"Welcome to Video" raid leads to 337 arrests due to Bitcoin Exchanges that use strong KYC

The darkweb child sexual exploitation video site, “Welcome to Video”, first came onto Law Enforcement’s attention as a result of a case in the UK, where a geophysicist Matthew Falder was arrested.  When the National Crime Agency was looking into his hard drive, they found he had been a member of “Welcome to Video” which at the time used the dark web address mt3plrzdiyqf6jim .onion.  Anyone visiting that website recently would have seen this banner instead:

Law enforcement actually got the website through a silly webmaster error.  One of the webpages on the website linked some of its component files by the server’s IP address instead of its onion URL address.  The IP address, 121.185.153.45, was a Korea Telecom address.  They got the owner’s address details and were able to confirm his identity.

After establishing undercover addresses, searches on the website for some common child sexual exploitation searches, and received indications that there were THOUSANDS of matching videos.  I don’t know that we should share the terms with our readers, but some search terms resulted in more than 7,000 or even 10,000 matching videos.  Searches for videos involving children as young as four years old or even two years old yielded 4,000 matching videos each.

 Anyone could view “thumbnails” on the site, but to download or view the related videos, you had to have Points.  You could buy points for bitcoin, or you could “earn” points by uploading a unique video, or having a friend sign up and use your referral code.

 On multiple occasions, including September 28, 2017 and February 23, 2018, federal agents made payments on the website, and within 48 hours, the money had been moved to another Bitcoin wallet.  That wallet turned out to be a Coinbase wallet.  When they asked Coinbase who paid for that Bitcoin account, it was Jong Woo Son. To be able to buy Coinbase from a bank account, Jong was required to provide KYC (Know Your Customer) information, so he provided and confirmed an email address and telephone number, both of which were found to belong to Jong.

That gave law enforcement enough to raid Jong’s residence, where they found the server in his bedroom, containing 8 TB of child sexual exploitation images, and log files indicating that MORE THAN A MILLION videos had been downloaded from the site.  The raid was conducted by US IRS-CI, US HSI, UK NCA, and the South Korean National Police.  By comparing the hashes of these videos to the collection at NCMEC (The National Center for Missing and Exploited Children), they found that 45% of these videos had never been seen before.

MANY of the users of the site were “creating” videos by abusing children they had access to. The United States has indicted Jong Woo Son, but he is already serving time for charges brought in South Korea.  The indictment does provide a great deal of information about the case that helps us understand what happened:

(from the Jong Woo Son indictment)

We know from other sources that the “exchanger in the United States” is Coinbase (see below).  Every time Welcome To Video presented an opportunity for payment to a visitor, it generated a new potential Bitcoin wallet address.  Until someone makes a payment, however, it is more like a “potential” wallet.  If the visitor wasn’t sure how to get Bitcoin, Jong’s website recommended that an easy way was to set up a Coinbase account!
By tracing other addresses that also moved small payments to the same wallet that the undercover payments were moved to, they were able to identify a “cluster” of 221 frequently used bitcoin addresses that had been used to receive payments that were then sent to the website owner, Jong Woo Son.  Later, they asked Coinbase, and two other major Bitcoin Exchanges, to identify accounts that had sent payments to any of that pool of 221 bitcoin addresses.  Why so many?  To make sure which payment belongs to which user, when a user indicates they are about to make a payment, they are assigned a bitcoin address to use for their transaction.  This is fairly common practice on darkweb markets. To avoid conflicts, Jong had many such addresses that would receive the payment from a specific user, probably created at transaction time. Jong would consolidate these bitcoin “wallets” by moving the funds to his primary account, from which he sometimes withdrew funds directly to his bank account. Because transacting against a bitcoin address creates new addresses, those at least 7,300 small payments were paid to different addresses controlled by Jong over time.

This was really spelled out in detail as the prosecutor, and then the FBI agent, tried to explain bitcoin to the judge in the Gratowski case.   That was the Texas case involving former HSI Agent Richard Nikolai Gratowski.  Same thing.  He used his own USAA Credit card to pay Coinbase to buy his bitcoin.  I have the 100 page transcript of his court hearing, which was fascinating to read.  He was sentenced to 70 months (and has already appealed to the 5th circuit.)  Most of the court documents referred to “Bitcoin Exchange 1” — but the transcript names Coinbase 84 times!  I think they deserve a lot of the credit for making this case possible through their strict KYC implementation!

