CSAM (child sexual abuse material) is an understudied part of the crypto crime ecosystem. The industry is broadly aware that there are digital spaces where CSAM can be bought and sold using crypto, and there are well-publicized instances of law enforcement shutting down crypto-based CSAM marketplaces like Welcome to Video.
Not all CSAM activity involves cryptocurrency, and in many cases, users simply trade CSAM amongst themselves. But cryptocurrency-based sales of CSAM are a growing problem. Tamsin McNally, Hotline Manager at the Internet Watch Foundation (IWF) shared with us that they “find virtual currency is the dominant choice for buyers and sellers of commercial child sexual abuse content, so much so that we now have a dedicated crypto unit that works with law enforcement and the finance industry to help provide evidence for investigations.” This analysis is our first attempt to produce a comprehensive, objective measure of the CSAM-cryptocurrency ecosystem.
First, we debut a methodology for measuring the scope of the crypto-based CSAM ecosystem across a number of different variables, based on on-chain activity. Overall, our data suggests that while the size of the crypto-based CSAM market has decreased in 2023, the sophistication of CSAM sellers and in turn their resilience to detection and takedowns has increased over time. In addition, we’ll look at CSAM vendors’ use of obfuscation measures such as mixers and privacy coins like Monero, and examine how vendors may benefit from them.
All of the CSAM data we analyze here is based on a subset of over 400 on-chain CSAM vendor wallets we’ve identified that were active between 2020 and 2023 and met a specific threshold of transaction activity. We observed over 10,000 wallets that sent funds to CSAM vendor wallets in 2023, which for the purposes of this analysis we label as CSAM buyers. Identifying CSAM vendors isn’t easy, as most shy away from advertising even on the darknet due to the stigma associated with this particularly abhorrent form of crime — virtually all darknet markets, for example, explicitly ban the sale of this material. Our identifications of CSAM vendor wallets come from a variety of sources, including the IWF, other partners and customers, and our own investigations.
We are almost certainly not capturing all on-chain CSAM activity, but given the breadth of sources we draw from, as well as the fact that we have a big enough sample size to measure non-scale based characteristics like longevity and sophistication, we believe this analysis sheds valuable light on how on-chain CSAM marketplaces operate and have changed over time.
How crypto’s CSAM problem has changed over time: A four-component measurement
We quantify most forms of cryptocurrency-based crime primarily based on the crypto value received by illicit addresses. However, this would be misleading in the case of CSAM. As a recent research report by the European Parliament explains, there’s more CSAM on the internet than ever before, and it’s never been cheaper to produce. Given the flood of inexpensive material, and the fact that each piece of content inherently involves abuse, we don’t believe that a dollar figure can accurately measure the true damage of CSAM.
Instead, we’ve come up with a four-component measurement to assess the unique problem of CSAM over time based on different on-chain metrics. For any given period of time, we can assign a score for each of the four components, and in that way see how the cryptocurrency-based CSAM market changes across each component over time. Those four components are:
Scale: Scale captures the size of the CSAM market in terms of transactions and participants. On-chain metrics here include:
- Number of wallets sending to CSAM vendors [1]
- Number of distinct CSAM vendors active during the time period
- Number of transactions incoming to CSAM vendors
- Total value sent to CSAM vendors
Severity: Severity is intended to capture the extremity and volume of the content being shared on a per transaction basis. While this can’t be directly seen on-chain, we can infer these characteristics based on the price of individual transactions with CSAM vendors. On-chain metrics here include:
- Mean payment size
- Median payment size
- Number of CSAM vendors that have received payments of $70 or more in size — these represent the highest tier of payments that CSAM vendors typically charge in a single transaction for content. We’ll explain the five-tier payment classification system experts use for CSAM marketplace analysis in more detail later.
Sophistication: Sophistication refers to the level of obfuscation measures taken by CSAM providers during a given time period. Later in the report, we’ll examine the relationship between sophistication and CSAM vendors’ ability to stay in operation for longer. On-chain metrics here include:
- Inflows to CSAM vendors from mixers (which we assume to be customer payments made via mixers)
- Outflows from CSAM vendors to mixers (which we assume represent efforts by CSAM vendors to launder funds)
- Outflows from CSAM vendors to instant exchange services that support privacy coins like Monero (which we assume are possible conversions into privacy coins by CSAM vendor operators for money laundering purposes)
Resilience: Resilience refers to CSAM vendors’ ability to become active and stay in business. On-chain metrics here include:
- Average cumulative lifespan of active CSAM vendors
- Number of CSAM vendors that became inactive during the time period (this would negatively impact the resilience score)
- Number of new services that became active during the time period
- The net growth or decline of CSAM vendors, calculated by subtracting the number of services that became inactive during a given year from the number of new services that emerged in that year
Let’s look at how the crypto-based CSAM market has changed over the last four years along each of those four axes.
Overall, we see that the scale and severity of CSAM activity peaked in 2021 after relatively low activity in 2020. The fluctuations in severity become clearer when we incorporate our five-tier payment classification system. This tiered pricing system has been identified by IWF as being used by many CSAM vendors, with higher tiers being more expensive and giving users a greater volume of content, and often more extreme content, in the context of a single purchase. The tiering system is as follows:
- Tier 1: $10 – $20
- Tier 2: $20 – $35
- Tier 3: $35 – $50
- Tier 4: $50 – $70
- Tier 5: >$70
As we can see on the chart below, purchases in Tiers 4 and 5 have decreased as a share of overall CSAM transactions over time since 2021, while the share for Tiers 1 and 2 has increased.
