Walking Metamorphosis: ATII warns for the importance of keeping CSAM and Human Trafficking monitors trendy



Photo by Josh Sorenson from Pexels

Written by Carolina Christofoletti


A recent Notice published by the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) calls global attention to the fact that Covid-19 has seen a non-negligible increase in the funding, production, and sharing of Child Sexual Abuse Materials (CSAM). The Anti-Human Trafficking Intelligence Initiative (ATII) has chosen to work this data in a more filtered fashion.


According to ATII’s CSAM specialists, the production of CSAM material is data that is worth analyzing together with the self-generated CSAM statistics and the sharing of CSAM, a second data, which also should be analyzed together with the time spent by CSAM criminals in dedicated forums. But unfortunately, the funding of CSAM remains, yet, a poorly examined data point.


Especially in relation to commercial CSAM forums operating in the Dark Web, the highest problem that financial institutions have is that the know-your-client (KYC) premise is non-applicable. Not because it is not a valid parameter anymore, but because criminals do not let themselves be put on any list anymore. The Dread Pirate Roberts, who under the real ID of Ross Ulbrich, who managed of one of the most famous Dark Web Drug Markets, used to work in an antiquarian bookshop before launching himself as Silk Road’s administrator.


Very probably, the dangerous criminal which operates during the night in horror-film-like CSAM forums, looks under the daylight, like an innocent citizen gaining his everyday bread by administrating some legal online server in a small corporation. And who will say that his $25 restaurant bill was paid for by 5-hours access to a CSAM forum, and not by a cybersecurity consultation job that one is doing with someone else across the ocean? It should be expected that the Financial Institutions working this very data have their red-flags monitors properly calibrated with the new CSAM trends.


In a recent paper published one of our ATII CSAM specialists, Carolina Christofoletti, suggests that the financial crisis caused by the Covid-19 might have impacted the size of the commercial CSAM market, pushing it indeed forward.


Notwithstanding, this effect seems, according to her, not to have been caused by a bored and criminal state of spirit, not because criminals simply decided to change their risk perceptions and finally profit from CSAM files out of nothing. Some CSAM criminals saw a solution in commercial CSAM production and sharing content for their own economic crisis – exacerbated, indeed, by Covid-19 (“Stay home, but make money”: The underground market explanation that Dark Web CSAM forums give for the CSAM rise during the pandemic“, by Carolina Christofoletti, September 16th 2021, via LinkedIn).


ATII joins the FinCEN’s call of attention to Online Sexual Exploitation Crimes, raising now – through its specialized Cryptocurrency (ATCC), CSAM and Human Trafficking Teams – awareness for a very particular panorama found within CSAM and Human Trafficking- related data: The Hidden, not necessarily non-crypto, Wallets.


Photo by Alesia Kozik from Pexels

Where the Hidden Crypto-Wallets are


The great and most modern challenge now presented in front of all financial stakeholders working as a gatekeeper for CSAM and Human Trafficking data and which are, for that very reason, the very places where the red flag bell must ring, is a very particular, new, and not so obvious trend: The Hidden Wallets.


That is, those wallets that, though non-crypto currency-based, are being shared through a private, cryptography-protected channel to serve the very purpose of feeding those commercial criminal markets. Most of the time, those wallets are only disclosed during a CSAM forum Membership Application submission or, nor rarely, only in direct contact with criminals themselves – who are, under certain circumstances, willing to disclose this data in private.


In simple words, this means that the fight against CSAM and Human Trafficking is not one that Law Enforcement Agencies can fight alone. Targeted intelligence – as provided by ATII’s constant research efforts – needs to work together with Law Enforcement to understand the question of “where are the hidden wallets?”.


Specialized Intelligence Analytics reveals, as a very important piece for all CSAM and Human Trafficking stakeholders in this scenario, that criminals have a piece of data that they hold secretly closed while waiting for other criminals to understand the public code and contact them in private. The chance is very high that this data is compromising information, especially when Researchers start to dig deeper into those “requirements of access”.


