Know Your Enemy: How OSINT Collaboration Can Profile a Predator

What does a pedophile look like? OSINT knows the answer.

‘No one grows up wanting to be a pedophile…’ – Dr. Fred Berlin, Johns Hopkins Sex and Gender Clinic Director [Source: NYT]

How would you describe the average unrepentant pedophile? 

Scientific and psychiatric thinking today holds pedophilia as a ‘biological disorder’. From data on convicted ‘hands-on’ abusers, a majority are men – but ‘rough estimates’ put the rate of pedophilic attraction in both men and women at 1-to-5% in the general population. Although a small subset target toddlers and infants, most pedophiles target children aged 6-17. 

This coincides with the age most children begin to use the Internet.

If this looks like a ticking time bomb, that’s because it is. The world has seen an 830% rise in online Child Sexual Abuse Material (CSAM) since 2014. Every one of these images, videos and messages encapsulates the worst moments of a child’s life, flickering across a million screens. Each one documents a life-altering crime. As if that harm isn't enough, it’s now thought unlikely that only a small fraction of pedophiles who view CSAM will physically abuse a child. In 2007, a controversial study by FBI psychologists reported 85% of online offenders acknowledged in therapy they had assaulted a child offline – the lowest estimate for a history of contact offending remains at 55%.

‘We shouldn’t assume that viewing online images leads to abuse of a child victim in person… In my clinical experience, it’s the other way around. Most of these men have already committed hands-on offenses.’ – Joe Sullivan, UK-Ireland Sex Crimes Against Children Specialist [Source: The Cut]

It’s unlikely that watching abuse causes these offenders to wake up to what they are. Instead, these are active and usually unrepentant predators overcoming their final mental guardrails, or any fear of getting caught, via CSAM – or more compellingly, by the pedophile communities built to create, distribute and ‘justify’ it. Their urges never went away, and have often already created victims. As these groups and the content they promote erode members’ inhibitions to the bone, a pedophile loses any remaining scraps of shame. Often, group members will encourage and instruct members how to create more ‘fresh’ CSAM. Their desires will become more aggressive, and their offending more frequent. Sometimes their victims will get younger, or the abuse more severe.

‘What you see, in their search histories… is that they learn how to evade law enforcement, they become more confident and they begin to use cognitive distortions to overcome their moral inhibitions.’ – Dr. Michael Bourke, US Marshals Behavioral Analysis Unit Chief [Source: NYT]

A shameless pedophile is a more dangerous pedophile. This shamelessness, in theory, should make them easier for law enforcement to profile, trace and track. However, for such flagrant offenders, they go pretty far to brush away their footprints. 

Investigators face two hurdles. Most CSAM content, even if hosted on the clearweb, originated in darkweb communities via peer-to-peer networks like Tor. These sites can host millions of files of even the most extreme abuse. A medium-sized group has 30,000 plus members. Unfortunately for analysts, Tor employs onion routing: user data is encrypted in a multi-layer system, and relayed through a series of nodes that decrypt only one specific layer each. No investigator can access every node in the circuit of a user’s journey to a pedophile site, making an IP address trace impossible. 

The second hurdle is by pedophiles’ own design: anonymous registration. Most darkweb CSAM forums and sites not only operate via username aliases, but keep registration easy – and unverified. Only a username and password link a user to their account (or accounts), and no proof of identity is required to sign up; making sure that no pedophile can be traced back to so much as an email address.  

‍“With the security scares brought about recently… and the general lack of good forums anymore, I decided to bring Childs Play to the community. The goal of Childs Play is to provide a simple free access forum to the community, while simultaneously allowing a safe and secure place to talk and just be ourselves.” – Message from ‘WarHead’ aka Benjamin Faulkner, Admin of the Web’s largest CSAM forum. [Source: VG]

A workflow or process for investigators to access pedophiles’ identities on the darkweb would help law enforcement to finally exploit these predators’ absent sense of shame. In the last year, several OSINT investigators may have found this key. OSINT investigator and blogger ‘Arden22’,

Arden made a workflow. Focussing on clearweb data, this analyst turned to Stealer logs. Saved credentials grabbed from CSAM sites infected with InfoStealer malware; usernames and device data, each with unique serial numbers. Matching login credentials and device serial numbers across different logs could deanonymize users who consumed CSAM. 

