WEBVTT

00:00:00.620 --> 00:00:04.549
JACK: Did I ever tell you the story about how Bitcoin sorta changed my life?

00:00:04.549 --> 00:00:07.350
Okay, it started in 2014.

00:00:07.350 --> 00:00:08.960
My friends were getting into Bitcoin.

00:00:08.960 --> 00:00:13.550
I saw them playing around with it and I wanted to learn about this, so I decided to buy one

00:00:13.550 --> 00:00:14.550
Bitcoin.

00:00:14.550 --> 00:00:17.230
[MUSIC] The price then was $600.

00:00:17.230 --> 00:00:21.950
I felt stupid spending that much money on it, but what fascinated me was the trading

00:00:21.950 --> 00:00:22.950
aspect.

00:00:22.950 --> 00:00:29.070
The Bitcoin market is open 24/7, 365, unlike the stock market, and I made a little PHP

00:00:29.070 --> 00:00:34.270
script that would trade Bitcoin after certain indicators were seen, swapping it back and

00:00:34.270 --> 00:00:36.879
forth between US dollars and Bitcoin.

00:00:36.879 --> 00:00:41.200
I thought with Bitcoin fluctuating wildly, maybe there was a way to spot some sort of

00:00:41.200 --> 00:00:45.600
indicator and jump in when it’s going up and jump out when it’s going down.

00:00:45.600 --> 00:00:48.050
But no, that did not work well.

00:00:48.050 --> 00:00:53.800
My bot would make some good trades, but with the fees and a few bad trades, it all went

00:00:53.800 --> 00:00:55.090
back to where I started.

00:00:55.090 --> 00:00:59.460
So, I turned off the bot and left it alone, still holding one Bitcoin.

00:00:59.460 --> 00:01:04.930
Well, fast-forward to 2017; I was just starting this podcast and I was feeling really burnt

00:01:04.930 --> 00:01:09.390
out at work and was ready to quit and just work on the show or something.

00:01:09.390 --> 00:01:11.700
But the show wasn’t making any money.

00:01:11.700 --> 00:01:17.960
I looked and I still had my one Bitcoin from years ago, but the price now was $18,000.

00:01:17.960 --> 00:01:21.619
So, I decided to sell that Bitcoin.

00:01:21.619 --> 00:01:22.619
It wasn’t easy, though.

00:01:22.619 --> 00:01:27.250
I had to spend weeks wrestling it out of an old wallet that I had that wasn’t very good,

00:01:27.250 --> 00:01:28.869
and get it over to an exchange.

00:01:28.869 --> 00:01:34.759
But I finally did sell it, and that gave me the freedom to quit my job and spend the next

00:01:34.759 --> 00:01:40.020
few months focusing exclusively on making Darknet Diaries.

00:01:40.020 --> 00:01:45.340
Just when that money was starting to run low is when I got my first sponsor, barely making

00:01:45.340 --> 00:01:46.420
it through the dip.

00:01:46.420 --> 00:01:52.350
So, I do have a special fondness for Bitcoin, and now you know if it wasn’t for Bitcoin,

00:01:52.350 --> 00:01:54.369
maybe this show wouldn’t be here.

00:01:54.369 --> 00:02:02.869
But I’m also well aware that there’s another side to Bitcoin, too, a dark side, which sometimes

00:02:02.869 --> 00:02:09.580
when you follow the money, can lead you to the darkest places on the internet.

00:02:09.580 --> 00:02:16.560
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:02:16.560 --> 00:02:21.810
I’m Jack Rhysider.

00:02:21.810 --> 00:02:25.990
This is Darknet Diaries.

00:02:25.990 --> 00:02:35.140
[INTRO MUSIC ENDS]

00:02:35.140 --> 00:02:41.280
JACK: For this episode, we’re talking once again with Andy Greenberg.

00:02:41.280 --> 00:02:42.910
ANDY: Do I sound okay?

00:02:42.910 --> 00:02:43.910
[BACKGROUND TALK]

00:02:43.910 --> 00:02:47.000
JACK: This is Andy’s third appearance on the show, but if you don’t remember, he’s

00:02:47.000 --> 00:02:50.750
the one who wrote the book Sandworm, which talks about Russia doing a cyber-attack on

00:02:50.750 --> 00:02:55.810
Ukraine using NotPetya and other things, and he’s also a senior writer at Wired.

00:02:55.810 --> 00:03:01.370
ANDY: I cover cyber security and hacking and surveillance and all of this stuff, and I’ve

00:03:01.370 --> 00:03:07.340
now written a new book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

00:03:07.340 --> 00:03:10.260
JACK: Whoa, that sounds like a cool title; Tracers in the Dark.

00:03:10.260 --> 00:03:11.260
I love it.

00:03:11.260 --> 00:03:15.290
So, how did you get involved in this book or this story?

00:03:15.290 --> 00:03:16.950
What’s going on in there?

00:03:16.950 --> 00:03:21.820
ANDY: Yeah, well, more than a decade ago, actually, I was really interested in this

00:03:21.820 --> 00:03:28.470
group called the Cypherpunks that wanted to use encryption and anonymity tools enabled

00:03:28.470 --> 00:03:33.860
by encryption to take power away from governments and corporations and give it to individuals.

00:03:33.860 --> 00:03:39.030
This is, you know, like – the Cypherpunks were these radical libertarians, most of them,

00:03:39.030 --> 00:03:47.659
anyway, and that movement gave rise to everything from VPNs to Tor to WikiLeaks, and I was kind

00:03:47.659 --> 00:03:52.239
of obsessed with this group and writing a book about them back in 2010 and 2011.

00:03:52.239 --> 00:03:56.940
In the spring of 2011, actually, is when I came across this – what seemed like this

00:03:56.940 --> 00:03:59.920
new Cypherpunk phenomenon, which was Bitcoin.

00:03:59.920 --> 00:04:04.910
JACK: Little did we know what kind of revolution Bitcoin would be in 2011.

00:04:04.910 --> 00:04:10.030
Bitcoin is digital currency, and before you start telling me that Bitcoin is a scam and

00:04:10.030 --> 00:04:16.290
has no value, the paper money you have in your wallet is just paper and has no real

00:04:16.290 --> 00:04:17.519
value, either.

00:04:17.519 --> 00:04:21.699
We all just try to convince each other that cash does have value, but we know deep down

00:04:21.699 --> 00:04:23.650
it’s just a piece of paper.

00:04:23.650 --> 00:04:24.880
It’s a lie.

00:04:24.880 --> 00:04:28.730
But besides that, cash is getting phased out for digital money.

00:04:28.730 --> 00:04:33.040
People use credit cards or even their phones to pay for everything now, which if you think

00:04:33.040 --> 00:04:38.440
about it, now money is basically just an entry in a database somewhere.

00:04:38.440 --> 00:04:43.410
That’s fine, because it makes sense to use digital money in our digital world.

00:04:43.410 --> 00:04:50.110
Yeah, I know Bitcoin has no real value, but just like cash, people go along with the lie

00:04:50.110 --> 00:04:52.090
that it does.

00:04:52.090 --> 00:04:57.639
Once enough people believe in it, then Bitcoin becomes valuable.

00:04:57.639 --> 00:05:03.690
Money is weird, but the thing about Bitcoin is that it’s an anonymous digital currency.

00:05:03.690 --> 00:05:06.120
Or, at least it used to be.

00:05:06.120 --> 00:05:09.730
Just like there’s no connection between the dollars in your wallet and your identity,

00:05:09.730 --> 00:05:12.370
there’s no name on a Bitcoin wallet.

00:05:12.370 --> 00:05:16.220
Well, that was true until governments started regulating exchanges.

00:05:16.220 --> 00:05:21.919
In order to buy or sell Bitcoin, you now need to show identification to the Bitcoin exchange,

00:05:21.919 --> 00:05:25.650
and if you keep your Bitcoin right there on the exchange, then yeah, there’s a direct

00:05:25.650 --> 00:05:29.380
connection between your wallet and your name.

00:05:29.380 --> 00:05:33.789
But that connection isn’t visible to just anyone; only the exchange has your identification

00:05:33.789 --> 00:05:35.970
and knows which wallet is yours.

00:05:35.970 --> 00:05:41.800
But exchanges in the US have to abide by US law, and that allows law enforcement to issue

00:05:41.800 --> 00:05:47.660
subpoenas to exchanges to get details about who owns a particular wallet.

00:05:47.660 --> 00:05:52.949
This kinda put a fence around the whole cryptocurrency ecosystem, which enabled law enforcement to

00:05:52.949 --> 00:05:55.200
investigate cases much more effectively.

00:05:55.200 --> 00:06:00.500
But on top of that, researchers were also figuring out ways to follow Bitcoin trails

00:06:00.500 --> 00:06:04.509
and put together a picture of what certain Bitcoin wallets were doing.

00:06:04.509 --> 00:06:09.470
By 2020, Andy began to realize how Bitcoin can be traced, and started looking at how

00:06:09.470 --> 00:06:13.630
law enforcement was using cryptocurrency tracing in criminal investigations.

00:06:13.630 --> 00:06:19.810
ANDY: It became clear that not only was Bitcoin very traceable, but the cryptocurrency tracing

00:06:19.810 --> 00:06:25.470
had actually been used as this incredibly powerful law enforcement investigative technique

00:06:25.470 --> 00:06:31.849
in that this small group of detectives, who then become the subject of my book, had gone

00:06:31.849 --> 00:06:39.539
on this spree of cyber-criminal busts, tracing cryptocurrency to take down one massive criminal

00:06:39.539 --> 00:06:42.230
operation online after another.

00:06:42.230 --> 00:06:50.000
JACK: So, you’re following the Bitcoin and you’re unraveling cyber crime.

00:06:50.000 --> 00:06:53.830
I mean, this is true stories from the dark side of the internet.

00:06:53.830 --> 00:06:55.229
How dark are we getting, here?

00:06:55.229 --> 00:06:57.669
ANDY: Yeah, I mean, this gets really dark.

00:06:57.669 --> 00:07:03.330
This is about as dark as any dark web story I’ve ever covered as a reporter.

00:07:03.330 --> 00:07:07.259
JACK: [MUSIC] Yeah, I really should underline this.

00:07:07.259 --> 00:07:11.879
This is the darkest episode I’ve ever done.

00:07:11.879 --> 00:07:17.479
This is one of those stories that I knew I’d have to cover at some point, but never really

00:07:17.479 --> 00:07:22.550
wanted to because it’s just awful to put my head into this story and to think about

00:07:22.550 --> 00:07:23.550
it.

00:07:23.550 --> 00:07:27.139
We’re going to be talking about child abuse here, and some of what we say is gonna be

00:07:27.139 --> 00:07:29.310
a real punch to the gut when you hear it.

00:07:29.310 --> 00:07:34.620
We’re not gonna graphically describe any child abuse here, but I want you to be fair

00:07:34.620 --> 00:07:39.970
warned; this episode is rated R, and listener discretion is highly advised.

00:07:39.970 --> 00:07:44.970
Okay, so let’s get into it.

00:07:44.970 --> 00:07:46.470
What is Welcome to Video?

00:07:46.470 --> 00:07:54.540
ANDY: Welcome to Video was a dark web market, basically, for child sexual abuse videos.

00:07:54.540 --> 00:07:58.470
We used to call this stuff child pornography, but I think now it’s much better to call

00:07:58.470 --> 00:08:05.090
it child sexual abuse materials or child exploitation videos, because it’s really sexual violence

00:08:05.090 --> 00:08:06.500
being done to kids.

00:08:06.500 --> 00:08:11.729
JACK: To access the videos on Welcome to Video, you had two options; either pay for access,

00:08:11.729 --> 00:08:16.570
and the only way to pay is using Bitcoin, or upload some videos yourself.

00:08:16.570 --> 00:08:20.389
That’s child sexual abuse material, or CSAM.

00:08:20.389 --> 00:08:25.930
Now, you hope that when a site like this launches, the police immediately swarm it and take it

00:08:25.930 --> 00:08:26.930
down, right?

