Operation Boylover

Operation Agora:
Difficulties in building a
Case against a
Boylover’s Group
Carles Gallardo
Cybercrime Unit
mossos d’esquadra
Catalonia Autonomical Police
Operation Agora:
Difficulties in
building a Case
against a
Boylover’s Group
Summary
• Forum «protegenos.com» Paedophile
Meeting point
• Core group of suspects in Barcelona
• Active exchange of strategies and
techniques
• Exchange and distribution of (Links,
Photos and videos) sexual abuse of
Children content
• Preparatory acts to Contact and abuse of
Children
• Conspiracy to stablish a «sex tourism»
route to Venezuela
Protegenos.com
Domain registered in
Domains by Proxy Inc.(US)
Hosted on IP belonging to
GoDaddy Inc.(US)
Administrator of domain and
Forum uses Hotmail (US)
The IP history showns only
Proxy connections
Identification
Thorough Analysis of Forum
and Blog led to an Spanish IP
subscriber that hosted the
Forum contents ‘at home’
Protegenos.com
Administrator of the
site had direct relation
ship with a similar
website that contained
links to sexual abuse of
Children content
(sueños de kitty) and
hosted
copies
of
Paedophyle
and
‘ChildPorn’ sites
Protegenos.com
The suspects evolved from openly
sharing of links and content to a
“Boylover activism” that meant
cover up their real motivations and
purposes
Investigation details
•March 2010, discovery of Blog in
www.protegenos.com
•May 2010, wire tap and DSL interceptions
begin
•June 2010, 13 Core users in Spain, 9 in
Barcelona ID’d
•November 2010, enough evidence collected
•December 2010 ,search warrants and
arrests
•Collection of information
(open sources)
•Communications interception
(DSL and Voice Calls)
Cooperation with other LEA
(Guardiacivil, Venezuela Police)
•Data analysis and victim
identification
Investigation details
DSL interception provided
loads of information on the
Forum and Blog activity.
Navigation
activity
was
analysed daily and many
packs of data had to be
decoded
Group relations and activities
Investigation details
DSL interception provided
loads of information on the
Forum and Blog activity.
Navigation
activity
was
analysed daily and many
packs of data had to be
decoded
Group relations and activities
Investigation details
The investigation resulted in
the identification of 20
suspects
The core group members
were located in Catalonia
The rest were located in
different provinces of Spain
and
in South America
(Venezuela,
Mexico,
Colombia, ..)
Group relations and activities
Investigation details
The Forum administrator
was de main link between
the Spanish members and
the SouthAmerica members
Thanks to International
Cooperation (stablished by
Guardiacivil) it was possible
to locate and Identify a
suspect in Venezuela
Group relations and activities
Investigation details
Many of the members were
included in the more than
4000 intelligence reports
issued by Europol on the
website
Boylover.net
(OPERATION RESCUE)
International Impact
OUTCOME
• Arrest and indictment of
arrested suspects
• Provisional imprisonment of
core group members
• Computer equipment seized
• International arrests: Venezuela
• Post operation Bonus: Children
exploitation criminal group
dismanteled in Venezuela
International Impact
DIFFICULTIES
• Tech savvy suspects, aware
of LEA actions
• Active use of Anti forensic
Techniques
• Analysis and decryption of
DSL interceptions data
• International Cooperation
• Identification and location
of victims
Corporal Carles Gallardo
Cybercrime Unit
mossos d’esquadra
Avinguda de la Pau, 120
08206 Sabadell (Barcelona)
[email protected]
[email protected]
http://www20.gencat.cat/portal/site/mossos