Brisbane – Australia
Both men stiffen as VG confronts them.
– Go ahead and publish what you know about us now, if you think it’s true, but be prepared for the consequences, says Jon.
Next to him in a Brisbane hamburger pub sits Paul.
VG has just told them what we’ve uncovered: that they run the world’s largest online forum for child sexual exploitation, “Childs Play”.
Jon, the Australian, turns pale. Paul, who is British, flushes crimson.
It is January 2017. At this point the two have been running the Childs Play website for three months. Under their supervision, thousands of members have shared photos and videos of children being sexually abused. A Norwegian member boasted of abusing children in his own family. Some members got together in person to commit abuse, which they filmed and shared on the forum.
«The dark web»
A part of the internet where traffic between you and the websites you visit is encrypted in such a way that it’s very difficult for others to identify you. This makes it a popular technology for persons who wish to stay clear of law enforcement, either out of fear of being censored or jailed.
The Onion RouterThe most widely used dark web technology is The Onion Router – Tor – which has tens of thousands of web services. The network consists of an array of «nodes», or computers, that are configured as mediators between users and sites.
Messages are encapsulatedAll communication within the network is encrypted. The Onion Router got its name because the encryption is layered, like an onion. When you want to send a message to another computer within the Tor network, this message is encapsulated a number of times.
The package is sentOnce wrapped, the package is sent from you to a chain of nodes. Each node decrypts one layer of the onion, which grants the node information about where the package will go next. Each node knows nothing about the package it receives, beyond which node it was received from, and which node it’s to be sent to next.
It’s understandable that Jon and Paul look shocked. Finding them was thought to be impossible. The website they operate is on the so-called “dark web”. Encryption was supposed to keep the whereabouts of the server and the people behind it secret. VG has uncovered not only where but also from which computer the forum was run.
Jon and Paul’s cover is blown. They are not criminals. They work for the Australian police’s spearhead into the dark web: Task Force Argos. Jon Rouse heads the unit. Investigator Paul Griffiths has been in charge of numerous operations. VG can now reveal that Task Force Argos infiltrated the realm of child abusers inside the dark web for almost a year – and that the police unit itself shared photos of children being sexually abused.
How far should the police go in the service of good? How many wrongs should investigators be permitted to commit in pursuit of justice? The undercover operation in Australia, Operation Artemis, was part of a wide-ranging international police investigation.
We’re still following up on this story. Here are some of the latest articles:
VG has known about the operation since January and followed it closely, partly by monitoring traffic on the dark web and partly by obtaining information from police, judicial authorities and other sources around the world. When VG's computer expert, Einar Otto Stangvik, began investigating the website and its Nordic members in the autumn of 2016, we had no idea he would uncover a secret police operation.
Only now can we tell the story of how Task Force Argos, the U.S. Department of Homeland Security and the police in Canada and Europe worked to unmask the leaders of the world’s largest online community of child sexual abusers.
From the start, Operation Artemis had a clear objective: identifying victims and their abusers. But in doing so was it necessary for the police to run a child exploitation forum for nearly a year?
In the United States, a mother weeps when she hears that VG has found that pictures of her daughter being sexually abused were shared by members, while the police operated the site.
– My daughter should not be used as a bait. If they are using her images, then she should be paid or compensated for their use. It is not right for the police to promote these images, says the mother.
Pictures of children from several other countries were also shared during the same period.
The police deny they are responsible for what was shared on Childs Play while they ran it.
– We don’t create these sites. We do not want them to exist. When we do find them, we infiltrate and get as high as possible in the networks administrative structure to destroy it. But we will never create a forum for child sex offenders, says Jon Rouse.
So who built the forum that he and Griffiths operated?
We must visit two other countries. And two young men.
USA and Canada
The first young man , Benjamin Faulkner, grew up in North Bay, Ontario, a small Canadian city north of Lake Nipissing and the Great Lakes. His home was on the city’s outskirts, with a garage almost as big as the main house and a trampoline and an inflatable pool in the back garden. He taught swimming in his spare time and played the trumpet in a band, but spent a lot of time online.
Patrick Falte, the other man, grew up outside the country music capital of Nashville in the U.S. state of Tennessee. He lived with his parents in a gated community near a busy motorway interchange. In college, according to his father, he dreamed of going to work for the FBI to fight hackers.
Court documents VG has accessed, goes into how he, as a 12 year old, felt that he was different from his friends. His urges turned towards children, not other youths.