00:08:26.930 --> 00:08:27.970
Well, that didn’t happen.

00:08:27.970 --> 00:08:32.880
It launched and people started using the site, and it actually had hundreds of users in the

00:08:32.880 --> 00:08:34.039
early days.

00:08:34.039 --> 00:08:39.149
But even with this many users, the police and law enforcement had no idea this site

00:08:39.149 --> 00:08:42.150
even existed, much less investigating it.

00:08:42.150 --> 00:08:47.190
ANDY: The first agency that I’m aware of that was looking at Welcome to Video was the

00:08:47.190 --> 00:08:50.510
NCA, the National Crime Agency, in the UK.

00:08:50.510 --> 00:08:57.700
They came upon it through – and just to throw us right into the deep end of this darkness,

00:08:57.700 --> 00:09:04.750
with a really terrible case of this guy named Matthew Falder who was this Cambridge academic

00:09:04.750 --> 00:09:09.370
who lived this – also this very evil, secret life.

00:09:09.370 --> 00:09:12.520
I mean, if it’s fair to say that anything is evil, I guess this would be.

00:09:12.520 --> 00:09:20.670
[MUSIC] He would pretend to be a female artist and ask people for nudes online and then would

00:09:20.670 --> 00:09:28.870
use those nudes to blackmail them into providing more nudes and abusing other people and self-harm.

00:09:28.870 --> 00:09:33.800
JACK: Oh, I hear about this all the time.

00:09:33.800 --> 00:09:38.580
About once a month, a listener of mine, usually a guy, tells me this story that they found

00:09:38.580 --> 00:09:43.450
a woman online, started chatting up with her, and it seemed to be going in a romantic direction.

00:09:43.450 --> 00:09:46.600
The woman asked for a nude photo of him.

00:09:46.600 --> 00:09:51.370
So, the guy sends one, and immediately the person tries to extort the guy, saying they’ll

00:09:51.370 --> 00:09:56.440
send this to all his friends unless he pays, maybe something like $500, but it varies based

00:09:56.440 --> 00:09:58.930
on how much they think they can get out of the guy.

00:09:58.930 --> 00:10:03.500
Two tips for any listeners who find themselves in this situation; first, don’t send nudes

00:10:03.500 --> 00:10:05.370
to people online like that.

00:10:05.370 --> 00:10:09.120
Second, if you get in this trouble, it’s a legal matter.

00:10:09.120 --> 00:10:10.120
Contact the police.

00:10:10.120 --> 00:10:11.120
You’re being extorted.

00:10:11.120 --> 00:10:14.500
It’s not something a podcaster like me can help you with.

00:10:14.500 --> 00:10:20.210
ANDY: This guy, Matthew Falder, had done this to no fewer than fifty people.

00:10:20.210 --> 00:10:22.080
At least three of them had attempted suicide.

00:10:22.080 --> 00:10:29.060
I’m sorry to throw us right into the really most horrific parts of this story, but that’s

00:10:29.060 --> 00:10:32.370
where this goes.

00:10:32.370 --> 00:10:40.029
The NCA had actually identified Falder and charged him, and on his computer they found

00:10:40.029 --> 00:10:44.399
that he was a customer of Welcome to Video, [MUSIC] this site that they had never seen

00:10:44.399 --> 00:10:51.910
before, but immediately looked to them like a kind of massive repository of child sexual

00:10:51.910 --> 00:10:53.320
abuse materials.

00:10:53.320 --> 00:10:58.389
But like with every dark web market, it was protected by the Tor anonymity software.

00:10:58.389 --> 00:11:00.850
There was no obvious way to take it down.

00:11:00.850 --> 00:11:01.850
JACK: Right.

00:11:01.850 --> 00:11:05.660
Welcome to Video was on the darknet using the Tor network.

00:11:05.660 --> 00:11:13.310
Here, things are anonymous by design, both users and the websites, or so it seems.

00:11:13.310 --> 00:11:17.760
On the regular internet when you see a URL, you can look up who owns that URL or do a

00:11:17.760 --> 00:11:21.899
trace route on the website’s IP and see where that server is hosted in the world,

00:11:21.899 --> 00:11:24.540
or at least what ISP is providing them internet.

00:11:24.540 --> 00:11:29.060
But on the Tor network, on the dark web, all that is hidden.

00:11:29.060 --> 00:11:34.360
For instance, when you want to make a website on Tor, you first generate the private key

00:11:34.360 --> 00:11:38.730
which will then give you a public address, and that public address is your URL.

00:11:38.730 --> 00:11:41.220
If you have the private key, you own the site.

00:11:41.220 --> 00:11:42.820
If not, it’s not yours.

00:11:42.820 --> 00:11:46.920
There’s no way to look up who the owner is or see where it’s hosted.

00:11:46.920 --> 00:11:47.930
Everything is hidden.

00:11:47.930 --> 00:11:55.120
ANDY: So, the NCA could see this horrific website, but they couldn’t figure out any

00:11:55.120 --> 00:11:59.160
clear way to locate its administrator or take it down.

00:11:59.160 --> 00:12:02.600
That’s the whole idea, really, of the dark web.

00:12:02.600 --> 00:12:11.500
Sadly, there is so much – every child exploitation-focused agent that I’ve ever talked to seems like

00:12:11.500 --> 00:12:13.930
they’re overwhelmed with cases, tragically.

00:12:13.930 --> 00:12:19.210
JACK: So, without a clear lead and with a lot of other work to do, this got pushed to

00:12:19.210 --> 00:12:22.860
the side until Jonathan Levin showed up.

00:12:22.860 --> 00:12:27.630
[MUSIC] This guy started a company called Chainalysis, which is a mashup of the words

00:12:27.630 --> 00:12:29.380
‘blockchain’ and ‘analysis’.

00:12:29.380 --> 00:12:34.570
See, every Bitcoin transaction that happens is public for everyone to see, and that’s

00:12:34.570 --> 00:12:35.730
what the blockchain is.

00:12:35.730 --> 00:12:41.320
It’s a public ledger which shows every single transaction since the dawn of Bitcoin.

00:12:41.320 --> 00:12:46.190
Chainalysis was sort of like archaeologists digging through the blockchain, examining

00:12:46.190 --> 00:12:50.480
the data, and doing things like making a profile of certain Bitcoin wallets and discovering

00:12:50.480 --> 00:12:56.220
ways to trace the money, but then also learning that Bitcoin might not be so anonymous after

00:12:56.220 --> 00:12:57.220
all.

00:12:57.220 --> 00:13:02.750
I mean, consider this scenario; say you gave some Bitcoin to your buddy to borrow and he

00:13:02.750 --> 00:13:04.649
promises to pay you back in one week.

00:13:04.649 --> 00:13:08.620
But three weeks go by and he didn’t pay you back, so you ask him about it and he says

00:13:08.620 --> 00:13:09.730
oh, I don’t have it.

00:13:09.730 --> 00:13:13.180
Well, you could just look at the blockchain to see what’s going on.

00:13:13.180 --> 00:13:18.470
So, you look to see where you sent this money to, which is presumably his wallet, right?

00:13:18.470 --> 00:13:23.000
You see that not only did he borrow money from you, but four other people sent him the

00:13:23.000 --> 00:13:24.519
same amount.

00:13:24.519 --> 00:13:27.580
Maybe those are your friends or his friends that he borrowed from.

00:13:27.580 --> 00:13:31.630
Then you look to see how much Bitcoin is in his wallet right now, and there’s none.

00:13:31.630 --> 00:13:33.580
So, where did it go?

00:13:33.580 --> 00:13:36.350
Well, the blockchain tells all.

00:13:36.350 --> 00:13:41.949
You might look and see that all the money went to some well-known online casino’s

00:13:41.949 --> 00:13:44.269
wallet. Oof.

00:13:44.269 --> 00:13:48.360
This is the kind of investigation you can do on the blockchain, but it takes a certain

00:13:48.360 --> 00:13:52.980
skill and the right kind of eyes to be able to see how things move around and what’s

00:13:52.980 --> 00:13:54.350
going on.

00:13:54.350 --> 00:13:58.870
This is what Chainalysis started doing, watching the blockchain, trying to figure out what

00:13:58.870 --> 00:14:00.210
was going on there.

00:14:00.210 --> 00:14:06.839
They soon realized that law enforcement was also very interested in the activity of certain

00:14:06.839 --> 00:14:07.839
wallets.

00:14:07.839 --> 00:14:11.899
So, Chainalysis started working with law enforcement to find ways of getting information about

00:14:11.899 --> 00:14:13.930
certain Bitcoin wallets.

00:14:13.930 --> 00:14:17.529
In fact, they made a tool to make it even easier, called Reactor.

00:14:17.529 --> 00:14:22.079
If you put a Bitcoin address into Reactor, it’ll show you a map of all the wallets

00:14:22.079 --> 00:14:24.149
that that wallet has interacted with.

00:14:24.149 --> 00:14:28.389
It’ll then start to cluster those wallets into groups of common interests.

00:14:28.389 --> 00:14:30.600
It’ll detect certain laundering techniques.

00:14:30.600 --> 00:14:33.529
It’ll show where the Bitcoin started and where it ended up.

00:14:33.529 --> 00:14:37.520
For instance, Reactor software will show that a person bought some Bitcoin at Coinbase,

00:14:37.520 --> 00:14:41.980
then transferred it to another wallet, and then they cashed out at Binance, which isn’t

00:14:41.980 --> 00:14:46.380
quite rocket science to figure this out on your own, but Chainalysis makes investigating

00:14:46.380 --> 00:14:48.250
the blockchain a lot easier.

00:14:48.250 --> 00:14:54.050
So, law enforcement around the world was purchasing and using this tool to help them in criminal

00:14:54.050 --> 00:14:55.050
investigations.

00:14:55.050 --> 00:15:01.500
ANDY: Jonathan Levin was a co-founder of the company, and around July of 2017, he was just

00:15:01.500 --> 00:15:08.190
visiting an agent at the NCA, just a customer check-in, and the agent told him about this

00:15:08.190 --> 00:15:10.660
new site that had just come onto their radar.

00:15:10.660 --> 00:15:17.860
They did have some of the cryptocurrency addresses of Welcome to Video that they’d pulled from

00:15:17.860 --> 00:15:20.450
Matthew Falder’s computer, I believe.

00:15:20.450 --> 00:15:26.410
So, Jonathan Levin suggested that they just put one of those addresses into Reactor, this

00:15:26.410 --> 00:15:28.990
cryptocurrency tracing tool that Chainalysis sells.

00:15:28.990 --> 00:15:33.200
JACK: So they gathered around a cubicle and the agent gave Levin a Bitcoin address from

00:15:33.200 --> 00:15:37.529
Falder’s computer, which showed that he purchased access to Welcome to Video.

00:15:37.529 --> 00:15:42.880
Levin put the address into Reactor, [MUSIC] and an explosion of nodes and lines were appearing

00:15:42.880 --> 00:15:46.930
all over the screen, showing quite immediately the size of the operation.

00:15:46.930 --> 00:15:52.651
The concept is simple; when Falder became a paying member of Welcome to Video, the wallet

00:15:52.651 --> 00:15:57.370
that he sent money to must be the owner of the site, right?

00:15:57.370 --> 00:16:02.750
If that’s the case, then what other wallets also sent money to the owner of Welcome to

00:16:02.750 --> 00:16:04.080
Video?

00:16:04.080 --> 00:16:09.570
The graph in front of them showed hundreds of wallets sending money to this site.

00:16:09.570 --> 00:16:12.610
ANDY: Levin and this NCA agent were both kind of shocked.

00:16:12.610 --> 00:16:17.500
They could see the entire cluster of all of Welcome to Video’s addresses, at least kind

00:16:17.500 --> 00:16:19.910
of a sketch of them.

00:16:19.910 --> 00:16:24.480
This was just an initial analysis of that whole payment network.

