At the bottom of several pages of the site was a copyright date: March 13, 2015. Welcome to Video had already been online for more than two years. Even at a glance, it was clear that it had grown into one of the biggest repositories of child sexual abuse videos that law enforcement had ever encountered.
As Janczewski and Gambaryan analyzed the site’s mechanics, they saw that users could obtain points not just by purchasing them but also by uploading videos. The more those videos were subsequently downloaded by other users, the more points they would earn. “Do not upload adult porn,” the upload page instructed, the last two words highlighted in red for emphasis. The page also warned that uploaded videos would be checked for uniqueness; only new material would be accepted—a feature that, to the agents, seemed expressly designed to encourage more abuse of children.
The element of the site that Gambaryan found most unnerving of all, though, was a chat page, where users could post comments and reactions. It was filled with posts in all languages, offering a hint at the international reach of the site’s network. Much of the discussion struck Gambaryan as chillingly banal—the kind of casual commentary one might find on an ordinary YouTube channel.
Gambaryan had hunted criminals of all stripes for years now, from small-time fraudsters to corrupt federal law enforcement colleagues to cybercriminal kingpins. He usually felt he could fundamentally understand his targets. Sometimes, he’d even felt sympathy for them. “I’ve known drug dealers who are probably better human beings than some white-collar tax evaders,” he mused. “I could relate to some of these criminals. Their motivation is just greed.”
But now he’d entered a world where people were committing atrocities that he didn’t understand, driven by motivations that were entirely inaccessible to him. After a childhood in war-torn Armenia and post-Soviet Russia and a career delving into the criminal underworld, he considered himself to be familiar with the worst that people were capable of. Now he felt he had been naive: His first look at Welcome to Video exposed and destroyed a hidden remnant of his idealism about humanity. “It killed a little bit of me,” Gambaryan says.
as soon as they had seen firsthand what Welcome to Video truly represented, Gambaryan and Janczewski understood that the case warranted an urgency that went beyond that of even a normal dark-web investigation. Every day the site spent online, it enabled more child abuse.
Gambaryan and Janczewski knew their best leads still lay in the blockchain. Crucially, the site didn’t seem to have any mechanism for its customers to pull money out of their accounts. There was only an address to which they could pay for credits on the site; there didn’t even seem to be a moderator to ask for a refund. That meant that all the money they could see flowing out of the site—more than $300,000 worth of bitcoins at the time of the transactions—would almost certainly belong to the site’s administrators.
Gambaryan began reaching out to his contacts in the Bitcoin community, looking for staff at exchanges who might know executives at the two Korean exchanges, Bithumb and Coinone, into which most of Welcome to Video’s money had been cashed out, as well as one US exchange that had received a small fraction of the funds. He found that the mere mention of child exploitation seemed to evaporate the cryptocurrency industry’s usual resistance to government intervention. “As libertarian as you want to be,” Gambaryan says, “this is where everybody kind of drew the line.” Even before he sent a formal legal request or subpoena, staff at all three exchanges were ready to help. They promised to get him account details for the addresses he had pulled from Reactor as soon as they could.
In the meantime, Gambaryan continued to investigate the Welcome to Video site itself. After registering an account on the site, he thought to try a certain basic check of its security—a long shot, he figured, but it wouldn’t cost anything. He right-clicked on the page and chose “View page source” from the resulting menu. This would give him a look at the site’s raw HTML before it was rendered by the Tor Browser into a graphical web page. Looking at a massive block of code, anyway, certainly beat staring at an infinite scroll of abject human depravity.
He spotted what he was looking for almost instantly: an IP address. In fact, to Gambaryan’s surprise, every thumbnail image on the site seemed to display, within the site’s HTML, the IP address of the server where it was physically hosted: 18.104.22.168. He copied those 11 digits into his computer’s command line and ran a basic traceroute function, following its path across the internet back to the location of that server.