that the MTU was consistent with that of high-speed local area network traffic, and also ruled out VPN configurations.

October 2016
The forum is moved

In October 2016, WarHead’s abuse website was moved to the server in Sydney. That was six months after he set it up.

How did it happen?

In May 2016 Griffiths, the Australian police investigator, received a message from the police in a European country: they had arrested a person who turned out to be one of the moderators of the Giftbox Exchange – the website that Falte, the American, operated. Would Task Force Argos be interested in taking over the European moderator’s account and go undercover as him?

The task force was interested. It is one of the few police units in the world adept at imitating sexual predators on the dark web using false identities.

Paul Griffiths.
Paul Griffiths. Photo: Tore Kristiansen, VG

Operation Artemis begins. Griffiths and Task Force Argos had a clear goal: take over the site. Let it rot from within while task force members monitor all communication between participants. Identify perpetrators and victims. Make arrests.

– Once you have control of the site, you can do whatever you want. Then you can move it wherever you want in the world. That’s how the internet works, says Griffiths.

The man whose identity Task Force Argos had assumed was just a moderator. Unlike the owner, CrazyMonk, the moderator had no power to move or alter the website. So for now the task force could only observe.

In recent decades Task Force Argos has collaborated with a number of police entities to combat sexual abuse of children. Several times a year, investigators from a variety of countries meet to review operations and investigations. At other times they are a just a phone call away. They know they can trust each other and get assistance, often from the other side of the world.

When another country’s investigators found the IP address of the Giftbox Exchange, they sent it to Argos.

The police contacted the hosting provider housing Giftbox. At that time, they could have seized control of the server and all its data on visitors. But that would have driven the top people underground, and that’s who the police were after. They chose to do nothing other than monitor the site through a backdoor in the server.

While Argos was looking for a way to take over Giftbox, Childs Play appeared on the dark web. Evidence analysed by the police, including messages written by WarHead and CuriousVendetta, suggested that they were from the same country.

Maybe even the same person.

– A great deal of solid intelligence indicated that one of the Giftbox leaders also ran Childs Play. We assumed there was a link between the two sites, says Griffiths.

Follow the money! For other criminal networks, following the money is a key to tracking down the leaders.

But in child abuse networks, there is much less money in circulation. The images themselves are the currency. All the same, it costs money to have a website hosted on a server. In this case, payment was rendered in Bitcoin, a virtual currency.

Homeland Security Investigations, an investigative arm of the U.S. Department of Homeland Security, began searching for whoever was behind the payment. It was easier than expected. In short, the person nicknamed CrazyMonk had registered that particular Bitcoin wallet to his personal email address.

The address pointed to a 27-year-old Tennessean who had lived all his life at home with his parents in a house half an hour from Nashville:

Patrick Falte.

CuriousVendetta was harder to find. Of Giftbox’s two leaders, he was the technical expert. However, in the summer of 2016, he hits a snag with some program code. He tries to fix the code, but it doesn’t work and he ends up seeking help online.

He takes a screenshot of the code, uploads it to a web forum for programmers and asks for advice.

It’s a mistake that leads to his downfall.

On the open web, Google sees all. When a Homeland Security investigator saw that Giftbox had a technical problem, he thought: If I had this problem, I would ask for help online. Using search engines, investigators found what they believed was CuriousVendetta’s question. The screenshot of the code – a seemingly innocent image of text – was stored on a Russian server used almost exclusively for sexual abuse pictures.

It had to be him.

The man who posted the question was in his mid-20s and from North Bay, Ontario:

Benjamin Faulkner.

The effort to close in on the two men began. How could police arrest them before they could destroy evidence? Quietly, the lives of the two men were examined. Would it be possible to install a camera in their homes or workplaces? Could the police break in and install keyloggers on the men’s computers to monitor their every keystroke?

All ideas were rejected. If the men felt even a hint of suspicion, they could quickly delete the site and all its data about themselves and tens of thousands of members. The suspects had to be apprehended before they could alert others.

During the investigation, the police made a noteworthy find: Falte and Faulkner knew each other. Not just online. Also in real life.

– We knew they had a habit of meeting up. We just didn’t know why. WarHead had been in the United States four or five times earlier, and we assumed that he and CrazyMonk met all those times. They probably met for the first time in 2015, says Griffiths.

