
The darkweb child sexual exploitation video site, “Welcome to Video”, first came to law enforcement’s attention as a result of a case in the UK, where geophysicist Matthew Falder was arrested. When the National Crime Agency examined his hard drive, they found he had been a member of “Welcome to Video”, which at the time used the web address mt3plrzdiyqf6jim.onion. Anyone visiting that website recently would have seen this banner instead:

Law enforcement actually got the website through a silly webmaster error. One of the pages on the website linked some of its component files by the server’s IP address instead of its .onion address. The IP address, 121.185.153.45, was a Korea Telecom address. Investigators got the owner’s address details and were able to confirm his identity.

After establishing undercover addresses, agents ran searches on the website for some common child sexual exploitation terms and received indications that there were THOUSANDS of matching videos. I don’t know that we should share the terms with our readers, but some search terms resulted in more than 7,000 or even 10,000 matching videos. Searches for videos involving children as young as four years old or even two years old yielded 4,000 matching videos each.

Anyone could view “thumbnails” on the site, but to download or view the related videos, you had to have Points. You could buy points for bitcoin, or you could “earn” points by uploading a unique video, or having a friend sign up and use your referral code.

On multiple occasions, including September 28, 2017 and February 23, 2018, federal agents made payments on the website, and within 48 hours, the money had been moved to another Bitcoin wallet. That wallet turned out to be a Coinbase wallet. When they asked Coinbase who paid for that Bitcoin account, it was Jong Woo Son. To be able to buy on Coinbase from a bank account, Jong was required to provide KYC (Know Your Customer) information, so he provided and confirmed an email address and telephone number, both of which were found to belong to Jong.

That gave law enforcement enough to raid Jong’s residence, where they found the server in his bedroom, containing 8 TB of child sexual exploitation images, and log files indicating that MORE THAN A MILLION videos had been downloaded from the site. The raid was conducted by US IRS-CI, US HSI, UK NCA, and the South Korean National Police. By comparing the hashes of these videos to the collection at NCMEC (the National Center for Missing and Exploited Children), they found that 45% of these videos had never been seen before.

MANY of the users of the site were “creating” videos by abusing children they had access to. The United States has indicted Jong Woo Son, but he is already serving time for charges brought in South Korea. The indictment does provide a great deal of information about the case that helps us understand what happened:

(from the Jong Woo Son indictment)

We know from other sources that the “exchanger in the United States” is Coinbase (see below). Every time Welcome To Video presented an opportunity for payment to a visitor, it generated a new potential Bitcoin wallet address. Until someone makes a payment, however, it is more like a “potential” wallet. If the visitor wasn’t sure how to get Bitcoin, Jong’s website recommended that an easy way was to set up a Coinbase account!

By tracing other addresses that also moved small payments to the same wallet that the undercover payments were moved to, they were able to identify a “cluster” of 221 frequently used bitcoin addresses that had been used to receive payments that were then sent to the website owner, Jong Woo Son. Later, they asked Coinbase, and two other major Bitcoin exchanges, to identify accounts that had sent payments to any of that pool of 221 bitcoin addresses.

Why so many? To make sure which payment belongs to which user, a user who indicates they are about to make a payment is assigned a bitcoin address to use for their transaction. This is fairly common practice on darkweb markets. To avoid conflicts, Jong had many such addresses that would receive the payment from a specific user, probably created at transaction time. Jong would consolidate these bitcoin “wallets” by moving the funds to his primary account, from which he sometimes withdrew funds directly to his bank account. Because transacting against a bitcoin address creates new addresses, the at least 7,300 small payments were paid to different addresses controlled by Jong over time.
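The clustering step described above can be sketched as follows. This is an added example, not code from the indictment or from the investigators' tooling. It assumes a simplified ledger with one sender and one recipient per transaction (real Bitcoin transactions have multiple inputs and outputs), and every address, amount, and function name in it is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger: (txid, sender, recipient, amount_btc).
# All addresses and amounts are made up for this example.
LEDGER = [
    ("t1", "undercover_1", "deposit_A", 0.03),      # known undercover payment
    ("t2", "deposit_A", "consolidation_X", 0.03),   # moved on within 48 hours
    ("t3", "exchange_user_7", "deposit_B", 0.05),
    ("t4", "deposit_B", "consolidation_X", 0.05),
    ("t5", "exchange_user_9", "deposit_C", 0.02),
    ("t6", "deposit_C", "consolidation_X", 0.02),
    ("t7", "exchange_user_3", "unrelated_shop", 0.10),
    ("t8", "unrelated_shop", "other_wallet", 0.10),
    ("t9", "consolidation_X", "owner_exchange_account", 0.10),
]


def forwarding_wallets(ledger, seed_deposits):
    """Wallets that received funds moved out of the known deposit addresses."""
    return {dst for _, src, dst, _ in ledger if src in seed_deposits}


def cluster_deposit_addresses(ledger, seed_deposits):
    """Every address that forwarded funds to the same wallet(s) as the seeds.

    The seeds are the per-payment addresses the site issued for the
    undercover payments; the result is the wider set of site-issued addresses.
    """
    sinks = forwarding_wallets(ledger, seed_deposits)
    return {src for _, src, dst, _ in ledger if dst in sinks}


def payers_to_cluster(ledger, cluster):
    """Group payments into the cluster by sender: the list an exchange
    would be asked to match against its customer accounts."""
    payers = defaultdict(list)
    for txid, src, dst, amount in ledger:
        if dst in cluster and src not in cluster:
            payers[src].append((txid, dst, amount))
    return dict(payers)


if __name__ == "__main__":
    cluster = cluster_deposit_addresses(LEDGER, {"deposit_A"})
    print(sorted(cluster))
    print(payers_to_cluster(LEDGER, cluster))
```

Starting from the single undercover deposit address, the sketch recovers the other deposit addresses that fed the same consolidation wallet and leaves the unrelated payment chain out of the result.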