Operation Alice Shuts Down 373,000 Dark Web Sites in Major International Crackdown
In a significant development in the fight against cybercrime, German investigators launched an extensive inquiry into a dark web platform named “Alice with Violence CP” in 2021. Initially focused on the platform’s familiar features—onion domains, cryptocurrency transactions, and the allure of anonymity—the investigation quickly expanded into a vast network of fraudulent dark web sites. Authorities have reported that these sites were involved in the advertisement of child sexual abuse material and various cybercrime services on an unprecedented scale.
By March 2026, the operation had evolved into what Europol and German authorities termed a major international initiative. From March 9 to March 19, law enforcement agencies from 23 countries participated in Operation Alice. This effort, which initially aimed to identify the platform’s operator, ultimately uncovered over 373,000 dark web sites, identified 440 customers globally, and led to the seizure of 105 servers along with various electronic devices, including computers and mobile phones.
The Scale of the Operation: A Shift in Illicit Commerce
The scale of Operation Alice illustrates not only the extensive infrastructure involved but also the evolving nature of illicit commerce on the dark web. Investigators discovered that the sites in question did not deliver the content they advertised. Instead, they functioned as a vast fraud network, utilizing the language and imagery of serious criminal material to extract Bitcoin payments from users who believed they were purchasing access to illegal content or cybercrime tools.
This structure placed the investigation at the intersection of several law enforcement priorities, including child protection, cybercrime, cryptocurrency tracing, and cross-border policing.
From One Platform to Hundreds of Thousands of Hidden Sites
The inquiry began with the platform “Alice with Violence CP,” but over nearly five years, German authorities uncovered a much broader architecture. A single suspect is believed to have operated more than 373,000 onion domains—hidden sites accessible through specialized browsing tools designed to obscure the location of both users and website operators.
From February 2020 to July 2025, over 90,000 of these sites were reportedly used to advertise child sexual abuse material. These offerings were presented as purchasable “packages” that users could obtain by submitting an email address and paying in Bitcoin. Prices ranged from 17 euros to 215 euros, with claims of providing anywhere from a few gigabytes to several terabytes of material.
However, investigators determined that these sites were fraudulent. The advertised material was never delivered. Alongside these offerings, the operator also promoted cybercrime-as-a-service products, including purported credit card data and access to foreign systems, with the same objective: to convince customers to pay for services that would never materialize.
This dual structure—exploiting demand for both abusive material and cybercrime tools—gave the network a unique breadth. Authorities described it as a criminal deception machine, monetizing illicit intent itself. Customers were not merely paying for promised content or access; they were also investing in the belief that the hidden internet would shield them from scrutiny.
The Operator, the Customers, and the Reach of the Investigation
German authorities identified the suspected operator as a 35-year-old man based in the People’s Republic of China. He reportedly profited over 345,000 euros from approximately 10,000 customers worldwide who attempted to purchase the advertised material. At its peak, investigators estimate he controlled a network of as many as 287 servers, with 105 located in Germany. An international arrest warrant has been issued for him.
However, the investigation did not conclude with the suspected operator. Europol indicated that international collaboration enabled the identification of 440 customers who utilized the service. Due to the nature of their purchases, authorities initiated additional investigations into these individuals, with over a hundred remaining under active scrutiny.
Even in instances where illegal material was not delivered, an attempted purchase could serve as a basis for suspicion and prosecution. Investigators viewed these customers as significant targets, not only for their pursuit of abusive material but also for the potential intelligence they could provide about broader offending networks.
One notable case involved a 31-year-old father in Bavaria, who, in August 2023, was found to have transferred 20 euros to buy a package purportedly containing 70 gigabytes of child sexual abuse material. He was later convicted, illustrating how Operation Alice extended from server infrastructure and cryptocurrency tracing to individual users and, in some cases, child protection interventions.
A Case Built on Infrastructure, Anonymity, and Cryptocurrency
At the core of the investigation was a familiar dark web equation: anonymity technology, large-scale hosting, and digital payments. Onion domains are designed to conceal both location and identity, presenting a persistent challenge for investigators. In this case, authorities noted that this concealment was amplified across hundreds of thousands of sites, creating an infrastructure capable of functioning almost like an automated criminal ecosystem.
Cryptocurrency facilitated this model. Europol’s specialists played a crucial role in tracing Bitcoin payments and generating intelligence for the countries involved. In dark web investigations, the ability to follow digital money has become increasingly vital, not only for identifying operators but also for reconstructing the size and direction of criminal demand. Financial analysis was essential in linking the suspect to the network and understanding the volume of attempted purchases.
The investigation also highlighted the importance of international coordination. Twenty-three countries participated, including Germany, the United Kingdom, the United States, Canada, Australia, and several European partners. Europol facilitated information exchange, provided analytical support, and coordinated the broader response. In a case spanning multiple jurisdictions, language systems, legal frameworks, and technical environments, such coordination was not peripheral; it was central to the operation.
Catherine De Bolle, Europol’s executive director, emphasized that the case demonstrated the reach of international law enforcement cooperation. However, the operational significance extended beyond that statement. Dark web systems are often resilient due to their distributed nature. Operation Alice represented an attempt to respond in kind—with distributed enforcement.
Beyond Enforcement: A Focus on Victims and Prevention
While the operation centered on servers, domains, and suspects, authorities also underscored the child protection aspect of the case. Europol stated that throughout the investigation, officers acted promptly whenever they identified children believed to be in danger, taking necessary steps to protect them.
This emphasis is critical because investigations involving child sexual abuse material are not solely about digital evidence or criminal marketplaces. Each image or video, as Europol reminded the media, reflects an actual act of abuse. The agency urged journalists to avoid the term “child pornography,” arguing that it obscures the violence and coercion inherent in the material and falsely suggests consent or legitimacy.
The case unfolded alongside Europol’s broader efforts in child protection. Recently, the agency released new photos to its “Stop Child Abuse – Trace an Object” platform, which seeks public assistance in identifying objects seen in cold cases of child sexual abuse. Europol also highlighted Help4U, a digital platform launched in late 2025 for children and teenagers facing sexual abuse or online harm.
These initiatives underscore a tension that has become increasingly visible: while the dark web is often portrayed as a realm of technical sophistication, its consequences are profoundly human. Operation Alice was, in one sense, a cyber investigation into fraudulent sites, hidden servers, and cryptocurrency payments. In another, it was an effort to reach the individuals behind the screens—the operator, the customers, and, most importantly, the children whose abuse was exploited as bait, threat, or evidence in a criminal economy.
The investigation revealed not only the scale of one network but also how modern illicit systems can intertwine fraud, abuse, and technology into a single architecture. Hidden websites, fake packages, Bitcoin transactions, and cross-border infrastructure may create an illusion of abstraction. However, the individuals harmed by these operations remain painfully real.
According to publicly available the420.in reporting, the implications of Operation Alice extend far beyond immediate law enforcement actions, highlighting the urgent need for continued vigilance and collaboration in the ongoing battle against cybercrime.
Follow the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