00:16:24.480 --> 00:16:31.839
They could see people buying Bitcoins in cryptocurrency exchanges including in the US, paying them

00:16:31.839 --> 00:16:35.690
sometimes directly into Welcome to Video’s addresses, or sometimes through a few hubs

00:16:35.690 --> 00:16:39.949
on different addresses on the blockchain, but you could still follow the money.

00:16:39.949 --> 00:16:45.970
Then just as importantly, they could see flows of money coming out of Welcome to Video and

00:16:45.970 --> 00:16:52.040
going into just a few cryptocurrency exchanges; two in Korea and one in China.

00:16:52.040 --> 00:16:57.949
JACK: It seemed that many users of the site took no steps at obfuscating or hiding their

00:16:57.949 --> 00:17:02.279
Bitcoin trail, and perhaps not even the site owner, because the owner’s wallet seemed

00:17:02.279 --> 00:17:05.310
to be sending Bitcoin to an exchange to cash out, too.

00:17:05.310 --> 00:17:09.939
While nobody’s names are actually on any of these Bitcoin wallets, all the users bought

00:17:09.939 --> 00:17:14.140
Bitcoin from an exchange, and they had to give their driver’s license to the exchange

00:17:14.140 --> 00:17:16.640
to get money into their wallets to begin with.

00:17:16.640 --> 00:17:22.790
ANDY: All of that meant that if they could follow those trails on the blockchain and

00:17:22.790 --> 00:17:28.560
get a law enforcement agency involved that would send subpoenas to them, then they would

00:17:28.560 --> 00:17:32.570
probably be able to start immediately getting identifying information on these people, because

00:17:32.570 --> 00:17:34.120
that is how this works.

00:17:34.120 --> 00:17:40.210
It’s very difficult to cash out your cryptocurrency for traditional money or buy cryptocurrency

00:17:40.210 --> 00:17:44.730
with that traditional money without giving your identity to one of these exchanges.

00:17:44.730 --> 00:17:48.549
JACK: This is a lot of work, though, creating hundreds of subpoenas.

00:17:48.549 --> 00:17:50.260
That’s a lot of paperwork.

00:17:50.260 --> 00:17:54.410
Then once you have those people’s names, is that enough evidence to arrest someone

00:17:54.410 --> 00:18:00.150
simply because their Bitcoin wallet interacted with the owner of a CSAM site?

00:18:00.150 --> 00:18:04.650
Whoever was going to take this case on was going to be in for quite a ride.

00:18:04.650 --> 00:18:12.240
ANDY: While Jonathan Levin was in the UK on that visit in London with the NCA, these two

00:18:12.240 --> 00:18:17.760
IRS agents, Tigran Gambaryan and Chris Janczewski, were in Bangkok.

00:18:17.760 --> 00:18:25.450
They were kind of supposed to be part of the takedown of AlphaBay, this massive crime market

00:18:25.450 --> 00:18:30.820
for mostly drugs, but also hacking tools and stolen data.

00:18:30.820 --> 00:18:35.020
That’s another story that I tell in the book, how cryptocurrency tracing helped to

00:18:35.020 --> 00:18:40.020
confirm the identity of the administrator of AlphaBay and take down this guy in Bangkok.

00:18:40.020 --> 00:18:47.030
Tigran and Chris, these two IRS investigators, after the takedown of Alexandre Cazes, the

00:18:47.030 --> 00:18:52.890
kingpin of AlphaBay, they were kind of annoyed that they had not been involved.

00:18:52.890 --> 00:18:54.450
They hadn’t been invited to the arrest.

00:18:54.450 --> 00:18:58.690
They hadn’t even been invited to the War Room in the Thai police headquarters where

00:18:58.690 --> 00:19:03.460
people were watching the live stream of the arrest from surveillance footage.

00:19:03.460 --> 00:19:11.090
So, they’re sitting in Suvarnabhumi Airport, the Bangkok airport, and so Tigran, just out

00:19:11.090 --> 00:19:16.760
of boredom, starts calling people to try to figure out what their next case is going to

00:19:16.760 --> 00:19:17.760
be.

00:19:17.760 --> 00:19:23.280
He calls Jonathan Levin at Chainalysis, and Jonathan Levin is like yeah, it’s funny

00:19:23.280 --> 00:19:29.679
that you should ask because I just came across a lead on a massive child sexual abuse materials

00:19:29.679 --> 00:19:36.720
case, and if somebody just pulls these threads and follows the money, I think that you could

00:19:36.720 --> 00:19:41.380
take this whole thing down, and I think that you’re just the two agents to take this

00:19:41.380 --> 00:19:42.380
on.

00:19:42.380 --> 00:19:49.049
JACK: Yeah, but that’s the thing that kinda surprises me, the IRS investigating a criminal

00:19:49.049 --> 00:19:52.070
pedophile website.

00:19:52.070 --> 00:19:54.559
How are they just the two agents to take this down?

00:19:54.559 --> 00:20:00.289
ANDY: Exactly; it’s so – that’s part of what’s so weird about this case and that

00:20:00.289 --> 00:20:05.929
made it so interesting to hear about from the agents who carried it out and the prosecutors,

00:20:05.929 --> 00:20:12.340
because Tigran and Chris and Zia, the – Zia Faruqui, the federal prosecutor who led the

00:20:12.340 --> 00:20:19.670
case in Washington, DC, none of them had ever done a child exploitation case before.

00:20:19.670 --> 00:20:21.890
They were financial investigators.

00:20:21.890 --> 00:20:23.590
They had done money laundering cases.

00:20:23.590 --> 00:20:29.790
Zia Faruqui had done national security cases where they followed the money to find people

00:20:29.790 --> 00:20:33.030
selling weapons to North Korea and stuff like that.

00:20:33.030 --> 00:20:37.400
Tigran and Chris had followed the money, and Tigran actually was this – probably the

00:20:37.400 --> 00:20:40.510
best cryptocurrency tracer in the IRS.

00:20:40.510 --> 00:20:46.520
But none of them had ever dealt with child abuse before, and that was what was weird

00:20:46.520 --> 00:20:51.450
about this case, is that it was a financial investigation, but a financial investigation

00:20:51.450 --> 00:20:59.270
to find and dismantle a child abuse network, which is really rare because as I said, most

00:20:59.270 --> 00:21:06.130
of these dark web child abuse markets don’t have any form of payment and certainly don’t

00:21:06.130 --> 00:21:07.549
use cryptocurrency.

00:21:07.549 --> 00:21:14.710
But Zia Faruqui, I think to his credit, the prosecutor who took on this case, he was like,

00:21:14.710 --> 00:21:15.710
it doesn’t matter.

00:21:15.710 --> 00:21:17.529
[MUSIC] We are going to follow the money.

00:21:17.529 --> 00:21:19.070
We know how to do this.

00:21:19.070 --> 00:21:26.220
We have a fantastic lead here and we’re gonna trace Bitcoins to take down this whole

00:21:26.220 --> 00:21:27.220
network.

00:21:27.220 --> 00:21:32.860
JACK: So the two IRS criminal investigators took the case to take down Welcome to Video.

00:21:32.860 --> 00:21:36.980
You might think that they might be looking for tax evasion or some kind of financial

00:21:36.980 --> 00:21:41.529
crime to bust these people for, but the IRS criminal investigators can really investigate

00:21:41.529 --> 00:21:43.420
just about any federal crime.

00:21:43.420 --> 00:21:49.740
For instance, in 2021, 72% of their cases were tax-related, but 11% were just narcotics-related.

00:21:49.740 --> 00:21:54.940
ANDY: IRS Criminal Investigations, they are a real law enforcement agency.

00:21:54.940 --> 00:21:59.020
They carry guns, they make arrests, they travel around the world extraditing people.

00:21:59.020 --> 00:22:03.330
JACK: In fact, the IRS criminal investigation team even has two cyber-crime units.

00:22:03.330 --> 00:22:06.860
So, the case got opened on Welcome to Video, but where do you start?

00:22:06.860 --> 00:22:11.260
Well, like any case, you should get to know the situation and learn exactly what’s happening

00:22:11.260 --> 00:22:12.260
on the site.

00:22:12.260 --> 00:22:17.670
The two agents opened up a Tor browser and navigated to Welcome to Video’s darknet

00:22:17.670 --> 00:22:18.830
site.

00:22:18.830 --> 00:22:22.830
You can’t see anything unless you make a membership, so they signed up with just a

00:22:22.830 --> 00:22:27.750
free account though, and they were greeted with a search box that was misspelled.

00:22:27.750 --> 00:22:31.520
ANDY: [MUSIC] They’re completely unprepared for this.

00:22:31.520 --> 00:22:36.610
Like I said, they have never dealt with a child sexual abuse materials case before.

00:22:36.610 --> 00:22:41.950
They’re not actually allowed to download videos because they’re not undercover agents,

00:22:41.950 --> 00:22:47.110
but they nonetheless are allowed – not that they really wanted to, but they just begin

00:22:47.110 --> 00:22:53.049
by looking at the thumbnails on the homepage and they can see just this endless scroll

00:22:53.049 --> 00:22:59.029
of thumbnails showing the rape and abuse of children.

00:22:59.029 --> 00:23:08.630
I should say that I think a lot of people think of these sites as being full of just

00:23:08.630 --> 00:23:10.850
sexual videos of pre-teens or something.

00:23:10.850 --> 00:23:16.169
I don’t know, not to say that that’s okay, but that the children on these sites are like,

00:23:16.169 --> 00:23:17.929
fifteen or sixteen.

00:23:17.929 --> 00:23:22.040
But it becomes immediately apparent to these agents – they can see actually – two of

00:23:22.040 --> 00:23:25.250
the most commonly searched terms are one-year-old and two-year-old.

00:23:25.250 --> 00:23:31.070
They’re horrified to see these thumbnails too, the abuse of these children.

00:23:31.070 --> 00:23:36.299
These are, in many cases, infants and toddlers – I’m sorry to even say this out loud;

00:23:36.299 --> 00:23:41.140
it’s not fun to talk about – that are being abused in these videos.

00:23:41.140 --> 00:23:48.600
They are – they’ve just been thrown into the deep end of the CSAM cesspool, basically.

00:23:48.600 --> 00:23:54.000
JACK: Gosh, where do you even begin here?

00:23:54.000 --> 00:23:57.000
Just imagine you’re a federal agent and you’ve just opened the door to a room and

00:23:57.000 --> 00:24:02.450
found hundreds of people committing crimes everywhere you look; rape, child abuse, and

00:24:02.450 --> 00:24:04.700
people buying and selling it.

00:24:04.700 --> 00:24:06.110
Who do you arrest first?

00:24:06.110 --> 00:24:12.350
ANDY: The real crimes that are happening are the hands-on abuse and recording of abuse

00:24:12.350 --> 00:24:14.840
of children by people around the world.

00:24:14.840 --> 00:24:21.760
That is just as serious a crime, and in fact, there are kids’ lives at stake not at the

00:24:21.760 --> 00:24:25.670
center of this network, but all along the edges of it.

00:24:25.670 --> 00:24:28.309
That is a much, much more complicated case to take on.

00:24:28.309 --> 00:24:32.610
JACK: They saw the Bitcoin wallets all these users were sending money to.

00:24:32.610 --> 00:24:35.380
This probably was the site owner or admin.

00:24:35.380 --> 00:24:39.460
So, they issued a subpoena to the Bitcoin exchange that the site owner was cashing out

00:24:39.460 --> 00:24:40.460
at.

00:24:40.460 --> 00:24:43.630
ANDY: They also could see that it wasn’t going to be enough to go to a computer at

00:24:43.630 --> 00:24:46.820
the center of this network and take down this market.

00:24:46.820 --> 00:24:52.750
They were going to have to find the actual users of this site, and that is hundreds of

00:24:52.750 --> 00:24:53.750
times more complicated.

00:24:53.750 --> 00:24:59.059
JACK: So using the Chainalysis Reactor tool, they were trying to get information on the

00:24:59.059 --> 00:25:00.210
users of the site.

00:25:00.210 --> 00:25:05.000
Their theory was, if they know the Bitcoin wallet for Welcome to Video, what wallets

00:25:05.000 --> 00:25:09.149
are sending money to this wallet, and are those paying members of the site?

