Operation Lobos 1

Operation Lobos 1
Operation Lobos 1
Operation Name	Operation Lobos 1
Type	Child Pornography Crackdown
Roster
Executed by	Brazil, United States, United Kingdom
# of Countries Participated	4+
Mission
Target	Onion Services: Baby-Heart, Hurt-meh, Boy-vids-4.0, Anjos Prohibidos (BR)/Forbidden Angels, Loli-Lust
Timeline
Date executed	March 2019 - June 6, 2019
Results
Arrests	96
Accounting

Operation Lobos ((Portuguese: Operação Lobos), also known as Operation Wolves, was a Brazilian-centered 12-country, multinational operation, to target operations of a TOR onion service known as Baby Heart. Additional objectives/targets of the joint operation were the deanonymization of the TOR host server(s), TOR administrator(s) and TOR users associated with the Target Website and several other targeted websites/chat-sites that were alleged to contain or be used to traffic illegal images of child sexual abuse materials (CSAM) and other categories of legal nude and non-nude images of persons under 18. As of February 2024, the complete list of target websites/chat-sites involved in this operation have not been released by any government, however, the primary targets appeared to be the following: Baby-Heart, Hurt-meh, Boyvids 4.0, Anjos Prohibidos (BR)/Forbidden-Angels, and Loli Lust. Court documents have indicated that there were at least two other websites/chat-sites that were targeted, however the names of the websites/chat-sites have not been made public.

For information on the named operations associated with the searches, seizures, prosecution and litigation of the leads generated from Operation Lobos 1 see Operation Lobos 2 or The country specific summary below.

Investigative history[edit]

The multinational joint investigation that led to Operation Lobos was started as early as August 2015 when the Onion Service Bulletin Board Baby-Heart (website) was originally brought online.

March 2017 Australian Police purportedly relayed information to Portugal's Judiciary cyber crime unit "UNC3T".^[1]
May 2017, Australian police sent UNC3T more information obtained from the arrest and seizure of another suspect in Australia.
Leading up to 20 June 2017 collaboration with the United States Immigration and Customs Enforcement provided criminal intelligence analysis by their experts along with Europol and Interpol.^[2]
20 June 2017^[1] two of the board's administrators (Twinkle^[3] aka XXX and Forgotten) were arrested in Portugal and later sentenced on 23 January 2020.^[1] Twinkle was caught "in the act" of producing CSAM, and he then assisted the Portuguese law enforcement in apprehending Forgotten.
The arrest of Twinkle and Forgotten preceded the arrest and criminal complaint against another Baby Heart site administrator located in Recife/ Pernambuco State (PE) of Brazil^[4]^[5] This website administrator in Recife purportedly yielded an "award winning collaboration agreement/plea-deal" with the Brazilian Federal Public Prosecutor's office also known as the Ministerio Publico Federal (MPF). The administrator turned informant alleged to have an important relationship though the Tor web with the Administrator of the Baby Heart Tor onion service (and other onion services). The existence and importance of the information about the Target Website server administrator was allegedly verified between the Brazilian MPF and the United States Federal Bureau of Investigation (FBI). At the time, the FBI alleged that this one person was maintaining 70% of all CSAM content on the Tor Network^[4]^[5] Fact checking this statistic makes the statement of 70% improbable or misleading, as multiple press releases published subsequently, during and after the operation of those specific onion services indicated numbers greater than 30% for any given set of services. An example is the statistical information provided by the U.S. government about the Korean site "Welcome to Video" (see Welcome to Video case).

Most of what is known about the operation was gathered as a result of Portuguese and later Brazilian authorities conducting press conferences and issuing press releases boasting about their success and participation in what Brazilian authorities described as an "unprecedented" joint operation with the United States (US) Federal Bureau of Investigation (FBI) and the United Kingdom's (UK) National Crime Agency (NCA).^[4]^[5]

Methods[edit]

Initial Investigation[edit]

One tool used was Europol's Trace an Object (objects, backgrounds and garments identified on the net in child abuse) with photos from social networks.
Another tool used to identify suspects was Portugal's Polícia Judiciária Scientific Police Force (LPC)^[1] by creating palmar impressions from the images which included a view of the suspects hands (the suspects never showed their faces in the uploaded images)
An arrest of one of the onion service administrator from Recife/PE Brazil yielded a plea deal whereby the administrator would act as an informant to obtain information about the server administrator.^[4]^[5]

The operation start[edit]

Under the terms of a judicially authorized warrant and through the information obtained from the informant, the Brazilian authorities worked with the FBI to obtain the Internet Protocol (IP) address for the server.^[4]^[5]
A subpoena to the Internet Service Provider (ISP) associated with the suspect IP address was issued, and the ISP provided the physical street address and account information associated with the IP address.^[4]^[5] The physical address also known as the Target Address given was an address in Recife|PE Brazil.