The investigators decided to watch and wait.

– At some time or another, WarHead is going to cross the border into the United States. When they meet, we’ll grab them, Griffiths recalls the investigators deciding.

That was in July 2016. August came and went. Faulkner and Falte travelled nowhere.

September ebbed out, and still nothing.

VG, too, decided to wait. In January 2017 we discovered that the server in Sydney concealed a major new operation led by Task Force Argos, in cooperation with several other countries.

Only now, more than nine months later, have we chosen to publish.

– After the meeting with Griffiths and Rouse, we understood that the journalists had discovered an ongoing police operation. Although it was stunning news and obviously of public interest, we decided to hold off publishing what we knew. The situation was unclear. We needed more information before deciding what could be published. In a worst-case scenario, VG could have damaged the investigation and endangered innocent people, says VG Editor-in-Chief Gard Steiro.

September 30th, 2016
Alarms go off

On Friday, September 30th, 2016, alerts went off in Boston, Toronto and Brisbane.

Faulkner had crossed the border from Canada into the United States.

Until the day before, he had been highly active on Childs Play. It was the last time the forum would hear from him for a long time. The clock on his computer read 11:46 p.m. when he logged in as WarHead and wrote a short thank-you note to a member who had posted a film showing an assault on a 10-year-old girl:

«Thank you for her! I didn't realize you had more of her up, how did this go under my radar?!».

Then he left. He drove from the apartment at the edge of Toronto, across the national border into the state of New York, then south to northern Virginia.

As WarHead crossed the border into the United States, the U.S. Customs and Border Protection sent a report to Homeland Security Investigations. From there, word passed to Canada and Australia: Faulkner has crossed the border.

In Australia, Griffith got the message on Friday afternoon, local time. The next few days were critical. Would the operation succeed?

Homeland Security Investigations checked the location of CrazyMonk’s car. Several weeks earlier, investigators had put a tracking device on it. Since then the car had barely left the Nashville area. Suddenly it was on the move.

CrazyMonk was 200 kilometres from home, heading north-east.

For months, Homeland Security Investigations, Argos and Toronto had been waiting for this.

The two men were going to meet.

October 1st, 2016
Manassas – USA

Saturday. The men checked into a hotel in Virginia. In the evening, they went to a house and stayed late. Court documents reviewed by VG describe Homeland Security agents watching both cars at the house late Saturday night.

Sunday morning the two left the hotel, each carrying a bag, and stayed at another house.

At 6:30 a.m. on Monday they awoke as armed U.S. police broke down the entrance door.

Faulkner was far from home. Had he been captured in Canada, the punishment would be far milder. Now? Pressed into a corner by the agents ransacking the house, he was given a clear choice: Tell us everything and you might get out of prison before you die.

Within minutes, he spilled it all: usernames, passwords and encryption keys.

– He could hardly wait to talk,” says Griffiths. “On the web, they sound tough and talk about how they’re ready if the cops come, and about how they have taken every possible measure to keep us from accessing the material. But when a police officer kicked the door off its hinges, pointed a weapon at him and ordered him to lie on the floor, it became clear to this Canadian that he was a long way from home.

Griffiths gives a quick chuckle.

In Australia, the clock was ticking towards 9 p.m. Everything Homeland Security got out of Faulkner and Falte was sent straight to Argos, which immediately tested the passwords. Were they correct? Messages flew between the United States and Australia. Should the numbers be typed in as letters or digits? Had they cracked the website?

What happened next would have major consequences.

Amidst all the other information Faulkner coughed up while still sitting in bed during the police raid were the passwords for Childs Play.

In one swoop, Homeland Security had arrested the ringleaders and administrators of not just one but two of the biggest child exploitation sites on the dark web.

Everything the two men had with them was studied in detail: memory cards, computers, passwords, usernames, keys. The police knew time was short.

If WarHead and CrazyMonk were absent for too long from the sites they ran, paranoid members would flee and the police work would have been in vain.

Among the messages sent to Australia that morning, one was special. It said the agents had found images of a small child being abused.

The pictures had been taken Saturday evening.

Then came a follow-up: «Did everyone get the previous message?».

Griffiths sat at home alone, working with the passwords, when he saw the message.

– What could I say? There was no one to say it to. I just had to keep working, he says.