Years went by. The two studied what interested them most: IT security. The Canadian got a job in Toronto, the American in Nashville.
While the young Canadian unsuccessfully tried to find help to control the desires he felt, the American kept them shut inside. He was afraid any doctor, psychologist or counsellor he consulted would have to report him if he admitted being sexually attracted to children.
So he went online.
VG has discovered that both were active on the dark web in 2011, on the same website. Falte had become involved in the “Pedo Support Community” website, where he contributed technical programming.
On 30 October 2012, Faulkner visits that site and posts a message of introduction:
«A little about myself to establish credibility here: My name is CuriousVendetta, and I work as a JR forensics consultant and penetration tester for an IT security firm. On the side, I do what I can to cause general mischief on the internet with a few friends of mine».
In later messages, he tells of his job as a swimming instructor:
«At the pool is where I am free, and where I can generate my fantasies. I have more girls in my 'fan club' than I can even count».
North Bay is a small city. Some parents pick up on Faulkner’s proclivities and tell him to stay away from their kids. But no police complaint is filed.
North Bay – Canada
June 18th, 2013 was a hot day in North Bay. This far north on the American continent it can be scorching when the sun is out, and cold when it isn’t.
His siblings were in shorts. The young man who would later go by the name WarHead was wearing black jeans and a long-sleeved shirt. The family was celebrating. Everyone in the picture is smiling.
It seems Faulkner at that time was not active on Pedo Support or other paedophile sites.
But that would soon change.
During the fall of 2015 he visited a new website, «Giftbox Exchange». While logged on he received a message from the administrator:
«Hi, I haven’t seen you for a while. I’m the boss around here.».
It was CrazyMonk, from Pedo Support - the American, Falte.
That’s how their acquaintance began.
The Canadian Faulkner quickly became part of the Giftbox leadership team, but he wanted to be more than just a team member.
He wanted to lead – alone.
A place on the dark web
On Friday, 15 April 2016, the web site “Childs Play” saw the light of day on the dark web. A lone administrator was in charge of the site, with an entourage of moderators. The administrator called himself WarHead.
No one realized that it was Faulkner, known elsewhere on the web as CuriousVendetta.
«With the security scares brought about recently [...] and the general lack of good forums anymore, I decided to bring Childs Play to the community. The goal of Childs Play is to provide a simple free access forum to the community, while simultaneously allowing a safe and secure place to talk and just be ourselves».
WarHead received an overwhelming response. Suggestions poured in with ways to make the website better and safer for members. One was to have a subsection featuring the torture of children.
The Canadian became an expert in living with multiple identities. In the physical world he was the lifeguard, band member, computer geek, big brother. Online, he was king of his tribe.
In January 2017, VG published its first report about Childs Play, a website that had quickly arisen to become one of the biggest online child abuse sites.
In 2015 and 2016, under the guise of CrazyMonk and WarHead, Falte and Faulkner consolidated their leadership of the two largest networks for sexual predators and paedophiles.
At its peak, Giftbox had 45,000 users, while Childs Play at the end had surpassed 1,052,000 user registrations.
According to Task Force Argos, the number of actual people was far smaller, probably in the tens of thousands. Roughly 100 of them were known as “producers”, sexual predators who film children being raped and share the videos in online forums.
All this caught the attention of investigators worldwide. In Brisbane, Paul Griffiths read everything the two men had written about themselves. He sighed: two computer security specialists.
«We’ll never figure out who these guys are,» he told colleagues.
That didn’t stop him, though.
WarHead and CrazyMonk knew their place atop the dark hierarchy of child abusers was vulnerable.
In private exchanges with other members of the forum, Faulkner wrote that he knew what fate awaited him. Much later, in an email to VG, he expresses similar stoicism.
– You can’t exist within these communities without knowing that you are under heavy scrutiny by law enforcement. The higher you get in the communities, the more you know that you are being watched. We took a great many steps to counteract these measures, which worked for the most part, he writes.
Oslo – Norge
VG’s computer expert, Einar Otto Stangvik, was also monitoring Faulkner’s dark website. Using a computer system he programmed in the autumn of 2016, he was able to download, index and analyse all public messages posted on Childs Play.
As Christmas approached, Stangvik tried a variety of methods to see if it was possible to identify the men in the forum.
Indeed it was. Several members were identified: Norwegians, Swedes and a Dane.
But the website itself, and the two people behind it, seemed untraceable.
