Full Report
An international law enforcement action called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages. [...]
Analysis Summary
# Incident Report: Operation Alice Dark Web Takedown
## Executive Summary
Operation Alice is an international law enforcement action led by German authorities and supported by Europol that dismantled a massive network of over 373,000 fraudulent dark web sites. The infrastructure, operated by a Chinese national, scammed approximately 10,000 users by selling fake Child Sexual Abuse Material (CSAM) and cybercrime-as-a-service offerings for Bitcoin. While no actual abuse material was found, the operation led to the seizure of 287 servers, an international arrest warrant, and the identification of hundreds of individuals attempting to purchase illegal content.
## Incident Details
- **Discovery Date:** Mid-2021
- **Incident Date:** Mid-2021 to March 2026
- **Affected Organization:** Not applicable (Scam operation targeting dark web users)
- **Sector:** Law Enforcement / Cybercrime Takedown
- **Geography:** Global (Infrastructure centered in Germany, operator based in China)
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-2021
- **Vector:** Targeted investigation into dark web marketplaces.
- **Details:** German police began monitoring the platform "Alice with Violence CP" after identifying it as a hub for illegal advertisements.
### Lateral Movement
- **Details:** The operator expanded the network by spinning up hundreds of mirrors and subdomains, eventually reaching over 373,000 individual URLs to maximize visibility and resilience against takedowns.
### Data Exfiltration/Impact
- **Financial Impact:** Approximately $400,000 (EUR 370,000 equivalent) stolen from users.
- **Data Collection:** Users were tricked into providing email addresses and cryptocurrency during the checkout process.
### Detection & Response
- **Detection:** Discrepancies between advertised illegal material and delivered content identified the sites as a "honeypot-style" scam operation.
- **Response Actions:** Coordination between 23 countries led by Europol and the German Federal Criminal Police Office (BKA). On March 20, 2026, authorities seized the infrastructure and issued an arrest warrant for the primary suspect.
## Attack Methodology
- **Initial Access:** SEO/Link-spamming on dark web forums and onion directories to drive traffic.
- **Persistence:** High-volume domain rotation and server redundancy (287 servers).
- **Defense Evasion:** Use of Bitcoin for untraceable payments and hosting on the Tor network to mask server locations.
- **Collection:** Gathering user emails and crypto-wallet addresses.
- **Impact:** Financial fraud and secondary legal risk for the victims (law enforcement investigation of the "customers").
## Impact Assessment
- **Financial:** $400,000 in Bitcoin lost by participants.
- **Data Breach:** Compromise of 10,000 user emails and payment metadata.
- **Operational:** Complete dismantling of the "Alice with Violence CP" infrastructure (373,000 sites).
- **Reputational:** Public exposure of users attempting to purchase illegal materials; 440 individuals identified globally.
## Indicators of Compromise
- **Network Indicators:**
  - Platform Name: "Alice with Violence CP"
  - Hosting: Onion-based URLs (defanged: alice[.]onion variants)
  - Servers: 105 servers located in Germany (now seized)
- **Behavioral Indicators:**
  - Requests for Bitcoin payments between EUR 17 and EUR 250 for "packages" of data.
  - Offers of "Cybercrime-as-a-Service" alongside CSAM.
## Response Actions
- **Containment:** Seizure of 287 servers globally to stop the scam operation.
- **Eradication:** Shutdown of over 373,000 dark web domains associated with the suspect.
- **Recovery:** Transition of investigation data to the "Stop Child Abuse – Trace an Object" initiative to further child protection efforts.
## Lessons Learned
- **The "Scammer Scams the Criminal" Dynamic:** Significant portions of the dark web economy consist of fraudulent sites targeting individuals with criminal intent.
- **Infrastructure Scale:** Modern cybercrime operations can scale to hundreds of thousands of sites using automated scripts and cheap VPS hosting.
- **Jurisdictional Challenges:** While the infrastructure was in Germany, the operator's location in China presents long-term extradition and prosecution hurdles.
## Recommendations
- **Law Enforcement Cooperation:** Continue cross-border intelligence sharing via Europol to track cryptocurrency flows.
- **Public Awareness:** Promote platforms like Help4U to provide legitimate support for victims of online abuse.
- **Monitoring:** Security analysts should monitor Bitcoin addresses associated with these takedowns to identify potential overlap with other cybercrime syndicates.