Putting this process to work quickly identified a predator. With the crucial links and leads revealed by Stealer log data, Arden22 could cross-reference OSINT – emails, IP addresses, and social media profiles – to discover the real "katy." This pedophile was using a fake identity, pretending to be a young lesbian girl to join groups like "lesbian minors under 18," "cute little ones” and more, including grooming minors online. By starting from CSAM sites and working towards their visitors, Arden22 could build a real-world identity for any user infected with a Stealer. Arden22 could profile pedophiles. 

Aaron, an OSINT specialist, read Arden22’s blog delineating this pedophile-hunting workflow. He had an idea.

So far, this process had only been implemented to catch clearweb predators: the tip of the iceberg. To truly profile any pedophile, Aaron set out to crack the darkweb. Starting like Arden22 from CSAM-related URLs – this time from darkweb sources (such as Tor sites) – listed within Stealer logs, this analyst began leveraging OSINT tools to deanonymize even darker pedophiles. A key step in this workflow? OSINT Industries.

Meet Aaron, OSINT and Cyberintelligence Specialist.

“On the Stealer log side, this is a use-case that I think showcases exactly why anyone involved in #OSINTForGood should be aware of, or actively collecting information like this to support their investigations…” – Aaron, OSINT and Cyberintelligence Specialist. [Source: AaronCTI]

Aaron, is an expert in OSINT and cyberintelligence, key member of the OSINT Community, and Founder/Director of Perspective Intelligence. He’s also an OSINT Industries user – and he “catches bad guys”. 

At Perspective Intelligence, Aaron specializes in cyber threat intelligence, digital investigations, and OSINT training. Precisely because he’s actively dedicated to actively making the internet a safer place, Stealer log datasets form a common (and ingenious) part of Aaron’s cyberintelligence strategy, particularly for Person of Interest (POI) investigations. 

The data contained in Stealer logs is generated by InfoStealers. This type of malware infects victims via phishing emails (through malicious attachments or links), pirated software (like cracked programs, keygens, or cheats for games), malicious websites (including drive-by downloads), and/or social engineering – any tricks that can convince a target to let their guard down. 

But what does a Stealer log look like? ‘In reality’, Aaron describes, you’ll begin looking at the shell: an enormous archived .zip, .rar or .7z file, with anything from one to millions of logs within. Downloads can reach tens of gigabytes in size. When an analyst cracks this file open, the logs themselves will present country codes, device serial numbers, login details, IP addresses and other data – from crypto wallets to cookies, to applications, operating systems and even screenshots of desktop activity. For OSINT, ULP files (URL, Login, Password) are ideal.

Driven by the increased commercialization and profitability of Malware-as-a-Service (MaaS), Stealers have seen a boom in the past five years. Still, they’re more common in more suspect environments; on the darkweb, they’re an epidemic. When stolen data gets beamed to an attacker’s server, the intention is to sell victims’ data to fraudsters, cybercriminals and extortionists in what Aaron describes as ‘naughty forums’.

“These—I would even call them companies— allow you to purchase a relatively cheap license and gain access to a ready to use command-and-control portal. From there, all you need to do is focus on infecting users and gather the data that is coming from the infected devices.. Yeah, the typical — ‘🔧HOW TO DOWNLOAD & USE PHOTOSHOP ON PC / LAPTOP FOR FREE🔥(2024)’ — we all know…” – Aaron, OSINT and Cyberintelligence Specialist [Source: AaronCTI]

Perhaps because they don’t realize the value of what they have (or simply because profit is profit) there’s nothing malware operators can do to stop a committed OSINT-er accessing that same data too – and using it for good. Aaron’s usual work is threat detection, alerting clients of their presence in a log to prevent malware operators from getting what they want. However, if it means catching “bad guys”, he’s more than willing to play the game. 

