Key Findings

• Single operator in China ran 373,000 fraudulent dark web sites offering CSAM and cybercrime services

• Operation Alice, led by German authorities with support from 23 countries, dismantled the network from March 9-19, 2026

• Law enforcement seized 105 servers, identified 440 customers worldwide, and issued international arrest warrant for 35-year-old suspect

• Operator earned over €345,000 from roughly 10,000 customers through fake "packages" priced between €17 and €215

• All advertised CSAM and services were fraudulent, designed to collect cryptocurrency without delivering any actual content

Background

The investigation started in 2021 as a routine probe into a dark web platform called "Alice with Violence CP." What began as a focused inquiry quickly expanded when German authorities discovered the scale of the operation behind it. Rather than a distributed network of criminals, investigators found one person orchestrating an enormous criminal enterprise across hundreds of thousands of websites. The sheer volume of sites suggested a much larger operation than actually existed, which was partly the point. By flooding the dark web with countless fake marketplaces, the operator created confusion and made law enforcement tracking significantly harder.

The Operation and Scope

Operation Alice ran for just over a week in March 2026, representing one of the most coordinated international takedowns of dark web infrastructure to date. Agencies from 23 countries participated in the operation, pooling resources to dismantle the network simultaneously. Beyond seizing the 373,000 onion domains, authorities took control of more than 100 servers and confiscated computers, mobile phones, and other electronic devices. The suspect had operated a network of up to 287 servers at its peak, with 105 located in Germany alone. From November 2019 until the takedown, this single individual maintained the infrastructure necessary to run nearly a third of a million fraudulent websites.

The Business Model

The operator's approach was straightforward but effective. He created hundreds of thousands of short-lived websites advertising two main offerings: fraudulent CSAM and cybercrime services like stolen credit card data and system access. Approximately 90,000 sites specifically offered fake CSAM "packages" in various sizes, from gigabytes to terabytes. Prices ranged from €17 to €215 depending on the package size. The cybercrime services offered similar variety at comparable price points. Customers paid exclusively in cryptocurrency, ensuring anonymity on both sides. The catch, however, was that nothing was ever delivered. Every transaction was designed to steal money without providing any actual content or services.

Financial Impact and Customer Base

Despite the low cost per transaction, the operation proved highly profitable. Over nearly five years, the operator generated more than €345,000 from approximately 10,000 customers. This represented a remarkable return on investment for what was essentially a scam network with minimal overhead. The investigation identified around 440 individuals who had used the platform, with more than 100 cases still under investigation. Law enforcement treated all customers as potential suspects and high-value intelligence targets. Even though the CSAM was never actually delivered, attempting to purchase such material remains a serious criminal offense in most jurisdictions worldwide.

Technical Strategy

The operator's approach to scaling the operation relied on automation and the inherent properties of dark web hosting. By creating hundreds of thousands of disposable websites rather than maintaining a few high-value platforms, he achieved several objectives simultaneously. First, the volume created the illusion of a much larger operation, which could attract more users while spreading law enforcement attention thin. Second, the constant creation and deletion of sites made tracking and takedowns exponentially harder. Third, the distributed nature meant that losing some infrastructure wouldn't destroy the entire network. This strategy of quantity over quality proved effective until law enforcement coordinated across multiple countries to hit all infrastructure simultaneously.

The Suspect

Authorities identified the main suspect as a 35-year-old man believed to be based in China. An international arrest warrant has been issued for him, though as of the operation's conclusion he remained at large. The investigation traced his activities through cryptocurrency payments, server locations, and electronic evidence seized during the operation. His location in China presented additional complications for law enforcement, requiring diplomatic coordination and international legal frameworks to pursue accountability.

Ongoing Investigation

The takedown represents a major disruption to dark web criminal infrastructure, but authorities recognize it's not an endpoint. Law enforcement continues to track both customers identified during the investigation and any remaining infrastructure connected to the operation. More than 100 individuals remain under active investigation for attempting to purchase illegal material. Europol and partner agencies are also monitoring for signs of successor networks attempting to fill the void left by Operation Alice's dismantling. History suggests that criminal enterprises often reconstitute quickly, adopting similar tactics under new identities and platforms.

Broader Implications

The scale of this operation underscores how easily dark web networks can expand using automation, cryptocurrency payments, and distributed hosting infrastructure. A single individual managed to operate infrastructure rivaling that of supposedly larger criminal syndicates. The case also demonstrates the effectiveness of international law enforcement coordination when agencies prioritize joint operations. However, it equally reveals the challenge facing authorities: as soon as one network falls, competitors often emerge to serve the same market, sometimes learning from predecessors' mistakes to avoid detection. The cycle of takedown and reconstitution continues, requiring persistent international cooperation and evolving tactics to combat these networks.

Sources

• https://hackread.com/police-shut-down-dark-web-sites-csam-network/

• https://securityaffairs.com/189828/uncategorized/international-police-operation-alice-take-down-373000-dark-web-sites-exploiting-children.html

• https://www.bleepingcomputer.com/news/security/police-take-down-373-000-fake-csam-sites-in-operation-alice/

• https://www.irishexaminer.com/news/arid-41814113.html