Methods developed by the Complexity Science Hub (CSH) helped uncover a link between a vast network of criminal dark web sites and their alleged operator.
IN A NUTSHELL
The method that connected the dots
- The dark web shields users’ identities through advanced encryption protocols, while cryptocurrency payments further obscure financial trails – making investigations difficult.
- GraphSense, a tool developed by Bernhard Haslhofer and his team at the Complexity Science Hub, can systematically trace these transactions, reconstruct fund flows between cryptocurrency addresses, and surface connections between cases that appear entirely unrelated.
- Among other methods, this approach helped reveal that ~370,000 seemingly unrelated dark web pages were in fact all part of one single criminal operation – traceable to one suspected perpetrator.
What happened
- Bavarian authorities today took down ~370,000 dark web pages – a significant share of all currently active dark web content.
- All pages were traced back to a single suspected perpetrator of Chinese origin.
- An international arrest warrant has been issued.
What was on those pages
- Child sexual abuse material, stolen financial credentials, and compromised login data, among other illegal content, all offered for sale.
- Every listing was in fact advance-fee fraud: buyers paid in cryptocurrency and received nothing.
The Complexity Science Hub’s role
- The CSH has collaborated with the Bavarian Central Office for the Prosecution of Cybercrime (ZCB) since 2022, as part of an international effort spanning Germany, the Netherlands, and Austria.
- What started in 2022 with a few dozen pages under investigation ultimately uncovered a network of several hundred thousand.
Bavarian law enforcement authorities are taking down around 370,000 pages on the dark web today as part of the investigative complex known as “Operation Alice.” These pages – on which, among other things, child sexual abuse material as well as stolen financial and login credentials were offered for sale – account for a significant share of all currently active pages on the dark web. Every listing, however, was a prepayment scam: buyers paid in cryptocurrency and received nothing in return. Tracing all of these pages back to a single alleged operator was made possible in part through analytical methods developed at the Complexity Science Hub (CSH).
STARTING WITH A FEW DOZEN PAGES IN 2022
“When we started working together in 2022, we were illustrating our work with visualizations of a few dozen pages. Now we’re looking at several hundred thousand,” says Bernhard Haslhofer, who heads the Digital Currency Ecosystems research group at the Complexity Science Hub. At the outset, the full extent of the infrastructure was unknown. “The fact that we were able to map a network of this size is a clear demonstration of what data-driven methods can achieve in the fight against cybercrime.”
Since 2022, the Complexity Science Hub and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB) have been working together to bring scientific methods for cryptocurrency transaction analysis to bear on law enforcement investigations.
MORE LINKS THAN EXPECTED
When the ZCB launched “Operation Alice”, investigators already suspected a link between pages hosting child sexual abuse material. What they did not yet know was the full scope of what they were dealing with. “The fact that there was a flood of other fraudulent offers involved, meaning that we are dealing with a huge cluster of related pages that all belong to a single complex, only became apparent with the help of the methods developed at CSH,” says Thomas Goger, Deputy Director of the ZCB. The scale of the operation, its duration, and the fact that a single suspect of Chinese origin allegedly ran all of these pages make this case highly unusual.
The dark web shields users’ identities through advanced encryption protocols, while cryptocurrency payments such as those made in Bitcoin further obscure financial trails. “With our tool GraphSense, we can systematically trace these transactions, reconstruct fund flows between cryptocurrency addresses, and surface connections between cases that appear entirely unrelated,” says Haslhofer.
The operation’s findings were presented today at a press conference by Bavarian Minister of the Interior Joachim Herrmann and Minister of Justice Georg Eisenreich. As part of the press conference, the suspect’s name and photograph have been released and an international arrest warrant has been issued.
COLLABORATION
The findings are the result of an international research collaboration spanning Germany, the Netherlands, and Austria, bringing together law enforcement (ZCB), academic institutions (Complexity Science Hub, TNO), and implementation-focused companies (CFLW Cyber Strategies and Iknaio Cryptoasset Analytics GmbH, a spinoff born out of research at the Complexity Science Hub).