00:25:09.149 --> 00:25:10.700
So, they traced the money.

00:25:10.700 --> 00:25:16.190
If Wallet A was the site owner and Wallet B sent money to it, where did Wallet B get

00:25:16.190 --> 00:25:17.250
that money?

00:25:17.250 --> 00:25:18.970
From a Bitcoin exchange.

00:25:18.970 --> 00:25:23.940
So, a few more subpoenas were issued to exchanges for what they thought could be users of the

00:25:23.940 --> 00:25:24.940
site.

00:25:24.940 --> 00:25:31.260
ANDY: But not only that; Tigran, very early on, started to just kind of scour the site

00:25:31.260 --> 00:25:37.840
for other security mistakes that might have been made in its coding and might reveal something.

00:25:37.840 --> 00:25:43.700
This is kind of incredible, but he just [MUSIC] I think right-clicked the website and hit

00:25:43.700 --> 00:25:50.130
View Source, and amazingly just began to see all these IP addresses for those thumbnails

00:25:50.130 --> 00:25:51.130
on the homepage.

00:25:51.130 --> 00:25:55.410
JACK: Oh, that’s a big mistake for the site owner.

00:25:55.410 --> 00:26:01.270
This website was on Tor, the darknet, and when a website is on Tor, its IP addresses

00:26:01.270 --> 00:26:02.270
are hidden.

00:26:02.270 --> 00:26:05.620
You have absolutely no idea where in the world that website is hosted.

00:26:05.620 --> 00:26:07.350
That’s the point of Tor.

00:26:07.350 --> 00:26:13.419
But when this agent examined the code on the website, the thumbnail images weren’t hidden.

00:26:13.419 --> 00:26:14.419
They weren’t on Tor.

00:26:14.419 --> 00:26:17.659
They were just being served on the plain, old internet.

00:26:17.659 --> 00:26:22.530
This could potentially lead them right to the front door of where this site is hosted.

00:26:22.530 --> 00:26:28.029
ANDY: He immediately did a traceroute and saw that these images were sourced from a

00:26:28.029 --> 00:26:32.910
computer in South Korea, and – in a residential IP address.

00:26:32.910 --> 00:26:38.030
So, amazingly, all of these thumbnail images seemed to be on a computer in somebody’s

00:26:38.030 --> 00:26:40.440
home in Korea.

00:26:40.440 --> 00:26:45.299
He actually just started laughing ’cause he could not believe what a dumb mistake this

00:26:45.299 --> 00:26:46.299
was.

00:26:46.299 --> 00:26:49.150
JACK: Soon enough, the subpoena for the admin wallet came back.

00:26:49.150 --> 00:26:53.790
He investigated, hoping that this would reveal who owned Welcome to Video.

00:26:53.790 --> 00:26:57.220
ANDY: Well, the first thing that they could see – and they could see this actually before

00:26:57.220 --> 00:27:01.930
they even got the results of their subpoena – was that there was no way to take your

00:27:01.930 --> 00:27:03.810
money out of Welcome to Video.

00:27:03.810 --> 00:27:11.030
Once you paid in, once you paid for a membership, essentially, there was no – you couldn’t

00:27:11.030 --> 00:27:14.160
get a refund or something.

00:27:14.160 --> 00:27:18.210
Nobody else was like – it wasn’t like the Silk Road where people were selling stuff

00:27:18.210 --> 00:27:21.460
on Welcome to Video other than the administrators of the site.

00:27:21.460 --> 00:27:26.020
So, all the money that was coming out of the Welcome to Video network, or – it’s the

00:27:26.020 --> 00:27:31.470
cluster on the blockchain; all of the money coming out must belong to the administrators

00:27:31.470 --> 00:27:32.470
of the site.

00:27:32.470 --> 00:27:33.470
They realized that right away.

00:27:33.470 --> 00:27:39.680
So, they traced that money to these two exchanges in Korea and one in China, and started to

00:27:39.680 --> 00:27:42.230
get the subpoena results for those.

00:27:42.230 --> 00:27:46.800
I think a little bit of it had gone through a US exchange too, and they got that one first.

00:27:46.800 --> 00:27:53.990
It showed the identifying information for this older Korean man near Seoul in South

00:27:53.990 --> 00:27:55.170
Korea.

00:27:55.170 --> 00:27:59.400
But Chris Janczewski, he was the one who received that – the results of that subpoena first,

00:27:59.400 --> 00:28:04.070
and he was immediately kind of weirded out by this because this was an older guy and

00:28:04.070 --> 00:28:08.940
he had really dirty hands, like he was some sort of agricultural worker or something.

00:28:08.940 --> 00:28:15.930
He didn’t seem like somebody – the kind of, whatever, basement-dwelling, hands-on-a-keyboard

00:28:15.930 --> 00:28:19.520
guy who would be running a dark web market.

00:28:19.520 --> 00:28:25.470
Then as they got more of the information back, they began to see that there was this other

00:28:25.470 --> 00:28:32.539
guy who was much younger, had the same last name as the older guy; his name was Son Jung-woo.

00:28:32.539 --> 00:28:35.130
JACK: [MUSIC] Son Jung-woo.

00:28:35.130 --> 00:28:39.200
They’ve got a name, and they looked closer at this guy.

00:28:39.200 --> 00:28:44.230
He was twenty-one years old living in South Korea, and he had the same last name as that

00:28:44.230 --> 00:28:46.210
other guy, the guy with the dirty fingernails.

00:28:46.210 --> 00:28:49.750
They looked into it, and this was the son of that older guy.

00:28:49.750 --> 00:28:54.880
Son Jung-woo also lived in the same city where the IP address resolved for the images on

00:28:54.880 --> 00:28:56.220
the site.

00:28:56.220 --> 00:29:00.850
As the investigators looked at him more, they connected enough dots for them to believe

00:29:00.850 --> 00:29:07.350
Son Jung-woo was the admin and owner of the dark web site Welcome to Video.

00:29:07.350 --> 00:29:09.080
They found their guy.

00:29:09.080 --> 00:29:11.799
ANDY: You might think that that is case closed.

00:29:11.799 --> 00:29:13.000
They’ve got their guy.

00:29:13.000 --> 00:29:14.740
He’s in South Korea.

00:29:14.740 --> 00:29:20.250
He’s in this town just a couple hours south of Seoul.

00:29:20.250 --> 00:29:23.789
But then they started to get the results from all their other subpoenas.

00:29:23.789 --> 00:29:31.950
These are the users of the site, like uploaders, downloaders, hands-on abusers of children,

00:29:31.950 --> 00:29:34.039
like people creating these videos.

00:29:34.039 --> 00:29:39.090
They start to see that the users they’re identifying – and these are hundreds of

00:29:39.090 --> 00:29:40.090
men.

00:29:40.090 --> 00:29:41.960
I mean, they’re almost all men, of course.

00:29:41.960 --> 00:29:48.450
They include a vice principal of a high school in Georgia and an actual Homeland Security

00:29:48.450 --> 00:29:49.769
Investigations agent.

00:29:49.769 --> 00:29:53.620
By this time, IRS had actually partnered with Homeland Security because they didn’t have

00:29:53.620 --> 00:29:56.820
the manpower to do this massive investigation.

00:29:56.820 --> 00:30:01.890
So, immediately they’re in this awkward situation where they see that one of their

00:30:01.890 --> 00:30:05.120
own, a federal agent, is one of the users of this site.

00:30:05.120 --> 00:30:10.450
But that also – the administrator of a high school and a federal agent, these are people

00:30:10.450 --> 00:30:15.180
in positions of power and potentially with access to children.

00:30:15.180 --> 00:30:20.809
So, they start to realize that their first priority cannot be to go after the server

00:30:20.809 --> 00:30:23.660
or go after Son Jung-woo in South Korea.

00:30:23.660 --> 00:30:29.160
They have to try to find these especially sensitive cases, the users of the site who

00:30:29.160 --> 00:30:30.640
might have access to kids.

00:30:30.640 --> 00:30:36.020
They have an ethical responsibility to go find them first and arrest them or charge

00:30:36.020 --> 00:30:39.450
them or whatever, stop them from potentially abusing kids.

00:30:39.450 --> 00:30:45.640
JACK: One of the subpoenas came back for a guy right in Washington DC, where the IRS

00:30:45.640 --> 00:30:46.669
investigators were based.

00:30:46.669 --> 00:30:50.840
ANDY: It was really important to them to realize that there was a user of Welcome to Video

00:30:50.840 --> 00:30:51.840
in Washington, DC.

00:30:51.840 --> 00:30:56.950
In fact, this guy lived just down the block from the prosecutor’s office where a lot

00:30:56.950 --> 00:30:58.830
of this work was happening.

00:30:58.830 --> 00:31:03.360
One of the prosecutors had actually just moved out of this building where this guy lived,

00:31:03.360 --> 00:31:04.360
amazingly.

00:31:04.360 --> 00:31:07.650
It was really just a few blocks away.

00:31:07.650 --> 00:31:11.970
That was important – I mean, it was not just a weird coincidence, but it was important

00:31:11.970 --> 00:31:15.669
because it meant that if they could prove that this guy had used Welcome to Video, that

00:31:15.669 --> 00:31:18.290
would allow them to charge the whole case in their jurisdiction.

00:31:18.290 --> 00:31:22.539
This is one of the weirdnesses of law enforcement that we don’t think about a lot, but they

00:31:22.539 --> 00:31:29.630
have to prove that one of the criminal suspects in the case, at least, is located in their

00:31:29.630 --> 00:31:32.820
jurisdiction to take on this case in Washington, DC.

00:31:32.820 --> 00:31:36.179
JACK: So, they decided to make this guy their test case.

00:31:36.179 --> 00:31:39.230
He’s suspected to be a user of Welcome to Video.

00:31:39.230 --> 00:31:42.059
Now it’s time to see if that’s true and arrest him if it was.

00:31:42.059 --> 00:31:44.160
So, they look up who this guy was.

00:31:44.160 --> 00:31:48.730
[MUSIC] He was a former congressional aide, and now he’s a high-level executive for

00:31:48.730 --> 00:31:51.110
an environmental group in DC.

00:31:51.110 --> 00:31:55.880
ANDY: So, they’re worried that this guy might make a stink and go to the press or

00:31:55.880 --> 00:32:01.460
try to blow the lid off of their still-undercover covert investigation.

00:32:01.460 --> 00:32:04.529
But they decide that they have to do it anyway, that they have to go after this guy as the

00:32:04.529 --> 00:32:05.760
first step in their case.

00:32:05.760 --> 00:32:10.130
So, in the midst of this, they also see that – they find this guy’s social media profiles

00:32:10.130 --> 00:32:16.679
and they see that he’s gone quiet just recently, just in the last week or two, and they figure

00:32:16.679 --> 00:32:22.260
out by pulling his flight records that he’s gone to the Philippines, which they suspect

00:32:22.260 --> 00:32:28.390
might – the Philippines, sadly, is a place where a lot of child abuse and sex tourism

00:32:28.390 --> 00:32:30.250
happens.

00:32:30.250 --> 00:32:36.149
But they also realize that that will allow them, when this guy flies back to the US – again,

00:32:36.149 --> 00:32:43.160
for better or worse, there is this carve-out in American civil liberties that I find pretty

00:32:43.160 --> 00:32:48.610
appalling normally, which is that Customs and Border Protection can just pull you aside

00:32:48.610 --> 00:32:54.340
at the airport and hold you as long as they want, practically.

00:32:54.340 --> 00:33:00.299
Your rights just don’t apply somehow at the border in that way, which is kind of sickening.

00:33:00.299 --> 00:33:04.430
But in this case – sorry, this doesn’t – that was an aside, but in this case, it

00:33:04.430 --> 00:33:08.080
meant that they could detain this guy when he flew back from the Philippines.

00:33:08.080 --> 00:33:12.380
JACK: So they figure out when he’s coming back and what his route is.

