Elysium Owner Caught After Leaking IP Address


While investigating darkweb crime in 2017, investigators with the German Federal Criminal Police Office discovered a darknet child abuse forum called “Elysium.” Georg Ungefuk, the Attorney General in Frankfurt, led an investigation into the forum that eventually shuttered it and brought its owners into custody.

In Frankfurt, four men are currently standing trial for operating or helping operate the forum. One of the four, according to the prosecution, worked as the forum operator. One of the defendants had allegedly programmed the forum software and assembled the server used to host Elysium. And two defendants had allegedly helped with the day-to-day work such as administration and forum moderation.

An official announcement from the German Federal Criminal Police Office on the topic of darknet crime and Elysium (PDF).

The Investigation

Undercover investigators joined Elysium and scoured messages, the Attorney General said. “The Elysium platform was not built like the typical child pornography sites on the Darknet,” he explained. He said that anyone could sign up and access the forum without providing proof that they had no affiliation with law enforcement.

Many child abuse sites, forums, and groups on social media applications require new members to share something that law enforcement would not or could not share. We have learned that law enforcement in both the United States and in Australia have been secretly uploading child abuse content in order to maintain their access to such forums or groups.

As noted in a previous article, the German Federal Criminal Police Office believes the aforementioned method of investigation needs reconsideration. In the Elysium case, investigators had no need to upload illegal content—something the police likely appreciated.

IP Leaks

In May, the hours of examination of the forum’s source code paid off. Investigators discovered references to a clearnet I.P. address in the source code of the forum that led them directly to an address in Hesse. They knew the I.P. address was the I.P. address used by the bare metal server that hosted the forum. Tor protects those who correctly use Tor. But in cases like this, Tor provides only a false sense of security.

The police raided the home in Hesse connected to the residential I.P. address found in the Elysium source code. Law enforcement conducted the raid with the same precision seen in the “Germany in the DeepWeb” raid. The police stormed the house and accessed the server before the owner had the opportunity to push a panic button or “close his laptop.”

They pulled “several terabytes” of data from the server and an unknown amount of information from his personal devices.

The 40-year-old from Hesse faces charges for distributing child pornography and for facilitating child pornography distribution through the forum.

Messages

Messages recovered from the 40-year-old’s devices allegedly provided evidence that the man who had been hosting the server in his garage had not actually built the darkweb child abuse forum. The Attorney General accused the recipient of those messages of both creating the forum and building the server found in the garage of the primary defendant.

Since the 40-year-old knew the alleged forum builder—a 58-year-old from the district of Tübingen—the police tracked him down with little effort. He, of course, denied any participation in the Elysium conspiracy. His chances of convincing the court of his innocence, however, are very slim; investigators had already found evidence that implicated the man in the administration of the former darkweb child abuse forum called “The Giftbox Exchange.” They have accused him of a role as a moderator.

Graphic Design

One man, a 62-year-old artist from Landsberg, had allegedly worked as an administrator on the forum. The prosecutors have accused him of working for the site owner.

The German Federal Criminal Police Office identified him after combing through gigabytes of child abuse photos and videos. He had uploaded a picture or video where a father could be seen abusing his seven-year-old daughter. The alleged forum administrator had been present during the abuse of the girl. He denied any participation in the abuse.

The police, after a thorough examination of the media, identified the general region in which the video had been filmed. Investigators correctly aged the girl and talked to school teachers in the area. One of the teachers recognized the girl as one of her students. The police then arrested the girl’s father and—through an undisclosed method—used his arrest to identify and arrest the 62-year-old alleged administrator (the father almost certainly identified the forum administrator for the police).

Unknown

We have not yet learned how the fourth defendant landed in police custody. We know he was a 47-year-old from Baden-Württemberg who had allegedly moderated specific parts of the forum.

The trial

The trial began last week. It will continue through the next week and then temporarily end. It will pick back up again in November. All four defendants face ten years in prison and two face preventative detention.

Since the German Federal Criminal Police Office ended Elysium, authorities in Germany and Austria have identified and reportedly rescued 28 children. And last spring, the police arrested 14 suspected child abusers who had posted identifying information on Elysium.

Frankfurt Attorney General Georg Ungefuk has treated this case with care. “For the first time in Germany, a child pornography ring on the darknet was located and smashed,” Ungefuk said.