Police found 30 pictures and three videos. They showed a four-year-old girl and what she had been subjected to in the house that Faulkner and Falte visited. In one of the pictures, Faulkner’s hand was identified.

The drive from Nashville takes more than 10 hours. That would have given Falte ample time to reflect on what he was heading to do.

He drove across the Smoky Mountains, through lush forests where the trees were aflame with autumn colours. He kept driving. Did he ever stop to consider whether it was right to rape a four-year-old girl? Regardless, he pressed on towards the house in Virginia.

As did Faulkner, all the way from Toronto.

On the dark web, they divided between them a kingdom of like-minded people who admired them and strove to curry their favour.

The supplicants included a man with access to the four-year-old girl. According to a police report, it was he who filmed the assaults. The pictures showed that at least one of the three men raped the girl that Saturday in September 2016.

September 9th, 2017
American prison

The phone line crackles as the man who provided the four-year-old girl to Faulkner and Falte talks to VG from the prison, where he has been for almost a year.

Imprisoned man.
Imprisoned man.

– There isn’t much privacy here in the prison, so there’s not much I can say on the phone, he says, and continues:

– I’m not going to lie. It was I who contacted CrazyMonk first.

VG has data showing that this man had visited several of the biggest child abuse websites. He had posted abuse pictures and asked other members for help in finding more.

For him, getting to talk to CrazyMonk, the head of the website, was a big deal. A famous man. To make contact, he showed Falte pictures of the child. That’s how it started.

A few weeks later, Falte arrived at his home. Under questioning, according to court documents, Falte said that during his first visit in 2015 he raped the child “until the minor complained”.

That was the first of a five visits to the small house in Virginia. Just after New Year’s Falte came back, this time with Faulkner.

In interviews with VG, the police say they don’t know why WarHead and CrazyMonk decided to meet, though they had a lot of information about the men.

After the police found the server where the site was stored, in July, they monitored all communications, including private messages between the administrators. The police kept tabs on where they travelled in Virginia, where they spent nights, and which houses they visited.

No one suspected a child was about to be raped.

– But we definitely wondered why they wanted to meet. That question hung over our heads, says Rouse, in Australia.

– Some of these men wanted so desperately something beyond just the confirmation they get online. They want to meet people like themselves, if only for a beer, says Griffiths.

Why weren’t they arrested before the assault occurred?

– We had no idea that was going to happen. They never mentioned anything about it in the messages we saw about meeting, says Griffiths.

The man who filmed the abuse of the child confirms that was the case. The plans to meet were made in an encrypted chat program, he tells VG.

Police had access to these chats only after obtaining all the passwords from CrazyMonk and WarHead.

Faulkner and Falte say the same in an email to VG from prison in the United States.

– We made sure specifically not to talk about specifics anywhere other than Tox [encrypted chat], and burner phones with dummy burner phone numbers, they write.

They were surprised at how much the agents managed to find during the search.

– I was completely confident that they had very little on both of us in terms of evidence that they could use in court, writes Faulkner.

– Our machines were fully encrypted, we ran everything in Virtual Machines (VMs), all our removable media was free of anything implicating. They did not know anything about what was going on in Virginia.

ANNONSE

In a purely investigative sense, the arrests were a success. Task Force Argos assumed control of all of Faulkner and Falte’s usernames and passwords.

Task Force Argos became WarHead, but nobody outside the team knew.

Griffiths and his colleagues worked frenetically to learn all about Faulkner’s online persona so as to assume his identity without anyone catching on.

That took longer than some Childs Play members liked. Previously, WarHead had been a frequent presence on the site, often posting messages several times a day. Now he was silent.

«Did anybody hear from WarHead within the last 7 days? I'm waiting for a pm from him. Nothing happens.»
, a nervous member wrote, using an abbreviation for “personal message”.

«Strange, her disappearing and this forum going slower and slower......,», wrote another. Like most forum members, he used the pronoun “she”, though the vast majority were men.

Something had to be done. If the forum did not hear from WarHead soon, members would sense he’d been arrested. They might then begin deleting their own tracks. That must not be allowed to happen.

Online crime has no borders. That’s a problem, but in this case Argos and its partners turned it to their advantage.

It is VG’s understanding that when WarHead surrendered access to Childs Play and Giftbox each forum was stored on servers in separate European countries. Police, lawyers and the suspects themselves refuse to say which.