Subpoenas asking for “who has been sending money to these 221 bitcoin wallets?” is where they got their hitlist of 337 site users who were arrested.  They including pedophiles residing in Alabama, Arkansas, California, Connecticut, Florida, Georgia, Kansas, Louisiana, Maryland, Massachusetts, Nebraska, New Jersey, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Virginia, Washington State and Washington, D.C. as well as the United Kingdom, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia.  MOST of those users were identified because of the strict “Know Your Customer” rules that reputable bitcoin exchanges are now requiring of their customers. 

As a result of all of the investigations so far, at least 23 underage children were rescued in the US, UK, and Spain!

In ALL of the US cases I pulled court records for, that was the process.  Find a username on the seized server, prove that they had transacted bitcoin from a KYC-friendly exchange, such as Coinbase, then subpoena the bitcoin exchange to see who owned the account.  Coinbase and other reputable Bitcoin Exchanges, requires “strong Know Your Customer” as a means of reducing fraudulent or criminal behavior.  For Coinbase, that includes a drivers license scan, and a response to both an email and an SMS message to confirm that they know your real email and real telephone number.  For the accounts found, they could then check the Korean server to see which user had made a payment at that time and date, and how much activity they had on the server.  Then law enforcement would either confront the pedophile or conduct a search warrant to get confirmation of the evidence from the customer.  Priority was placed on anyone who seemed to be CREATING the content, or who had previous related charges.

Michael Ezeagbor was found to have used the identity “mikeexp1” on the site.  He had earned points by uploading 10 videos, and had downloaded 42 videos.  He paid 0.1 BTC on Jan 29, 2016 (which at the time was only $38.)  The Bitcoin exchange he used provided his DOB, SSN, address, and a Yahoo email account.  He had bought the bitcoin on the exchange using his A+ FCU account.

Eric Wagner paid 0.06 BTC on November 5, 2016 (about $43 at the time).  He had downloaded 40 videos and uploaded 84 videos.  His bitcoin exchange revealed his email was “wagnered@comcast.net” and he was using a DFCU debit card which matched the name, address, and SSN on file with the bitcoin exchange.

Brian James LaPrath was identified in the same way.  Because he had NOT uploaded, choosing just to pay, and had downloaded very little, he was allowed to plea to money laundering, although he is doing probation with sex offender style limitations in place.

The most troubling case I reviewed was that of Nicholas Stengel who had PREVIOUSLY been arrested for possession of child pornography and had served 41 months, followed by 36 months supervised release.  His supervised release included all of the above, and more.  He relapsed during that time, refusing to take his court ordered polygraph, and was charged with using a computer in violation of his parole to seek child pornography and with public masturbation.  In his first case he was charged with possessing 79,335 images and 230 videos.  When an HSI Cybercrime Special Agent hit his door with a warrant, Stengel’s wife stalled the agents at the door while Stengel got into his bathtub with a knife and slit his own wrists and throat!  He was given emergency medical care, but now found to possess 805,457 images and 6,884 videos!

Stengel attempts suicide during his search warrant

Several others who were charged with PRODUCING child sexual exploitation imagery to upload to the site were listed in The Daily Mail’s story on the case:

Paul Casey Whipple, 35, of Hondo, Texas, a U.S. Border Patrol Agent, was arrested in the Western District of Texas, on charges of sexual exploitation of children/minors, production, distribution, and possession of child pornography. Whipple remains in custody awaiting trial in San Antonio

Michael Lawson, 36, of Midland, Georgia, was arrested in the Middle District of Georgia on charges of attempted sexual exploitation of children and possession of child pornography. He was sentenced to serve 121 months in prison followed by 10 years of supervised release following his plea to a superseding information charging him with one count of receipt of child pornography

Nader Hamdi Ahmed, 29 of Jersey City, New Jersey, was arrested in the District of New Jersey, for sexual exploitation or other abuse of children. Ahmed pleaded guilty to an information charging him with one count of distribution of child pornography. He is scheduled to be sentenced Oct. 1, 2019

Jeffrey Lee Harris, 32, of Pickens, South Carolina, pleaded guilty in the District of South Carolina for producing, distributing, and possessing child pornography

Nikolas Bennion Bradshaw, 24, of Bountiful, Utah, was arrested in the State of Utah, and charged with five counts of sexual exploitation of a minor, and was sentenced to time served with 91 days in jail followed by probation;


*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2019/10/welcome-to-video-raid-leads-to-337.html