Europol sting shuts down over 373,000 dark web sites

The investigation began in mid-2021 against the dark web platform “Alice with Violence CP”.

During the investigation, authorities discovered that the platform’s operator was running over 373,000 fraudulent websites advertising CSAM and cybercrime-as-a-service (CaaS) offerings.

From March 9-19, some 23 countries joined forces in 'Operation Alice,' which initially only targeted the platform operator.

However, through international cooperation, the investigation uncovered the identities of 440 customers who had used the operator's services. 

Due to the nature of the purchases, additional investigations were launched against them. 

The operation is still ongoing against more than 100 of those individuals.

Over nearly five years of investigation, German authorities discovered that a single individual operated over 373,000 onion domains on the dark web. 

An onion domain is a type of website address that is designed to hide the identity and location of the website and the people visiting it. 

From February 2020 to July 2025, the suspect advertised CSAM on different platforms, which were accessible through more than 90,000 of those onion domains.

On these platforms, the perpetrator offered CSAM that could allegedly be purchased as “packages” after providing an email address and making a payment in Bitcoin.

Each package had an estimated cost of between €17 and €215, and promised data volumes ranging from a few gigabytes to several terabytes of CSAM. 

However, these were purely fraudulent sites where CSAM was advertised and previewed but never delivered.

In addition to CSAM, CaaS offerings were promoted, including credit card data and access to foreign systems. 

The goal was always to persuade customers to make payments without receiving any service in return.

Investigations were also conducted against the platform’s operator, a 35-year-old man based in China. 

Authorities estimate that the individual made over €345,000 in profit from approximately 10,000 customers worldwide who, according to authorities, attempted to purchase the material he was advertising.

From November 2019 until recently, he operated a network of up to 287 servers at its peak, 105 of which were located in Germany. 

German authorities have issued an international arrest warrant.

By paying for CSAM, the customers themselves became suspects, even though they never received the material. 

Investigators assessed that individuals seeking access to exclusive –and, therefore, severe — CSAM could represent high-value targets and provide important intelligence for law enforcement worldwide.

Throughout the years of investigation, authorities acted immediately whenever they identified children to be in danger, taking appropriate measures to protect their well-being.

For example, in August 2023, investigators from the Bavarian State Criminal Police Office searched the home of a 31-year-old father who had transferred €20 to purchase a package containing 70GB of CSAM. 

The man was later convicted.