Very recently, I was talking with some LEA friends of mine about cases where cryptocurrencies appeared associated with Child Sexual Abuse Material (CSAM) crimes. “Have you ever seen something like that”, I asked. If you want to read, in a Research Report, what the current findings of the financial scenario related to CSA and CSE crimes are, ICMEC has important findings on the amount of those mechanics. They told me yes. “And did you solve it through the crypto addresses?”. “No”. “But was it solved?”. “Yes, but through other means”. “Would a cryptocurrency analysis tool have helped you”?. “And how much”.  

When we think about cryptocurrencies involved in CSAM crimes, we have, at least, two people we would, at least, considering talking to: Banks, that should be trained to identify CSAM patterns in their transitions monitors once those patterns were identified, and Law Enforcement Agencies, that have to be able to deal with speedily, sometimes in a scenario of missed data.

For researchers, whose function would have been to set the methodology to compile this data, the question would be of a “retrospective nature”, once again. We have to start from the end. And the end, at the current state of arts, means where those addresses were found together with CSAM images. As those cases tend to be “found out more in” cases (I, personally, do not like the word ‘teaser’ in this context’), we might be talking, still, about the live-streaming complexities to compile this data haven’t already came to the table. For example, criminals could be announcing it only textually, or with legal material (such as a neutral victim picture) in CSAM forums, where everybody understands what this “neutral image means”.

How live-streaming appear in criminal forums is a further point of research and whose data probably do not exist in present due to the collection methodology of those compilations. I would like but to explore the data where it exists. Cryptocurrencies addresses found on CSAM forums or websites.

If we started looking for patterns over financial transitions which originate on Child Sexual Abuse Material (CSAM) forums, what would we find? If we stated to compile things like Bitcoin addresses that appear as a payment instruction in illegal forums where CSAM streaming is being advertised, what would we find? No idea.

The problem with crypto paid crimes as a whole is that, often, those cryptocurrency wallets are never found. This phrase translated as something more or less like cases where intelligence is disseminated, somewhere on the other side of the ocean.

What Courts of Justice and criminal investigators sees comes eventually to be, eventually, only a small-picture fragment of something that belongs to a big-picture context. If we lost networks sights, we are prosecuting only half-of-the things, with all the complexities that a CSAM criminal procedure involves. Criminals trust that law enforcement agencies is not prepared to deal with live-streaming (which is a fake assumption) and that there is no intelligence track involving it.

And my claim now is for this track to be created.

We shall count, in the live-streaming case, on the hypothesis that CSAM streaming viewers negotiate, possibly, directly with the streamer, but we should also count on the possibility of things being more “criminally organized” than one would initially think. And that is something we only see if we have something, like interrelated financial transactions, to compare. And, in order to allow this as a legal evidence (retrospective evidence), judges will need to know how the Prosecution Office came to this conclusion. Mapping it, so, matters.

What if one came to the finding that the very same Bitcoin address found previously in a seized CSAM forum “recomposes” itself in another illegal forum of the same nature? What a data those addresses are for Open-Source Investigators, which might have lead a successful prosecution. The missing points are to be found somewhere else based on the original reference.

And the problem with those crypto-related cases is, more than an investigative one, a logical one: In order to investigate anything, one need to have this “anything” to investigate. And having “anything to work with” involves, most of the time, keeping a diligent track of the databases.

The problem with cryptocurrencies is not anonymity any more, but intelligence: Prior to banks, transnational transactions were impossible. When banks arrived, transactions were traceable with your personal documents. When cryptocurrency arrived, the “global financial market” needed, more than ever, integrated intelligence to solve the “no-legal-authority-to-request-anything” problem.

The best chance here is, as such, having the crypto coin address abuse notice and, from here, starting not only to investigate, but also to monitor it.

Chain Analysis, a company dedicated to Bitcoin analysis partners, already since 2016, with the Internet Watch Foundation in the UK to analyse Bitcoin addresses related to Child Sexual Abuse Material on the Dark Web. And even though we must recognize the impact potential of such a partnership, I still miss the global monitor on this behalf.

Internet Watch Foundation, as a CSAM hotline based in the UK provides, also, a possibility of partnering with them in order to receive information about Cryptocurrencies addresses that were found to be linked with Child Sexual Abuse Material. Those databases are but, for obvious reasons (the very same of the Open-Source Investigators one), closed by Membership Requirements. Forensic Tools aiming at the CSAM detection domain should, as such, think about the benefits of having the IWF Virtual Currency Alerts in their working database.

About the Virtual Currency CSAM alert, this initiative would be a great one to be thought beyond UK, in a transnational basis and involving all CSAM hotlines, opening it up, in my opinion, also the possibility of Law Enforcement Agencies of adding new tips to it. Following the money tips in a Child Sexual Abuse Imagery investigation, the Italian police seized 14,000 Bitcoin wallets worth around €1m (£800,000) in 2015. How much it could not have helped other similar cases.

We need CSAM intelligence to be global.

The CSAM related crypto addresses hardly ever come to the discussion table of Justice Courts. But those same addresses come, indeed, to CSAM forums, and maybe, its monitoring would be a crucial tip to found out where the next crime stays or, translating it, how things are interconnected inside the criminal world. Where and how, after all, all those CSAM cryptocurrencies cross.

This data needs to be crossed not only in individual criminal investigations, but also inside the network of similar data. Identifying authorship is important, but identifying networks and how they communicate with each other also.

For investigators, maybe we could add some further questions of interest: Are CSAM live-streaming after all commercial in nature? If so, are crypto coins involved in those transactions? If so, how permanent are those crypto coin addresses? Is that the case that those addresses receive, during a specific time, a huge number of transitions, and then it suddenly stops? Are those transactions identifiable through any pattern? If we needed to supply streaming forensics with a “where to look” data based on those transactions, could we do it anyhow? Are those payments “access ransoms”, never paid in advance? How payments and streaming data come, after all, together?

Questions for you… to think about.