Because criminals are not willing to disclose compromising information without coherent proof of truth, generic intelligence alone is not sufficient anymore. This fight needs meaningful, coherent, targeted intelligence – one that is able to break the data across the so-called indicators. You cannot investigate a Surface Web drug market as you would investigate a Dark Web CSAM forum, and you cannot investigate neither Dark Web forums nor Drug Markets in 2021 the same way you were doing in 2020. We are dealing with very volatile criminality, and the monitors must accompany the criminal’s moves.


Maybe the reason why CSAM and Human Traffickers do not publish their Bitcoin and Monero wallets in Dark Web CSAM forum’s public pages anymore is that they also fear the safety-guarantee given by the crypto brokers (called by the FinCen note as “third-party payment processors”), another trend analyzed by one of our CSAM Researchers.


While financial institutions blind themselves to the cryptocurrency side of the problem, CSAM criminals may be trading criminal files using credit cards. Indeed, some crypto wallets are published in CSAM forums, but, because they are published, we might expect them being also the hardest data point to break. The individuals and not the collective wallets (crypto wallets or not) are targeted as being the future of CSAM and Human Trafficking Compliance.


Photo by pixabay from Pexels

CSAM-related CVC is growing, so what?


According to FinCEN Notice, Convertible Virtual Currency (CVC) has seen a growth in payment transactions on CSAM websites. One of our CSAM Researchers contributes this data as the “Membership Fees”, which financial institutions are now analyzing and which, because they lead to a so-obvious correlation, CSAM criminals refrain in utilizing (Cryptocurrency in the Dark Web CSAM world: Why CSAM criminals refuse to deal with Bitcoin, Monero and Others”. By Carolina Christofoletti, September 14th, 2021, via LinkedIn). The reason why this finding seems to fit in perfect harmony with the findings related to third-party processors is that sometimes those are the very instructions provided, on the CSAM websites, to criminals willing to send new membership requests.


Tracing the Membership Fees is yet a crucial target but, indeed, CSAM stakeholders must not forget that it is not only of Membership Fees that CSAM forums are made of. Dark Web non-commercial CSAM forums are full of “scalpers”, which will add a parallel sense of confusion to this data by “dropping” the known red flag by moving this trade outside the crypto trail and back to credit cards.


On Dark Web CSAM forums, the payment processing problem seems to have already moved somewhere else. Yes, some commercial CSAM forums still display Bitcoin Wallets and others on their front pages – because whoever runs it is not a “script kiddie”, as hackers call it. These wallets are usually blended inside a diligently worked data chaos. It takes Dark Web time, intelligence, and experience to raise an administrator for a criminal forum, and this is also the degree of difficulty one should also expect from the CSAM Dark Web forum administrator’s crypto wallet.


Because it takes time, experience, intelligence, and last but not least courage, to display a Bitcoin Wallet in the front door of a CSAM forum – it means that the less tech-savvy CSAM criminals must operate through parallel, underground roads. The main profile of a Dark Web CSAM torture forum does not speak English – as observed by another one of our CSAM Researchers, Matt Richardson. Imagine, if he can configure a launderable Bitcoin Wallet, then (s)he is still considered an important target.


In the cryptocurrency scenario, stakeholders must be very careful not to be blinded by the traceability light. Criminals also set their honeypots. They keep Financial Institutions occupied, almost exclusively, with known criminal wallets by leading them astray. Sometimes a payment made to another state and without a clear link between two Surface Web personalities should be equally suspicious but isn’t flagged. On the other hand, using ATII’s unique investigation tools, a CSAM investigation using the same information would link the data points together and go even further and link to social media pages with children photos posted together with human-trafficking emojis.


Because cybercriminals are getting more and more sophisticated, stakeholders need to be constantly aware of keeping their Compliance Teams and analytic tools updated according to the best state of new data. CSAM and Human Trafficking criminals organize themselves rapidly, and so must the Law Enforcement Support side.The more effective Law Enforcement Agencies, Big Tech, Financial Institutions and Intelligence Initiatives such as ATII cooperate, the greater the chances that all of them will be surfing, timely, in the new data wave.


Grouping, worldwide, the best Human Trafficking and CSAM specialists in a multi-language scenario, ATII hopes to keep providing its best intelligence efforts to fight CSAM and Human Trafficking with trending, updated, and duly analyzed data. Follow the money and fight slavery… but follow it in a meaningful fashion.


Think about it.