Arden22 had profiled pedophiles on the clearweb; searching his collection of stealer logs, Aaron could identify Tor URLs for darkweb CSAM sites – for pedophile communities – listed in ULP files. What if he fed this information into OSINT Industries’ Maltego transform? Could he “leverage information from publicly available stealer logs to identify consumers of CSAM”? Could he “subsequently identify them online by leveraging tools” like Maltego and OSINT Industries? 

Well, “as it turns out, yes, you can.’”

‘Naughty Forums’: The OSINT Search Begins

The hunt was afoot. First, Aaron had to comb his masses of logs for infected users who had visited known darkweb CSAM sites. Due to the masses of data produced by Stealers, this analyst has become adept at sifting the “ton of garbage floating around.” Aaron had a partial Tor URL, and multiple Linux commands at his disposal — Grep, RipGrep, and QGrep – and could search through over 2TB of stealer logs in just a minute or two.

“You’ve got reused logs, incomplete datasets, and endless Telegram channels sharing and resharing the same data over and over. But with the right tools, or some patience and cleaning up… this info becomes super effective for getting real work done.” – Aaron, OSINT and Cyberintelligence Specialist [Source: AaronCTI]

From these results, he picked a single IP that had visited the “known-bad CSAM site”: “to save everyone, just trust me when I say the site is beyond abhorrent.” Turning to his Maltego Graph, he leveraged a breached-data OSINT tool to find any prior data breaches that included this potential pedophile IP.

Aaron now had email addresses. Any of them could be a predator, or none of them could be. It was time to enrich them with OSINT Industries. 

“Why…? Firstly, I think OSINT Industries is the best commercially available enrichment for email addresses currently… This can be a superpower for finding an individual online quickly.” – Aaron, OSINT and Cyberintelligence Specialist [Source: AaronCTI]

Aaron hoped to find account associations, profile images, usernames, partial phone numbers or any other vital data points. The data he uncovered was massive. 

With the enormous quantity of data generated by his OSINT Industries searches and Arden22’s workflow, Aaron had identified six named individuals that consumed CSAM – six potential pedophiles. He pinpoints this as where he would usually “hand the data over, provide my methodology and the source information and offer support, if needed, to the law enforcement officers who could hopefully draw more concrete links.”

This time, he decided to go further. Searching against breached CSAM site data provided by fellow #OSINT4Good activist and OSINT Industries user OSINTGuardian, he was going to profile these predators. 

Realizing he could make the most impact in his own country, Aaron began looking for UK addresses, with UK email domains; soon, he found them. Aaron then repeated Arden22’s Stealer log process – with a secret weapon. OSINT Industries’ Maltego integration, Aaron describes, was a “lifesaver”. Soon he was able to isolate an email address within the breached data. At random, using OSINT Industries and other tools, he amassed results that could expose the predator unlucky enough to be selected.

A profile picture of the suspect. A partial phone number. Usernames. Social media profiles. Numerous accounts, including adult websites and those facilitating affairs. An approximate location for GeoInt – and even restaurant reviews on Yelp.

An analyst could discern from this data the kind of person that consumes CSAM; this predator’s entire digital life was exposed for all to see. Pushing the data pass even further, Aaron incorporated facial recognition software.

Results, again, for multiple adult websites confirmed his suspicions about this CSAM consumer. The image showed the man who had accessed a pedophile community on the darkweb. This was what a pedophile looks like.

Aaron immediately shared his findings with law enforcement — along with his methodology, and guidance on his steps to catch a predator.

The House of Cards: Destabilizing Pedophile Groups

“People who traffic in child exploitation materials are on the cutting edge of technology...” – Susan Hennessey, ex-National Security Agency Lawyer and Cybersecurity Researcher for the Brookings Institution [Source: Seattle Times]

On his blog, Arden22 correctly likens investigating pedophile communities to a “house of cards”: by mapping those users infected with malware, “all we need is to dip our toe in just enough for the house of cards to start wobbling and eventually collapse.” 