This may indicate that the CSAM being disseminated is becoming less extreme, or that less material is being provided on a per purchase basis. Of course, it could also mean that the market is being flooded with content, leading to price drops across the board regardless of the extremity of the content. For instance, researchers have noted that AI is enabling the dissemination of synthetic CSAM — a glut of such content could drive prices down.
We also see that the resilience of CSAM vendors has gone up. Look at the chart below, which shows the lifespan of all CSAM vendors we track by start date and end date.
Lifespans are trending upwards: In 2023, the lifespan of the average active CSAM vendor is 884 days, up from 560 days in 2022. However, relatively few new CSAM vendors have cropped up in 2023 — just 43, compared to 112 in 2022. Still, how is it that so many CSAM vendors are able to persist for so long, and why is resilience going up?
Of course, there are many steps CSAM vendors could be taking to obfuscate their activity that have nothing to do with cryptocurrency, such as the use of internet anonymity tools like Tor. But when it comes to crypto specifically, the data suggests CSAM vendors may be benefiting from the use of Monero. Monero is the most popular of the so-called “privacy coins,” which are cryptocurrencies whose blockchains employ unique privacy enhancing features that make it more difficult to follow the flow of funds or discern their original source.
Many CSAM vendors have adopted Monero in recent years, though Bitcoin is by far the most widely used cryptocurrency for CSAM purchasing. In fact, while the screenshot above shows a vendor asking users to pay in Monero, the data suggests Monero’s role is more prevalent in CSAM vendors’ efforts to launder their on-chain earnings, rather than to obscure the purchases themselves. It’s difficult to show Monero’s role directly on-chain using standard blockchain analysis techniques, but we can look at CSAM vendors’ use of Monero-friendly instant exchangers to estimate their potential Monero use. Unlike traditional centralized exchanges (CEXes), which have largely delisted Monero, instant exchangers are non-custodial and generally don’t offer crypto-to-fiat conversion — but unlike, say, a DeFi protocol, they are centrally managed by a single organization. Instant exchangers typically draw on the liquidity of multiple CEXes to give users the best possible prices, and facilitate the exchange of one crypto for another directly between users’ wallets, such that the transaction is often difficult to trace on-chain. That, along with the fact that many instant exchangers don’t require KYC, can make them helpful for concealing the original source of cryptocurrency.
It’s also possible that CSAM vendors are swapping into other cryptocurrencies, including privacy coins other than Monero. But based on vendors’ specific solicitation of Monero and our own investigations, we believe Monero to be the currency of choice for laundering via instant exchangers.
Our data shows that CSAM vendors’ usage of instant exchangers that allow for Monero conversion has increased significantly over the last few years.
Traditional CEXes have always been the biggest recipient of funds sent by illicit services, including CSAM vendors. However, Monero-friendly instant exchangers have narrowed the gap in recent years, suggesting that CSAM vendor wallets may be increasing their usage of Monero for money laundering purposes, even though they continue to receive the bulk of customer payments in Bitcoin. Some CSAM vendors have transitioned almost entirely away from direct sending to CEXes, instead sending funds only to Monero-friendly instant exchangers. We can see two examples of CSAM vendors that made that switch in 2022 on the chart below.
If CSAM vendors’ usage of Monero-friendly instant exchangers does indeed correlate with actual usage of Monero, the data suggests that Monero may be helping those CSAM vendors survive longer. Check out the chart below, which compares the survival rates over time of a sample of CSAM vendors that send funds to Monero-friendly instant exchangers versus those that do not.
CSAM vendors that use Monero-friendly instant exchangers are much more likely to survive initially than those that don’t — within 50 days of launching, the survival rate of potential Monero using CSAM vendors is roughly 77.6%, compared to just 57.0% for all others. Furthermore, at the 1,000 day mark, 19.2% of potential Monero using CSAM vendors are still active, compared to just 3.8% of all others. While the lack of KYC at many instant exchangers and inability to trace through these centralized services may also play a role, the data suggests that Monero could be a huge boon to CSAM vendors.
It’s important to note that the use of an instant exchanger does not necessarily provide anonymity for users. Some instant exchangers do have KYC and other compliance processes, including transaction monitoring. We also know that many comply with law enforcement requests related to investigations, including ones involving CSAM.
Overall, 52.0% of CSAM vendor wallets active in 2023 have sent funds to Monero-friendly instant exchangers. One reason that number isn’t higher could be Monero’s comparative difficulty of use. Many exchanges don’t support Monero for off-ramping purposes, though users could always swap back from Monero to a different cryptocurrency that’s easier to convert into cash. Regardless, the data suggests that the availability of privacy coins like Monero may help CSAM vendors stay in business longer. Law enforcement may consider investment in specialized blockchain analysis services that can make tracing Monero and other assets possible, and instant exchangers that do not employ traditional compliance practices may consider building programs that contribute to a safer ecosystem.
End notes:
[1] For the purposes of this analysis, we do not count transactions from services to CSAM vendors, which could also represent people purchasing this material. We also do not count instances where one individual may be purchasing CSAM from another who made the initial purchase from a CSAM vendor. For example, if personal wallet 1 transfers to CSAM vendor 1, and then personal wallet 2 transfers to personal wallet 1, we don’t count that second transaction, which might be redistribution. Again, we are almost certainly not capturing all on-chain CSAM activity.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, investment, regulatory or other professional advice, nor is it to be relied upon as a professional opinion. Recipients should consult their own advisors before making these types of decisions. Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information herein. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.