00:33:12.380 --> 00:33:17.590
He was flying back home through Detroit, and the IRS federal agents were able to get Border

00:33:17.590 --> 00:33:22.200
Patrol to pull him aside in Detroit and seize his devices.

00:33:22.200 --> 00:33:24.160
They made him turn over his phone and computer.

00:33:24.160 --> 00:33:28.700
Of course he protested, but the Border Patrol told him that he’s being investigated for

00:33:28.700 --> 00:33:30.160
child sexual abuse material.

00:33:30.160 --> 00:33:34.529
So they took his devices and let him fly home to DC.

00:33:34.529 --> 00:33:37.340
Border Patrol began looking through his devices.

00:33:37.340 --> 00:33:44.320
ANDY: CBP, not long after this, told the investigators in DC that they had managed to access the

00:33:44.320 --> 00:33:46.570
storage of those devices.

00:33:46.570 --> 00:33:49.029
Some of it was encrypted; some of it was not.

00:33:49.029 --> 00:33:55.700
They found child sexual abuse videos, they found actual surreptitiously-recorded videos

00:33:55.700 --> 00:33:58.080
of adults having sex as well.

00:33:58.080 --> 00:34:01.970
So, they knew that this test case had actually come back positive.

00:34:01.970 --> 00:34:08.579
The next day – this is just a bizarre twist in the case – one of the prosecutors involved

00:34:08.579 --> 00:34:13.690
in the Welcome to Video investigation got an e-mail from the management of her old building.

00:34:13.690 --> 00:34:17.419
She no longer lived there, but she was still on the mailing list.

00:34:17.419 --> 00:34:23.629
It said that the – that tragically, someone had committed suicide in the building and

00:34:23.629 --> 00:34:34.240
had jumped from – I think the 11th floor, and their body was on the sidewalk and therefore,

00:34:34.240 --> 00:34:37.929
the parking garage was closed.

00:34:37.929 --> 00:34:46.679
This was – I mean, it’s a bizarre e-mail to get, but she immediately realized that

00:34:46.679 --> 00:34:53.570
this was their suspect, and Chris Janczewski and Tigran Gambaryan drove over to the building

00:34:53.570 --> 00:34:57.940
right away and talked to the management and figured out that yes, this was their test

00:34:57.940 --> 00:34:58.940
case.

00:34:58.940 --> 00:35:04.550
This was their guy, and he had just committed suicide.

00:35:04.550 --> 00:35:09.400
Chris Janczewski and Tigran went to this guy’s apartment – as you do in a case like this

00:35:09.400 --> 00:35:18.610
– to just look for evidence, and they could see the patch of wetness on the sidewalk eleven

00:35:18.610 --> 00:35:20.990
stories down, looking out from the balcony.

00:35:20.990 --> 00:35:24.770
They could see the half-eaten pizza on the table.

00:35:24.770 --> 00:35:28.030
This is, you would think, kind of when it hit home.

00:35:28.030 --> 00:35:31.829
But I think that the fact that the guy had killed himself just drove home for all of

00:35:31.829 --> 00:35:38.020
them the gravity of what they were doing, that the human impact of this case was going

00:35:38.020 --> 00:35:43.931
to be enormous, that people’s lives truly were at stake, and not just kids, but it is

00:35:43.931 --> 00:35:46.240
just a life-and-death scenario.

00:35:46.240 --> 00:35:51.760
I mean, this is more impactful, in a way, than taking down a dark web drug market or

00:35:51.760 --> 00:35:54.680
a hacking conspiracy or something.

00:35:54.680 --> 00:36:01.630
This is a crime where in some cases, the conviction is worse than death.

00:36:01.630 --> 00:36:07.089
But I think it speaks to the trauma that they had already experienced in investigating this

00:36:07.089 --> 00:36:12.240
case, that they had no sympathy for this guy.

00:36:12.240 --> 00:36:16.550
I think that the investigators in part were like, we just need to focus on the victims

00:36:16.550 --> 00:36:17.550
here.

00:36:17.550 --> 00:36:21.420
There are real victims that we need to actually help in this case.

00:36:21.420 --> 00:36:28.570
But they also had come face-to-face, by this point, with hours of these videos.

00:36:28.570 --> 00:36:34.120
Chris Janczewski was actually the one who eventually was assigned to watch these videos

00:36:34.120 --> 00:36:39.319
to be able to write the affidavit for whatever charging documents they would come up with.

00:36:39.319 --> 00:36:48.480
So, in this Clockwork Orange way, he was forced to watch hours and hours of child rape, and

00:36:48.480 --> 00:36:54.640
after that, I think he had very little sympathy for the defendant, and his immediate thought

00:36:54.640 --> 00:37:00.090
was well, there’s one less case where I have to do the paperwork.

00:37:00.090 --> 00:37:03.740
I have hundreds more of these guys to go after, so, all the better.

00:37:03.740 --> 00:37:04.940
Let’s move on.

00:37:04.940 --> 00:37:06.940
JACK: This is getting heavy.

00:37:06.940 --> 00:37:09.670
I think we’ll take a short break here.

00:37:09.670 --> 00:37:11.849
Be right back.

00:37:11.849 --> 00:37:17.430
The criminal investigators at the IRS kept going with their investigation, looking for

00:37:17.430 --> 00:37:20.579
more users of the site that were in the US.

00:37:20.579 --> 00:37:24.660
They had issued subpoenas to crypto-exchanges and were getting details back about potential

00:37:24.660 --> 00:37:25.660
users of the site.

00:37:25.660 --> 00:37:33.760
ANDY: The next guy on their list was this assistant principal outside of Atlanta, in

00:37:33.760 --> 00:37:34.760
Georgia.

00:37:34.760 --> 00:37:38.599
This was the case for – at least as Chris described it to me, he – Chris Janczewski

00:37:38.599 --> 00:37:43.170
was the one who flew down to Georgia and, with the Homeland Security agents in that

00:37:43.170 --> 00:37:51.690
area, knocked on this guy’s door, executed a search warrant, swarmed his house with agents,

00:37:51.690 --> 00:37:53.369
seized all of his computers.

00:37:53.369 --> 00:37:58.369
But this was a guy who had a family and they had to separate his kids, put them in one

00:37:58.369 --> 00:38:02.069
room, put his wife in another and question her.

00:38:02.069 --> 00:38:08.930
They questioned this man who was an administrator at a school in another room, and for Chris,

00:38:08.930 --> 00:38:14.061
who was kind of like – he was not the one executing the warrant; he was the IRS agent

00:38:14.061 --> 00:38:19.990
who was leading the case, basically, so he was kind of standing there in the eye of this

00:38:19.990 --> 00:38:22.089
storm of activity.

00:38:22.089 --> 00:38:26.160
This was the moment that it hit home for him, even after that – the earlier suicide, that

00:38:26.160 --> 00:38:31.940
– what this meant for people’s lives, that they were essentially destroying this

00:38:31.940 --> 00:38:38.329
guy’s life by doing this to him and doing it in front of his family.

00:38:38.329 --> 00:38:44.119
He had this moment where he was like, I really hope that this cryptocurrency tracing thing

00:38:44.119 --> 00:38:48.790
works and that we’re – and that we are getting the right people here.

00:38:48.790 --> 00:38:53.720
JACK: Because, remember, the only evidence they had on these people was that they sent

00:38:53.720 --> 00:38:55.839
Bitcoin to the owner of the site.

00:38:55.839 --> 00:39:01.550
It’s really wild to simply start raiding people’s homes just because they sent money

00:39:01.550 --> 00:39:03.109
to another Bitcoin wallet.

00:39:03.109 --> 00:39:06.090
Is that really enough evidence?

00:39:06.090 --> 00:39:10.610
What if someone else stole that guy’s Bitcoin wallet and it was someone else who sent that

00:39:10.610 --> 00:39:11.610
money?

00:39:11.610 --> 00:39:15.510
What if the guy in South Korea just had some side business and was selling some totally

00:39:15.510 --> 00:39:19.591
normal web page design or something like that and he was just using the same Bitcoin wallet

00:39:19.591 --> 00:39:21.480
for both sites?

00:39:21.480 --> 00:39:25.870
It would be really bad for the investigators to put a whole family through this ordeal

00:39:25.870 --> 00:39:28.470
if he isn’t actually a pedophile.

00:39:28.470 --> 00:39:32.319
But this risk was worth taking to the criminal investigators.

00:39:32.319 --> 00:39:39.550
ANDY: But that guy then was taken in for questioning, [MUSIC] admitted eventually to inappropriate

00:39:39.550 --> 00:39:45.890
touching of kids at his school and was eventually charged with sexual assault, not just possessing

00:39:45.890 --> 00:39:49.220
child sexual abuse materials, but sexual assault.

00:39:49.220 --> 00:39:54.310
They were right that this was a high-priority case.

00:39:54.310 --> 00:40:01.240
They had followed his cryptocurrency payments and it really had identified an abuser of

00:40:01.240 --> 00:40:02.240
kids.

00:40:02.240 --> 00:40:05.820
JACK: At least, that’s what the agents and prosecutors told Andy about this guy.

00:40:05.820 --> 00:40:09.839
I do know he lost his job over this and was facing numerous felony accusations.

00:40:09.839 --> 00:40:16.160
ANDY: The important thing was that within hours, this moment of doubt that Chris Janczewski

00:40:16.160 --> 00:40:21.650
had was dispelled, that they knew that this guy – this was another test case that had

00:40:21.650 --> 00:40:23.150
come back positive.

00:40:23.150 --> 00:40:26.000
The blockchain had not lied.

00:40:26.000 --> 00:40:34.500
They had once again identified a real case of sexual exploitation of kids through cryptocurrency

00:40:34.500 --> 00:40:35.640
tracing alone.

00:40:35.640 --> 00:40:41.270
So, in the midst of this, they – at the same time, this investigative group, these

00:40:41.270 --> 00:40:46.880
IRS agents and prosecutors were also continuing to scour everything happening on Welcome to

00:40:46.880 --> 00:40:47.880
Video.

00:40:47.880 --> 00:40:51.810
The site was still online and there was a chat function on the site, like a kind of

00:40:51.810 --> 00:40:56.560
discussion in real time on Welcome to Video, too.

00:40:56.560 --> 00:41:03.430
They began to see – to notice that there were these messages that would appear periodically

00:41:03.430 --> 00:41:06.390
that seemed to be from a kind of Help Desk administrator, almost.

00:41:06.390 --> 00:41:11.810
Like, if you have a problem, e-mail me here and I can help.

00:41:11.810 --> 00:41:19.130
[MUSIC] So, they started to ask themselves, is this another moderator or even administrator,

00:41:19.130 --> 00:41:24.099
another creator of Welcome to Video that they needed to track down?

00:41:24.099 --> 00:41:27.910
Is this Son Jung-woo, the guy in Korea, or is it someone else, even?

00:41:27.910 --> 00:41:34.450
So, Chris Janczewski and this contractor who worked with the agents – his name was Aaron

00:41:34.450 --> 00:41:42.530
Bice; they tried to figure out, based on the e-mail address, who this was.

00:41:42.530 --> 00:41:46.150
JACK: They did some pretty incredible investigative work for this one.

00:41:46.150 --> 00:41:49.780
The e-mail was on a Tor-protected e-mail service, so that was no help.

00:41:49.780 --> 00:41:54.589
But they were able to find a similar e-mail address as a user of a popular Bitcoin exchange

00:41:54.589 --> 00:41:55.680
called BTC-e.

00:41:55.680 --> 00:42:00.200
Or, at least BTC-e used to be a popular Bitcoin exchange.

00:42:00.200 --> 00:42:05.110
It was taken down by US authorities because of the money laundering that was going on

00:42:05.110 --> 00:42:10.890
there, which meant the US authorities had all the logs and data from that Bitcoin exchange,

00:42:10.890 --> 00:42:14.170
and a very similar e-mail address was registered to that exchange.

00:42:14.170 --> 00:42:19.339
The user had logged into the exchange ten times to access their Bitcoin there, but this

00:42:19.339 --> 00:42:23.600
exchange didn’t have user information other than the IP address that the user logged in

00:42:23.600 --> 00:42:24.600
from.

