Police take down 373,000 fake CSAM sites in Operation Alice

Summary

Operation Alice, an international law enforcement action led by Germany and Europol, has dismantled over 373,000 dark web sites fraudulently advertising child sexual abuse material (CSAM). The investigation targeted a platform operated by a 35-year-old Chinese suspect that scammed approximately 10,000 users out of $400,000 in Bitcoin by promising but never delivering illegal content. Authorities have seized 287 servers (105 in Germany), identified 440 users across 23 countries, and issued an international arrest warrant for the operator.

Full text

Police take down 373,000 fake CSAM sites in Operation Alice By Bill Toulas March 20, 2026 01:19 PM 0 An international law enforcement action called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages. The investigation, led by Germany and supported by Europol, began in mid-2021 and focused on a platform called “Alice with Violence CP,” operated by a 35-year-old suspect based in China. These sites advertised child sexual abuse material (CSAM) and cybercrime-as-a-service offerings, including stolen credit card data and access to compromised systems. Seizure banner on one of the scam sitesSource: Europol According to Europol, the sites used showed previews of claimed CSAM “packages” to trick users into entering their email addresses and paying between EUR 17 and EUR 250 in Bitcoin, receiving nothing in return. “Each package had an estimated cost of between EUR 17 and EUR 215, and promised data volumes ranging from a few gigabytes to several terabytes of CSAM,” explains Europol. “However, these were purely fraudulent sites where CSAM was advertised and previewed but never delivered.” The fraudulent CSAM platform fooled around 10,000 users into paying roughly $400,000 to the operator of the sites. Of those, the authorities have identified 440 users in 23 countries, and are currently investigating 100 of them. Although these people never received the illegal material, they still tried to purchase CSAM, financially supporting child abuse and demonstrating criminal intent. Even attempting to buy such material is prosecuted in many jurisdictions. At its peak, the scam network’s infrastructure comprised 287 servers, with a significant portion (105) located in Germany, all of which have now been seized. German authorities have also issued an international arrest warrant for the Chinese operator. Europol highlights its broader child protection work, including the Help4U support platform launched in November 2025, and its “Stop Child Abuse – Trace an Object” initiative, which invites people to identify the origin of objects seen in CSAM material that may lead to the identification of perpetrators, and the saving of children from abuse. Red Report 2026: Why Ransomware Encryption Dropped 38% Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded. Download The Report Related Articles: The Refund Fraud Economy: Exploiting Major Retailers and Payment Platforms Interpol operation Synergia takes down 1,300 servers used for cybercrimeInterpol disrupts cybercrime activity on 22,000 IP addresses, arrests 41Going the Extra Mile: Travel Rewards Turn into Underground Currency.Europol-coordinated action disrupts Tycoon2FA phishing platform

Indicators of Compromise

• malware — Alice with Violence CP