On the 9th of March, we welcomed 118 attendees to kick off our first Expert Insights webinar of this year with the topic: “CSAM and the dark web: tracking new trends through blockchain analysis."

The session was held by TRM Labs, a blockchain intelligence company working with public sector agencies and private sector companies to detect and combat crypto-related crime. Carolina Christofoletti, Threat Intelligence Researcher at TRM Labs, specialises in Child Sexual Abuse Material (CSAM) threats, specifically using cryptocurrencies and blockchain-based services that enable illicit activity. During her presentation, she outlined three emerging trends recently identified within the landscape of CSAM and cryptocurrency. 

CSAM and Cryptocurrencies

Cryptocurrencies have become a prevalent method for CSAM actors to sell and fund abuse and exploitation material. Over the last year alone, TRM Labs identified over 3.5 million dollars sent to CSAM-related addresses. According to Carolina, most transactions are direct purchases of CSAM from a vendor, but there are also other ways in which cryptocurrencies are being deployed in the CSAM trade landscape. "There are cases in which CSAM criminals donate cryptocurrencies to dark web scam forums to support the dark web administrators to finance their servers," she elaborated. In some cases, cryptocurrencies are also being sent as donations to uploaders who make files of abuse material available for free on the dark web.

Trend 1: CSAM Threat-Actor Networks

Following a thorough analysis, TRM Labs recognised specific patterns on the blockchain. "We realised that although there are many cryptocurrency addresses that don't seem to be associated with each other, on-chain analyses revealed that they seemed to be controlled by the same network," Carolina explained. Different entities keep different consolidation addresses and attempt to disguise their affiliation through complicated movements on the blockchain. However, by observing how and where funds from different websites were being consolidated and/or cashed out, TRM Labs identified instances where a set of different CSAM websites actually appear to be controlled by the same threat actor.

Trend 2: CSAM Vendors vs. CSAM Scammers

The analysis of CSAM offenders' on-chain behaviour suggests that some entities operating on the dark web might be "CSAM scams."

Types of CSAM Actors

• CSAM vendors: Actors selling CSAM to other parties. Often offer consumers access to CSAM trading networks.
• CSAM consumers: Actors seeking to purchase CSAM.
• CSAM scammers: Actors seeking to scam consumers purchasing CSAM, who advertise CSAM to consumers and may succeed in collecting payment, but otherwise behave similarly to typical scammers and do not deliver the materials purchased.

When a CSAM consumer attempts to purchase CSAM from several different entities in a short amount of time, it can be an indicator that the vendors they contacted were actually scammers. Unlike true CSAM vendors, who attempt to conceal their activities, CSAM scammers are often easily found through common CSAM keyword searches on the dark web's link directories. Scammers benefit from the centrality provided by dark web search engines where their pages are promoted as ads and appear in a large number of mirrored dark web link directories.

Trend 3: Impersonating CSAM Scammers

Some CSAM vendors realised, that impersonating CSAM scammers could help them disguise illegal activity. “CSAM criminals abuse this situation and impersonate CSAM scams to keep out of the spotlight,” Carolina explained. By impersonating CSAM scammers, CSAM vendors hope that law enforcement authorities will not prioritise those investigations, and instead continue searching for real CSAM vendors.

But TRM Labs found a way to identify impersonators by analysing transaction patterns on the blockchain. The usual patterns for real CSAM scammers show consumers' visible one-time payments to various wallets, indicating unsuccessful attempts to purchase CSAM. This pattern looks different for vendors impersonating scammers: as soon as the consumer has received what they wanted they stop sending funds to other vendors. Then, on-chain transaction analysis shows repeated purchases from the same vendor. "Knowing how to identify on-chain behaviours typical of CSAM scammers and CSAM vendors makes it harder for vendors to successfully impersonate scammers and thus evade law enforcement's attention," pointed out the Threat Intelligence Researcher.

Takeaways for Blockchain Investigations

So what are the main takeaways for agents investigating CSAM in the cryptocurrency landscape? Carolina emphasised that identifying networks of CSAM websites being operated by a common threat actor can be really helpful in disrupting these systems. Furthermore, it is critical to realise, that CSAM vendors might be trying to hide amid the big data lake created by CSAM scammers. Knowing how to distinguish both cases via on-chain analysis can greatly benefit law enforcement investigations. "CSAM scammers create a unique blockchain footprint that allows law enforcement agencies to prioritise cases of actors persistently trying to obtain CSAM," says Carolina. This is why blockchain analysis is so essential in effective online CSAM investigation.


TRM Labs provides investigative and compliance tools for organisations that need to detect and disrupt the illicit use of cryptocurrencies. To learn more about using TRM solutions, including Training and Certification programs, please click here.

Click here to sign up for our upcoming webinars.