00:42:24.600 --> 00:42:28.850
So, the investigators looked at the IP addresses that logged into this account, and every single

00:42:28.850 --> 00:42:32.650
IP they looked up came back to a VPN service.

00:42:32.650 --> 00:42:34.680
This was a dead end for them.

00:42:34.680 --> 00:42:41.740
But the last IP they looked up came from a residential address in the US, not a VPN.

00:42:41.740 --> 00:42:43.520
This must have been a mistake by the user.

00:42:43.520 --> 00:42:47.230
ANDY: So, they did a traceroute on that IP address and found that it was in Texas.

00:42:47.230 --> 00:42:50.500
It was clearly not Son Jung-woo.

00:42:50.500 --> 00:42:54.349
It seemed kind of unlikely, even, that somebody in Texas was working with Son Jung-woo.

00:42:54.349 --> 00:42:58.960
JACK: The investigators were able to gather more information about who this person was,

00:42:58.960 --> 00:43:02.190
and they eventually were able to get a name and address of this person.

00:43:02.190 --> 00:43:07.280
ANDY: It turned out to be a Border Patrol agent, another federal agent, [MUSIC] who

00:43:07.280 --> 00:43:11.380
was based in this Texas town near the border.

00:43:11.380 --> 00:43:13.850
JACK: A Border Patrol agent.

00:43:13.850 --> 00:43:20.369
When a person in authority is committing crimes like this, it feels more awful because they

00:43:20.369 --> 00:43:23.350
have a type of power and trust that they’re abusing.

00:43:23.350 --> 00:43:28.440
ANDY: So, now they’ve got this guy of interest who was sending these weird messages on Welcome

00:43:28.440 --> 00:43:31.960
to Video, who seems to be a kind of moderator or a Help Desk person on the site.

00:43:31.960 --> 00:43:35.930
But then they also check his account on Welcome to Video and they see that he’s uploaded

00:43:35.930 --> 00:43:43.250
real child sexual abuse videos, and as they piece together the picture of who this Border

00:43:43.250 --> 00:43:49.340
Patrol agent is, they also see a GoFundMe where he’s raising money to adopt a daughter,

00:43:49.340 --> 00:43:55.300
to adopt his actual – his partner’s daughter as his own step-daughter.

00:43:55.300 --> 00:43:59.440
Chris Janczewski’s painstakingly watched all the videos uploaded by this Border Patrol

00:43:59.440 --> 00:44:08.140
agent and he recognizes this red flannel shirt that the girl is wearing in one of the abuse

00:44:08.140 --> 00:44:14.390
videos, and he spots it also in one of the photos on the GoFundMe page, that this is

00:44:14.390 --> 00:44:21.510
exactly the same girl, and this Border Patrol agent is essentially abusing his own step-daughter

00:44:21.510 --> 00:44:25.740
and uploading the recordings of it to thousands of men around the world.

00:44:25.740 --> 00:44:32.051
JACK: To make that connection for the investigators must have felt like a punch in the gut.

00:44:32.051 --> 00:44:36.420
But at the same time, what an opportunity to rescue this girl from this monster.

00:44:36.420 --> 00:44:42.390
ANDY: But in this particular case now, Chris knew that every moment that he was not taking

00:44:42.390 --> 00:44:47.579
down this Border Patrol agent, this girl might be abused again.

00:44:47.579 --> 00:44:55.040
JACK: Yeah, so briefly walk me through what they need to do to either, I don’t know,

00:44:55.040 --> 00:44:56.490
go arrest him or whatever.

00:44:56.490 --> 00:45:00.480
They need to call the local police, they need to call another assistant – like, I don’t

00:45:00.480 --> 00:45:02.990
think the IRS is gonna just show up by themselves, right?

00:45:02.990 --> 00:45:09.020
ANDY: I think in this case, IRS had partnered with Homeland Security because that – because

00:45:09.020 --> 00:45:13.349
Homeland Security Investigations has a lot more manpower and it is the one that very

00:45:13.349 --> 00:45:16.860
often does take on child exploitation cases.

00:45:16.860 --> 00:45:18.530
Not IRS, obviously.

00:45:18.530 --> 00:45:22.530
But in this case, because they were arresting somebody who was part of Border Patrol, which

00:45:22.530 --> 00:45:27.770
is part of DHS, HSI actually had to bring in the FBI, too, I believe, and local law

00:45:27.770 --> 00:45:33.090
enforcement, if I remember correctly, who all kind of were there to make sure there

00:45:33.090 --> 00:45:35.010
was no conflict of interest or anything.

00:45:35.010 --> 00:45:42.020
But Chris Janczewski, too, flew down to Texas with one of the HSI agents on the case, and

00:45:42.020 --> 00:45:46.950
they stopped this Border Patrol agent on his way home from work, took him to a hotel, and

00:45:46.950 --> 00:45:54.050
interrogated him while Chris went to his house [MUSIC] and searched it and found exactly

00:45:54.050 --> 00:45:58.359
the room where he had, in fact, filmed his own abuse of his step-daughter.

00:45:58.359 --> 00:46:00.030
He could recognize it from the videos.

00:46:00.030 --> 00:46:06.809
To him it felt like he’d kind of fallen through the screen of his computer into the

00:46:06.809 --> 00:46:09.010
scene of some horror movie that he had watched.

00:46:09.010 --> 00:46:14.140
JACK: So, you’ve got to move fast to get a warrant – a search warrant to go through

00:46:14.140 --> 00:46:15.140
someone’s house.

00:46:15.140 --> 00:46:21.050
ANDY: Exactly, so with – it was ten days after the results of – Chris’ subpoena

00:46:21.050 --> 00:46:26.640
came back that he arrested this guy, and he barely went home or saw his family during

00:46:26.640 --> 00:46:27.640
that time.

00:46:27.640 --> 00:46:32.369
I think that it had become so real for him that he was haunted by this notion that every

00:46:32.369 --> 00:46:39.609
moment he was not working to get this guy separated from his victim was a moment a child

00:46:39.609 --> 00:46:41.210
could be raped again.

00:46:41.210 --> 00:46:45.369
Not to – I’m sorry to say these things out loud, but that is the truth.

00:46:45.369 --> 00:46:52.480
So, the entire team, but especially Chris, just truly raced to get this guy arrested

00:46:52.480 --> 00:46:59.650
and to have – and the girl was, in fact, separated from him, brought to a safe place.

00:46:59.650 --> 00:47:05.930
They brought with them on this search somebody who was experienced in speaking to child victims,

00:47:05.930 --> 00:47:13.780
and that agent did interview the girl who then – yes, she opened up and eventually

00:47:13.780 --> 00:47:16.400
talked about the abuse that she had experienced.

00:47:16.400 --> 00:47:21.830
JACK: Man, thinking about the victims here really is another punch in the gut for me.

00:47:21.830 --> 00:47:28.290
This kid suffered so much trauma, and it could take a lifetime for her to heal from all this.

00:47:28.290 --> 00:47:32.760
Abusers sometimes go through great lengths to keep all this quiet, like threatening the

00:47:32.760 --> 00:47:36.680
kid or gas-lighting them and saying no, that didn’t happen; that was just a dream you

00:47:36.680 --> 00:47:37.680
had.

00:47:37.680 --> 00:47:41.000
ANDY: [MUSIC] So they proved, yes, that this guy was a hands-on abuser of children, of

00:47:41.000 --> 00:47:42.010
his own step-daughter.

00:47:42.010 --> 00:47:46.940
JACK: Well, these are the allegations made by the agents and prosecutors in the case.

00:47:46.940 --> 00:47:49.020
This guy has not been convicted of anything yet.

00:47:49.020 --> 00:47:53.470
ANDY: But they also, in interrogating him, found that he was not, by any means, the administrator

00:47:53.470 --> 00:47:55.180
or moderator of the site.

00:47:55.180 --> 00:48:00.880
He was actually just phishing people, essentially, on Welcome to Video, pretending to be a moderator

00:48:00.880 --> 00:48:05.010
and then stealing their – using that to steal their credentials and log into the site

00:48:05.010 --> 00:48:14.500
as them and get access to their cache of child sexual abuse videos, just as a way to save

00:48:14.500 --> 00:48:15.500
money, basically.

00:48:15.500 --> 00:48:23.430
As petty as that sounds, he was just exploiting these exploiters and trying to get access

00:48:23.430 --> 00:48:27.099
to more videos without paying for them.

00:48:27.099 --> 00:48:30.850
But when they took him down, it was this big disappointment because they thought maybe

00:48:30.850 --> 00:48:35.940
that they had found another kingpin or moderator of this site, at least, and he was none of

00:48:35.940 --> 00:48:36.940
the above.

00:48:36.940 --> 00:48:45.180
He was just one of the hundreds of men who were using the site.

00:48:45.180 --> 00:48:50.059
As Chris was flying back to DC, he had taken down this guy, but he also knew that the guy’s

00:48:50.059 --> 00:48:56.849
videos were still up on Welcome to Video and were being watched by the whole crowd of thousands

00:48:56.849 --> 00:48:58.300
of other men using this site.

00:48:58.300 --> 00:49:01.170
JACK: So, they decided this site has been up long enough.

00:49:01.170 --> 00:49:02.850
It really needs to be shut down.

00:49:02.850 --> 00:49:06.350
They’ve proven their case is very severe and the longer it stays up, the more abuse

00:49:06.350 --> 00:49:07.840
will continue to happen.

00:49:07.840 --> 00:49:12.490
So the IRS criminal investigators decided it was time to head to South Korea and arrest

00:49:12.490 --> 00:49:14.599
the site admin, Son Jung-woo.

00:49:14.599 --> 00:49:21.760
ANDY: [MUSIC] But they needed the actual Korean police, the Korean National Police Agency,

00:49:21.760 --> 00:49:23.380
the KNPA, to actually carry out this arrest.

00:49:23.380 --> 00:49:26.740
They can’t just fly to Korea and start arresting people.

00:49:26.740 --> 00:49:32.589
They had to actually get him extradited from South Korea, and that actually is pretty hard,

00:49:32.589 --> 00:49:33.589
it turns out.

00:49:33.589 --> 00:49:39.170
South Korea, I only sort of learned in my reporting on this case, is not the easiest

00:49:39.170 --> 00:49:41.750
place to get international cooperation.

00:49:41.750 --> 00:49:48.250
Luckily, Zia Faruqui, the federal prosecutor in this case, had actually carried out cases

00:49:48.250 --> 00:49:50.670
in South Korea and had contacts with the KNPA.

00:49:50.670 --> 00:49:55.970
He had done a case where they tracked down people selling weapons to the North Korean

00:49:55.970 --> 00:49:59.240
government and had worked with South Koreans in that case.

00:49:59.240 --> 00:50:02.940
So, he had these contacts there, he and an HSI agent who were involved.

00:50:02.940 --> 00:50:08.700
So, they get the cooperation of the KNPA, they set up surveillance of Son Jung-woo as

00:50:08.700 --> 00:50:10.030
he’s coming and going.

00:50:10.030 --> 00:50:15.040
They follow his every move as he comes and goes from his apartment in this apartment

00:50:15.040 --> 00:50:17.050
complex a couple hours south of Seoul.

00:50:17.050 --> 00:50:23.010
So, in February of 2018, Chris Janczewski and a couple of the prosecutors in the case

00:50:23.010 --> 00:50:28.091
fly to Seoul and prepare for this takedown with – in cooperation with the KNPA.

00:50:28.091 --> 00:50:36.270
They make this plan to arrest the guy on Monday morning at his home; like, bust down the door

00:50:36.270 --> 00:50:37.740
and get him at home.

00:50:37.740 --> 00:50:41.640
But then on the day before they’re planning to make the arrest, they figure out from their

00:50:41.640 --> 00:50:46.680
surveillance team that Son Jung-woo has driven up to Seoul, that he’s spending part of

00:50:46.680 --> 00:50:48.930
the weekend in the city.

