Czech Police Uncover Crypto-Enabled CSAM Scam, Leading to Arrests and Hundreds Exposed
In a significant development in the fight against organized crime, the National Organized Crime Agency (NCOZ) of the Czech Republic has successfully dismantled a network of dark web portals distributing child sexual abuse material (CSAM). This operation highlights the growing intersection of cryptocurrency and cybercrime, as investigators used blockchain analysis to trace illicit financial activities linked to these heinous acts.
NCOZ’s Role in Cybercrime Investigation
The NCOZ, a specialized division within the Czech Police’s Criminal Police and Investigation Service, is tasked with addressing serious and organized crime across the nation. Within this agency, the Cyber-Enabled Crime Division serves as the central hub for tackling digital threats, including financial crimes, network intrusions, and illicit cryptocurrency activities. Radek Matějka, a senior cryptocurrency investigator at NCOZ, emphasizes the agency’s mission: “We trace for our agency, but we also provide tracing for other police agencies. We are the main methodology experts on virtual currency investigation for all Czech law enforcement agencies.” His expertise has been pivotal in enhancing investigative capabilities, developing methodologies for asset seizure, and training colleagues in navigating the complexities of tracing funds across both traditional cryptocurrencies and emerging smart contract platforms.
From the Dark Web to Prague
In 2023, NCOZ investigators were alerted to suspicious activities associated with hidden portals on the Tor network. These portals were found to be distributing CSAM, enticing buyers to pay for access to content that ultimately did not exist. The operators of these portals accepted cryptocurrency payments, fully aware that their fraudulent activities were unlikely to be reported.
Initial intelligence derived from blockchain analysis revealed over ten interconnected dark web portals that were accepting cryptocurrency payments. Carolina Christofoletti, a blockchain intelligence analyst at TRM, noted, “We saw that all of these sites were depositing funds into the same wallet at the same time. That told us we weren’t looking at isolated scams but a coordinated network that could be disrupted with a single trace.”
Matějka recognized the suspicious transactions as a critical lead, prompting the initiation of an investigation aimed at identifying the operators behind the scams. The investigation soon revealed that the cryptocurrency payments traced back to cash-out points at Bitcoin ATMs in the Czech Republic. This financial trail provided a potential pathway to the perpetrators.
The Investigation: Linking Wallets to Faces
The investigation commenced with a focus on the flow of cryptocurrency. Matějka observed that deposits from the CSAM websites were routed to Bitcoin ATMs within a few transactions. Each ATM generated a unique address for deposits, which were subsequently funneled into a consolidation wallet. This pattern became the first significant lead in the case.
Christofoletti’s analysis uncovered a complex network of intermediary wallets connecting the dark web portals to Bitcoin ATMs in Prague. “Even though the operators rotated wallets weekly — and later monthly — we could keep following them,” she explained. “Each time they changed an address, we updated our attribution to maintain full coverage.”
Collaboration with the ATM operator proved crucial. Matějka recalled, “The CEO of the company was very helpful and proactive.” The operator provided transaction records and images from ATM cameras, which allowed investigators to link digital wallets with individuals withdrawing cash.
By mapping the ATM infrastructure, Matějka, Christofoletti, and their colleagues confirmed that all withdrawals converged at a single machine whose transactions flowed to a centralized exchange. “Being able to link the on-chain payments to a specific ATM was the breakthrough,” Christofoletti stated. “It meant there was no place left for the criminals to hide when cashing out.”
The first suspect was identified when he attempted a withdrawal and, under pressure from a second-factor authentication check, entered his own phone number. This number matched records in police databases, providing investigators with a confirmed identity.
A second suspect proved more elusive. Facial recognition software applied to Czech databases yielded no results. However, when investigators shared ATM images with a major cryptocurrency exchange, the exchange’s Know Your Customer (KYC) system quickly returned a match, confirming the suspect had an account in his name. This rapid identification underscored the effectiveness of collaboration between investigators and exchanges in dismantling criminal anonymity on the blockchain.
In parallel, Matějka’s team discovered that the second suspect had used the same wallets displayed on the CSAM websites to make payments through a Czech payment processor linked to one of the country’s largest e-commerce platforms. This connection provided an additional thread of evidence, reinforcing the suspect’s identity.
With identities established, prosecutors secured a search warrant. At the suspect’s residence, investigators seized digital devices that directly linked him to the management of the portals. “The analysis of the data from his computer showed clearly that he was the operator. The addresses we found matched exactly the ones from the websites,” Matějka explained.
Investigators found that the suspects had hosted the dark web servers from their homes, illustrating the low-tech infrastructure that can underpin a global network. “They were literally running the servers from their living rooms,” Matějka noted. “It shows how critical it is to connect the blockchain side to the physical world.”
Perpetrators Brought to Justice, Hundreds More Exposed
The operation yielded significant results. The first suspect was prosecuted and imprisoned in the Czech Republic, while a second suspect, a Ukrainian national, fled before prosecution but was identified and linked to the case.
For Christofoletti, witnessing the case transition from analysis to arrest was a validation of her work. “Waking up to the message that the suspects were arrested and the websites were down was amazing,” she remarked. “It’s the moment you realize that tracing crypto can actually protect children.”
The investigation extended beyond the main perpetrators. The fraudulent portals had collected payments from individuals seeking illicit material, allowing investigators to trace hundreds of attempted users. This intelligence was shared with Europol’s Analysis Project Twins (AP Twins), a unit specializing in investigations of child sexual abuse material across Europe. “We identified hundreds of users who sent crypto to these addresses and provided the information to Europol,” Matějka stated.
This case exemplifies how blockchain investigations can transform digital transactions into actionable leads. What began as fraudulent websites on the dark web culminated in the incarceration of perpetrators and a wealth of intelligence to support international partners. “Without professional tools and collaboration, this kind of case would be impossible to solve.”
The operation also highlights the potential of targeting scam-based CSAM networks. “If you take down one scam operator, you remove dozens of portals and the illicit material they used to lure users,” Christofoletti noted. “A single trace can clean up a large part of the dark web.”
According to publicly available reporting from TRM Labs (www.trmlabs.com), the successful dismantling of this network illustrates the critical role of law enforcement agencies in combating cyber-enabled crimes, particularly those involving the exploitation of vulnerable individuals.