They believed their payments could not be tracked. This couldn’t have been further from the truth. An untold story of how Bitcoin’s anonymity was shattered.
CONTENT WARNING: The story told here includes references to suicide and child abuse, though the abuse is not graphically described.
EARLY ONE FALL morning in 2017, Chris Janczewski stood alone inside the doorway of a suburban home he had not been invited into.
Moments earlier, armed Homeland Security Investigations agents in ballistic vests had taken up positions around the tidy two-story brick house, banged on the front door, and when a member of the family living there opened it, swarmed inside. Janczewski, an Internal Revenue Service criminal investigator, followed quietly behind. Now he found himself in the entryway, in the eye of a storm of activity, watching the agents search the premises and seize electronic devices.
This story is excerpted from the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, available November 15, 2022, from Doubleday.
They separated the family, putting the father, an assistant principal at the local high school and the target of their investigation, in one room; his wife in another; the two kids into a third. An agent switched on a TV and put on Mickey Mouse Clubhouse in an attempt to distract the children from the invasion of their home and the interrogation of their parents.
Janczewski had come along on this raid only as an observer, a visitor flown in from Washington, DC, to watch and advise the local Homeland Security team as it executed its warrant. But it had been Janczewski’s investigation that brought the agents here, to this average-looking house with its well-kept yard among all the average-looking houses they could have been searching, anywhere in America. He had led them there based on a strange, nascent form of evidence. Janczewski had followed the links of Bitcoin’s blockchain, pulling on that chain until it connected this ordinary home to an extraordinarily cruel place on the internet—and then connected that place to hundreds more men around the world. All complicit in the same massive network of unspeakable abuse. All now on Janczewski’s long list of targets.
Over the previous few years, Janczewski, his partner Tigran Gambaryan, and a small group of investigators at a growing roster of three-letter American agencies had used this newfound technique, tracing a cryptocurrency that once seemed untraceable, to crack one criminal case after another on an unprecedented, epic scale. But those methods had never led them to a case quite like this one, in which the fate of so many people, victims and perpetrators alike, seemed to hang on the findings of this novel form of forensics. That morning’s search in the suburb near Atlanta was the first moment when those stakes became real for Janczewski. It was, as he would later put it, “a proof of concept.”
From where Janczewski was positioned at the front of the house, he could hear the Homeland Security agents speaking to the father, who responded in a broken, resigned voice. In another room, he overheard the agents questioning the man’s wife; she was answering that, yes, she’d found certain images on her husband’s computer, but he’d told her he had downloaded them by accident when he was pirating music. And in the third room he could hear the two grade-school-age children—kids about as old as Janczewski’s own—watching TV. They asked for a snack, seemingly oblivious to the tragedy unfolding for their family.
Janczewski remembers the gravity of the moment hitting him: This was a high school administrator, a husband and a father of two. Whether he was guilty or innocent, the accusations this team of law enforcement agents were leveling against him—their mere presence in his home—would almost certainly ruin his life.
Janczewski thought again of the investigative method that had brought them there like a digital divining rod, revealing a hidden layer of illicit connections underlying the visible world. He hoped, not for the last time, that it hadn’t led him astray.
ON A SUMMER’S day in London a few months earlier, a South Africa-born tech entrepreneur named Jonathan Levin had walked into the unassuming brick headquarters of the UK’s National Crime Agency—Britain’s equivalent to the FBI—on the south bank of the Thames. A friendly agent led him to the building’s second floor and through the office kitchen, offering him a cup of tea. Levin accepted, as he always did on visits to the NCA, leaving the tea bag in.
The two men sat, cups in hand, at the agent’s desk in a collection of cubicles. Levin was there on a routine customer visit, to learn how the agent and his colleagues were using the software built by the company he’d cofounded. That company, Chainalysis, was the world’s first tech firm to focus solely on a task that a few years earlier might have sounded like an oxymoron: tracing cryptocurrency. The NCA was one of dozens of law enforcement agencies around the world that had learned to use Chainalysis’ software to turn the digital underworld’s preferred means of exchange into its Achilles’ heel.
When Bitcoin first appeared in 2008, one fundamental promise of the cryptocurrency was that it revealed only which coins reside at which Bitcoin addresses—long, unique strings of letters and numbers—without any identifying information about those coins’ owners. This layer of obfuscation created the impression among many early adherents that Bitcoin might be the fully anonymous internet cash long awaited by libertarian cypherpunks and crypto-anarchists: a new financial netherworld where digital briefcases full of unmarked bills could change hands across the globe in an instant.
Satoshi Nakamoto, the mysterious inventor of Bitcoin, had gone so far as to write that “participants can be anonymous” in an early email describing the cryptocurrency. And thousands of users of dark-web black markets like Silk Road had embraced Bitcoin as their central payment mechanism. But the counterintuitive truth about Bitcoin, the one upon which Chainalysis had built its business, was this: Every Bitcoin payment is captured in its blockchain, a permanent, unchangeable, and entirely public record of every transaction in the Bitcoin network. The blockchain ensures that coins can’t be forged or spent more than once. But it does so by making everyone in the Bitcoin economy a witness to every transaction. Every criminal payment is, in some sense, a smoking gun in broad daylight.
Within a few years of Bitcoin’s arrival, academic security researchers—and then companies like Chainalysis—began to tear gaping holes in the masks separating Bitcoin users’ addresses and their real-world identities. They could follow bitcoins on the blockchain as they moved from address to address until they reached one that could be tied to a known identity. In some cases, an investigator could learn someone’s Bitcoin addresses by transacting with them, the way an undercover narcotics agent might conduct a buy-and-bust. In other cases, they could trace a target’s coins to an account at a cryptocurrency exchange where financial regulations required users to prove their identity. A quick subpoena to the exchange from one of Chainalysis’ customers in law enforcement was then enough to strip away any illusion of Bitcoin’s anonymity.
Chainalysis had combined these techniques for de-anonymizing Bitcoin users with methods that allowed it to “cluster” addresses, showing that anywhere from dozens to millions of addresses sometimes belonged to a single person or organization. When coins from two or more addresses were spent in a single transaction, for instance, it revealed that whoever created that “multi-input” transaction must have control of both spender addresses, allowing Chainalysis to lump them into a single identity. In other cases, Chainalysis and its users could follow a “peel chain”—a process analogous to tracking a single wad of cash as a user repeatedly pulled it out, peeled off a few bills, and put it back in a different pocket. In those peel chains, bitcoins would be moved out of one address as a fraction was paid to a recipient and then the remainder returned to the spender at a “change” address. Distinguishing those change addresses could allow an investigator to follow a sum of money as it hopped from one address to the next, charting its path through the noise of Bitcoin’s blockchain.
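The two clustering ideas in this passage can be made concrete in a short sketch. This is an added example, not Chainalysis' code or anything from the book: the transactions, addresses and amounts are constructed, and the change-address rule (exactly two outputs, exactly one of them never seen before) is a simplified assumption.

```python
from collections import defaultdict


class UnionFind:
    """Disjoint-set structure used to merge addresses into one owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed sample data in chronological order (not real blockchain data).
# Funding transactions for some addresses are omitted for brevity; amounts are
# shown for realism only and are not used by the heuristics.
TXS = [
    {"txid": "t0", "inputs": ["ex1"],
     "outputs": [("shop1", 0.2), ("shop2", 0.2), ("w1", 5.0)]},
    {"txid": "t1", "inputs": ["w1"],            # peel: pay shop1, keep the rest
     "outputs": [("shop1", 0.5), ("w2", 4.5)]},
    {"txid": "t2", "inputs": ["w2"],            # peel: pay shop2, keep the rest
     "outputs": [("shop2", 0.3), ("w3", 4.2)]},
    {"txid": "t3", "inputs": ["w3", "w9"],      # multi-input spend
     "outputs": [("site1", 1.0), ("w4", 3.2)]},
    {"txid": "t4", "inputs": ["site1", "site2", "site3"],  # sweep before cash-out
     "outputs": [("cashout", 2.9)]},
]


def find_change(tx, seen):
    """Return the likely change address, or None when the rule cannot decide."""
    outs = [addr for addr, _amount in tx["outputs"]]
    if len(outs) != 2:
        return None
    fresh = [a for a in outs if a not in seen]
    # Both outputs new (or neither): ambiguous, so do not guess.
    return fresh[0] if len(fresh) == 1 else None


def cluster_addresses(txs):
    """Apply the multi-input and change-address heuristics to ordered txs."""
    uf, seen, change_of = UnionFind(), set(), {}
    for tx in txs:
        ins = tx["inputs"]
        uf.find(ins[0])
        for addr in ins[1:]:
            uf.union(ins[0], addr)        # co-spent inputs share an owner
        change = find_change(tx, seen)
        if change is not None:
            uf.union(ins[0], change)      # change returns to the spender
            change_of[tx["txid"]] = change
        seen.update(ins)
        seen.update(addr for addr, _amount in tx["outputs"])
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [g for g in groups.values() if len(g) > 1], change_of


def follow_peel_chain(txs, start, change_of):
    """Hop from an address to each successive change address."""
    spends = {}
    for tx in txs:
        for addr in tx["inputs"]:
            spends.setdefault(addr, tx)   # first transaction spending addr
    path, current = [start], start
    while current in spends:
        nxt = change_of.get(spends[current]["txid"])
        if nxt is None:
            break                         # heuristic abstained: trail ends here
        path.append(nxt)
        current = nxt
    return path


if __name__ == "__main__":
    clusters, change_of = cluster_addresses(TXS)
    for members in clusters:
        print(sorted(members))
    print(follow_peel_chain(TXS, "w1", change_of))
```

In the sample, the sweep transaction `t4` ties the three `site` addresses together, while `t3` shows the change rule abstaining because both of its outputs are new.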
Thanks to tricks like these, Bitcoin had turned out to be practically the opposite of untraceable: a kind of honeypot for crypto criminals that had, for years, dutifully and unerasably recorded evidence of their dirty deals. By 2017, agencies like the FBI, the Drug Enforcement Agency, and the IRS’s Criminal Investigation division (or IRS-CI) had traced Bitcoin transactions to carry out one investigative coup after another, very often with the help of Chainalysis.
The cases had started small and then gained a furious momentum. Investigators had traced the transactions of two corrupt federal agents to show that, before the 2013 takedown of Silk Road, one had stolen bitcoins from that dark-web market and another had sold law enforcement intel to its creator, Ross Ulbricht. Next they tracked down half a billion dollars of bitcoins stolen from the Mt. Gox exchange and showed that the proceeds had been laundered by the Russian administrator of another crypto exchange, BTC-e, eventually locating the exchange’s servers in New Jersey. And finally, they followed bitcoin trails to nail down the identity of the founder of AlphaBay, a dark-web market that had grown to 10 times the size of Silk Road. (In fact, even as Levin was sitting in London talking to the NCA agent, a coalition of half a dozen law enforcement agencies was converging in Bangkok to arrest AlphaBay’s creator.)
Levin was, as always, on the lookout for Chainalysis’ next big investigation. After running through a few open cases with him, the NCA agent mentioned an ominous site on the dark web that had recently come onto the agency’s radar. It was called Welcome to Video.
The NCA had stumbled across the site in the midst of a horrific case involving an offender named Matthew Falder. An academic based in Manchester, England, Falder would pose as a female artist and solicit nude photos from strangers on the internet, then threaten to share those images with family or friends unless the victims recorded themselves carrying out increasingly demeaning and depraved acts. Ultimately he’d force his victims to commit self-harm and even sexually abuse others on camera. By the time he was arrested, he had targeted 50 people, at least three of whom had attempted suicide.
On Falder’s computers, the NCA had found he was a registered user of Welcome to Video, a criminal enterprise that, by its sheer scale, put even Falder’s atrocities in the shade. This evidentiary lead had then wended its way from the NCA’s child exploitation investigations team to the computer crime team, including the cryptocurrency-focused agent at whose desk Levin now sat. Welcome to Video, it seemed, was among the rare sites that sold access to clips of child sexual abuse in exchange for bitcoin. It was clear at a glance that its library of images and videos was uncommonly large, and it was being accessed—and frequently refreshed with brand-new material—by a sprawling user base around the globe.
Sometimes known as “child pornography,” the class of imagery that was trafficked on Welcome to Video has increasingly come to be called “child sexual abuse material” by child advocates and law enforcement, so as to strip away any doubt that it involves acts of violence against kids. CSAM, as it is usually abbreviated, had for years represented a massive undercurrent of the dark web, the collection of thousands of websites protected by anonymity software like Tor and I2P. Those anonymity tools, used by millions of people around the world seeking to avoid online surveillance, had also come to serve as the shadow infrastructure for an abhorrent network of abuse, which very often foiled law enforcement’s attempts to identify CSAM sites’ visitors or administrators.
The NCA agent showed Levin a Bitcoin address that the agency had determined was part of Welcome to Video’s financial network. Levin suggested they load it in Chainalysis’ crypto-tracing software tool, known as Reactor. He set down his cup of tea, pulled his chair up to the agent’s laptop, and began charting out the site’s collection of addresses on the Bitcoin blockchain, representing the wallets where Welcome to Video had received payments from thousands of customers.
He was taken aback by what he saw: Many of this child abuse site’s users—and, by all appearances, its administrators—had done almost nothing to obscure their cryptocurrency trails. An entire network of criminal payments, all intended to be secret, was laid bare before him.
Over the years, Levin had watched as some dark-web operators wised up to certain of his firm’s crypto-tracing tricks. They would push their money through numerous intermediary addresses or “mixer” services designed to throw off investigators, or use the cryptocurrency Monero, designed to be far harder to track. But looking at the Welcome to Video cluster in the NCA office that day, Levin could immediately see that its users were far more naive. Many had simply purchased bitcoins from cryptocurrency exchanges and then sent them directly from their own wallets into Welcome to Video’s.
The contents of the website’s wallets, in turn, had been liquidated at just a few exchanges—Bithumb and Coinone in South Korea, Huobi in China—where they were converted back into traditional currency. Someone seemed to be continually using large, multi-input transactions to gather up the site’s funds and then cash them out. That made it easy work for Reactor to instantly and automatically cluster thousands of addresses, determining that they all belonged to a single service—which Levin could now label in the software as Welcome to Video. What’s more, Levin could see that the constellation of exchanges surrounding and connected to that cluster likely held the data necessary to identify a broad swath of the site’s anonymous users—not simply who was cashing out bitcoins from the site, but who was buying bitcoins to put into it. The blockchain links between Welcome to Video and its customers were some of the most clearly incriminating connections that Levin had ever witnessed.
These child sexual abuse consumers seemed to be wholly unprepared for the modern state of financial forensics on the blockchain. By the standards of the cat-and-mouse game Levin had played for years, Welcome to Video was like a hapless rodent that had never encountered a predator.
As he sat in front of the NCA agent’s laptop, it dawned on Levin, perhaps more clearly than ever before, that he was living in a “golden age” of cryptocurrency tracing—that blockchain investigators like those at Chainalysis had gained a significant lead over those they were targeting. “We’ve created something extremely powerful, and we’re a step ahead of these types of operators,” he remembers thinking. “You’ve got a heinous crime, a terrible thing happening in the world, and in an instant our technology has broken through and revealed in very clear logic who’s behind it.”
Seeing that someone was cashing out the majority of Welcome to Video’s revenues through the two exchanges in South Korea, Levin could already guess that the administrator was very likely located there. Many of the site’s users seemed to be paying the site directly from the addresses where they’d purchased the coins, on exchanges like Coinbase and Circle, based in the United States. Taking down this global child abuse network might only require getting another law enforcement agency in either the US or Korea involved, one that could demand identifying details from those exchanges. And Levin had just the agency in mind.
“I have some people who would be interested,” he told his NCA host.
But first, as he prepared to leave, Levin silently memorized the first five characters of the Welcome to Video address the agent had shown him. Chainalysis’ Reactor software included a feature that could autocomplete Bitcoin addresses based on their first few unique numbers or letters. Five would be enough—a single short password to unlock the living map of a global criminal conspiracy.
IT WAS EVENING in Thailand when Levin spoke with Chris Janczewski and Tigran Gambaryan. That night in early July 2017, the two IRS Criminal Investigation special agents were sitting in Bangkok’s Suvarnabhumi Airport, stewing over the frustration of being sidelined from the biggest dark-web market takedown in history.
The IRS, by 2017, had come to possess some of the most adept cryptocurrency tracers in the US government. It was Gambaryan, in fact, who had traced the bitcoins of the two corrupt agents in the Silk Road investigations and then cracked the BTC-e money laundering case. Working with Levin, Gambaryan had even tracked down the AlphaBay server, locating it at a data center in Lithuania.
Yet when Gambaryan and Janczewski had come to Bangkok for the arrest of AlphaBay’s administrator, the French-Canadian Alexandre Cazes, they had been largely excluded from the inner circle of DEA and FBI agents who ran the operation. They hadn’t been invited to the scene of Cazes’ arrest, or even to the office where other agents and prosecutors watched a video livestream of the takedown.
For Gambaryan and Janczewski, the story was utterly typical. IRS-CI agents did shoe-leather detective work, carried guns, and made arrests, just like their FBI and DEA counterparts. But because of the IRS’s dowdy public image, they often found that fellow agents treated them like accountants. “Don’t audit me,” their peers from other law enforcement branches would joke when they were introduced in meetings. Most IRS-CI agents had heard the line enough times that it warranted an instant eye roll.
At loose ends in Bangkok, Gambaryan and Janczewski spent much of their time idly contemplating what their next case should be, browsing through Chainalysis’ blockchain-tracing software Reactor to brainstorm ideas. Dark-web markets like AlphaBay seemed to have been reduced to a shambles by the Thailand operation, and they’d take months or even years to recover. The agents considered taking on a dark-web gambling site. But illegal online casinos hardly seemed worth their attention.
On the day of their departure from Thailand, Gambaryan and Janczewski arrived at the airport only to find that their flight to DC was badly delayed. Stuck in the terminal with hours to kill, they sat half-awake and bored, literally staring at the wall. To pass the hours, Gambaryan decided to try calling Chainalysis’ Levin to discuss next cases. When Levin picked up the phone, he had news to share. He’d been looking into a website that didn’t fit among the IRS’s usual targets but that he hoped they’d be willing to check out: Welcome to Video.
Child sexual exploitation cases had traditionally been the focus of the FBI and Homeland Security Investigations, certainly not the IRS. In part, that was because child sexual abuse images and videos were most often shared without money changing hands, in what investigators described as a “baseball card trading” system—which put them outside the IRS’s domain. Welcome to Video was different. It had a money trail, and it seemed to be a very clear one.
Soon after they arrived back in DC, Gambaryan and Janczewski enlisted a technical analyst named Aaron Bice from a contract technology firm called Excygent, with whom they’d investigated the crypto exchange BTC-e. Together, they charted out Welcome to Video in Reactor and saw what Levin had recognized right away: how glaringly it presented itself as a target. Its entire financial anatomy was laid before them, thousands of clustered bitcoin addresses, many with barely concealed pay-ins and cash-outs at exchanges they knew they could squeeze for identifying information. It did indeed look, as Levin said, like “a slam dunk.” In short order, Janczewski brought the case to Zia Faruqui, a federal prosecutor, who was instantly sold on the idea of taking on Welcome to Video and formally opened an investigation.
Gambaryan, Janczewski, Bice, and Faruqui made an unlikely team to focus on busting a massive child exploitation network. Janczewski was a tall Midwestern agent with a square jaw, like a hybrid of Sam Rockwell and Chris Evans, who wore horn-rimmed glasses when looking at a computer screen. He’d been recruited to the DC computer crimes team from the IRS office in Indiana after proving his mettle in a grab bag of counterterrorism, drug trafficking, government corruption, and tax evasion cases. Bice was an expert in data analysis and was, as Janczewski described his computer skills, “part robot.” Faruqui was a seasoned assistant US attorney with a long history of national security and money laundering prosecutions. He had an almost manic focus and intensity, spoke in a comically rapid patter, and, it seemed to his colleagues, barely slept. And then there was Gambaryan, an agent with buzzed hair and a trim beard who by 2017 had made a name for himself as the IRS’s cryptocurrency whisperer and dark-web specialist. Faruqui called him “Bitcoin Jesus.”
Yet none of the four had ever worked a child sexual exploitation case. They had no training in handling images and videos of child abuse, whose mere possession, in the hands of normal Americans, represented a felony. They had never even seen these sorts of radioactively disturbing materials, and they had no emotional or psychological preparation for the graphic nature of what they were about to be exposed to.
Still, when the two agents showed Faruqui what they saw in the blockchain, the prosecutor was undeterred by their collective inexperience in the realm of child exploitation. As an attorney who focused on money-laundering cases, he saw no reason why, with the evidence of criminal payments Janczewski and Gambaryan had handed him, they couldn’t approach Welcome to Video as, fundamentally, a financial investigation.
“We’re going to treat this case like we would any other,” he said. “We are going to investigate this by following the money.”
WHEN JANCZEWSKI AND Gambaryan first copied the unwieldy web address, mt3plrzdiyqf6jim.onion, into their Tor browsers, they were greeted by a bare-bones site with only the words “Welcome to video” and a login prompt, a minimalism Janczewski compared to the Google homepage. They each registered a username and password and entered.
Past that first greeting page, the site displayed a vast, seemingly endless collection of video titles and thumbnails, arrayed in squares of four stills per video, apparently chosen automatically from the files’ frames. Those small images were a catalog of horrors: scene after scene of children being sexually abused and raped.
The agents had steeled themselves to see these images, but they were still unprepared for the reality. Janczewski remembers the blank shock he felt at the parade of thumbnails alone, the way his brain almost refused to accept what it was seeing. He found that the site had a search page with the misspelled words “Serach videos” written at the top of it. Below the search field, it listed popular keywords users had entered. The most popular was an abbreviation for “one-year-old.” The second most popular was an abbreviation for “two-year-old.”
Janczewski at first thought he must have misunderstood. He had expected to see recordings of the sexual abuse of young teenagers, or perhaps preteens. But as he scrolled, he found, with mounting revulsion and sadness, that the site was heavily populated with videos of abuse of toddlers and even infants.
“This is a thing, really? No,” Janczewski says, numbly recounting his reactions as he first browsed the site. “Oh, there’s this many videos on here? No. This can’t be real.”
The two agents knew that, at some point, they would have to actually watch at least some of the advertised videos. But, mercifully, on their first visits to the site they couldn’t access them; to do so, they’d have to pay bitcoins to an address the site provided to each registered user, where they could purchase “points” that could then be traded for downloads. And since they weren’t undercover agents, they didn’t have the authorization to buy those points—nor were they particularly eager to.
At the bottom of several pages of the site was a copyright date: March 13, 2015. Welcome to Video had already been online for more than two years. Even at a glance, it was clear that it had grown into one of the biggest repositories of child sexual abuse videos that law enforcement had ever encountered.
As Janczewski and Gambaryan analyzed the site’s mechanics, they saw that users could obtain points not just by purchasing them but also by uploading videos. The more those videos were subsequently downloaded by other users, the more points they would earn. “Do not upload adult porn,” the upload page instructed, the last two words highlighted in red for emphasis. The page also warned that uploaded videos would be checked for uniqueness; only new material would be accepted—a feature that, to the agents, seemed expressly designed to encourage more abuse of children.
The element of the site that Gambaryan found most unnerving of all, though, was a chat page, where users could post comments and reactions. It was filled with posts in all languages, offering a hint at the international reach of the site’s network. Much of the discussion struck Gambaryan as chillingly banal—the kind of casual commentary one might find on an ordinary YouTube channel.
Gambaryan had hunted criminals of all stripes for years now, from small-time fraudsters to corrupt federal law enforcement colleagues to cybercriminal kingpins. He usually felt he could fundamentally understand his targets. Sometimes, he’d even felt sympathy for them. “I’ve known drug dealers who are probably better human beings than some white-collar tax evaders,” he mused. “I could relate to some of these criminals. Their motivation is just greed.”
But now he’d entered a world where people were committing atrocities that he didn’t understand, driven by motivations that were entirely inaccessible to him. After a childhood in war-torn Armenia and post-Soviet Russia and a career delving into the criminal underworld, he considered himself to be familiar with the worst that people were capable of. Now he felt he had been naive: His first look at Welcome to Video exposed and destroyed a hidden remnant of his idealism about humanity. “It killed a little bit of me,” Gambaryan says.
AS SOON AS they had seen firsthand what Welcome to Video truly represented, Gambaryan and Janczewski understood that the case warranted an urgency that went beyond that of even a normal dark-web investigation. Every day the site spent online, it enabled more child abuse.
Gambaryan and Janczewski knew their best leads still lay in the blockchain. Crucially, the site didn’t seem to have any mechanism for its customers to pull money out of their accounts. There was only an address to which they could pay for credits on the site; there didn’t even seem to be a moderator to ask for a refund. That meant that all the money they could see flowing out of the site—more than $300,000 worth of bitcoins at the time of the transactions—would almost certainly belong to the site’s administrators.
Gambaryan began reaching out to his contacts in the Bitcoin community, looking for staff at exchanges who might know executives at the two Korean exchanges, Bithumb and Coinone, into which most of Welcome to Video’s money had been cashed out, as well as one US exchange that had received a small fraction of the funds. He found that the mere mention of child exploitation seemed to evaporate the cryptocurrency industry’s usual resistance to government intervention. “As libertarian as you want to be,” Gambaryan says, “this is where everybody kind of drew the line.” Even before he sent a formal legal request or subpoena, staff at all three exchanges were ready to help. They promised to get him account details for the addresses he had pulled from Reactor as soon as they could.
In the meantime, Gambaryan continued to investigate the Welcome to Video site itself. After registering an account on the site, he thought to try a certain basic check of its security—a long shot, he figured, but it wouldn’t cost anything. He right-clicked on the page and chose “View page source” from the resulting menu. This would give him a look at the site’s raw HTML before it was rendered by the Tor Browser into a graphical web page. Looking at a massive block of code, anyway, certainly beat staring at an infinite scroll of abject human depravity.
He spotted what he was looking for almost instantly: an IP address. In fact, to Gambaryan’s surprise, every thumbnail image on the site seemed to display, within the site’s HTML, the IP address of the server where it was physically hosted: 22.214.171.124. He copied those 11 digits into his computer’s command line and ran a basic traceroute function, following its path across the internet back to the location of that server.
Incredibly, the results showed that this computer wasn’t obscured by Tor’s anonymizing network at all; Gambaryan was looking at the actual, unprotected address of a Welcome to Video server. Confirming Levin’s initial hunch, the site was hosted on a residential connection of an internet service provider in South Korea, outside of Seoul.
Welcome to Video’s administrator seemed to have made a rookie mistake. The site itself was hosted on Tor, but the thumbnail images it assembled on its homepage appeared to be pulled from the same computer without routing the connection through Tor, perhaps in a misguided attempt to make the page load faster.
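The page-source check described above amounts to listing every resource a page loads from a host other than its own onion address. The sketch below is an added example, not a tool used in the investigation; the onion names, the documentation-range IP address 203.0.113.7 and the HTML are constructed placeholders.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that can cause a browser to fetch or navigate to a URL.
URL_ATTRS = {"src", "href", "poster", "action"}

# Constructed sample page (placeholder hosts, not taken from any real site).
PAGE_URL = "http://exampleonionaddress.onion/index.html"
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png">
<img src="http://203.0.113.7/thumbs/0001.jpg">
<img src="//203.0.113.7/thumbs/0002.jpg">
<script src="http://cdn.example.com/lib.js"></script>
<a href="http://otherexampleonionaddress.onion/">mirror</a>
<img src="data:image/png;base64,AAAA">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs from URL-bearing attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value))


def classify_host(host):
    """Label a host as an onion name, a raw IP address, or a clearnet name."""
    if host.endswith(".onion"):
        return "onion"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "clearnet-name"


def find_offsite_resources(page_url, html):
    """Return every referenced resource whose host differs from the page's."""
    page_host = urlsplit(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.urls:
        absolute = urljoin(page_url, raw)   # resolves relative and // URLs
        host = urlsplit(absolute).hostname
        if host is None or host == page_host:
            continue                        # data: URIs and same-host paths
        findings.append({"tag": tag, "url": absolute, "host": host,
                         "kind": classify_host(host)})
    return findings


def clearnet_leaks(page_url, html):
    """Offsite resources that are not served from an onion address."""
    return [f for f in find_offsite_resources(page_url, html)
            if f["kind"] != "onion"]


if __name__ == "__main__":
    for finding in clearnet_leaks(PAGE_URL, SAMPLE_HTML):
        print(finding["kind"], finding["tag"], finding["url"])
```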
Gambaryan couldn’t help it: Sitting in front of his computer screen in his DC cubicle, staring at the revealed location of a website administrator whose arrest he could feel drawing closer, the agent started to laugh.
JANCZEWSKI WAS AT a firing range in Maryland, waiting his turn in a marksmanship exercise, when he got an email from the American cryptocurrency exchange his team had subpoenaed. It contained identifying information on the suspected Welcome to Video administrator who had cashed out the site’s earnings there.
The email’s attachments showed a middle-aged Korean man with an address outside of Seoul—exactly corroborating the IP address Gambaryan had found. The documents even included a photo of the man holding up his ID, apparently to prove his identity to the American exchange.
For a moment, Janczewski felt as though he were looking at Welcome to Video’s administrator face-to-face. But he remembers thinking that something was off: The man in the picture had noticeably dirty hands, with soil under his fingernails. He looked more like a farm worker than the hands-on-keyboard type he’d expected to be running a site on the dark web.
Over the next days, as the other exchanges fulfilled their subpoenas, the answer began to come into focus. One Korean exchange and then the other sent Gambaryan documents on the men who controlled Welcome to Video’s cash-out addresses. They named not just that one middle-aged man but also a much younger male, 21 years old, named Son Jong-woo. The two men listed the same address and shared the same family name. Were they father and son?
The agents believed they were closing in on the site’s administrators. But they had come to understand that merely taking down the site or arresting its admins would hardly serve the interests of justice. The constellation of Bitcoin addresses that Welcome to Video had generated on the blockchain laid out a vast, bustling nexus of both consumers and—far more importantly—producers of child sexual abuse materials.
By this point, Faruqui had brought on a team of other prosecutors to help, including Lindsay Suttenberg, an assistant US attorney with expertise in child exploitation cases. She pointed out that even taking the site offline shouldn’t necessarily be their first priority. “You cannot let a child be raped while you go and try to take down a server in South Korea,” as Faruqui summed up her argument.
The team began to realize that, as simple as this “slam dunk” case had seemed at first, after the easy identification of the site’s admins, it was actually overwhelming in its complexity. They would need to follow the money not to just one or two web administrators in Korea, but also from that central point to hundreds of potential suspects—both active abusers and their complicit audience of enablers—around the entire globe.
Gambaryan’s right-click discovery of the site’s IP address and the quick cooperation from crypto exchanges had been lucky breaks. The real work still lay ahead.
JUST TWO WEEKS after Levin passed along his tip, the team of IRS-CI agents and prosecutors knew almost exactly where Welcome to Video was hosted. But they also knew they’d need help to go further. They had neither connections to the Korean National Police Agency—which had a reputation for formality and impenetrable bureaucracy—nor the resources to arrest what could be hundreds of the site’s users, an operation that would require far more personnel than the IRS could muster.
Faruqui suggested they bring Homeland Security Investigations in on the case, partnering with a certain field office across the country, in Colorado Springs. He’d chosen that agency and its far-flung outpost because of a specific agent there whom he’d worked with in the past, an investigator named Thomas Tamsi. Faruqui and Tamsi had together unraveled a North Korean arms trading operation a year earlier, one that had sought to smuggle weapon components through South Korea and China. In the course of that investigation, they’d flown to Seoul to meet with the Korean National Police, where, after some introductions by an HSI liaison there, they spent an evening with Korean officers drinking and singing karaoke.
At a particularly memorable point in the night, the Korean agents had been ribbing the US team for their alleged hot-dog-and-hamburger diets. One agent mentioned sannakji, a kind of small octopus that some Koreans eat not merely raw but alive and writhing. Tamsi had gamely responded that he’d try it.
A few minutes later, a couple of the Korean agents had brought to the table a fist-sized, living octopus wrapped around a chopstick. Tamsi put the entire squirming cephalopod in his mouth, chewed, and swallowed, even as its tentacles wriggled between his lips and black ink dripped from his face onto the table. “It was absolutely horrible,” Tamsi says.
The Koreans found this hilarious. Tamsi gained near-legendary status within certain circles of the Korean National Police, where he was thereafter referred to as “Octopus Guy.”
Like most of their group, Tamsi had no experience in child exploitation cases. He had never even worked on a cryptocurrency investigation. But Faruqui insisted that to make inroads in Korea, they needed Octopus Guy.
NOT LONG AFTERWARD, Tamsi and a fellow HSI agent authorized for undercover operations flew to Washington, DC. They rented a conference room in a hotel, and as Janczewski watched, the undercover agent logged on to Welcome to Video, paid a sum of bitcoins, and began downloading gigabytes of videos.
The strange choice of location—a hotel rather than a government office—was designed to better mask the agent’s identity, in case Welcome to Video could somehow track its users despite Tor’s protection, and also so that, when it came time to prosecute, the DC attorney’s office would be given jurisdiction. (The HSI agent did, at least, use a Wi-Fi hot spot for his downloading, to avoid siphoning the web’s most toxic content over the hotel’s network.)
As soon as the undercover agent’s work was complete, they shared the files with Janczewski, who, along with Lindsay Suttenberg, would spend the following weeks watching the videos, cataloging any clues they could find to the identities of the people involved while also saturating their minds with enough images of child abuse to fill anyone’s nightmares for the rest of their lives.
Suttenberg’s years as a child exploitation prosecutor had left her somewhat desensitized; she would find that other attorneys on the team couldn’t stand to even hear her describe the contents of the videos, much less watch them. “They would ask me to stop talking, to put it in writing,” she remembers, “and then they’d tell me that was even worse.”
Janczewski, as lead agent on the case, was tasked with putting together an affidavit that would be used in whatever charging document they might eventually bring to court. That meant watching dozens of videos, looking for ones that would represent the most egregious material on the site, and then writing technical descriptions of them for a jury or judge. He compares the experience to a scene from A Clockwork Orange: an unending montage from which he constantly wanted to avert his gaze but was required not to.
He says watching those videos altered him, though in ways he could only describe in the abstract—ways even he’s not sure he fully understands. “There’s no going back,” Janczewski says, vaguely. “Once you know what you know, you can’t unknow it. And everything that you see in the future comes in through that prism of what you now know.”
IN THE FIRST weeks of fall 2017, the team investigating the Welcome to Video network began the painstaking process of tracing every possible user of the site on the blockchain and sending out hundreds of legal requests to exchanges around the world. To help analyze every tendril of Welcome to Video’s cluster of Bitcoin addresses in Reactor, they brought on a Chainalysis staffer named Aron Akbiyikian, an Armenian-American former police officer from Fresno whom Gambaryan knew from childhood and had recommended to Levin.
Akbiyikian’s job was to perform what he called a “cluster audit”—squeezing every possible investigative clue out of the site’s cryptocurrency trails. That meant manually tracing payments back from one prior address to another, until he found the exchange where a Welcome to Video customer had bought their bitcoins—and the identifying information that the exchange likely possessed. Plenty of Welcome to Video’s users had made his job easy. “It was a beautiful clustering in Reactor,” Akbiyikian says. “It was just so clear.” In some cases, he would trace back chains of payments through several hops before the money arrived at an exchange. But for hundreds of users, he says, he could see wallet addresses receive money from exchanges and then put the funds directly into Welcome to Video’s cluster, transactions that had created, as Akbiyikian put it, “leads as clean as you could want.”
As responses from exchanges with those users’ identity information began to pour in, the team started the process of assembling more complete profiles of their targets. They began to collect the names, faces, and photos of hundreds of men—they were almost all men—from all walks of life, everywhere in the world. Their descriptions crossed boundaries of race, age, class, and nationality. All these individuals seemed to have in common was their gender and their financial connection to a worldwide, hidden haven of child abuse.
By this time, the team felt they’d pinned down the site’s Korean administrator with confidence. They’d gotten a search warrant for Son Jong-woo’s Gmail accounts and many of his exchange records, and they could see that he alone seemed to be receiving the cashed-out proceeds from the site—not his father, who increasingly seemed to the investigators like an unwitting participant, a man whose son had hijacked his identity to create cryptocurrency accounts. In Son Jong-woo’s emails, they found photos of the younger man for the first time—selfies he’d taken to show friends where he’d chipped a tooth in a car accident, for instance. He was a thin, unremarkable-looking young Korean man with wide-set eyes and a Beatles-esque mop-top of black hair.
But as their portrait of this administrator took shape, so too did the profiles of the hundreds of other men who had used the site.* A few immediately stuck out to the investigative team: One suspect, to the dismay of Thomas Tamsi and his Homeland Security colleagues, was an HSI agent in Texas. Another, they saw with a different sort of dread, was the assistant principal of a high school in Georgia. The school administrator had posted videos of himself on social media singing duets, karaoke-style, with teenage girls from his school. The videos might otherwise have been seen as innocent. But given what they knew about the man’s Bitcoin payments, agents who had more experience with child exploitation warned Janczewski that they might reflect a form of grooming.
* For several reasons, we’ve chosen not to identify the defendants in the Welcome to Video case by name, with the exception of the site’s administrator. In some instances, at the time of this writing, a defendant’s case had not been fully adjudicated. In other cases, we left out names at the request of prosecutors, to avoid providing information that might inadvertently identify victims. We applied the same standard to the rest, to avoid singling out some offenders while others went unnamed.
These were men in privileged positions of power, with potential access to victims. The investigators could immediately see that, as they suspected, they would need to arrest some of Welcome to Video’s users as quickly as possible, even before they could arrange the takedown of the site. Child exploitation experts had cautioned them that some offenders had systems in place to warn others if law enforcement had arrested or compromised them—code words or dead man’s switches that sent out alerts if they were absent from their computer for a certain period of time. Still, the Welcome to Video investigation team felt they had little choice but to move quickly and take that risk.
Another suspect, around the same time, came onto their radar for a different reason: He lived in Washington, DC. The man’s home, in fact, was just down the street from the US attorneys’ office, near the capital’s Gallery Place neighborhood. He happened to live in the very same apartment building that one of the prosecutors had only recently moved out of.
That location, they realized, might be useful to them. Janczewski and Gambaryan could easily search the man’s home and his computers as a test case. If that proved the man was a Welcome to Video customer, they would be able to charge the entire case in DC’s judicial district, overcoming a key legal hurdle.
As they dug deeper, though, they found that the man was a former congressional staffer and held a high-level job at a prestigious environmental organization. Would arresting or searching the home of a target with that sort of profile cause him to make a public outcry, sinking their case?
Just as they trained their sights on this suspect in their midst, however, they found that he had gone strangely quiet on social media. Someone on the team had the idea to pull his travel records. They found that he had flown to the Philippines and was about to fly back to DC via Detroit.
This discovery led the agents and prosecutors to two thoughts: First, the Philippines was a notorious destination for sex tourism, often of the kind that preyed on children—the HSI office in Manila constantly had its hands full with child exploitation cases. Second, when the man flew back to the US, Customs and Border Protection could legally detain him and demand access to his devices to search for evidence—a bizarre and controversial carve-out in Americans’ constitutional protections that, in this case, might come in handy.
Would their DC-based suspect sound the alarm and tear the lid off their investigation, just as it was getting started?
“Yes, this all had the potential to blow up our case,” Janczewski says. “But we had to act.”
IN LATE OCTOBER, Customs and Border Protection at the Detroit Metropolitan Airport stopped a man disembarking from a plane from the Philippines on his way back to Washington, DC, asking him to step aside and taking him into a secondary screening room. Despite his vehement protests, the border agents insisted on taking his computer and phone before allowing him to leave.
A few days later, on October 25, the prosecutor who had lived in the same DC apartment block as the suspect saw an email from her old building’s management; she’d remained on the distribution list despite having moved out. The email noted that the parking garage ramp in an alley at the back of the tower would be closed that morning. An unnamed resident, it explained, had landed there after jumping to their death from the balcony of their apartment.
The prosecutor put two and two together. The jumper was their Welcome to Video “test case.” Janczewski and Gambaryan immediately drove to the apartment tower and confirmed with management: The very first target of their investigation had just killed himself.
Later that day the two IRS-CI agents returned to the scene of the man’s death with a search warrant. They rode the elevator up to the 11th floor with the building’s manager, who was deeply puzzled as to why the IRS was involved, but wordlessly unlocked the door for them. Inside they found an upscale, moderately messy apartment with high ceilings. There were suitcases still not fully unpacked from a trip. The man had ordered a pizza the night before, and part of it remained uneaten on the table.
Janczewski remembers feeling the somber stillness of the man’s empty home as he imagined the desperate choice he had faced the night before. Looking down 11 floors from the balcony, the agent could see the spot in the alleyway below where the pavement had recently been hosed off.
DC’s metropolitan police offered to show the agents a security cam video of the man falling to his death. They politely declined. The Customs and Border Protection office in Detroit, meanwhile, confirmed that they had searched the computer seized from the man at the airport—some of its storage was encrypted, but other parts were not—and found child exploitation videos, along with surreptitiously recorded videos of adult sex. Their decision to target the man had served its purpose: Their test case had come back positive.
The prosecutors in DC paused their work briefly to meet and acknowledge the surreal shock of the man’s death—their investigation of a site hosted halfway around the world had already led someone to kill themselves, just blocks away. “It was just a reminder of how serious what we were investigating was,” Faruqui says. Still, the group agreed: They couldn’t let the suicide distract them from their work.
“We’ve got to focus on the victims here,” Faruqui remembers them telling each other. “That provides clarity.”
Janczewski says he would have much preferred that the man be arrested and charged. But he had, by this point, been forced to watch hour after hour of child sexual abuse videos. He had put aside his emotions early on in the case, and he had few sympathies to spare for an apparent customer of those materials.
If he felt anything, he admits, it was relief, given the time that the suicide had saved him: They still had hundreds more Welcome to Video customers to pursue.
NEXT ON THEIR list was the high school assistant principal. Just days later, Janczewski flew down to Georgia and joined a tactical team of HSI agents as they carried out their search. For the first time, he came face-to-face with an alleged Welcome to Video client in his own home.
In spite of his stoicism, this second test case affected Janczewski more than the DC target had. The tidy, well-kept brick two-story house. The parents questioned in separate rooms. The kids the same age as Janczewski’s own, watching Mickey Mouse Clubhouse. As he stood in the entryway of that house outside of Atlanta, the full toll of the investigation hit him—the fact that every name on their list was a person with human connections and, in many cases, a family. That even accusing suspects of such an unforgivable crime had an irreversible impact on their lives—that it was “a scarlet letter for someone that just cannot be undone,” as he put it.
Janczewski and the HSI agents stayed at the home long enough to search it, to question the man, and to seize his devices for analysis. In addition to the evidence of the man’s payments for material on Welcome to Video, Faruqui says that the man also admitted to “inappropriately touching” students at his school. The man would later be charged with sexual assault of minors—though he would plead not guilty.
For Janczewski, at least, any last doubts he had felt after his first confrontation with a suspect based on cryptocurrency tracing alone were dispelled in a matter of hours. “At the end of the day, I felt more confident,” he says. “We were correct.” The blockchain had not lied.
THE TEAM WAS steadily working their way through their short list of high-priority Welcome to Video targets and test cases. But in December 2017, they came upon a different sort of lead—one that would scramble their priorities yet again.
As they followed Welcome to Video’s financial trails, investigators had been careful to record the full contents of the site’s chat page, where users were still posting a steady stream of comments against a backdrop of spam and trolling typical of any anonymous web forum. The site seemed to be entirely unmoderated: There was not so much as an admin email or help contact visible anywhere. But Janczewski began to notice repeated messages from one account that seemed to offer the closest thing the site had to that missing help-desk contact: “Contact the admins,” the messages read, “if you want assistance in fixing error.” It included an address on Torbox, a privacy-focused Tor-based email service.
Was this an actual moderator on the site? Or even the administrator himself—the owner of the site, who they now believed to be Son Jong-woo?
As Janczewski tried to decipher who was behind those messages, he checked the username before the “@” in the Torbox address, a unique-looking string of six characters, to see if it matched a user on Welcome to Video. Sure enough, he found that someone with that same handle had uploaded more than a hundred videos.
Excygent’s Aaron Bice had the idea to run this Torbox email address against a database seized from BTC-e during IRS-CI’s probe of the crypto exchange, to search for clues in its treasure trove of criminal underworld user data. Bice found a match: One account on BTC-e had been registered with an email address that included that same unique string of six characters. It wasn’t the Torbox email address, but one from a different privacy-focused email service called Sigaint.
Janczewski knew that Torbox and Sigaint, both dark-web services themselves, wouldn’t respond to legal requests for their users’ information. But the BTC-e data included IP addresses for 10 past logins on the exchange by the same user. In nine out of 10, the IP address was obscured with a VPN or Tor. But in one single visit to BTC-e, the user had slipped up: They had left their actual home IP address exposed. “That opened the whole door,” says Janczewski.
A traceroute showed that the IP address led to a residential internet connection—not in Korea this time, but in Texas. Was there a second Welcome to Video admin, this one based in the US? Janczewski and Bice continued pulling the thread with increasing urgency, subpoenaing the user’s account information from their internet service provider.
It was a Friday morning in early December, and Janczewski was drinking coffee at his desk in the IRS-CI office when he got back the results of that subpoena. He opened the email to find a name and a home address. The man was an American in his thirties who lived in a town outside of San Antonio—an unlikely collaborator for a 21-year-old Korean managing a child exploitation site from 15 time zones away. But the man’s employment, when Janczewski looked it up, was even more jarring: He was another Department of Homeland Security staffer—this time a Border Patrol agent.
Janczewski quickly began to assemble public information about the agent from his social media accounts. He first found a Facebook page for the man’s wife, and later an account for the man himself, with his name written backwards to obscure it. Bice dug up his Amazon page, too, where he seemed to have left reviews on hundreds of products and put others on a “wish list”—including external storage devices that could hold terabytes of videos, hidden cameras, and other cameras designed to be snaked through small spaces, like holes drilled in a wall.
Finally, with a creeping sense of dread, Janczewski saw that the Border Patrol agent’s wife had a young daughter—and that he had created a crowdfunding page on GoFundMe to raise money to legally adopt the girl as his stepdaughter. “Fuck,” Janczewski thought to himself. “Did he upload videos of the daughter?”
Janczewski looked back at Welcome to Video and saw that some of the thumbnails of the videos uploaded by the person with this username showed the sexual assault of a young girl about the daughter’s age. He realized he now had a duty to separate this Border Patrol agent from his victim as swiftly as possible.
For the next 10 days, Janczewski barely left his desk. He’d drive home, eat dinner quickly with his family in their small Arlington, Virginia, townhouse, then drive back to the office to work late, often calling Bice and Faruqui well into the night.
“You are rarely in a situation where your time is zero-sum,” Faruqui says. “Every moment we were not working on that case, a little girl could be getting raped.”
Janczewski asked their undercover HSI agent to download the videos that had been uploaded by the Texas agent, and he began the grueling process of watching them one by one. A few videos in, he spotted something that jolted the pattern-matching subroutines of his brain: At one point in the recording, the girl in the video had a red flannel shirt tied around her waist. He looked back at a photo of the girl posted to the GoFundMe page and saw it: She was wearing the same red flannel.
Was this Border Patrol agent an admin on Welcome to Video? A moderator? It hardly mattered. Janczewski now believed he had found the identity of an active child rapist who lived with his victim and had been recording and sharing his crimes with thousands of other users. The Texas man had earned a place at the very top of their target list.
TWO WEEKS BEFORE Christmas, on the 10th day after he’d identified the Border Patrol agent, Janczewski flew to southern Texas, along with HSI’s Thomas Tamsi and his team’s child-exploitation-focused prosecutor, Lindsay Suttenberg. On a cool, dry evening about a hundred miles from the Mexican border, Tamsi and a group of Texas State Police officers tailed their target as he drove home from work and pulled him over. Together with a group of FBI agents, they took the man to a nearby hotel for questioning.
Meanwhile Janczewski and a group of local Homeland Security investigators entered the man’s house and began to search for evidence. The two-story home was run-down and messy, Janczewski remembers—with the exception of the man’s well-organized home office on the second floor, where they found his computer. Down the hall from that office he came to the girl’s bedroom and immediately recognized it as the scene where the videos uploaded by the man had been filmed. On the wall he noticed a poster he’d seen in the recordings and momentarily felt as though he’d fallen through the screen of his own computer into the set of a horror film.
The IRS agent and prosecutor had brought with them an FBI interviewer with child exploitation experience, who separated the girl from the agents searching her home and took her to a safer location. The girl eventually detailed to the interviewer the abuse she’d endured.
Shortly after the search of the Border Patrol agent’s home, Janczewski arrived at the hotel room where other agents were questioning their suspect. He saw, for the first time, the target of his last week-and-a-half’s obsession. The man was tall and burly, still in his uniform, with thinning hair. He initially refused to talk about any physical abuse he might have committed, Janczewski says, but he eventually confessed to possessing, sharing, and—finally—making child sexual abuse videos.
Janczewski was struck by the dispassionate, almost clinical way the man described his actions. He gave his interrogators the password to his home computer, and an agent still at the house began pulling evidence from the machine and sending it to Janczewski. It included detailed spreadsheets of every child sexual exploitation video the man had both amassed on his hard drives and, by all appearances, filmed in his own home.
Another spreadsheet from the man’s computer contained a long list of other Welcome to Video users’ login credentials. Under questioning, the man explained his scheme: He would pose as an administrator in messages he posted to the site’s chat page, then ask users who took the bait to send him their usernames and passwords, which he’d use to log in to their accounts and access their videos.
The Border Patrol agent had never been a Welcome to Video administrator or moderator at all, only a particularly devious visitor to the site, willing to scam his fellow users to support his own appetites.
After an intense 10 days, they’d identified and arrested another alleged child abuser, even rescued his victim. But as he flew back to DC, Janczewski knew that Welcome to Video’s vastly larger network of abuse remained very much intact. And until they took the site itself down, it would continue to serve its videos—including the very ones the Border Patrol agent had uploaded from his Texas home office—to an anonymous throng of consumers just like him.
IN EARLY JANUARY of 2018, the DC investigators got word from Thomas Tamsi that he and the team had arrested the other federal law enforcement customer of Welcome to Video, the HSI agent who’d shown up early in their blockchain tracing and subpoenas. Though seemingly unconnected to the Border Patrol agent case, this second agent had been based in Texas, too, less than an hour away from the home of the man they had just raided.
Aside from that grim coincidence, the news of the HSI agent’s arrest also meant that the DC team’s initial list of high-priority suspects was finally checked off. They could move on to their primary target, Son Jong-woo—and the Welcome to Video server under his control.
By February, that Korea-focused operation was coming together. Before the Texas arrests, Janczewski, Gambaryan, Faruqui, and Tamsi had flown to Seoul to meet the Korean National Police Agency. At a dinner set up by the local HSI attaché, the director of the KNPA himself told Tamsi—whose octopus-eating reputation preceded him—that the Americans would have the help of his “best team.” Soon they had Son Jong-woo under constant surveillance as he came and went from his home, an apartment two and a half hours south of Seoul in the province of South Chungcheong.
Now, in the depths of winter on the Korean peninsula, just a week after Korea had hosted the Olympics in Pyeongchang, the American agents arrived in Seoul again. Gambaryan had to stay behind for a badly timed conference where the agency’s director had volunteered him to speak. But Janczewski and Faruqui brought with them Aaron Bice and Youli Lee, a Korean-American computer crime prosecutor on their team. By this point, too, a growing international force had assembled around the case. The UK’s National Crime Agency, which had launched its own investigation into Welcome to Video just after Levin’s London visit, sent two agents to Seoul, and the German Federal Police also joined the coalition. It turned out the Germans had been pursuing the site’s administrators independently, even before they’d learned about the IRS’s investigation, but they’d never been able to secure the cooperation of the Korean National Police.
At one point Faruqui remembers a German official asking him, as they stood in the cold outside the Seoul hotel where they were staying, how the Americans had gotten the Koreans on board so quickly. “Oh, Octopus Guy,” Faruqui had explained. “You don’t have Octopus Guy. We have Octopus Guy.”
FOR THEIR FIRST days in Seoul, the takedown team met repeatedly in the Korean National Police offices to talk through their plans. Their tracing of the IP address, based on Gambaryan’s fortuitous right-click, seemed to show that the site’s server was located, bizarrely, not in any web-hosting firm’s data center but in Son Jong-woo’s own apartment—the evidentiary hub of a massive child sexual abuse video network, sitting right in his home. That made things simple: They would arrest him, tear his site offline, and use that evidence to convict him. The team made a plan to grab him in his apartment early on a Monday morning.
Then, on the Friday before, Janczewski got a cold. He spent much of the weekend with prosecutor Youli Lee, dazedly wandering between markets and stores in Seoul trying to pronounce gaseubgi, the Korean word for humidifier. On Sunday evening, he took a dose of what he hoped was a Korean equivalent of Nyquil—he couldn’t read the label—with the intention of getting some sleep and recovering in time to be at full strength for the arrest.
That’s when the KNPA alerted the team that the plan had changed: Son had unexpectedly driven into Seoul for the weekend. Now the team following his whereabouts believed he had begun a late-night drive back to his home south of the city.
If the police could drive down to Son’s home that night and stake it out, perhaps they could be there when he returned, ready to arrest him at his door. That way he couldn’t destroy evidence or—another looming concern after the death of their Washington, DC, target—commit suicide. “We had to scramble,” Janczewski says.
That evening, Faruqui insisted the group put their hands in for a “Go team!” cheer in their hotel lobby. Then he and Lee went up to their rooms to go to bed. Janczewski—sick, half asleep from cold medication, and clutching a pillow from his hotel room—walked out into the pouring rain and got in a car with the HSI liaison to start the long night-drive south. The HSI agent had begged Janczewski to take the wheel of another car in the caravan, instead of an elderly Korean man on his team who was, the agent said, a notoriously bad driver. But Janczewski insisted he was far too medicated to navigate the dark, wet highways of a country 7,000 miles from his home.
A few hours later, the team arrived in the parking lot of Son’s apartment—a 10-story tower with a few small buildings on one side and a vast, empty rural landscape on the other—to begin their long stakeout in the rain. It was well past midnight when they saw Son’s car finally pull into the parking garage of the complex.
A group of Korean agents had been waiting there for him. One particularly imposing officer, whom the HSI agents referred to as “Smiley”—because he never smiled—led a team of plainclothes police, sidling into the elevator next to Son as he got inside. The agents silently rode the elevator up to Son’s floor with him and stepped out when he did. They arrested him, without resistance, just as he reached his front door.
Throughout that arrest and the hours-long search of Son’s apartment that followed, Janczewski and the other foreigners remained stuck in their cars in the rain-drenched parking lot. Only the National Police had authorization to lay hands on Son or enter his home. When the Korean officers had the young Welcome to Video admin handcuffed, they asked him if he’d consent to letting Janczewski or any of the Americans come in as well. Son, unsurprisingly, said no. So Janczewski was limited to a tour via FaceTime of the small and unremarkable apartment that Son shared with his divorced father, the man with the soiled hands in the first photo they’d examined, as the Korean agents scoured it for evidence and seized his devices.
The Korean agent showing Janczewski around eventually pointed the phone’s camera at a desktop computer on the floor of Son’s bedroom, a cheap-looking tower-style PC with its case open on one side. The computer’s guts revealed the hard drives that Son seemed to have added, one by one, as each drive had filled up with terabytes of child exploitation videos.
This was the Welcome to Video server.
“I was expecting some kind of glowing, ominous thing,” Janczewski remembers, “and it was just this dumpy computer. It was just so strange. This dumpy computer, that had caused so much havoc around the world, was sitting on this kid’s floor.”
ON THE RETURN trip, Janczewski learned exactly why the HSI liaison had wanted him to drive the other car. The elderly HSI staffer behind the wheel of the other vehicle in their caravan was somehow so disoriented after a sleepless night that he turned the wrong way down a highway exit ramp, narrowly avoiding a high-speed collision and terrifying his passenger, Aaron Bice.
After barely averting that disaster, as the sun began to rise and the rain let up, the group pulled over at a truck stop along the highway to have a breakfast of gas-station instant ramen. Janczewski, still sick and utterly exhausted, was struck by how anticlimactic it all seemed. His team had located and extricated both the administrator and the machine at the epicenter of the malevolent global network they were investigating. He had been anticipating this moment for more than six months. But he felt no elation.
There were no high fives, no celebrations. The agents got back in their cars to continue the long drive back to Seoul.
THE NEXT DAY, after finally getting some sleep, Janczewski began to see past the dreariness of the previous night’s operation to understand just how lucky they had been. He learned from the forensic analysts who had examined Son Jong-woo’s computers that Son hadn’t encrypted his server. Everything was there: all of Welcome to Video’s content, its user database, and the wallets that had handled all of its Bitcoin transactions.
The scale of the video collection, now that they could see it in its entirety, was staggering. There were more than 250,000 videos on the server, more content by volume than in any child sexual abuse materials case in history. When they later shared the collection with the National Center for Missing and Exploited Children (NCMEC), which helps to catalog, identify, and take down CSAM materials across the internet, NCMEC found that it had never seen 45 percent of the videos before. Welcome to Video’s uniqueness check and incentive system for fresh content appeared to have served its purpose, motivating countless new cases of recorded child abuse.
The real prize for the investigators, however, was the site’s user information. The Korean National Police gave the US team a copy of Welcome to Video’s databases, and they got to work in a US Embassy building in Seoul, reconstructing those data collections on their own machine. Meanwhile, to avoid tipping off the site’s users to the takedown, they quickly set up a look-alike Welcome to Video homepage on their own server, using the private key pulled from the real server to take over its dark-web address. When users visited the site, it now displayed only a message that it was under construction and would be back soon with “upgrades,” complete with typos to mimic Son’s shoddy English spelling.
Bice spent two days with his head down, rebuilding the site’s user data in a form they could easily query—with Janczewski and Faruqui standing behind him, pestering him to see if the system was ready yet. When Bice was finished, the US team had a full directory of the site’s pseudonymous users, listed by their Welcome to Video usernames. They could now link every Bitcoin payment they had initially mapped out on the blockchain with those usernames and look up exactly what content each of those users had uploaded or downloaded.
By the time the Americans were ready to go home at the end of February, they had integrated the de-anonymized identities from their cryptocurrency exchange subpoenas into a searchable database. It mapped out the entire Welcome to Video network, complete with users’ real-world names, photos, and—for those who had paid into the site—the record of those payments and the exact child abuse videos those customers had bought access to. “You could see the whole picture,” Janczewski says. “It was like a dictionary, thesaurus, and Wikipedia all put together.”
They had, arrayed before them, the fully revealed structure of Welcome to Video’s global child exploitation ring—hundreds of exquisitely detailed profiles of consumers, collectors, sharers, producers, and hands-on abusers alike. Now the final phase of the case could begin.
OVER THE WEEKS that followed, Thomas Tamsi’s team in Colorado began sending their Welcome to Video dossiers to HSI agents, local police, and foreign police agencies around the world. These “targeting packages” included descriptions of the suspects, the record of their transactions, any other evidence they’d assembled about them, and—given that they were being sent out to law enforcement agents who had in some cases never been involved in a cryptocurrency-related investigation—short primers on how Bitcoin and its blockchain worked.
There would be no coordinated, global takedown, no attempt to create shock and awe with simultaneous arrests. The case’s defendants were far too distributed and international for that kind of synchronized operation. Instead, searches, arrests, and interviews began to roll out across the globe—prioritized by those they’d learned might be active abusers, then uploaders, and finally downloaders. Slowly, as Welcome to Video’s users were confronted, one by one, the DC team began to hear back about the results of their work—with harrowing, sometimes gratifying, often tragic outcomes.
A Kansas IT worker—whose arrest they’d prioritized when they found that his wife ran an at-home daycare for infants and toddlers—had deleted all of his child abuse videos from his computer before the agents arrived. Prosecutors say he later confessed when remnants of the files in the computer’s storage matched their records from the Welcome to Video server.
When the agents came for a twentysomething man in New York, his father blocked the door of their apartment, thinking at first that it was a break-in. But when agents explained what their warrant was for, he turned on his son and let them in. The son, it later turned out, had sexually assaulted the daughter of a family friend and surreptitiously recorded another young girl through her webcam, according to prosecutors.
A repeat offender in Washington, DC, tried to commit suicide when the HSI team entered his home; he hid in his bathroom and slit his own throat. One of the arresting agents happened to have training as an Army medic. He managed to slow the bleeding and keep the man alive. They later found 450,000 hours of child abuse videos on his computers—including recordings of the girl in Texas that had been uploaded by the Border Patrol agent.
As months passed, the stories continued to pile up, a mix of the sordid, sad, and appalling. An elderly man in his seventies who had uploaded more than 80 child abuse videos. A man in his early twenties with traumatic brain damage, whose medication had heightened his sexual appetites and reduced his impulse control, and who was deemed to have the same level of cognitive development as the preteens whose abuse he’d watched. A New Jersey man whose communications, when they were revealed through a search warrant, seemed to show his negotiations to purchase a child for his own sexual exploitation.
Thomas Tamsi, as the lead HSI agent on the case, coordinated more Welcome to Video arrests than anyone else—more than 50, by his count—and was present for enough of them that they became a blur in which only the most jarring moments remain distinct in his mind. The mostly nude defendant he found in a basement. The suspect who told him he had been involved in the Boy Scouts and that “children had always been attracted” to him. Parents of victims who vehemently denied that a family friend could have done the things Tamsi described, and whose faces then went white as he slid printouts of redacted screenshots across the table.
The cases spanned the globe, well beyond the US. Dozens of Welcome to Video users were arrested in the Czech Republic, Spain, Brazil, Ireland, France, and Canada. In England, where the entire case had started with an agent’s tip to Levin, the country’s National Crime Agency arrested one 26-year-old who had allegedly abused two children—one of whom they found naked on a bed in his home—and uploaded more than 6,000 files to the site. In another international case, a Hungarian ambassador to Peru who downloaded content from Welcome to Video was found to have more than 19,000 CSAM images on his computer. He was quietly removed from his South American post, taken to Hungary, and charged; he pleaded guilty.
For the DC team, many of the international cases fell into a kind of black hole: One Saudi Arabian Welcome to Video user returned to his home country and was captured by that country’s own law enforcement. Faruqui and Janczewski say they never heard what happened to the man; he was left to the Saudis’ own justice system, which sentences some sex criminals to the Sharia-based punishments of whipping or even beheading. When agents searched the car of a Chinese national living near Seattle with a job at Amazon, they found a teddy bear, along with a map of playgrounds in the area, despite the man having no children of his own. The man subsequently fled to China and, as far as prosecutors know, was never located again.
In each of the hundreds of intelligence packets that the team sent out, Chris Janczewski’s contact was listed as the number to call with any questions. Janczewski found himself explaining the blockchain and its central role in the case again and again, to HSI agents and local police officers around the US and the world, many of whom had never even heard of Bitcoin or the dark web. “You get this lead sent to you that says, ‘Here’s this website and this funny internet money,’” Janczewski says, imagining how those on the receiving end of the intelligence packets must have seen it, “and now you need to go arrest this guy because some nerd accountant says so.”
In total, Janczewski traveled to six countries and spoke to more than 50 different people to help explain the case, often multiple times each—including one US prosecutor and agent team with whom he had more than 20 conversations. (“Some were a little more high maintenance, respectfully, than others,” he says.) Bice, who oversaw the reconstructed server data, says he spoke to even more agents and officers—well over a hundred, by his count.
Ultimately, from the beginning of the case through the year and a half that followed the server seizure, global law enforcement would arrest no fewer than 337 people for their involvement with Welcome to Video. They also removed 23 children from sexually exploitative situations.
Those 337 arrests still represented only a small fraction of Welcome to Video’s total registered users. When the US team examined their copy of the server data in Korea, they had found thousands of accounts on the site. But the vast majority of them had never paid any bitcoins into the site’s wallets. With no money to follow, the investigators’ trail usually went cold.
If not for cryptocurrency, in other words, and the years-long trap set by its purported untraceability, the majority of the 337 pedophiles arrested in the Welcome to Video case—and their rescued victims—likely never would have been found.
THE IRS AND the US attorneys’ office in DC had taken an unprecedented approach, treating a massive child sexual abuse materials case as a financial investigation, and it had succeeded. Amidst all their detective work, it had been Bitcoin’s blockchain that served as their true lodestar, leading them through a landmark case. Without crypto tracing, Faruqui argues, they would never have managed to map out and identify so many of the site’s users.
“That was the only path through this darkness,” he says. “The darker the darknet gets, the way that you shine the light is following the money.”
Throwing money-laundering investigators into the deep end of the internet’s CSAM cesspool, however, had taken its toll. Almost every member of the team had children of their own, and almost all of them say they became far more protective of those children as a result of their work, to the degree that their trust in the people around their family has been significantly damaged.
Janczewski, who after the case moved from DC to Grand Rapids, Michigan, won’t let his children ride their bikes to school on their own, as he himself did as a child. Even seemingly innocent interactions—like another friendly parent who offers to watch his kids at the other end of a swimming pool—now trigger red alerts in his mind. Youli Lee says she won’t allow her 9- and 12-year-old children to go into public bathrooms by themselves. Nor will she allow them to play at a friend’s house unless the friend’s parents have top-secret security clearances—an admittedly arbitrary rule, but one she says ensures the parents have at least had a background check.
Faruqui says the 15 or so videos he watched as part of the investigation remain “indelibly seared” into his brain and have permanently heightened his sense of the dangers the world presents to his children. He and his wife argue, he says, about his overprotective tendencies. “You always see the worst of humanity, and so you’ve lost perspective,” he quotes his wife telling him. “And I say, ‘You lack perspective, because you don’t know what’s out there.’”
Gambaryan’s wife Yuki says the Welcome to Video case was the only time her hard-shelled, Soviet-born husband ever discussed a case with her and confessed that it had gotten to him—that he was struggling with it emotionally. Gambaryan says that it was, in particular, the sheer breadth of the cross-section of society that participated in the site’s abuse that still haunts him.
“I saw that everybody’s capable of this: doctors, principals, law enforcement,” he reflected. “Whatever you want to call it, evil, or whatever it is: It’s in everybody—or it can be in anybody.”
IN EARLY JULY of 2020, Son Jong-woo walked out of a Seoul penitentiary wearing a black long-sleeve T-shirt and carrying a green plastic bag of his belongings. He had spent, due to Korea’s lenient laws on child sexual abuse, just 18 months in prison.
US prosecutors, including Faruqui, had argued that he should be extradited to the United States to face charges in the American justice system, but Korea had denied their request. Welcome to Video’s convicted creator and administrator was free.
The DC-based team that worked the Welcome to Video case remains deeply dissatisfied with Son’s mystifyingly light sentence for running, by some measures, the biggest child sexual abuse materials website in history. But Janczewski says he’s comforted by the outcry in Korean society over the case. The country’s social media exploded in anger over Son’s quick release. More than 400,000 people signed a petition to prevent the judge in the case from being considered for a seat on the country’s supreme court. One Korean lawmaker put forward a bill to allow appeals to extradition judgments, and the country’s National Assembly introduced new legislation to strengthen punishments for sexual abuse online and downloading child sexual abuse materials.
In the US, meanwhile, the ripple effects of the case continued for years. Janczewski, Bice, and Suttenberg say that they still get calls from law enforcement officials following the leads they assembled. On the computer of the DC investigators’ very first test case—the former congressional staffer who committed suicide—they found evidence in a cryptocurrency exchange account that he’d also paid into a different source of dark-web sexual materials. They followed those payments to a site called Dark Scandals, which turned out to be a smaller but equally disturbing dark-web repository of sexual abuse recordings.
Janczewski, Gambaryan, and the same group of prosecutors pursued that Dark Scandals case in parallel with the tail end of the Welcome to Video investigation, similarly following blockchain leads to trace the site’s cash-outs. With the help of the Dutch national police, they arrested the site’s alleged administrator in the Netherlands, a man named Michael Rahim Mohammad, who went by the online handle “Mr. Dark.” He faces criminal charges in the US, and his case is ongoing.
From the perspective of Welcome to Video’s money-laundering-focused agents and prosecutors, perhaps the most interesting of the ripple effects of the case stemmed from the fate of the HSI agent they had arrested in Texas, just before their trip to carry out the site takedown in Korea. The Texan man had taken a rare approach to his legal defense: He’d pleaded guilty to possession of child sexual abuse materials, but he also appealed his conviction. He argued that his case should be thrown out because IRS agents had identified him by tracking his Bitcoin payments—without a warrant—which he claimed violated his Fourth Amendment right to privacy and represented an unconstitutional “search.”
A panel of appellate judges considered the argument—and rejected it. In a nine-page opinion, they explained their ruling, setting down a precedent that spelled out in glaring terms exactly how far from private they determined Bitcoin’s transactions to be.
“Every Bitcoin user has access to the public Bitcoin blockchain and can see every Bitcoin address and its respective transfers. Due to this publicity, it is possible to determine the identities of Bitcoin address owners by analyzing the blockchain,” the ruling read. “There is no intrusion into a constitutionally protected area because there is no constitutional privacy interest in the information on the blockchain.”
A search only requires a warrant, the American judicial system has long held, if that search enters into a domain where the defendant has a “reasonable expectation of privacy.” The judges’ ruling argued that no such expectation should have existed here: The HSI agent wasn’t caught in the Welcome to Video dragnet because IRS agents had violated his privacy. He was caught, the judges concluded, because he had mistakenly believed his Bitcoin transactions to have ever been private in the first place.
CHRIS JANCZEWSKI SAYS the full impact of the Welcome to Video case didn’t hit him until the day in October 2019 when it was finally announced in public and a seizure notice was posted to the site’s homepage. That morning, Janczewski received an unexpected call from the IRS commissioner himself, Charles Rettig.
Rettig told Janczewski that the case was “this generation’s Al Capone”—perhaps the highest compliment that can be bestowed within IRS-CI, where the story of Capone’s takedown for tax evasion holds almost mythical status.
That same day, the Justice Department held a press conference to announce the investigation’s results. US attorney Jessie Liu gave a speech to a crowd of reporters about what the case represented—how following the money had allowed agents to score a victory against “one of the worst forms of evil imaginable.”
Chainalysis’ Jonathan Levin sat in the audience. Afterward, an IRS official named Greg Monahan, who had supervised Gambaryan and Janczewski, came over to thank Levin for his role in the case. It had all started, after all, with Levin’s tip to two bored IRS agents in the Bangkok airport. Monahan told Levin that it was the most important investigation of his career, that he could now retire knowing he had worked on something truly worthwhile.
Levin shook the IRS-CI supervisor’s hand. Neither he nor Monahan could know, at that time, of the cases still to come: that IRS-CI and Chainalysis would together go on to disrupt North Korean hackers, terrorism financing campaigns, and two of the largest bitcoin-laundering services in the world. Or that they would track down close to 70,000 bitcoins stolen from the Silk Road and another 120,000 stolen from the exchange Bitfinex, totaling to a value of more than $7.5 billion at today’s exchange rates, the largest financial seizures—crypto or otherwise—in the Department of Justice’s history.
But as he answered Monahan, Levin thought again of the blockchain’s bounty of evidence: the countless cases left to crack, the millions of cryptocurrency transactions eternally preserved in amber, and the golden age of criminal forensics it presented to any investigator ready to excavate them.
“There’s so much more to do,” Levin said. “We’re just getting started.”
If you or someone you know needs help, call 1-800-273-8255 for free, 24-hour support from the National Suicide Prevention Lifeline. You can also text HOME to 741-741 for the Crisis Text Line. Outside the US, visit the International Association for Suicide Prevention for crisis centers around the world.
This article appears in the May 2022 issue.