iOCATA 2015

Online child sexual exploitation (CSE) is a constantly evolving phenomenon, shaped by developments in technology, growing levels of Internet adoption via territorial coverage and bandwidth, and further expansion of mobile connectivity.

The key threat areas include criminal activities in P2P environments and the Darknet, live streaming of child sexual abuse, sexual extortion, and developments in the commercial distribution of child abuse material (CAM). Focus will also be on the offender environments and threats relating to the growing level of competence amongst offenders in terms of networking and technical capability, use of encryption and anonymisation tools as well as the abuse of hosting services for distributing CAM.

Some of these areas were already reported in the 2014 IOCTA; they still remain the main challenges, even if there were no significant developments over the last year.

Key threat – P2P environment img

Key threat – P2P environment

P2P file sharing methods remain the main platform to access child abuse material and the principal means for non-commercial distribution. These are invariably attractive for CSE offenders and easy to use. They are a highly effective and efficient means of building and rebuilding a collection quickly after accidental loss or apprehension.

Some specialists describe the material which is being shared there as known and often dated. However, P2P is an important part of a possible offending pathway, from open searching using search engines, via exchanges on the open Internet to the hidden services in the Darknet.

This environment is also – due to its nature - deemed to be the one where the greatest volume of offending is identified. P2P cases still constitute the majority of investigations conducted by specialised units.

Some specialists noted a slight shift of users of hidden services to P2P environments as a result of recent successful LE interventions. While it is impossible to confirm such observations by reliable quantitative data, it perfectly supports an assumption that current online distribution of CAM is very dynamic, and the operations of LE agencies inevitably influence the extent of misuse of particular environments.

Key threat – the Darknet img

Key threat – the Darknet

Criminals who are present on the Darknet appear more comfortable offending and discussing their sexual interest in children than those using the Surface Web. The presumed greater level of anonymity and strong networking may be favouring their sexual urges, which would not be revealed in any other environment lacking such features.

The use of Tor in the proliferation of CAM remains a key threat, regardless of some loss of trust about its complete anonymity and technical limitations.

Restricted areas of Tor pose the highest risk to children as they are linked to the production of new CAM to retain community membership and status, which inevitably leads to further hands-on abuse. It is likely that more abuse of an extreme and sadistic nature is being requested and shared in these areas.

Key threat - Live streaming img

Key threat - Live streaming

The live streaming of abuse1 is no longer an emerging trend but an established crime, the proliferation of which is expected to further increase in the near future. Child sexual abusers continue to exploit technology that enables the streaming of live images and video in many different ways. This includes use of live streaming methods in sexual extortion cases, organising invitation-only videoconferencing of contact abuse among members of closed networks, as well as the trend reported in 2014 concerning the profit driven abuse of children overseas, live in front of a camera at the request of Westerners2.

The low cost to consumers of pay-per-view child sexual abuse makes it possible to order and view the abuse regularly without the need for downloading. This represents a significant driver for such a modus operandus to become even more widespread. The frequent small amounts of money being transferred through intermediaries minimises any red flags from financial transaction monitoring agencies3.

Recently, some intelligence strengthened the connection between live streaming and hands-on abuse, where live-distant abuse is followed by travel to another country to contact abuse the same children.

  1. Live-distant child abuse (LDCA) is a term suggested by specialists to underline the fact of sexual abuse even if physical contact between an offender and a victim does not take place
  2. Europol, IOCTA 2014,, 2014
  3. EFC Strategic Assessment 2014,, 2015
Key threat – Online solicitation and sexual extortion img

Key threat – Online solicitation and sexual extortion

The last few years have witnessed changes in the online distribution of self-generated indecent material (SGIM) produced by young people, much of which is distributed through mobile devices and social media platforms. Although intended to be shared with trusted partners, there is the potential for such material to be captured and distributed among CSE offenders if it is later placed on the open Internet.

SGIM can also be acquired by offenders through online solicitation, often combined with grooming, where children are offered money or gifts in exchange for complying with the desires of the offender. Using mobile devices or webcams to record the media, a victim is lured into sending photos or videos to the abuser, who may also pretend to be a teenager. Voluntary involvement, however, frequently turns into involuntary participation as the abuser turns to coercive measures to obtain valuable new material.