00:50:48.930 --> 00:50:56.329
The KNPA make this last-minute plan to basically stake out his – to drive south to the town

00:50:56.329 --> 00:51:01.030
where he lives south of Seoul, stake out his home, and be there ready to get him at his

00:51:01.030 --> 00:51:06.140
front door, and that is in part because they don’t want him to have any chance to try

00:51:06.140 --> 00:51:07.250
to destroy evidence.

00:51:07.250 --> 00:51:13.130
Thanks in part to Tigran Gambaryan’s right-click and View Source, they know that the server

00:51:13.130 --> 00:51:17.510
is actually in Son Jung-woo’s apartment, amazingly.

00:51:17.510 --> 00:51:20.569
So, this is not like in a data center somewhere.

00:51:20.569 --> 00:51:25.040
So, they need to both seize the server and arrest Son Jung-woo.

00:51:25.040 --> 00:51:32.869
They make a plan to do this, which in some ways it’s a very tidy, simple plan.

00:51:32.869 --> 00:51:36.070
Now they only have to raid one location, basically.

00:51:36.070 --> 00:51:41.710
They formulate this last-minute plan, and Chris Janczewski and the Americans and the

00:51:41.710 --> 00:51:46.930
Koreans drive down together in this caravan and stake him out in the parking lot of his

00:51:46.930 --> 00:51:47.930
building.

00:51:47.930 --> 00:51:51.870
It’s long after midnight on this night where it’s pouring rain.

00:51:51.870 --> 00:51:54.000
Chris Janczewski, by the way, has a horrible cold.

00:51:54.000 --> 00:51:59.940
He actually brought a pillow with him for the stake-out and was just miserably waiting

00:51:59.940 --> 00:52:03.880
in the car during all of this.

00:52:03.880 --> 00:52:09.260
The Americans are not actually allowed to make the arrest, so it’s the Koreans who

00:52:09.260 --> 00:52:12.809
follow Son Jung-woo into the apartment when he finally arrives.

00:52:12.809 --> 00:52:17.170
It’s this agent, this Korean agent, who they called Smiley.

00:52:17.170 --> 00:52:20.910
I don’t actually know his real name, but they called him Smiley because he never smiled

00:52:20.910 --> 00:52:28.670
and he was this very intimidating figure who slides into the elevator next to Son Jung-woo,

00:52:28.670 --> 00:52:30.580
rides up the elevator with him.

00:52:30.580 --> 00:52:35.290
When he steps out of the elevator and walks to his apartment, they arrest him just as

00:52:35.290 --> 00:52:40.410
he reaches his front door, and then search his home.

00:52:40.410 --> 00:52:45.450
They asked Son Jung-woo, can we let the Americans in to participate in the search?

00:52:45.450 --> 00:52:51.520
The way that this Mutual Legal Assistance Treaty between the US and Korea works is that

00:52:51.520 --> 00:52:55.710
the victim has to give permission for any Americans to be involved in the search.

00:52:55.710 --> 00:53:02.480
Of course, Son Jung-woo says no, so Chris Janczewski has to just watch the search through

00:53:02.480 --> 00:53:08.200
somebody’s phone on FaceTime while he sort of just sits in this car in the parking lot

00:53:08.200 --> 00:53:09.559
in the rain.

00:53:09.559 --> 00:53:16.000
[MUSIC] Eventually somebody points the phone, points the video, this live stream of the

00:53:16.000 --> 00:53:24.920
search, at this crappy desktop tower machine that is sitting on the floor of Son Jung-woo’s

00:53:24.920 --> 00:53:25.920
bedroom.

00:53:25.920 --> 00:53:31.740
It’s just an old desktop machine with one side open, and you can see that there are

00:53:31.740 --> 00:53:33.550
multiple hard drives in it.

00:53:33.550 --> 00:53:40.849
Essentially, Son Jung-woo had just been adding hard drives to it as each one filled up with

00:53:40.849 --> 00:53:47.730
terabytes of videos of child sexual abuse.

00:53:47.730 --> 00:53:49.710
This is the Welcome to Video server.

00:53:49.710 --> 00:53:51.630
Chris couldn’t even believe it.

00:53:51.630 --> 00:53:56.700
He was just kind of shocked, and it was actually almost anticlimactic for him.

00:53:56.700 --> 00:54:03.990
They had got their guy, they had found this server at the center of this incredibly malevolent

00:54:03.990 --> 00:54:10.130
global network, and it was just this dumpy computer on the floor of this kid’s bedroom.

00:54:10.130 --> 00:54:15.780
JACK: So, when they got to the server, did they immediately pull the plug or did they

00:54:15.780 --> 00:54:20.270
put some forensic tools on it, or did they put a sign on the site that said this is now

00:54:20.270 --> 00:54:21.920
seized by the government?

00:54:21.920 --> 00:54:29.359
ANDY: So, they – yeah, they grab the server, they do put up a banner on Welcome to Video,

00:54:29.359 --> 00:54:30.550
but it’s not a seizure banner.

00:54:30.550 --> 00:54:37.800
They actually put up an ‘undergoing maintenance, please be patient’ banner.

00:54:37.800 --> 00:54:41.900
They even include some typos because Son Jung-woo’s English was pretty bad and there were a lot

00:54:41.900 --> 00:54:44.349
of typos in the actual Welcome to Video site.

00:54:44.349 --> 00:54:49.780
So, they’re trying to just buy themselves some time and not tip off Welcome to Video’s

00:54:49.780 --> 00:54:52.369
users that the site has been taken down.

00:54:52.369 --> 00:55:01.140
[MUSIC] With the server, amazingly, now they can – the breakthrough of now having the

00:55:01.140 --> 00:55:03.880
server is that it’s a kind of Rosetta Stone.

00:55:03.880 --> 00:55:09.690
Now you can see not only who was paying in, but what they were buying.

00:55:09.690 --> 00:55:16.920
With the logs on the server and the database there, you can see which videos each user

00:55:16.920 --> 00:55:20.510
was downloading and watching and uploading, too.

00:55:20.510 --> 00:55:29.480
So, now in combination with the cryptocurrency tracing, they have the entire map of not just

00:55:29.480 --> 00:55:40.079
identities that they’ve got from that tracing, but also the other end of these criminal transactions.

00:55:40.079 --> 00:55:46.050
Now they have the mother lode of evidence and they start to assemble, with the help of – actually

00:55:46.050 --> 00:55:53.849
of Chainalysis and of HSI and the IRS – they’re all working together – they start to build

00:55:53.849 --> 00:56:00.090
these dossiers on hundreds of the users of Welcome to Video around the world.

00:56:00.090 --> 00:56:02.869
This is the heart of the case, in fact.

00:56:02.869 --> 00:56:13.030
It’s like the slog of planning to find and arrest and search and raid and charge hundreds

00:56:13.030 --> 00:56:15.490
and hundreds of men around the world.

00:56:15.490 --> 00:56:20.359
Not just in the US, but practically every continent in the world.

00:56:20.359 --> 00:56:25.970
JACK: There were thousands of users on the site, and hundreds of them were paying to

00:56:25.970 --> 00:56:27.130
view the videos.

00:56:27.130 --> 00:56:31.990
It really was the Bitcoin-tracing techniques that gave investigators all the information

00:56:31.990 --> 00:56:34.510
they needed to take this whole operation down.

00:56:34.510 --> 00:56:36.340
It was a huge operation.

00:56:36.340 --> 00:56:42.299
ANDY: So, when they seized the database, they now can see the full scale of the size of

00:56:42.299 --> 00:56:44.039
Welcome to Video, too.

00:56:44.039 --> 00:56:49.780
They can see, for instance, that by volume, there are more child sexual abuse videos than

00:56:49.780 --> 00:56:52.309
they’ve ever seen on a dark web site before.

00:56:52.309 --> 00:56:56.260
When they share all of this stuff with the National Center for Missing and Exploited

00:56:56.260 --> 00:57:04.170
Children, which is abbreviated NCMEC, N-C-M-E-C, NCMEC says that they have never actually seen

00:57:04.170 --> 00:57:08.490
– they were the ones who track these sorts of videos, and they’ve never seen almost

00:57:08.490 --> 00:57:13.150
half of them before, which is remarkable and it shows that Welcome to Video wasn’t just

00:57:13.150 --> 00:57:23.260
enormous but that it actually had really incentivized people to create lots of new abuse videos,

00:57:23.260 --> 00:57:27.790
to actually abuse children, and these weren’t just videos copied from other sites, but they

00:57:27.790 --> 00:57:31.300
were – many of them were uniquely made for Welcome to Video.

00:57:31.300 --> 00:57:36.510
JACK: Now the agents had mountains more of evidence against the users of the site.

00:57:36.510 --> 00:57:40.030
It was time to start arresting as many users as they could.

00:57:40.030 --> 00:57:48.410
ANDY: As these intelligence packets were assembled, essentially, and sent out to agents and police

00:57:48.410 --> 00:57:57.690
around the US and around the world, there was no coordinated one day of hundreds of

00:57:57.690 --> 00:57:58.690
takedowns.

00:57:58.690 --> 00:58:00.849
It was too big of a case to even attempt that.

00:58:00.849 --> 00:58:05.609
There was no – the way that things happen in movies where all these doors get knocked

00:58:05.609 --> 00:58:06.960
down at the same time.

00:58:06.960 --> 00:58:13.690
Instead, it was this rolling, distributed process of just taking down these guys one

00:58:13.690 --> 00:58:16.829
by one around the entire world.

00:58:16.829 --> 00:58:20.809
JACK: Andy tried looking to see who these people were that were getting arrested, and

00:58:20.809 --> 00:58:24.010
it was just too many people to keep track of or follow up on.

00:58:24.010 --> 00:58:28.330
But there were a few people that he did hear about that got arrested that are worth mentioning.

00:58:28.330 --> 00:58:33.270
ANDY: This guy in Kansas, who it turns out had run an at-home daycare for infants and

00:58:33.270 --> 00:58:38.500
toddlers – and when he was busted, he had – they had found that he deleted all of

00:58:38.500 --> 00:58:45.799
his videos from his computer, but the prosecutors were able to find that he still had remnants

00:58:45.799 --> 00:58:48.180
of the videos in his computer storage, and was charged.

00:58:48.180 --> 00:58:52.670
JACK: There was another guy in New York that when the police went to his house, his dad

00:58:52.670 --> 00:58:55.349
stopped them at the door and was like, you’ve got the wrong guy.

00:58:55.349 --> 00:58:57.000
It can’t be my son you’re after.

00:58:57.000 --> 00:59:01.140
But when the investigators showed the dad the evidence they had, he was shocked and

00:59:01.140 --> 00:59:02.140
let them in.

00:59:02.140 --> 00:59:06.930
Not only was the son a member of Welcome to Video, but he was also found to have sexually

00:59:06.930 --> 00:59:11.990
assaulted the daughter of a family friend, and hacked into another girl’s webcam and

00:59:11.990 --> 00:59:15.470
was recording her without her knowing, at least according to prosecutors.

00:59:15.470 --> 00:59:20.660
ANDY: Another guy in Washington, DC tried to commit suicide when the HSI agents raided

00:59:20.660 --> 00:59:24.260
his house, and he hid in his bathroom and slit his own throat.

00:59:24.260 --> 00:59:29.579
Only because one of the agents had medical training were they able to save his life.

00:59:29.579 --> 00:59:35.579
They found 450,000 hours of child sexual abuse videos on his computer, including some of

00:59:35.579 --> 00:59:39.319
the recordings that were created by that Border Patrol agent in Texas.

00:59:39.319 --> 00:59:41.329
JACK: 450,000 hours.

00:59:41.329 --> 00:59:45.190
That’s like an addiction beyond my imagination.

00:59:45.190 --> 00:59:49.010
ANDY: These are sad individuals.

00:59:49.010 --> 00:59:50.010
They are.

00:59:50.010 --> 00:59:54.680
They’ve done terrible things, but when you hear about who they are, you do kind of realize

00:59:54.680 --> 00:59:57.330
that this is a sickness, too.

