Online Child Sexual Abuse & Exploitation – IOCTA 2023
Cybercrime, in its various forms, represents an increasing threat to the EU, including online child sexual exploitation. Offenders continue showing high levels of adaptability to new technologies and societal developments, while constantly enhancing cooperation and specialisation. Cybercrimes have a broad reach and inflict severe harm on individuals, public and private organisations, and the EU’s economy and security.
PPHS created this article by extracting pertinent information relevant to the online child sexual abuse and exploitation from the Europol’s Internet Organised Crime Threat Assessment (IOCTA). PPHS would like to congratulate the work of all those who have contributed to the IOCTA, and we will continue to support future actions through the ongoing initiatives.
PPHS supports the whole-system response needed to counter and prevent CSAE; we are already deeply engaged in projects such as Prevent & Protect Through Support and the ARICA. The CYCLOPES cybercrime practitioners’ network, which PPHS coordinates, will also focus on the connected topics from the start of 2024.
In the article below, you will learn about the IOCTA report, which focuses on the fight against cybercrime. We then move on to explaining what online child abuse and sexual exploitation is, describing the main methods and technologies used by perpetrators. We also focus on the issue of re-victimization, both offline and online, suffered by victims of child sexual abuse. To summarise the article, we provide a list of key findings. This list helps us understand the challenges that law enforcement and we as a society face in fighting this type of crime.
The Internet Organised Crime Threat Assessment (IOCTA) is a strategic analysis report that provides an assessment of the latest online threats and the impact of cybercrime within the EU. The report provides a law enforcement centric view of the threats and developments related to cybercrime, in order to inform decision-makers at strategic, policy and tactical levels in the fight against cybercrime, with a view to updating the operational focus for EU law enforcement authorities.
The IOCTA is chiefly informed by operational information shared with Europol by EU Member States and third partners, combined with expert insights and open-source intelligence. The following analysis is based on a set of indicators established by Europol, focusing on developments related to criminal actors and networks, criminal processes, infrastructure used, financial transactions, and the impact on society. This ninth edition of the IOCTA appears in an updated format. The current summary presents the main overarching findings concerning the different typologies of cybercrime, namely cyber-attacks, online fraud schemes, and online child sexual exploitation (OCSE). It is accompanied by a series of spotlight articles covering each of these crime areas in-depth.
You can find the full report on the Europol website. Below, we focus solely on OCSE.
Methods of Online Child Sexual Exploitation
In recent years, the threat of online child sexual exploitation has been further increasing in terms of quantity and severity. Offenders of all crime areas continue to take advantage of legal and criminal privacy services to mask their actions and identities as their knowledge of countermeasures increases.
- Virtual Private Networks (VPNs) are the most common services cybercriminals use to shield communication and Internet browsing by masking identities, locations and the infrastructure of their operations. They cater to child sexual exploitation offenders and any other cybercriminal who is in need of masking their illicit activities online. VPN providers host a number of proxies, which users can route their traffic through, in order to conceal their actual location (IP) and content of their traffic. While VPN services are not illegal, some of them are designed for and advertised to criminals.
- Phishing can also have different manifestations, depending on the mean of communication exploited. Common alternative manifestations are smishing (SMS phishing) and vishing (voice phishing).
- Impersonation is a technique widely used by criminals involved in child sexual exploitation and online fraud schemes, in order to deceive victims. Child sexual exploitation offenders make extensive use of social media to engage with their victims, interacting with them, often behind a false identity.
The central commodity of this illicit economy is stolen data. Child sexual exploitation offenders groom victims in order to obtain sensitive information that can be then exploited for extortion purposes. Data theft is a core threat as stolen data can be used in a wide array of criminal activities, including commodification, access to systems, espionage, extortion and social engineering.
Same victims, multiple offences
Cybercrime is often interlinked, presenting a concatenated set of criminal actions that often results in the same victim being targeted multiple times. This is particularly apparent in child sexual exploitation offences, malware attacks and online fraud schemes. For instance, investment frauds are in some cases linked to other types of frauds, such as romance scams (i.e. pig butchering) and therefore re-victimising the target. Following the theft of the investments and the realisation of the fraud, criminals often contact their victims posing as lawyers or law enforcement agents offering help to retrieve their funds, in exchange for a fee.
Victims of child sexual exploitation suffer re-victimisation both offline and online. Hands-on abusers often perpetrate their offences for a significant amount of time and, in several cases, encourage other offenders to abuse the victim as well. The depiction of sexual abuses on children results in their repeated victimisation. The child sexual abuse material (CSAM) produced by offenders is in fact shared at many levels, from closed communities of trusted perpetrators to large communities on online forums. The receivers of this imagery in most cases share it further, resulting in the same CSAM being encountered by investigators over many years and the same victim being impacted.
Ransomware groups make use of forums on the clear and dark web to recruit new affiliates, pentesters, company insiders. Ransomware leak sites have also been identified as places where affiliates are being recruited. Similarly, child sexual exploitation offenders make extensive use of these types of forums to digitally meet like-minded individuals, enhance their criminal knowledge, exchange and consume CSAM.
Dark web forums are also an important source for gathering information on operational security (OpSec). Users give recommendations on how to avoid detection and identification in dedicated forum discussions. Guidelines and tutorials on topics such as fraud methods, child sexual exploitation, money laundering, phishing and malware are widely distributed. Furthermore, manuals and FAQs are available on how to operate on a dark web marketplace and to conduct illicit trades.
Europol’s mission is to support EU Member States and cooperation partners in preventing and combating all forms of serious international and organised crime, cybercrime and terrorism. In 2013, Europol set up the European Cybercrime Centre (EC3) to strengthen the law enforcement response to cybercrime in the EU and thus to help protect European citizens, businesses and governments from online crime. EC3 offers operational, strategic, analytical and forensic support to Member States’ investigations. At the level of operations, EC3 focuses on cyber-dependent crime, child sexual exploitation, illicit trade on the dark web and alternative platforms as well as online fraud schemes including payment fraud.
We remain committed to adding value in this domain and are keen to continue cooperation with experts across Europe. If you want to engage the PPHS team about these issues, please reach out.
Europol (2023), Internet Organised Crime Threat Assessment (IOCTA) 2023, Publications Office of the European Union, Luxembourg.