Taskforce Argos had quietly taken over Childs Play, a darknet child abuse forum, three months before the Norwegian newspaper VG discovered the operation. Argos ran the site for 11 months before busting the admins on unrelated charges.
With assistance from the European police, Taskforce Argos took over the Childs Play site, copied it, and moved it to a server in Sydney, Australia. The case is under investigation and the majority of the documents are sealed. The site’s admin, Benjamin Faulkner, is now doing life in prison for sexual assault.
VG found the server’s IP address through a flaw in the site’s profile picture uploading mechanism.
By telling the forum to fetch a picture from a server Stangvik controlled, he could see in his server logs that the originating IP was with a hosting provider in Sydney – Digital Pacific. Stangvik went on to confirm that outgoing DNS requests originated from the same provider, and that the forum’s software also loaded images included in forum post previews from the same IP.
Then, to make sure he had found the correct IP address:
He rented a virtual server with Digital Pacific – the same place as where the suspected IP was located. He then updated the profile picture URL to point to this server. Upon receiving an incoming profile picture request, Stangvik’s server would respond with a redirect to another URL on the same virtual server. Repeating this redirection process several times, Stangvik was able to isolate and measure the roundtrip-time between the two servers. The measurements yielded very low times, consistent with a forum server in close vicinity of his rented server.
And the packets' Time To Live values:
Stangvik also paid attention to so-called «Time To Live» values on the incoming data packets. These provide some insight into how many intermediate parties are involved from the sender to the recipient. In this case, the values indicated that there was at most one intermediate – a typical result if the servers were located in the same room.
Not a week after law enforcement arrested the forum’s admin, WarHead, Argos investigators slipped into the admin account and stealthily took control. “Phew, what a month that was! A month of my life that I won’t get back. Although technically most of the really screwed up shit happened in October, not September, hence my late foray into this month.” Some users reportedly spoke with each other privately about “WarHead,” pointing out that the author of the posts was not actually WarHead. They never said anything publicly.