A 35-year-old man operating from China ran the largest fraudulent dark web network ever dismantled and the most disturbing detail is not the scale of the infrastructure he built, but what he was selling — child sexual abuse material that did not exist, to thousands of buyers who paid for it anyway.
On March 9, a global operation led by German authorities and supported by Europol was launched against one of the largest networks of fraudulent platforms in the dark web. The investigation began in mid-2021 against the dark web platform “Alice with Violence CP.” During the investigation, authorities discovered that the platform’s operator ran more than 373,000 fraudulent websites advertising child sexual abuse material and cybercrime-as-a-service offerings.
The first phase of Operation Alice ran for 10 days, with 23 countries joining forces. The participating nations included Spain, Germany, the United States, the United Kingdom, Ukraine, Mexico, Canada, and Australia. Europol facilitated intelligence exchange, provided analytical support, coordinated the international response, and played a critical role in tracing cryptocurrency payments across jurisdictions.
The criminal model this operator constructed sits at an unusual intersection of two distinct threats that security teams rarely analyze together. From February 2020 to July 2025, the suspect advertised child sexual abuse material on different platforms accessible through more than 90,000 of those onion domains. The perpetrator offered material in purchasable packages after buyers provided an email address and made a payment in Bitcoin, with each package costing between €17 and €215 and promising data volumes ranging from a few gigabytes to several terabytes.
The material was never delivered. Customers were tricked into providing payment for these products but received nothing in return. Europol estimated the suspect made around €345,000 — approximately $400,000 — from around 10,000 people who attempted to buy the illicit material.
Not Just Any Other Dark Web Economy
The fraud architecture layered two criminal economies on top of each other. Alongside child abuse material, the platform also offered cybercrime-as-a-service listings — including stolen credit card data and access to compromised backend computer systems — extending the operator’s reach from child exploitation into enterprise-grade cybercrime services.
The CaaS dimension means the operator’s customer base included not only individuals seeking abuse material but also cybercriminals seeking ready-made access to corporate networks, broadening the downstream harm considerably.
The infrastructure scale alone places this case in a different category from any previous dark web takedown. The dark web runs on onion domains — a special type of website address engineered specifically to conceal the identity and location of both the operator and visitors by routing traffic through layered encryption relays.
Over nearly five years of investigation, German authorities discovered that a single individual operated over 373,000 onion domains on the dark web. Managing that volume of infrastructure requires automation, deliberate operational security planning, and sustained technical capability.
Operation Alice initially only targeted the platform operator. However, through international cooperation, the investigation uncovered the identities of 440 customers who had used the operator’s services. Due to the nature of the purchases, additional investigations were launched against them, and the operation remains ongoing against more than 100 of those individuals.
The operational results include the seizure of 105 servers along with computers, mobile phones, and electronic storage devices. Investigators also seized the financial proceeds generated across five years of operation.