Police in Australia and the European country saw obvious benefits to having the Australian police, rather than a European force, running the site.

Australian laws give the police unusually broad powers to monitor suspicious activities online.

– During a so-called “controlled operation” we get permission from a judge to act in ways that normally would have been considered illegal. We are given the right to commit certain criminal actions and we are exempted from prosecution because we are investigating specific crimes, explains Griffiths.

At a meeting this spring in The Hague of the some of the world’s leading investigators of internet-related abuse, Griffiths told of a case in which he hacked into someone’s account on a web forum.

– I looked around the room and knew that none of the other investigators had permission to do the same. Technically, it wasn’t difficult. But legally they would not have been allowed, says Griffiths.

He thinks that’s a problem.

– It means they lose the opportunity to identify some of the worst offenders on the internet, he says.

– If they had the options we have, I’m sure they would catch people they can’t get today. But it must be done properly, within a given framework. For it to work you have to have certain abilities and controls in place. I feel we have that.

With permission from the European police partner, Task Force Argos logged on to the server, took over the “Childs Play” site, copied it and moved it to a server in Sydney, as VG discovered in January.

Experts consulted by VG say the transfer was comparable to the way the United States once flew terrorism suspects to countries with lax human rights records for questioning.

Jon Wessel-Aas
Jon Wessel-Aas Photo: Gorm Kallestad / NTB scanpix

– The logic seems to be the same in this case, says Jon Wessel-Aas, a Norwegian lawyer and specialist in privacy and human rights.

– It is worrying if the police “outsource” investigations to a country where police have freer rein, at least if it’s done intentionally and systematically. But the legal picture is unclear.

Cross-border investigations are demanding, both legally and ethically.

– In the absence of sound regulations, the police in countries with the fewest legal protections can end up with responsibility for an investigation, Wessel-Aas says.

October 6th, 2016
«Warhead» is back

On Thursday, October 6th, 2016,

Four days after the arrest, “WarHead” was back on Childs Play:

«Phew, what a month that was!. A month of my life that I won’t get back. Although technically most of the really screwed up shit happened in October, not September, hence my late foray into this month»

Then he reprimanded his subordinates: «Sorry again about the late arrival but I did ask the Staff team to step in and cover for me in my enforced absences.»

He, WarHead, was no longer Faulkner, but Paul Griffiths of Task Force Argos.

Thus began the undercover phase of Operation Artemis.

Within four days of the Canadian’s arrest, Griffith had examined every message WarHead had written. He studied WarHead’s writing style, including the typographical errors he was prone to. He knew the snippets of background history he had revealed online.

He did this during the day. Nights were spent in telephone conferences with colleagues in Europe and the United States.

It was inevitably 2 a.m. in Brisbane when everyone else was available to talk.

Going undercover online takes more than grammar and personal history. To write like WarHead, Griffiths had to be WarHead. It was a mental effort that he and his task force colleagues disliked.

– When you’re trying to be someone who has written a lot online, who a lot of people know and whose way of writing and expression they recognize, you can’t just show up and use a completely different vocabulary. You have to study the punctuation he uses, as well as the smileys and other characters.

Not even that guarantees success.

You need to understand how he feels. It’s destructive. Really difficult. I have been working in this field for 22 years. Seeing pictures has no effect on me anymore. But to sit online and talk like one of these guys ... Every time I’ve done it, I feel like I have to take a shower afterwards.

Paul Griffiths.
Paul Griffiths. Photo: Tore Kristiansen / VG

Griffiths – friends call him «Griff» – is considered a leading expert on identifying victims and perpetrators based on images.

He has been identifying victims of abuse for 22 years. If one person has abused another, and it was filmed, he most probably has seen it.

– My main motivation is to identify the children and get them out of their horrible situation. That’s how I manage to work with it.

– I also have a touch of Asperger’s. At least, that’s what my wife says. She says I have no empathy, says Griffiths with a short laugh.

– That makes it easier to stay in the job.

It also helps that he has a photographic memory, remembering everything as pictures. Even when sifting through millions of pictures, he knows which ones he has seen before, including where and when.

– We have good databases, but I generally find things faster than them.

Five years ago he saw a picture. It was a picture of a naked man. Griffiths knew immediately that he had identified one of the internet’s most ruthless and notorious abusers: Falko.