The same is true of these communities themselves.

When pedophiles lose their sense of anonymous safety in which to perpetuate their perversion with impunity, their trust in their supposedly cutting-edge community begins to erode. These groups thrive on secrecy. When law enforcement or independent researchers expose members despite their technological know-how, this undermines predators’ assumption that they can operate without consequence. Paranoia sets in. Members become hesitant. Eventually, pedophiles relocate, or abandon a site altogether. Over time, this loss of trust – or reintroduction of shame – can cause entire communities to collapse. Without these communities, pedophiles have nowhere to congregate.

Another positive to Aaron and Arden22’s approaches is how it supports this ‘house of cards’ approach, but as Aaron writes, “can be done entirely without ever considering accessing CSAM sites.” This is not only valuable for legal reasons – as “if you are stupid enough to do that the law will not protect you if found out” – but also because it bypasses risky infiltration operations. Infiltration is often an effective but faulty process. In 2017, Norwegian newspaper VG discovered that Australian police Task Force Argos had infiltrated the notorious ‘Childs Play’ forum, to an administration level, for nearly a year. As part of this ‘Operation Artemis’ sting, police controversially had to participate in the forum, distributing CSAM, to maintain their cover. The network was successfully dismantled, but UNICEF argued this sting was in violation of international conventions on children's rights; what’s more, years had passed with law enforcement unable to report predators, while perpetuating the suffering of the children in the pictures – even if it was for the greater good. 

OSINT deanonymization methods that bypass accessing CSAM entirely could, in theory, help law enforcement and investigators keep their hands clean. It could also mitigate the toll of catching ‘bad guys’ on analysts’ fragile mental health.

Strength in Numbers: OSINT Industries and the OSINT Community

“I think this was a compelling demonstration of OSINT For Good…” – Aaron, OSINT and Cyberintelligence Specialist [Source: AaronCTI]

Community can be a force for evil – but this investigation demonstrates how community can be an even stronger force for good. Aaron is very active in the UK OSINT Community, and this investigation is a prime example of the power and value of a community-focused OSINT strategy. 

It was an OSINT blog post from Arden22 that inspired Aaron’s workflow for catching “genuine villains”, coinciding with an inspiring conversation “just the day before” with “the incredible” Kevin Metcalf, founder of the National Child Protection Task Force for the UK OSINT Community. This meeting led to vital discoveries around both UK and US IPs when Aaron came to investigating CSAM consumers.

What’s more, Aaron’s investigation suggests a thriving community is growing among OSINT Industries users: inspiring each other, and inspiring research. A key player in Aaron’s story was Claudia* at OSINTGuardian, subject of two past Case Studies on exposing clearweb pedophiles with OSINT.** It was querying a partial CSAM Tor URL from her investigation – a “tiny little bit of redacted information” printed in her story – that gave Aaron leads; then, her database was vital to his final success. Aaron’s breakthroughs are proof that when it comes to #OSINT4Good, Case Studies beget more Case Studies, and more positive news.

“I’m just a pillock with a hope and a dream, but what I can do is enrich this data further to provide some extra context for my friends in law enforcement…” – Aaron, OSINT and Cyberintelligence Specialist [Source: AaronCTI]

Going forward, Aaron intends to continue working with OSINT Industries. In this case, Aaron was impressed by cases where he “had emails… like 25 plus”, and “within a minute [our tool] can turn around a person”. We were proud to hear our tool had “surpassed” the tools Aaron had implemented before. 

After all, it’s not often that an analyst can “find a pedophile from an Indian restaurant review.”

To find out more about Aaron’s work, visit:

Perspective Intelligence: Site

LinkedIn: Aaron Roberts

For more about Aaron’s profiling investigation, read:

To Catch A Predator: Using Stealer Logs to Identify Abusers – AaronCTI

*Some names have been changed to protect identities.

**We hope to relist these Case Studies soon, pending legal resolution with those exposed. 

‍