On the evening of 4 January 2017, Stangvik tried a new tactic. Instead of analysing the text on the forum itself, he peeked under the hood at the “engine” running the website – its software.
He found weaknesses. If asked the right question, the server could reveal its own IP address.
The right question was asked, and the server replied. It was located in Sydney and owned by the Digital Pacific web-hosting company.
Such information may seem mundane, but it was a sensational discovery.
Few others had ever managed to track the location of a major hidden service on the dark web. It took Stangvik just a few hours to do the near impossible.
Sydney – Australia
It’s Monday, January 23rd, and VG is in Sydney visiting the offices of web host Digital Pacific. The company’s founder, Andrew Koloadin, listens carefully to what VG has to say. One of his servers is hosting Childs Play. VG wants to know who runs the website. We want to find the people behind it.
– I’m as interested as you in clearing this up. We won’t turn off the server and we won’t do anything to compromise your work, Koloadin says.
As a provider of web-hosting services, he is not legally responsible for what is stored on the servers he leases out. That responsibility lies with the individual lessee. But Koloadin wants to do what he can to make the site disappear, and for WarHead to be caught.
A few keystrokes later, we have an answer: the server is leased by Task Force Argos in Brisbane.
Taken aback, Koloadin runs his hand through his hair.
– Storing material like this on our servers completely violates our terms. I wish the police had talked with us about this, but I understand why they didn’t. It’s a secret operation.
– How do you feel about police storing sexual abuse material on your servers?
– The abusers are smart and know to set up different systems to avoid the police. So the police have to be just as smart, as they obviously are here. But I don’t like them doing it behind our backs.
Brisbane – Australia
The next day in Brisbane. We have contacted Task Force Argos. They have agreed to talk with us. They don’t know about what yet. Ten minutes ago, the two investigators walked down the street from their headquarters, ties flapping in the wind.
– We have a very good working relationship with the Norwegian and Swedish Police. Let's talk and eat at the same time. Today is really busy, says Jonathan Rouse, head of the unit.
– We know you are the ones running the site. We know you've been running it for months, VG’s journalist says, once inside.
Rouse goes rigid on his barstool and stares back.
– So from the outset, I'm not going to tell you anything as this is an on-going operation.
The music continues to play, but the mood has changed.
– We have one goal and that is to stop the sexual abuse of children. We will do whatever we can within our legislative authority to achieve that. So what is it that you want?
– We want to know what you’re doing, VG’s journalist continues.
Rouse gives us a hard look:
– I want to know what you know and I want to know how you found out, maybe we are the administrators of a server. But I will not talk.
– I will not talk about ongoing operations. You are a journalist and will write a story. We are police officers and want to prevent children from being raped. So we have different goals with our work.
Rouse suggests that VG must have done something illegal to uncover the operation.
– Under Australian law, what you’ve done is the same as hacking. The police are allowed to hack to reveal criminal activity, but not you. So you have to be aware that what you have done can potentially have consequences.
Later, the police officers will decide to answer questions from VG.
How Stangvik exposed Childs Play
IP addresses and physical server locations are inherently difficult to find on the Tor network. So how did VG’s computer expert get the forum to disclose this information?
1. Profile picture uploadThe forum allowed users to upload a profile picture. This picture could also be fetched from a user-supplied URL.
3. The IP address is exposedBy telling the forum to fetch a picture from a server Stangvik controlled, he could see in his server logs that the originating IP was with a hosting provider in Sydney – Digital Pacific. Stangvik went on to confirm that outgoing DNS requests originated from the same provider, and that the forum’s software also loaded images included in forum post previews from the same IP.
Each packet in a computer network has a maximum transmission size, based on which intermediates it passes through. Each encapsulating technology, such as VPNs, can result in the total packet size increasing beyond the maximum size, and local networks usually have larger maximum sizes than the “tubes” found on the internet. If the maximum size is surpassed, the packet will be broken into multiple fragments.
By crafting long profile picture URLs, and setting specific packet flags, in the redirects returned by his custom web server software, he could see that the MTU was consistent with that of high-speed local area network traffic, and also ruled out VPN configurations.
The forum is moved
In October 2016, WarHead’s abuse website was moved to the server in Sydney. That was six months after he set it up.
How did it happen?
In May 2016 Griffiths, the Australian police investigator, received a message from the police in a European country: they had arrested a person who turned out to be one of the moderators of the Giftbox Exchange – the website that Falte, the American, operated. Would Task Force Argos be interested in taking over the European moderator’s account and go undercover as him?
