How the FBI Located Suspected Admins of the Dark Web’s Largest Child Porn Site

The agency cooperated with a foreign law enforcement agency that had busted a second child pornography site.

In February 2015, the Federal Bureau of Investigation launched an operation that was notable for two reasons: it was the largest known law enforcement hacking operation to date, and it entailed operating a child pornography website as a honeypot for 13 days.

In addition, court documents reviewed by Motherboard suggest that a foreign agency working with the FBI may have operated a different child porn site in some capacity for at least four months.

The targets of the FBI's investigation were users of Playpen, a site on the so-called dark web that one FBI agent described as "the largest remaining known child pornography hidden service in the world" in a criminal complaint.

In order to locate these users in the real world, the agency took control of Playpen and operated it from February 20 to March 4 in 2015, deploying a hacking tool to identify visitors of the site. The FBI hacked computers in the US, Greece, Chile, and likely elsewhere.

But, in identifying at least two high ranking members of Playpen, and possibly one other, the FBI relied on information provided by a foreign law enforcement agency (FLA), according to court documents.

That FLA had "seized" another child pornography site identified only as "Website 2." Documents suggest this site was operational four months after the seizure, with no indication that the FLA had given up control of it. The foreign agency used a hacking technique of its own to identify at least one user of that site, which led the FBI to identify a suspected moderator of Playpen.

Three US-based men, Steven Chase, Michael Fluckiger, and David Lynn Browning, have all been indicted for their role as suspected administrators and moderators of Playpen, including engaging in a child exploitation enterprise. Their cases were unsealed in March and August of 2015, but have only now been reported.

***

In November 2014, an FLA, "acting independently and according to its own national laws," seized a child pornography site hosted on the so-called dark web, according to a complaint against one of the defendants, signed by Karlene Clapp, a special agent with the FBI. The complaint and other court documents do not name the agency or country, nor the website that was taken over.

The month after the seizure, the FLA obtained an IP address for one of the moderators of this site by sending the target a link to a streaming video on an external website.

"If the user chose to open the file, a video file containing images of child pornography began to play, and the FLA captured and recorded the IP address of the user accessing the file," the FBI complaint reads. Some of the related court documents were recently shared by a user on Reddit.

The video was configured in such a way that when it was opened, the target's computer would open up an internet connection outside of the anonymity network used by the child pornography site, "thereby allowing FLA to capture the user's actual IP address, as well as a session identifier to tie the IP address to the activity of a particular user account," the complaint continues. (The documents do not explicitly say whether this site was hosted on the Tor network, or another less popular network, such as I2P; it only refers to the website operating within "the Network".)

This IP address was then provided to the FBI, and led to David Lynn Browning of Kentucky. Browning, in addition to allegedly being a moderator of the child pornography site seized by the FLA, was suspected of being a moderator on Playpen, according to communications provided by the FLA to the FBI in April 2015. He was arrested in July 2015, according to court documents.

The FLA also obtained the IP address for Michael Fluckiger, a suspected moderator on the seized site and administrator on Playpen. The court documents do not say whether he was identified in the same fashion, however, and he was arrested in March 2015. In Fluckiger's complaint, the FBI mentions that the FLA was able to obtain communications from another, third website, which was used as a chat room to discuss child pornography and exploitation.

Steven Chase has also been indicted for his role as an administrator in Playpen. It is not clear how he was identified, but he was arrested on February 20, 2015, the day that the FBI started to run Playpen from its own servers. On Tuesday, a judge granted more time to complete a mental health examination of the defendant.

***

Much attention has focused on how the FBI ran Playpen for 13 days. Defense lawyers have argued that this constituted "outrageous conduct" from the FBI because the agency, in essence, distributed child pornography. A judge in a related case has ruled otherwise, though.

But, looking at the timeline of the FLA's involvement, it seems like this unknown agency might have had some sort of control over a child pornography site for a much longer period of time, possibly for at least four months. According to court documents, the FLA seized the site in November 2014. On March 13, 2015, an FBI agent acting in an undercover capacity accessed the site. Logically, the site must have still been active for an FBI agent to successfully log into it.

"After successfully logging into the site, the undercover Agent observed a chat window, which listed users currently in the chat room on the left side of the page and recent messages posted by these users to the right of their usernames," the complaint said.

However, it is not clear from the court documents what exactly constituted a seizure of the second child pornography site. The documents don't say whether this refers to the FLA running the site from their own servers, similar to the Playpen case, or whether it took control of a primary administration account and allowed the site to continue operating.

Playpen had three administrators, including Fluckiger and Chase, and numerous moderators, including Browning, according to court documents. Admins handled the technical aspects of the site and hosted it, developed and enforced rules, and carried out other tasks. Moderators, meanwhile, didn't have such a technologically hands-on role, and kept the forum clean and organised.

Playpen is not named in the court documents of these three defendants, but it is clearly the site in question. One criminal complaint says that "From on or about August 2014 until on or about February 20, 2015, Website 1 was physically hosted on servers in Lenoir North Carolina." Playpen was based in the same physical location, until February 20, when it was seized by the FBI. From that point, Playpen was run from servers in Virginia, according to court documents.

Chase, Fluckiger and Browning have all been included in the same indictment, charging them with a slew of child pornography offenses. Browning pleaded guilty in December, and Fluckiger did the same. Chase's case, however, is still going through the courts.

But, only two out of three Playpen administrators are covered in this indictment. It is unclear whether the third is still at large. It is also not totally clear whether Chase, who was arrested on February 20, 2015, was the one who led the FBI to take control of the Playpen server.

***

When asked specific questions about these cases, Peter Carr, a spokesperson for the Department of Justice, told Motherboard in an email that "We don't have anything public we can point you to beyond what you have already identified."

The FBI declined to comment and the US Attorney's office did not respond to a request for comment.

The UK's National Crime Agency told Motherboard in an email that "the NCA does not routinely confirm or deny the receipt of specific intelligence or ongoing investigations for reasons of operational security." "We work closely with international partners both in law enforcement and industry to share intelligence and work collaboratively to bring those involved in the sexual exploitation of children to account," the spokesperson added.

Although the name of the FLA is not mentioned in court documents, the investigation into Playpen was part of a joint FBI and Europol effort called Operation Pacifier.

Claire Georges, a spokesperson for Europol, told Motherboard in an email that "Unfortunately, Europol is unable to provide any comments on Operation Pacifier. We can only refer you back to the FBI who are allowed to communicate on the matter." When asked to confirm whether the action by the foreign law enforcement agency was indeed part of Pacifier, Georges added "I'm really sorry but I am not allowed to say anything more."

As more details about the shuttering of child porn sites come to light, it's clear that multiple law enforcement agencies will use a variety of tactics to identify suspects on the so-called dark web.