The man in the photo had a feature that Griff recognized from child exploitation films that Falko had shared online. No one had managed to identify him or the victims, because he was careful never to show his face during the abuses he committed.

But “Griff” recognized a mark on the man’s penis.

That led to Falko’s arrest and lengthy prison term in Kazakhstan. Now he is on the run, after a spectacular escape that involved throwing himself out of a courtroom window and breaking both legs, then escaping from the hospital. But it was “Griff” who found him.

«We are, I can assure you, as safe as we have always been, and I hope we will always continue to be so,»

Griffiths wrote in the guise of WarHead.

Members believed him.

For nearly a year, Task Force Argos would harvest information about the members on the website.

Having complete control of the site meant they could see everything that went on there. By reading private messages, deleted messages and email addresses and passwords they could build a profile of the members. They could also add bits of code to the program that controlled the site, enabling them to find members’ IP addresses. They tried a variety of techniques to identify Childs Play members, but decline to discuss them with VG.

– If this was war, do you think the general would let you into central command? We do not want to tell these people how we work, and I really hope you don’t either. You won’t get our operating methods, says Rouse.

– We’re trying to do something that has never been done before. So in a way you write your own – I won’t say ‘rules’ – but you write your own script. We use techniques that have never been applied before, and we don’t always know how to prepare ourselves for the results, adds Griffiths.

As a sort of anthropologist of the dark, Griffiths learned the culture of this online community of exploiters: what should not be posted on the main site (torture videos); what could be shared in a small, trusted group (torture videos); who among the members were popular and in favour and who were not.

Accessing private messages between members turned up a surprise for Griffiths. Several of them knew the police were now running the site.

– A substantial number knew exactly what had happened. They had exposed us as police and saw through the smokescreen we had put up around WarHead. They knew it was us, but didn’t tell anyone. Those who exposed us talked to each other but didn’t warn anyone else.

Griffiths tried to write as few posts as possible, but there was one that the Australian police could not escape: WarHead’s monthly status update.

The understanding between WarHead and forum members was that a missing a status update would signal that the site had been taken over by others. That is why the messages were so important, and had to be written in the same style as always,

Under Faulkner’s rules, each status update had to end with a sexual assault picture.

– The assumption was the police couldn’t share such images, making it impossible for us to run the site, says Griffiths, who is originally British.

– In Britain, we couldn’t have done this. But when you’ve worked in this field a long time it becomes obvious what needs to be done and why. Doing this gives us a chance to identify those who commit new assaults. Most of them have probably already seen the photos we share.

On January 3rd, 2017, Task Force Argos published WarHead’s monthly update. In it, they wrote about the work WarHead had been doing on the forum, ostensibly to make it more secure for members.

The message was concluded with:

«I hope that some of you were able to give a special present to the little ones in your lives, and spend some time with them. It’s a great time of year to snuggle up near a fire, and make some memories.»

He ended the update message, as required, with two child abuse images.

Could this message be seen as encouraging sexual abuse? VG ask.

– Well, there’s no ... I mean, you know, says Griffiths.

– Things can be read between the lines, but that doesn’t necessarily mean we’re encouraging anything. We may have talked about sexual abuse in a number of different forums and platforms, but we would never encourage abuse.

– Sharing any such image is an abuse of that child. However, it is something we can justify as being for the greater good and to prevent ongoing abuse of children.

How do you think the children in the pictures feel about your sharing pictures of them?

He pauses for a second.

– I hope they understand that we are trying to catch as many offenders as possible.

Carissa Byrne Hessick.
Carissa Byrne Hessick. Photo: Einar Otto Stangvik, VG

Carissa Byrne Hessick, a professor of law at the University of North Carolina, questions Griffith’s argument. She is one of the world’s leading legal experts on investigating such abuse.

– It sounds like the police tell one story about how damaging the images are when others share them, and another story when the police share them.

– That’s a kind of hypocrisy I really don’t like. But this sheds light on the argument that any and all sharing of such an image is abuse. If the police say they’re only sharing images that have been shared before, it means the police do not think all sharing is harmful, says Hessick.

She expresses concern upon learning that the police themselves did share child sexual abuse images.