First traffic interception and analysis[edit]

A warrant was granted to intercept the data stream between the ISP and the suspect target physical address.
The intercepted data was monitored with support by the United Kingdom's National Crime Agency (NCA) as part of Project Habitance. They confirmed that 85.53% of the internet traffic corresponded to TOR traffic. The fact that 374 Terabytes (PB) of data flowed through the connection for the duration of the analysis gave law enforcement the suspicion that the target was a TOR server node or Tor relay node.^[4]^[5]

Judicial authorizations from first interception[edit]

The information obtained from the first period of data interception was used to obtain an additional series of warrants.^[4]^[5]

Wire Taps on the telephone communications associated with the address and individuals associated with the Target Address
Search and Seizure warrant for the email provider associated with the individuals that were associated with the Target address.
Search and Seizure warrant for the Target Address residence
A special Covert Search and Surveillance warrant that allowed for recording devices to be installed within the residence to capture passwords entered by the server administrator.
Controlled Action?

Target address search, wire tap, and second traffic interception and analysis[edit]

The second period of interception used a deanonymization technique developed by the FBI. The law enforcement commenced a Denial-of-service attack on the Target Tor Onion Service and monitored the intercepted traffic. By pulsing the DDOS attack, the joint task force was able to distinguish between the periods of normal traffic received by the Target Tor Onion Service and the periods in which the DDOS attack was occurring. The increase in the volume of traffic during the DDOS attacks was a method of corroborating the suspicion that the Target Onion Service was being operated by a server at the Target Address.^[4]^[5]
Wire taps of the Target Suspect's phone calls also corroborated the suspicion that he was the Target Server's administrator. His dialogues between him and the ISP regarding the internet service issues were intercepted and recorded. The DDOS Attack resulted in the Target Tor Onion Service Target Website being inaccessible by users for the duration of the attack as the flood of data exceeded the bandwidth allotted to that internet account.
8 March 2019 the electricity to the Target Address was shutdown.
12 March 2019 The First exploratory search of the Target Address in the absence of the inhabitant, which in Brazil is regarded as unprecedented, was conducted. The warrant authorized the installation of surveillance cameras, and an inline keylogger and mouse logger as well as the copying of all data from electronic equipment. However, the installation of surveillance cameras was not performed. Computers, flash drives, internal and external hard drives and other media were all copied for later analysis.
5 June 2019 A Second Exploratory search was conducted of the Target Address (in the absence of the inhabitant), in which law enforcement successfully installed the keyloggers in two keyboards. This technique was the expertise of the NCA, whereby the Law Enforcement agents could obtain the login and passwords to the computers, server and Tor Onion services/Target Website(s)/Chat-sites the next time the administrator logged in. Law enforcement also took this second opportunity to make a complete copy of the server's hard drive for future examination. The electricity to the Target Address was again turned off and then on, which would force the system administrator to type in all of his logins and passwords to restart the system.

Seizure and arrest[edit]

6 June 2019 The arrest of the Server Administrator, Lucas Batista, and the seizure of the operational server occurred.

Dissemination and sharing of the seized devices, media and data[edit]

The information seized (which included 2,042,408 alleged files of CSAM) was shared with the FBI and NCA. Additional information such as the server administrator's emails, bank statements, tax statements, UBER transactions and destinations, mobile phone data, and surveillance logs from the outside of his residence were used to corroborate the crimes.

Legality[edit]

The initial crimes cited by Brazil Authorities in order establish the validity of the investigation under the Brazilian Criminal Code were:

sale, dissemination, production and storage of child pornography under Article Nos. 240, 241, 241-A and 241-B of the ECA (Estatuto da Criança e do Adolescente (Child and Adolescent Statute)^[4]^[5] and
rape, including the vulnerable under Article Nos. 213 and 217-A^[4]^[5]

During the time the Tor Onion services were active, starting in early March 2019, the NCA and their partners conducted Traffic Analysis under the Targeted Equipment Interference (TEI) warrants 91-TEI-0147-2019 and 91-TEI-0146-2019^[6] Despite the notification to the United States on 16 September 2019, that "at no time was any computer or device interference with in the United States" and that the "UK did not access, search or seize any data from any computer in the United States", there are legal challenges to these statements that as of February 2024 have not been resolved. TEI warrants vs. TE warrants differ in the judiciary approval for interference of Target Devices. (see UK NCA's Operation Venetic)

U.S. Legal challenges[edit]

In a citing the Silver-Platter issues a half dozen people charged in the U.S. have filed motions to suppress all evidence obtained from what they believe were illegal search warrants. U.S. case law prohibits the federal government from receiving "tips" and relying on them for the purposes of obtaining a search warrant if the U.S. government was sufficiently involved in the spying/sting operation and did not obtain a prior warrant for the initial spying.