00:59:57.330 --> 01:00:03.900
There was one man who they found had suffered brain damage and he had been taking this medication

01:00:03.900 --> 01:00:09.170
that heightened his sexual appetites and reduced his impulse control, and he had basically

01:00:09.170 --> 01:00:12.430
the cognitive abilities of a child himself.

01:00:12.430 --> 01:00:15.579
These are truly tragic cases on both sides.

01:00:15.579 --> 01:00:20.580
But then in another case, they found a guy in New Jersey had been negotiating to actually

01:00:20.580 --> 01:00:23.780
buy a child for his own exploitation.

01:00:23.780 --> 01:00:32.100
There’s no doubt that this – despite the tragedy for the criminal defendants here,

01:00:32.100 --> 01:00:36.450
too, this is a case that saved kids.

01:00:36.450 --> 01:00:42.349
Ultimately twenty-three children were rescued around the world as a result of this case.

01:00:42.349 --> 01:00:48.569
It was around the world; I should say – I’ve listed cases in the US, but ultimately, Welcome

01:00:48.569 --> 01:00:55.990
to Video users were arrested in the Czech Republic, Spain, Brazil, Ireland, France,

01:00:55.990 --> 01:00:58.380
Canada, England, Peru.

01:00:58.380 --> 01:01:04.230
One guy fled to Saudi Arabia and was arrested there, and the agents in the case don’t

01:01:04.230 --> 01:01:05.819
even know what happened to him.

01:01:05.819 --> 01:01:12.170
But in Saudi Arabia, sexual offenders are sometimes punished under Sharia law, which

01:01:12.170 --> 01:01:14.690
can include beheading.

01:01:14.690 --> 01:01:19.780
But then in other cases, the – these suspects fled internationally and got away with it.

01:01:19.780 --> 01:01:26.569
There was one guy in the Seattle area who worked for Amazon, was a Chinese national,

01:01:26.569 --> 01:01:30.359
and they searched his car and they found, in fact, that he had a map of playgrounds

01:01:30.359 --> 01:01:37.230
in his car, along with a teddy bear despite having no children of his own.

01:01:37.230 --> 01:01:41.670
After this guy saw that his car had been searched, he fled to China and they never found him

01:01:41.670 --> 01:01:42.670
again.

01:01:42.670 --> 01:01:50.630
In total, 337 people were arrested around the world, and twenty-three kids were rescued.

01:01:50.630 --> 01:01:57.120
I think it is probably, in terms of – I mean, in this whole book that I’ve written

01:01:57.120 --> 01:02:02.010
about cryptocurrency tracing cases, this is the one that there’s no doubt that it had

01:02:02.010 --> 01:02:06.490
the biggest impact on people’s lives.

01:02:06.490 --> 01:02:13.180
JACK: [MUSIC] Son Jung-woo made a few hundred thousand dollars from all this, which seems

01:02:13.180 --> 01:02:18.589
like such a small amount of money compared to how much suffering was inflicted on victims

01:02:18.589 --> 01:02:20.559
because of the site.

01:02:20.559 --> 01:02:25.220
Clearly, some of the users on the site did horrendous things or have been put in prison

01:02:25.220 --> 01:02:29.750
for a long time, and I know some of them got decade-long prison sentences or more.

01:02:29.750 --> 01:02:31.760
But that’s just the users.

01:02:31.760 --> 01:02:35.700
What did the admin, Son Jung-woo, get for his punishment?

01:02:35.700 --> 01:02:43.060
ANDY: The really shocking thing is that Son Jung-woo was out in less than two years.

01:02:43.060 --> 01:02:44.260
JACK: What?

01:02:44.260 --> 01:02:50.780
ANDY: I’m still kind of amazed by this myself, but it seems like South Korea’s child sexual

01:02:50.780 --> 01:03:01.200
abuse laws are just really badly written, and a judge denied extradition in this case.

01:03:01.200 --> 01:03:04.849
I still don’t quite understand this, but I think it’s a cultural disconnect where

01:03:04.849 --> 01:03:11.270
South Korea just historically has not taken this kind of crime seriously.

01:03:11.270 --> 01:03:15.280
But it is worth noting that when Son Jung-woo was given an eighteen-month prison sentence,

01:03:15.280 --> 01:03:21.690
just eighteen months for this horrific crime, I mean, for running this network of horrific

01:03:21.690 --> 01:03:30.440
crimes, there was a huge uproar in South Korea, and people protested.

01:03:30.440 --> 01:03:36.619
There was a petition signed by 400,000 people to prevent the judge in the case from being

01:03:36.619 --> 01:03:42.039
considered for a Supreme Court position, and there was legislation proposed to fix these

01:03:42.039 --> 01:03:46.790
laws and create harsher sentences and change the extradition treaty.

01:03:46.790 --> 01:03:53.220
So, I think that South Koreans are – many of them are as baffled and unhappy about this

01:03:53.220 --> 01:03:54.650
as Americans are.

01:03:54.650 --> 01:03:58.720
JACK: Another story I read says that after he got out of prison, Son Jung-woo was facing

01:03:58.720 --> 01:04:04.140
extradition to the US, but his father sued him only because if you’re facing a lawsuit

01:04:04.140 --> 01:04:06.569
in South Korea, you can’t be extradited.

01:04:06.569 --> 01:04:12.210
So, this kept him in South Korea and cleared him of the extradition, which means he’s

01:04:12.210 --> 01:04:15.390
still walking free, presumably in South Korea.

01:04:15.390 --> 01:04:17.099
ANDY: That’s the end of it.

01:04:17.099 --> 01:04:25.700
Son Jung-woo is out and has completely disappeared from the internet and the – from public

01:04:25.700 --> 01:04:27.050
life in any way that I can see.

01:04:27.050 --> 01:04:28.150
I could not find him.

01:04:28.150 --> 01:04:32.619
JACK: When I began reading Andy’s book, I was under the impression that Bitcoin and

01:04:32.619 --> 01:04:36.779
cryptocurrencies are private and anonymous unless you make a mistake in your opsec and

01:04:36.779 --> 01:04:37.860
expose yourself.

01:04:37.860 --> 01:04:43.319
But after reading the book, I’m realizing just how extremely careful you have to be

01:04:43.319 --> 01:04:46.240
in order to remain private with your cryptocurrency.

01:04:46.240 --> 01:04:50.329
He talks in detail in the book about it, but let’s just break apart a couple ideas.

01:04:50.329 --> 01:04:54.510
LocalBitcoins; this is where you can buy Bitcoins from another person directly and not through

01:04:54.510 --> 01:04:55.510
an exchange.

01:04:55.510 --> 01:04:58.930
Well, that person you bought Bitcoin from probably used an exchange, and there’s stories

01:04:58.930 --> 01:05:03.430
about how law enforcement has subpoenaed exchanges to figure out who that person was that you

01:05:03.430 --> 01:05:06.190
bought Bitcoin from, which has led back to the criminal.

01:05:06.190 --> 01:05:09.050
Or what about mixing services or tumblers?

01:05:09.050 --> 01:05:13.380
Well, time and time again, these get taken down and seized by the feds, and that tumbler

01:05:13.380 --> 01:05:18.990
might contain a whole, perfectly-preserved log book of everything that went in and out,

01:05:18.990 --> 01:05:21.460
effectively de-cloaking all its users.

01:05:21.460 --> 01:05:25.250
There’s even rumor that certain governments know how to defeat some of the security features

01:05:25.250 --> 01:05:29.220
on Monero wallets, which are supposed to be private by design.

01:05:29.220 --> 01:05:34.950
Since the blockchain is a permanent, unchangeable public ledger, once a modern analysis technique

01:05:34.950 --> 01:05:40.440
is discovered, then it can be used to analyze the entire history of the blockchain.

01:05:40.440 --> 01:05:44.279
Even if you realize your mistake, there’s no way to go back and fix it.

01:05:44.279 --> 01:05:50.039
Now, we still don’t know who Satoshi Nakamoto is, the creator of Bitcoin, and whoever they

01:05:50.039 --> 01:05:53.130
are, they have a billion dollars in their Bitcoin wallet that they’ve never touched.

01:05:53.130 --> 01:05:58.170
But as soon as they cash it out, they’ll have to provide identification, which will

01:05:58.170 --> 01:06:00.460
expose who they are.

01:06:00.460 --> 01:06:05.570
There are protocols such as Zcash that encrypt the whole transaction, not exposing the sender

01:06:05.570 --> 01:06:09.089
or receiver’s wallet at all, which seems promising.

01:06:09.089 --> 01:06:13.930
But if you put all your eggs in that basket and some day one of those researchers finds

01:06:13.930 --> 01:06:18.829
a way to de-anonymize it, now your hands are showing.

01:06:18.829 --> 01:06:23.809
With the regulation of Bitcoin, it’s easier than ever, for law enforcement at least, to

01:06:23.809 --> 01:06:26.049
identify who owns what wallet.

01:06:26.049 --> 01:06:30.980
They can even freeze wallets or wallets interacting with a certain wallet, and seize wallets,

01:06:30.980 --> 01:06:31.980
too.

01:06:31.980 --> 01:06:37.240
ANDY: So, I think the trap that cryptocurrency has represented, in fact for more than a decade

01:06:37.240 --> 01:06:39.570
now, it still persists.

01:06:39.570 --> 01:06:44.579
People still believe, in many cases, that they have financial privacy or that they can

01:06:44.579 --> 01:06:51.170
get away with crimes, when in fact, this untraceable currency they’re using is the opposite of

01:06:51.170 --> 01:06:57.740
that and sometimes leads agents and prosecutors right to their door.

01:06:57.740 --> 01:07:07.300
(OUTRO): [OUTRO MUSIC] A big thank-you for Andy Greenberg for coming on the show and

01:07:07.300 --> 01:07:09.140
telling us this story.

01:07:09.140 --> 01:07:12.980
This is only one part of his book, and there’s plenty more amazing stories in the book, so

01:07:12.980 --> 01:07:14.990
you better go grab a copy of it and check it out.

01:07:14.990 --> 01:07:17.400
If you like this podcast, you’ll absolutely love that book.

01:07:17.400 --> 01:07:18.970
It’s called Tracers in the Dark.

01:07:18.970 --> 01:07:23.349
Or, well, the full title is Tracers in the Dark: The Global Hunt for the Crime Lords

01:07:23.349 --> 01:07:24.650
of Cryptocurrency.

01:07:24.650 --> 01:07:29.330
I have an affiliate link to purchase it through Amazon in the show notes, so if you’re going

01:07:29.330 --> 01:07:31.630
to buy it, please use the link.

01:07:31.630 --> 01:07:34.360
I’m putting this show on pause for a while.

01:07:34.360 --> 01:07:38.950
I have no episodes planned for January, February, or March.

01:07:38.950 --> 01:07:42.750
I know my creative itch will be too strong to just be quiet the whole time, but I just

01:07:42.750 --> 01:07:46.980
need to escape from the ever-present due dates of the show and just take a little mental

01:07:46.980 --> 01:07:47.980
health break.

01:07:47.980 --> 01:07:51.500
I’ve been doing this for five years now, and the little breaks I’ve taken have just

01:07:51.500 --> 01:07:54.390
never been enough to really feel like I’m relaxed.

01:07:54.390 --> 01:07:57.670
This show is made by me, the karate skid, Jack Rhysider.

01:07:57.670 --> 01:07:59.470
I did the sound design for this one, too.

01:07:59.470 --> 01:08:03.049
This episode was assembled by Tristan Ledger, and mixing was done by Proximity Sound.

01:08:03.049 --> 01:08:06.130
The theme music is by the hip monk, Breakmaster Cylinder.

01:08:06.130 --> 01:08:10.460
I’ll sign off with one last tip for you; if you do go on Tor and visit the darknet,

01:08:10.460 --> 01:08:16.250
you should always wear a bulletproof vest just in case you get hit with a screenshot.

01:08:16.250 --> 01:08:23.099
This is Darknet Diaries.