– I don’t necessarily think it’s wrong for them to commit criminal acts during undercover operations. My concern is not about them breaking the law. My concern is whether we get enough information about the balance in what they do.

– If the site is used to facilitate the actual abuse of children and the police continue to run it, I question their ability to strike a balance, she adds.

Griffiths claims they do seek balance:

– There is definitely a balance between what we want to achieve and how we go about it, he says.

– Eventually we get to the point where it isn’t worth running the forum any more. But as long as we’re identifying victims, producers and abusers, we will keep running it.

He tells of a previous operation in which investigators ran “The Love Zone” website for just a few months. Griffiths claims they identified more than 80 children.

– You can ask them if our running the forum was worth it, he says.

Isn’t there a risk that people downloading such images will develop into abusers?

– Abusers are abusers. People who have a desire to abuse children will abuse children no matter what, Rouse says.

September 1st, 2017
New York

On September 1st, VG makes contact with a woman in New York. Images of abuses against her daughter have been shared thousands of times – and now on Childs Play as well, under administration by Task Force Argos.

She starts to cry, then pulls herself together.

They might argue in the long term it will be beneficial to my daughter because it will help them capture other pedophiles. But just sending her image to one offender can turn into it being in the hands of hundreds or thousands of others, hurting her more, not helping her, says the mother.

Her lawyer, James Marsh, takes a more positive view of the police using such images. He represents numerous children who feature in the most widely shared exploitation images.

– Several of my clients would have welcomed police use of their images in the battle to track down abusers. They know how skilled these men are at hiding and understand what it takes to catch them, Marsh says.

He nevertheless understands the mother’s reaction. The pictures of her daughter had been less extensively distributed than many others, so each new share carried more significance.

– I agree with her that the police should compensate the victims, but not with money. If victims could be consulted along the way, it would give them a sense of control. Control is exactly what they were deprived of during the assaults, says Marsh.

Help us finance investigative journalism: VG+ subscription

Several participants in Operation Artemis refused to be interviewed or identified, including the investigator who monitored the Scandinavian sub-forum as well as other European partners in the operation.

Homeland Security Investigations agents declined interviews as well, saying that the legal cases against WarHead and CrazyMonk were still in progress.

– There is a lot we can’t say about this operation, especially not what our partners did, says Rouse.

Some of his own Australian investigators disapproved of VG being given information.

– Several of my international colleagues know you are here and talking with us today. They are not very happy about what your colleague did to expose us. We have done a lot of good work together and I want it to continue. So you can’t use my name, says one of them.

He is, however, willing to talk about his work an undercover agent.

–Anyone who says they haven’t cried in this job is lying. You give a part of yourself the job, and that part becomes a friend of those you’re investigating. When we were done with one of our recent operations, it felt like I had locked up all my friends.

Apart from Griffiths, this was the agent who most often went undercover as WarHead. All the website’s members followed every word he wrote. Successfully imitating an abuser online has its challenges.

– It’s as if you force yourself to have a split personality, and you download this other person into a part of your brain and hand over that part of your brain to him. It’s hard.

Childs Play statistics

Number of posts per day

Accumulating number of posts with pictures*

* Each post can contain multiple images / videos

Activity on Childs Play was high during the time the police ran it.

In January, when VG first wrote about Childs Play, the site had 427,000 registered accounts. Through September of this year, more than a million accounts had been registered.

On 25 October 2016, two weeks after Argos took over the site, an unidentified user created a discussion thread featuring images of an eight-year-old girl being raped.

By August of this year, the post had been viewed 770,617 times – all while the police were running the website.

September 13th, 2017
Childs Play shuts down

Wednesday, September 13th: After running the site for 11 months, Task Force Argos finally shuts down Childs Play without fanfare.

In a few keystrokes, the forum vanishes from the dark web.

If you managed to find the old web address, you would simply be informed there is nothing there. Childs Play is gone.

Now the work of sending cases to police around the world is underway. A dozen countries are already involved in the investigation of the site’s members. Griffiths has a list of between 60 and 90 people from around the world who are his main targets.

Another country’s police are believed to have a list of nearly 900 people they think should be arrested. Some have been already, with more to come.

Canadian police say they have identified and saved “a dozen” children and referred some 100 cases to other countries. Task Force Argos The Argos Task Force itself declined to provide numbers to VG.