In the most extreme cases online solicitation may turn into sexual extortion, where victims are threatened by disseminating indecent materials depicting them and have to comply with offender demands, leaving them with psychological damage and increasing the potential for self-harm or suicide attempts. Such modus operandi reflects the general trend towards more extreme, violent or degrading demands where coercive techniques are adopted.

As a methodology, business models based on blackmailing young people may also be attractive to those who are not sexually interested in children but seek financial gain. Although such crimes are not primarily aimed at minors, it is likely that children (below the age of 18 years) may be among its victims, and may experience serious psychological damage. Cybercrime groups running such schemes are known to operate out of north-west African states and south-east Asia.

Key threat – Commercial distribution img

Key threat – Commercial distribution

There is a need to widen the understanding of the current scope of online commercial CAM distribution. It is necessary to acknowledge that new CAM can be a currency in itself. The value of an image is its novelty which is likely to define the means of its circulation. This needs to be differentiated from instances of obtaining financial gain from distribution of CAM.

A full understanding of the commercial distribution of CAM requires taking into account all forms of commercial activity involving its distribution, not only the ‘traditional model’ of dedicated websites offering such material on the open Internet. This includes new methods for distributing CSE such as ‘disguised websites’4, dissemination through cyberlockers, live streaming of child sexual abuse for payment as well as instances of commercial CSE in the Darknet. Additionally, a continuation of migration from traditional payment mechanisms to those offering a greater degree of anonymity, particularly pseudonymous payment systems5 such as Bitcoin, has been observed. Commercial distribution exists, and is evolving. This is despite the producer’s perception that financial flows may compromise their security.

The traditional distinction between commercial and non-commercial distribution, which cast the former as largely profit driven and conducted by those with limited sexual interest in children, is no longer as obvious. It is weakened by the fact that offenders with a sexual interest in children who produce and distribute CAM are becoming entrepreneurial, exploiting developing technologies6.

  1. The disguised websites’ present different content depending on the route the user takes to reach them. When the URL is loaded directly into the browser, the page which loads contains legitimate adult content. However, when accessed via a particular gateway site (‘referrer’) the page displays child sexual abuse content. IWF Annual report 2013
  2. ICMEC, The Digital Economy,, 2014
  3. EFC Strategic Assessment 2014,, 2015
Key threat – Networking and forensic awareness of CSE offenders img

Key threat – Networking and forensic awareness of CSE offenders

CSE offenders continue to exploit currently available technology, coupled with anonymous networks to hide their activities from LE attention. Increasingly user-friendly Internet-related technologies provide access to a variety of services they can feel comfortable and secure with. It is likely that some of them will make use of more than one route to access CAM simultaneously.

The use of techniques such as anonymisation, encryption and anti-forensic tools, such as 'wiping' software or operating systems (OS) run from removable media, are now considered the norm rather than the exception.

Communities of offenders mature and learn from the mistakes of those that have been apprehended by law enforcement, becoming more difficult to infiltrate. This is believed to refer more specifically to the users of the Darknet, who continue to develop trusted relationships and share relevant technical expertise. Offenders have also vacated Hidden Wiki, the Darknet’s most popular directory of hidden services, in an effort to keep their profile low. Presumptions of safety, strengthened by the perception of anonymity and strong support from a like-minded community, influence an offender's behaviour and are likely to be reinforcing factors in an individual's offending pathway.

CSE offenders continue to misuse legitimate hosting possibilities to store and distribute CAM. According to INHOPE records, in 2014 the total number of unique URLs confirmed to contain CAM and inserted into their reporting system was 83 644 (48 910 in 2013 and 33 821 in 2012). In 2014 the top hosting countries were United States (37% of identified CAM), Russian Federation (24%), Netherlands (16%) and Canada (11%). Image hosting sites were identified as hosting 42% of the reported URLs (an increase from 22% in 2013), followed by website hosting - 30% (37% in 2013) and file hosting sites – 20% (29% in 2013)7.

