Fingerprinting child abuse images
Visitors to child porn honeypot completely failed to hide their identity

Paedophiles searching the dark web for child pornography are giving the illegal websites their real names and email addresses - some even let a site install a file-scanning programme onto their computer.

They also used easily-guessable passwords, were upfront and honest about what depraved material they were looking for, and spoke about online communities and forums dedicated to child abuse.

This is according to an internet security researcher who ran a honeypot website claiming to contain pornographic images of children.

The website, hidden from search engines like Google and only accessible through the anonymising Tor web browser, was joined by two more created by the same researcher - one claiming to sell counterfeit documents and another claiming to sell drugs.

'Shockingly high' traffic

Posting his findings on Geek Slop, the unnamed researcher said traffic to the paedophile website was "shockingly high - magnitudes higher than traffic on the counterfeiting and drug honeypot sites. After the first five days, the counterfeiting site had two registrations while the faux drug sales site saw six registrations. Both sites saw hundreds of visitors. The paedophile site however, saw several thousand visitors in just five days and brought in over 200 member registrations."

The two other honeypots saw no new member registrations after the first five days. This could be because the researcher required an email address - a rare request on the dark web. But in the same time frame the paedophile site attracted over 1,000 visitors every day, and by the end of the 14-day experiment it had a database of nearly 700 registered users.

"Out of hundreds of registrations, only a single user complained about having to use their email address to register," the researcher said.

Using language like "community" and "friendship" on the site's home and registration pages (none of which contained any illegal material, or direct mentions of it), "a surprising number of paedophiles freely provided their Clearnet [the regular, Google-searchable internet] email addresses as their username. The number of legit email addresses was astounding."

Many passwords used by registered members contained phrases linked to child pornography, and a "comments, suggestions and preference" field included on the registration form revealed the "deeply unsettling" nature of what visitors were looking for.

Such requests included:

  • "girls 11-14"
  • "I like girls age 8-13"
  • "girls, 6-12"
  • "love young girls"

Passwords chosen by users were equally unsettling:

  • DeeplyDisturbed0
  • godhatesme
  • doctorsatan999
  • lolitaporn

Some signed up to the honeypot hoping for more than just photos and videos; they asked for a "dating service" to lure children in, the researcher claims.

"Will you offer dating?" one registered user asked.

In another instance a user said: "Hi I'm a married dad of three. I'm looking forward to joining in and sharing in the community."

Deeply unsettling

"Many freely told me what type of content they preferred", the researcher said. "Their crass and frank attitudes as if all of this were perfectly normal, was deeply unsettling."

The site's internal private messaging system also revealed how unremarkable its users thought their actions were. They begged the site administrator to give them full access to the site (membership worked in tiers, with the top tier only accessible to users who allowed their computer to be scanned for security vulnerabilities).

"Site seems cool, and useful," said one member. "Interesting site concept. Looking forward to exploring it. Thanks," and "Just browsing around. Friendly, like-minded 20 year old chap," said two others.

Some were more direct: "I am a pedo lover. Hope to be friends with you. I like little girls age 8-13."

By monitoring site traffic and convincing some users to click on a link to the Clearnet, exposing their IP address and more personal information, the researcher was able to build partial identities of visitors to the honeypot. He twice contacted the FBI to say what he was doing and offered all the data he had collected, but had no response.

Security scanner revealed users' names

The researcher's final act before shutting down all three honeypots was to introduce a 'security scanner' - a small Windows programme which, it was claimed, ensured that the computers and web connections of the site's highest tier of members were safe and secure, enhancing the encryption and anonymity for all.

Items recorded included the machine's true external IP address and host name, the internal IP address, the OS and version, number of CPUs, user domain, all local networking interfaces and their IP addresses, the Windows username of the logged in user, a list of drive devices and their status, the path to the browser's cookie file, all installed software on the machine, all running processes on the machine, and a sample of file names from their My Pictures directory.

"Dozens" of users installed and voluntarily ran the scanner, accounting for between 4% and 7% of the site's user base. Only one user cancelled the scanner before it completed its work, but then they immediately reopened it and let it run to completion.

After 14 days, the three sites were shut down with no notice or explanation. The researcher concluded: "No matter how much I wanted to scare the holy s**t out of those who had been identified, I decided to depart quietly and leave the playing field open for other security researchers."