– The media tends to use such figures as “weapons” against us and our colleagues around the world, and we don’t want that, Griffiths tells VG.

Also uncertain is the total number of children identified and rescued.

Professor Hessick wonders about the missing numbers.

–If they conduct investigation without even checking if the people have been arrested, it’s hard for Argos to argue that such police operations are necessary. I worry the police apparently think they don’t need to justify an operation like this, she says.

The FBI ran a similar operation in 2015, and the numbers weren’t released for two years. According to the FBI, 870 people were arrested or convicted as a result of the operation, and 259 children were rescued or identified.

In the pursuit of child abusers, the police seem to have found a highly effective method: don’t leave the market to the predators. Run the sites themselves.

– Our job is to make sure we play at the same level as the abusers. If we don’t, they will always be one step ahead, says Jon Rouse.

September 15th, 2017
Richmond, Virginia

On Friday, September 15th, two 27-year-old men faced a judge in a Richmond, Virginia, courtroom. The prosecutor had demanded a sentence of 50 years in prison. The defendants’ own lawyers said 30 years would be more appropriate.

The judge didn’t agree with either side, and sentenced both 27-year-olds to life in prison.

Neither will ever be released. Not because they, as CrazyMonk and WarHead, had run the internet’s largest abuse forums, but because as Benjamin Faulkner and Patrick Falte they had raped a four-year-old girl.

In Tennessee, prosecutors are preparing to try the men accused of running «The GiftBox Exchange».

In an email to VG from prison, Falte and Faulkner say they will fight their case in court.

– We would love to talk more about GBE, CPlay, and some other sites, but we cannot get into that until after the Tennessee trail. Saying all that, we may have been involved at every level, for years, starting from the basic user to moderating, administrating, owning and creating, several sites, chatrooms, and services, Falte and Faulkner write, using initials for Giftbox Exchange and Childs Play.

They later add that they will appeal the life sentence ruled in Virginia.

Their lawyers have not answered VG’s inquiries.

There will probably never be a trial focused on Childs Play, the site that Task Force Argos ran for almost a year. Faulkner has been sentenced in any case to spend the rest of his life in prison.

Plaza-mysteriet
Hvorfor har ingen etterlyst den unge, elegante kvinnen som ble funnet død på Oslo Plaza? Etter 22 år er graven åpnet.
Makt­spillet om nød­sentralene
Her spiser de kake under åpningen av den nye operasjonssentralen i Oslo. Men bak den idylliske fasaden har det i flere år rast en rå maktkamp.
Fosterhjems­kongen
Tyske Peer Salström-Leyhs (63) stiftelser har fått nærmere en halv milliard for å drive fosterhjem i Norge. Etter få år sitter de igjen med store overskudd — samtidig som millioner er ført ut av landet.
Ambassadøren
Mens Stig Traavik var Norges høyeste representant i Indonesia innledet han hemmelige forhold til tre lokale kvinner. Én av dem mottok 1,4 millioner bistands­kroner til organisasjonen sin fra den norske ambassaden.
SKUP-prisen 2016
Tvangsloggene
VG har gjennomgått og digitalisert innholdet i over 2500 beltelegginger fra tvangsprotokollene. Dette materialet gir et innblikk i hvordan mekaniske tvangsmidler brukes og begrunnes ved norske sykehus.
SKUP-diplom 2016
Millionærer på bistand
VG kan dokumentere at oppdrag for verdens fattigste har blitt god business for eiertrioen bak International Law and Policy Institute (ILPI).
Årets nyhetsdekning
Treholt-bløffen
Privatetterforsker, journalist og forfatter Geir Selvik Malthe-Sørenssen (50) har de siste fem årene beskyldt politiet for bevisjuks og forfalskninger i Treholt-saken. Nå avsløres han selv for juks.
Årets digitale historie
SKUP-diplom 2016
Utpresserne
Et lydopptak kunne legge advokatkarrieren til Amir Mirmotahari i grus. Noen tjente store penger på det. Dette er jakten på de ukjente pengeutpresserne.
Årets digitale historie
SKUP-diplom 2016
Advokaten og torpedoen
Forsvarsadvokat Amir Mirmotahari ba torpedoen kidnappe og dope ned et voldtektsoffer. Målet var å holde henne unna rettssalen – slik at klienten hans gikk fri.