"Although the Fourth Amendment and its exclusionary rule generally do not apply to the law enforcement activities of foreign authorities acting in their own country, the concepts do apply where 
 (1) the conduct of foreign officials in acquiring the evidence is so extreme that it shocks the judicial conscience, and second, 
(2) where U.S. cooperation with foreign law enforcement officials may implicate constitutional restrictions." United States v. Valdivia, 680 F. 3d 33, 51 (1st Cir. 2012); United States v. Getto, 729 F.3d 221, 228 (2d Cir. 2013).

This is part of the ongoing controversy regarding the Five Eyes.

Results[edit]

The server administrator[edit]

Lucas Batista Santos was arrested on 6 June 2019 in Sao Paula Brazil^[7] for his work in maintaining the servers for the Tor Onion Services Baby-Heart, Hurt-meh, Boyvids 4.0, Anjos Prohibidos (BR)/Forbidden-Angels, and Loli Lust. According to the FBI, more than 1,839,831 users were registered across the five sites.

Country-specific summary[edit]

The second phase of Operation Lobos 1 in Brazil was called Operation Lobos Phase 2 or just Operation Lobos 2, which dealt with the arrest and judicial proceedings of the suspects associated with the findings from the Operation Lobos 1. Most, if not all, of the participating countries also had a named operation that dealt with the leads provided from Operation Lobos. The names of the operation in each country has not been published as of February 2024, however, many of the people alleged to have visited the sites have been prosecuted in the years following as a result of a lead or a tip from a foreign law enforcement agency.

The United States received hundreds of leads from the NCA^[8] in August and September 2019,^[9] however as of 20 February 2024 only 38 individuals have been searched resulting in only 27 arrests. 2 of the persons arrested died in custody, 1 person who was convicted has since appealed and won the appeal to overturn the conviction, with only 13 convictions having been achieved thus far. There are still 5 awaiting trial and two awaiting appeal.
Brazil – As of 3 December 2021 Brazil had executed 106 search and seizure warrants in connection to Operation Lobos in 55 cities across 20 states. According to government press release, 18 arrests were "made in the act". Most of the searches were of residences, but some were of workplaces. 68 of the search and seizures resulted in arrests, about 62% of the searches. The number of convictions is still outstanding.^[7]
Germany also received a list of leads, however their lack of court transparency laws may limit the available knowledge that will ever be available as to how many leads they received or who they were.

Participating law-enforcement agencies[edit]

"The operation was the result of a collective work of police forces from Bazil, the United States, the United Kingdom, Australia, Canada, New Zealand, Germany, Portugal, Italy, Norway, France and Austria"^[10]

Australia –
- Australian Federal Police (AFP)^[4]^[5]
- Queensland Task Force Argos of the Queensland Police Service^[11]
Austria^[4]^[5]
Brazil^[4]^[5] – Federal Police of Brazil^[11]
Canada^[4]^[5] Toronto Police Service^[11]
Europol^[1]^[11]
France^[4]^[5] – Gendarmerie^[11]
- French National Police – Police National – (OCLCTIC)
- National Gendarmerie – French Gendarmerie Nationale – (C3N)
Interpol^[1]^[11]^[2]
Italy^[4]^[5] Italian Polizia di Communicazioni^[11]
Germany^[4]^[5]
- Federal Criminal Police Office (Germany) Bundeskriminalamt (BKA)^[11]
New Zealand^[4]^[5]
Norway^[4]^[5]
Portugal –
- Cybercrime Combat Unit (UNC3T)^[1]
- Portugal's Judicial Police Scientific Police Force (LPC)^[1]
United Kingdom
- National Crime Agency (NCA)^[4]^[5]^[11]
- West Midlands Police
United States^[4]^[5]
- Homeland Security Investigations (HSI)^[1]^[11]
- Federal Bureau of Investigation (FBI)^[4]^[5]

References[edit]