Future threats and developments img

Future threats and developments

Historically, CSE offenders were commonly located and identified as a result of their true IP address being revealed during an investigation. These could then be used to obtain subscriber’s details from ISPs. The invalidation of the Data Retention Directive in May 2014 was replicated in several EU Member States and will increasingly stand as a barrier to the success of future CSE investigations.

In February 2015, a report passed to US liaison officers at Europol from the US National Center for Missing and Exploited Children (NCMEC) prompted an investigation by EC3's FP Twins. Swift cooperation with the Romanian authorities resulted in the arrest of the offender and the rescue of his 22-month old daughter from further abuse.

The development and use of technologies which complicate traditional police methods of identification of online CSE offenders is likely to continue. It is expected that the link between online content and user will be less visible as a consequence of using anonymising tools, encryption and the remote storage of data. Increasing Internet coverage through broadband and 4G in developing countries will result in live-distant child abuse becoming more widespread, leading to a growing multitude of unknown victims and complicated investigations requiring close cooperation with LE outside the EU.

The further professionalisation of criminal activities on the Darknet, including the evolution of online markets and alternative payment methods, may be leading to the facilitation of illicit payments for novel CAM. Criminals offering commercial live streaming of CAM may also adopt decentralised streaming solutions with built-in payment systems8 instead of centralised commercial products.

The noticeable online proliferation of SGIM corresponds with the increased online presence of children and teenagers. According to a recent media use survey in the UK, children aged 5-15 spend 12.5 hours online per week. 41% own a mobile phone, which are increasingly capable of accessing the Internet. Ownership of tablets in this age group has almost doubled – growing from 19% in 2013 to 34% in 20149. This trend will most probably increase, and with it the exposure of children to potential threats on the Internet.

It is safe to assume that emerging technologies such as virtual reality headsets, combined also with advancements in other fields such as artificial intelligence, will be adopted for adult entertainment as well10 11 12. The adult entertainment industry is a key driver for the adoption of media formats and emerging technologies, and it is therefore likely that such content will find its way to one of the developing virtual reality platforms, allowing for a high degree of immersion and interactivity. This technology may also be abused by CSE offenders to simulate child abuse virtually, although the legal implications of this are unclear13.

  1.,, 2015
  2. Ofcom, Children and Parents: Media Use and Attitudes Report,
  3. The Register, Virtual Reality Porn on the Rift? ‘Why not?’ Says Oculus Founder,, 2015
  4. Gizmodo, The Next Oculus Rift Might Let You See Your Actual Hands in VR,, 2015
  5. SingularityHub, The Future of Sex: Androids, VR, and the Orgasm Button,, 2009
  6. BBC News, Second Life ‘child abuse’ Claim,, 2007
Recommendations img


  • EU law enforcement must not only ensure they are familiar with emerging trends, technologies and methodologies used in CSE online, but extend their expertise and experience to jurisdictions that require capacity building and additional support.
  • Cooperation with both reporting bodies as well as content service providers is essential. The marked increase in the abuse of hosting services requires its providers to introduce procedures for identifying and mitigating distribution of CAM.
  • The relationship between the production of SGIM online and CSE remains unclear and merits additional research. Tailor-made prevention activity resulting in a greater awareness of online threats is vital to reduce the threat of online grooming and solicitation.
  • Law enforcement should focus on identifying and dismantling the communities and forums in which offenders congregate as these drive the demand for fresh CAM leading to the abuse of new victims.
  • Effectively investigating CSE in closed like-minded offender communities requires relevant legal instruments allowing undercover work and the efficient use of traditional policing investigation methods.
  • In order to counter the increasing occurrence of encryption used by offenders, law enforcement should invest in live data forensics capability and prioritise the seizure of devices in situ when arresting suspects, to capture the relevant artefacts in an unencrypted state.
  • There is a need to constantly enhance victim identification strategies. Resources spent on the efficient use of available Victim ID databases, taking into account current and future efforts undertaken by EC3 and Interpol in this field, as well as detailed analysis of the material, often lead to successful rescue operations.