Operation Boylover
Transcription
Operation Boylover
Operation Agora: Difficulties in building a Case against a Boylover’s Group Carles Gallardo Cybercrime Unit mossos d’esquadra Catalonia Autonomical Police Operation Agora: Difficulties in building a Case against a Boylover’s Group Summary • Forum «protegenos.com» Paedophile Meeting point • Core group of suspects in Barcelona • Active exchange of strategies and techniques • Exchange and distribution of (Links, Photos and videos) sexual abuse of Children content • Preparatory acts to Contact and abuse of Children • Conspiracy to stablish a «sex tourism» route to Venezuela Protegenos.com Domain registered in Domains by Proxy Inc.(US) Hosted on IP belonging to GoDaddy Inc.(US) Administrator of domain and Forum uses Hotmail (US) The IP history showns only Proxy connections Identification Thorough Analysis of Forum and Blog led to an Spanish IP subscriber that hosted the Forum contents ‘at home’ Protegenos.com Administrator of the site had direct relation ship with a similar website that contained links to sexual abuse of Children content (sueños de kitty) and hosted copies of Paedophyle and ‘ChildPorn’ sites Protegenos.com The suspects evolved from openly sharing of links and content to a “Boylover activism” that meant cover up their real motivations and purposes Investigation details •March 2010, discovery of Blog in www.protegenos.com •May 2010, wire tap and DSL interceptions begin •June 2010, 13 Core users in Spain, 9 in Barcelona ID’d •November 2010, enough evidence collected •December 2010 ,search warrants and arrests •Collection of information (open sources) •Communications interception (DSL and Voice Calls) Cooperation with other LEA (Guardiacivil, Venezuela Police) •Data analysis and victim identification Investigation details DSL interception provided loads of information on the Forum and Blog activity. Navigation activity was analysed daily and many packs of data had to be decoded Group relations and activities Investigation details DSL interception provided loads of information on the Forum and Blog activity. Navigation activity was analysed daily and many packs of data had to be decoded Group relations and activities Investigation details The investigation resulted in the identification of 20 suspects The core group members were located in Catalonia The rest were located in different provinces of Spain and in South America (Venezuela, Mexico, Colombia, ..) Group relations and activities Investigation details The Forum administrator was de main link between the Spanish members and the SouthAmerica members Thanks to International Cooperation (stablished by Guardiacivil) it was possible to locate and Identify a suspect in Venezuela Group relations and activities Investigation details Many of the members were included in the more than 4000 intelligence reports issued by Europol on the website Boylover.net (OPERATION RESCUE) International Impact OUTCOME • Arrest and indictment of arrested suspects • Provisional imprisonment of core group members • Computer equipment seized • International arrests: Venezuela • Post operation Bonus: Children exploitation criminal group dismanteled in Venezuela International Impact DIFFICULTIES • Tech savvy suspects, aware of LEA actions • Active use of Anti forensic Techniques • Analysis and decryption of DSL interceptions data • International Cooperation • Identification and location of victims Corporal Carles Gallardo Cybercrime Unit mossos d’esquadra Avinguda de la Pau, 120 08206 Sabadell (Barcelona) mossosdti@gencat.cat itpg6951@gencat.cat http://www20.gencat.cat/portal/site/mossos