Operation Alice: Police dismantle a massive dark web network with 373,000 fake sites luring users seeking child sexual abuse material.

An international law enforcement operation, code named Operation Alice, shut down one of the largest dark web scams, uncovering over 373,000 fake sites tricking users seeking child sexual abuse content. The operation, first investigated in Germany in 2021, centered on the platform “Alice with Violence CP” and was allegedly run by a single individual controlling hundreds of thousands of fraudulent marketplaces for illicit material and cybercrime services.

“On 9 March 2026, a global operation led by German authorities and supported by Europol was launched against one of the largest networks of fraudulent platforms in the dark web. The investigation began in mid-2021 against the dark web platform “Alice with Violence CP”.” reads the press release by Europol. “During the investigation, authorities discovered that the platform’s operator was running more than 373 000 fraudulent websites advertising child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS) offerings.”

From 9 to 19 March 2026, law enforcement from 23 countries worked together to go after the operator of a dark web platform.

The investigation revealed 440 customers worldwide, prompting further probes against them, with ongoing actions against more than 100 individuals. So far, authorities have identified 1 operator based in the People’s Republic of China, shut down over 373,000 dark web sites, seized 105 servers, and confiscated computers, mobile phones, and other electronic devices, marking a major step against illicit online networks.

“From November 2019 until recently, he operated a network of up to 287 servers at its peak, 105 of which were located in Germany. German authorities have issued an international arrest warrant.” continues the press release.

Over nearly five years, German authorities uncovered a single individual running more than 373,000 dark web sites, including 90,000 offering fraudulent CSAM “packages” for Bitcoin. Prices ranged from €17 to €215 for data from gigabytes to terabytes, but nothing was delivered. The operator also promoted cybercrime services, such as stolen credit card data and system access, tricking users into paying without receiving any actual content or services.

The Europol pointed out that even though customers never received CSAM, paying for it made them suspects, and investigators saw them as potential high-value targets for intelligence. Authorities acted quickly to protect children at risk, such as a 31-year-old father convicted in 2023 for attempting to buy 70 GB of CSAM. Europol coordinated international information sharing, traced cryptocurrency payments, and supported authorities, helping identify the perpetrator. Europol also runs projects to prevent child sexual exploitation, including the “Stop Child Abuse – Trace an Object” initiative and the Help4U platform, offering children secure advice and support.

“Operation Alice sends a clear message: there is nowhere to hide for criminals when the international law enforcement community works hand in glove. We will find them and hold them accountable. Europol will continue to protect children, support victims, and track down the perpetrators.” said Europol’s Executive Director Catherine De Bolle.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Operation Alice, dark web)

A 35-year-old man operating from China ran the largest fraudulent dark web network ever dismantled and the most disturbing detail is not the scale of the infrastructure he built, but what he was selling — child sexual abuse material that did not exist, to thousands of buyers who paid for it anyway.

On March 9, a global operation led by German authorities and supported by Europol was launched against one of the largest networks of fraudulent platforms in the dark web. The investigation began in mid-2021 against the dark web platform "Alice with Violence CP." During the investigation, authorities discovered that the platform's operator ran more than 373,000 fraudulent websites advertising child sexual abuse material and cybercrime-as-a-service offerings.

The first phase of Operation Alice ran for 10 days, with 23 countries joining forces. The participating nations included Spain, Germany, the United States, the United Kingdom, Ukraine, Mexico, Canada, and Australia. Europol facilitated intelligence exchange, provided analytical support, coordinated the international response, and played a critical role in tracing cryptocurrency payments across jurisdictions.

The criminal model this operator constructed sits at an unusual intersection of two distinct threats that security teams rarely analyze together. From February 2020 to July 2025, the suspect advertised child sexual abuse material on different platforms accessible through more than 90,000 of those onion domains. The perpetrator offered material in purchasable packages after buyers provided an email address and made a payment in Bitcoin, with each package costing between €17 and €215 and promising data volumes ranging from a few gigabytes to several terabytes.

The material was never delivered. Customers were tricked into providing payment for these products but received nothing in return. Europol estimated the suspect made around €345,000 — approximately $400,000 — from around 10,000 people who attempted to buy the illicit material.

Not Just Any Other Dark Web Economy

The fraud architecture layered two criminal economies on top of each other. Alongside child abuse material, the platform also offered cybercrime-as-a-service listings — including stolen credit card data and access to compromised backend computer systems — extending the operator's reach from child exploitation into enterprise-grade cybercrime services.

The CaaS dimension means the operator's customer base included not only individuals seeking abuse material but also cybercriminals seeking ready-made access to corporate networks, broadening the downstream harm considerably.

The infrastructure scale alone places this case in a different category from any previous dark web takedown. The dark web runs on onion domains — a special type of website address engineered specifically to conceal the identity and location of both the operator and visitors by routing traffic through layered encryption relays.

Over nearly five years of investigation, German authorities discovered that a single individual operated over 373,000 onion domains on the dark web. Managing that volume of infrastructure requires automation, deliberate operational security planning, and sustained technical capability.

Operation Alice initially only targeted the platform operator. However, through international cooperation, the investigation uncovered the identities of 440 customers who had used the operator's services. Due to the nature of the purchases, additional investigations were launched against them, and the operation remains ongoing against more than 100 of those individuals.

The operational results include the seizure of 105 servers along with computers, mobile phones, and electronic storage devices. Investigators also seized the financial proceeds generated across five years of operation.

Also read: FBI and Europol Dismantle LeakBase Cybercrime Forum With 142,000 Users

Police shut down 373K dark web sites in a one-man CSAM and cybercrime network run by a 35-year-old man in China, with global probe ongoing.