The task force was interested. It is one of the few police units in the world adept at imitating sexual predators on the dark web using false identities.
Operation Artemis begins. Griffiths and Task Force Argos had a clear goal: take over the site. Let it rot from within while task force members monitor all communication between participants. Identify perpetrators and victims. Make arrests.
– Once you have control of the site, you can do whatever you want. Then you can move it wherever you want in the world. That’s how the internet works, says Griffiths.
The man whose identity Task Force Argos had assumed was just a moderator. Unlike the owner, CrazyMonk, the moderator had no power to move or alter the website. So for now the task force could only observe.
In recent decades Task Force Argos has collaborated with a number of police entities to combat sexual abuse of children. Several times a year, investigators from a variety of countries meet to review operations and investigations. At other times they are a just a phone call away. They know they can trust each other and get assistance, often from the other side of the world.
When another country’s investigators found the IP address of the Giftbox Exchange, they sent it to Argos.
The police contacted the hosting provider housing Giftbox. At that time, they could have seized control of the server and all its data on visitors. But that would have driven the top people underground, and that’s who the police were after. They chose to do nothing other than monitor the site through a backdoor in the server.
While Argos was looking for a way to take over Giftbox, Childs Play appeared on the dark web. Evidence analysed by the police, including messages written by WarHead and CuriousVendetta, suggested that they were from the same country.
Maybe even the same person.
– A great deal of solid intelligence indicated that one of the Giftbox leaders also ran Childs Play. We assumed there was a link between the two sites, says Griffiths.
Follow the money! For other criminal networks, following the money is a key to tracking down the leaders.
But in child abuse networks, there is much less money in circulation. The images themselves are the currency. All the same, it costs money to have a website hosted on a server. In this case, payment was rendered in Bitcoin, a virtual currency.
Homeland Security Investigations, an investigative arm of the U.S. Department of Homeland Security, began searching for whoever was behind the payment. It was easier than expected. In short, the person nicknamed CrazyMonk had registered that particular Bitcoin wallet to his personal email address.
The address pointed to a 27-year-old Tennessean who had lived all his life at home with his parents in a house half an hour from Nashville:
CuriousVendetta was harder to find. Of Giftbox’s two leaders, he was the technical expert. However, in the summer of 2016, he hits a snag with some program code. He tries to fix the code, but it doesn’t work and he ends up seeking help online.
He takes a screenshot of the code, uploads it to a web forum for programmers and asks for advice.
It’s a mistake that leads to his downfall.
On the open web, Google sees all. When a Homeland Security investigator saw that Giftbox had a technical problem, he thought: If I had this problem, I would ask for help online. Using search engines, investigators found what they believed was CuriousVendetta’s question. The screenshot of the code – a seemingly innocent image of text – was stored on a Russian server used almost exclusively for sexual abuse pictures.
It had to be him.
The man who posted the question was in his mid-20s and from North Bay, Ontario:
The effort to close in on the two men began. How could police arrest them before they could destroy evidence? Quietly, the lives of the two men were examined. Would it be possible to install a camera in their homes or workplaces? Could the police break in and install keyloggers on the men’s computers to monitor their every keystroke?
All ideas were rejected. If the men felt even a hint of suspicion, they could quickly delete the site and all its data about themselves and tens of thousands of members. The suspects had to be apprehended before they could alert others.
During the investigation, the police made a noteworthy find: Falte and Faulkner knew each other. Not just online. Also in real life.
– We knew they had a habit of meeting up. We just didn’t know why. WarHead had been in the United States four or five times earlier, and we assumed that he and CrazyMonk met all those times. They probably met for the first time in 2015, says Griffiths.
The investigators decided to watch and wait.
– At some time or another, WarHead is going to cross the border into the United States. When they meet, we’ll grab them, Griffiths recalls the investigators deciding.
That was in July 2016. August came and went. Faulkner and Falte travelled nowhere.
September ebbed out, and still nothing.
VG, too, decided to wait. In January 2017 we discovered that the server in Sydney concealed a major new operation led by Task Force Argos, in cooperation with several other countries.
Only now, more than nine months later, have we chosen to publish.
– After the meeting with Griffiths and Rouse, we understood that the journalists had discovered an ongoing police operation. Although it was stunning news and obviously of public interest, we decided to hold off publishing what we knew. The situation was unclear. We needed more information before deciding what could be published. In a worst-case scenario, VG could have damaged the investigation and endangered innocent people, says VG Editor-in-Chief Gard Steiro.