In October 2019, an international law-enforcement operation exposed and dismantled one of the largest dark-web child-sexual-abuse marketplaces ever discovered: “Welcome to Video.” The case stands out not only for the scale of the abuse and the number of arrests, but for the way investigators used blockchain analysis (i.e., tracking Bitcoin payments across public ledgers) to pierce the veil of apparent anonymity and trace criminal proceeds to real-world identities.
What was Welcome to Video?
Launched in 2015 and operated from South Korea, Welcome to Video offered users access to a massive repository of child sexual abuse material (CSAM). Access was monetized: users purchased site “points” with Bitcoin and could upload content in exchange for credits, creating an incentive structure that amplified distribution and rewarded new uploads.
At the time of the takedown, investigators estimated hundreds of thousands of downloads and hundreds of thousands to over a million registered users. Law enforcement actions led to arrests in dozens of countries.
Where the trail began
Traditional investigations often start with servers and hosting providers. In this case, that vector mattered, but it was the money trail that proved decisive.
Site operators built an on-site economy that required Bitcoin payments; those transactions were publicly recorded on the Bitcoin blockchain.
By applying modern blockchain-analysis tools and investigative tradecraft, agencies were able to cluster addresses, follow value flows, and identify points where illicit funds touched regulated services (exchanges, custodial wallets), enabling subpoenas and account seizures.
The investigation
The takedown was a global effort: South Korea’s National Police Agency (KNPA) led the action against the site operator, while agencies such as the U.S. Department of Justice, Homeland Security Investigations (HSI), the U.S. Internal Revenue Service Criminal Investigation (IRS-CI), Britain’s National Crime Agency (NCA), Europol, and other national partners collaborated on identifying users, laundering flows, and executing arrests.
That mix of local investigators, cyber units, and blockchain specialists allowed each link in the chain (on-site evidence, cryptocurrency flows, and downstream cashouts) to be pursued simultaneously.
How blockchain analysis works
Every Bitcoin transaction is permanently recorded on the blockchain. Investigators start by finding the Bitcoin addresses the site provided, like deposit addresses or aggregator wallets. Next, they group addresses likely controlled by the same entity by using heuristics (e.g., common-input clustering) and pattern analysis.
The value of the transaction is traced forward (to mixers, exchanges, or other services) and backward (to donors or uploader rewards). When funds move to a regulated exchange or service that enforces KYC, law enforcement can issue legal process to get account details.
Finally, public data (such as social media, reuse of usernames, reused email addresses, or OPSEC mistakes) and seized server logs allow investigators to tie blockchain clusters to real persons.
Key factors in cracking the case
- Operator mistakes: as with many dark-web operations, the site operator leaked operational metadata and made identifiable OPSEC errors that helped locate servers and link accounts. The KNPA ultimately arrested the operator in South Korea.
- Blockchain pivots: tracing Bitcoin flows revealed where payments aggregated and where they were cashed out. That allowed investigators to obtain records from exchanges and identify users who attempted to convert Bitcoin into fiat. The IRS-CI played a prominent role in following those flows and coordinating financial subpoenas.
- International cooperation: once clusters and cash-out points were identified, partner agencies across 38 countries executed arrest warrants and protective actions; reports cited hundreds of arrests and scores of rescued victims.
The outcome of the operation
Public statements at the time reported roughly 337 arrests across 38 countries and the rescue of dozens of victims. Numbers varied slightly between agencies, but they universally underscored the operation’s global reach.
The website operator faced prosecution in South Korea and other jurisdictions; many users were identified through the combined server evidence and blockchain tracing.
You can find more details from official sources linked below:
A strategy game
To protect their platform, the offenders put in place standard anti-forensic techniques, such as using Bitcoin tumblers and mixers to obfuscate flows, splitting transactions across numerous addresses (address churn), and employing peer-to-peer exchanges or decentralized services.
Investigators countered these techniques by employing advanced heuristics to detect mixing patterns and link split flows, focusing on exchange deposits (the weak link when KYC applies), and cross-referencing server logs, point-of-sale timestamps, and user metadata to corroborate on-chain evidence.
Crypto and anonymity
As it happened with Operation Pacifier and the takedown of Playpen, the Welcome to Video takedown showcased how cryptocurrency, often perceived as a shield of anonymity, is frequently an investigative advantage because of ledger transparency.
The case strengthened the argument for proactive blockchain capabilities within national cyber units and for stronger public–private cooperation between investigators and blockchain-analysis firms. At the same time, it renewed debates about privacy, due process, and the technical limits of anonymity.
The investigator's advantage
For anybody investigating these types of cases, there are a few lessons learnt from the Welcome to Video takedown:
- The ledger is evidence: public blockchain records are a forensic goldmine when combined with traditional investigative techniques.
- Follow the money to find people: off-ramps (exchanges, custodial services) are the most productive legal choke points.
- OPSEC errors are fatal: even small mistakes (reused accounts, sloppy payment addresses) can unravel large networks.
- International, multi-disciplinary teams win: server seizures, blockchain forensics, and domestic arrest powers must be synchronized for maximum effect.