^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ "Research on Portuguese pedophiles is an international 'case study'". DN.pt. Global Media Group. Diário de Notícias. 23 January 2020. Retrieved 28 October 2022.
^ ^a ^b "International collaboration leads to arrest of child sexual abuser in Portugal". Interpol News and Events. Interpol news. 23 January 2020. Retrieved 28 October 2022.
^ Saunokonoko, Mark (18 February 2020). "Exclusive: Elite Aussie unit helps catch elusive paedophile 'Twinkle' who ran darknet child abuse website 'Babyheart'" (Web). 9news. 9News. Retrieved 28 October 2022.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q ^r ^s ^t ^u ^v ^w "Resumo Lobos" (PDF). aNPR. Retrieved 28 October 2022.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q ^r ^s ^t ^u ^v ^w "Resumo Lobos Court Translation" (PDF). aNPR. Retrieved 19 February 2024.
^ "Exhibit B – TEI Warrant Notification". Courtlistener. Free Law Project. 16 September 2019. p. 6. Archived from the original (PDF) on 1 February 2021. Retrieved 19 February 2024.
^ ^a ^b "PF arrests 25 people and rescues three minors in operation against child pornography in 20 states and in the Federal District". 3 December 2021. Retrieved 28 October 2022.
^ "NCA Intelligence Report" (PDF). Courtlistener.com. Free Law Project. 1 February 2021. pp. 2–6. Retrieved 2 February 2024.
^ Kooharian, Stephanie M (12 December 2022). "Affidavit in Support of Complaint and Arrest Warrant" (PDF). Courtlistener.com. Bridgeport, Connecticut: Free Law Project. p. 7. Retrieved 20 February 2024.
^ Suzana Souza (3 December 2020). "The Federal Police arrested 25 people and rescued three minors in an operation against child pornography in 20 states and the Federal District" (html). G1 (in Portuguese). Globo Comunicação e Participações S.A. Globo. Retrieved 20 March 2024. The operation was the result of a collective work of police forces from Brazil, the United States, the United Kingdom, Australia, Canada, New Zealand, Germany, Portugal, Italy, Norway, France and Austria.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j "How International Collaboration Led to Arrest of Child Sexual Abuser in Portugal". Europol Newsroom. Europol. 23 January 2020. Retrieved 28 October 2022.

[Twinkle_Sentencing_DN-1] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ "Research on Portuguese pedophiles is an international 'case study'". DN.pt. Global Media Group. Diário de Notícias. 23 January 2020. Retrieved 28 October 2022.

[Interpol_news_twinkle_arrest-2] "International collaboration leads to arrest of child sexual abuser in Portugal". Interpol News and Events. Interpol news. 23 January 2020. Retrieved 28 October 2022.

[9news_twinkle-3] Saunokonoko, Mark (18 February 2020). "Exclusive: Elite Aussie unit helps catch elusive paedophile 'Twinkle' who ran darknet child abuse website 'Babyheart'" (Web). 9news. 9News. Retrieved 28 October 2022.

[:ResumoLobos-4] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q ^r ^s ^t ^u ^v ^w "Resumo Lobos" (PDF). aNPR. Retrieved 28 October 2022.

[:ResumoLobos_Court_Translation-5] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q ^r ^s ^t ^u ^v ^w "Resumo Lobos Court Translation" (PDF). aNPR. Retrieved 19 February 2024.

[NCA_TEI_warrants-6] "Exhibit B – TEI Warrant Notification". Courtlistener. Free Law Project. 16 September 2019. p. 6. Archived from the original (PDF) on 1 February 2021. Retrieved 19 February 2024.

[PF_Arrests_globo-7] "PF arrests 25 people and rescues three minors in operation against child pornography in 20 states and in the Federal District". 3 December 2021. Retrieved 28 October 2022.

[Delaney_NCA_report-8] "NCA Intelligence Report" (PDF). Courtlistener.com. Free Law Project. 1 February 2021. pp. 2–6. Retrieved 2 February 2024.

[100s_complaint-9] Kooharian, Stephanie M (12 December 2022). "Affidavit in Support of Complaint and Arrest Warrant" (PDF). Courtlistener.com. Bridgeport, Connecticut: Free Law Project. p. 7. Retrieved 20 February 2024.

[10] Suzana Souza (3 December 2020). "The Federal Police arrested 25 people and rescued three minors in an operation against child pornography in 20 states and the Federal District" (html). G1 (in Portuguese). Globo Comunicação e Participações S.A. Globo. Retrieved 20 March 2024. The operation was the result of a collective work of police forces from Brazil, the United States, the United Kingdom, Australia, Canada, New Zealand, Germany, Portugal, Italy, Norway, France and Austria.

[europol_news_twinkle_arrest-11] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j "How International Collaboration Led to Arrest of Child Sexual Abuser in Portugal". Europol Newsroom. Europol. 23 January 2020. Retrieved 28 October 2022.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]