When German investigators first began examining a dark web platform known as “Alice with Violence CP” in 2021, the case appeared to center on a familiar feature of the hidden internet: a site cloaked by onion domains, cryptocurrency payments and the promise of illicit anonymity. Over time, however, the investigation expanded into something much larger — a sprawling network of fraudulent dark web sites that, according to authorities, advertised child sexual abuse material and cybercrime services on an extraordinary scale.
By March 2026, the case had evolved into what Europol and German authorities described as a major international operation. Over a 10-day period, from March 9 to March 19, law enforcement agencies in 23 countries took part in what they called Operation Alice. The effort, initially directed at identifying the operator of the platform, ultimately led investigators to more than 373,000 dark web sites, the identification of 440 customers around the world and the seizure of 105 servers, along with electronic devices including computers, mobile phones and storage media.
FutureCrime Summit 2026 Calls for Speakers From Government, Industry and Academia
The scale of the operation reflected not only the scope of the infrastructure involved, but also the changing nature of illicit commerce on the dark web. According to investigators, the sites in question did not actually deliver what they advertised. Instead, they operated as a vast fraud system, using the language and imagery of serious criminal material to extract payments in Bitcoin from users who believed they were purchasing access to illegal content or cybercrime tools.
That structure placed the case at the intersection of several law-enforcement priorities at once: child protection, cybercrime, cryptocurrency tracing and cross-border policing.
From One Platform to Hundreds of Thousands of Hidden Sites
Investigators say the inquiry began in mid-2021 with the platform “Alice with Violence CP,” but over nearly five years German authorities uncovered what they described as a far broader architecture. A single suspect, they say, operated more than 373,000 onion domains — hidden sites accessible through specialized browsing tools designed to obscure the location of both users and website operators.
From February 2020 to July 2025, according to authorities, more than 90,000 of those sites were used to advertise child sexual abuse material. The offerings were presented as purchasable “packages” that users could supposedly obtain by submitting an email address and paying in Bitcoin. The packages were priced between 17 euros and 215 euros and claimed to provide anywhere from a few gigabytes to several terabytes of material.
But investigators say the sites were fraudulent. The material was advertised and previewed, yet never delivered. Alongside those offerings, the operator also promoted cybercrime-as-a-service products, including purported credit card data and access to foreign systems. Here too, authorities said, the objective was the same: to persuade customers to pay for criminal services that would never arrive.
That dual structure — exploiting demand for both abuse material and cybercrime tools — gave the network unusual breadth. It was not simply a dark web marketplace in the conventional sense. Authorities describe it instead as a kind of criminal deception machine, one that monetized illicit intent itself. Customers were paying not only for promised content or access, but also for the belief that the hidden internet would protect them from scrutiny.
The Operator, the Customers and the Reach of the Investigation
German authorities identified the suspected operator as a 35-year-old man based in the People’s Republic of China. They say he made more than 345,000 euros in profit from roughly 10,000 customers worldwide who attempted to purchase what he advertised. At its peak, investigators estimate, he controlled a network of as many as 287 servers, 105 of them located in Germany. An international arrest warrant has been issued.
For law enforcement, however, the investigation did not end with the suspected operator. Europol said that international cooperation made it possible to identify 440 customers who had used the service. Because of the nature of their purchases, authorities opened additional investigations into them, and more than a hundred of those individuals remain under active scrutiny.
That part of the operation reflects an important feature of this kind of investigation: even in cases where illegal material was not delivered, an attempted purchase can itself become the basis for suspicion and prosecution. Investigators viewed those customers as significant targets, not only because they sought access to abusive material, but also because they might provide intelligence about broader offending networks.
One example cited by authorities came from Bavaria. In August 2023, investigators searched the home of a 31-year-old father who had transferred 20 euros to buy a package described as containing 70 gigabytes of child sexual abuse material. He was later convicted. The case illustrated the way Operation Alice moved outward — from server infrastructure and cryptocurrency tracing to individual users and, in some instances, child-protection interventions.
A Case Built on Infrastructure, Anonymity and Cryptocurrency
At the heart of the investigation was a familiar dark web equation: anonymity technology, large-scale hosting and digital payments. Onion domains are designed to conceal both location and identity, making them a persistent challenge for investigators. In this case, authorities say, that concealment was multiplied across hundreds of thousands of sites, creating an infrastructure so broad that it could function almost like an automated criminal ecosystem.
Cryptocurrency made the model viable. Europol said its specialists played a central role in tracing Bitcoin payments and producing intelligence for the countries involved. In dark web investigations, the ability to follow digital money has become increasingly important, not only for identifying operators but also for reconstructing the size and direction of criminal demand. Here, officials say, that financial analysis was crucial to linking the suspect to the network and to understanding the volume of attempted purchases.
The investigation also demonstrated the practical importance of international coordination. Twenty-three countries took part, including Germany, the United Kingdom, the United States, Canada, Australia and several European partners. Europol facilitated information exchange, provided analytical support and coordinated the broader response. In a case spanning multiple jurisdictions, language systems, legal frameworks and technical environments, such coordination was not peripheral; it was the operation.
Catherine De Bolle, Europol’s executive director, said the case sent a message about the reach of international law enforcement cooperation. But the operational significance was broader than that statement alone. Dark web systems are often resilient because they are distributed. Operation Alice was an attempt to respond in kind — with distributed enforcement.
Beyond Enforcement, a Focus on Victims and Prevention
Although the operation centered on servers, domains and suspects, authorities also emphasized the child-protection dimension of the case. Europol said that throughout the years of investigation, officers acted immediately whenever they identified children believed to be in danger, taking steps to protect them.
That emphasis matters because investigations involving child sexual abuse material are not solely about digital evidence or criminal marketplaces. Each image or video, as Europol pointedly reminded the media, reflects an actual act of abuse. The agency urged journalists to avoid the term “child pornography,” arguing that it obscures the violence and coercion inherent in the material and falsely suggests consent or legitimacy.
The case also unfolded alongside Europol’s wider efforts on child protection. This week, the agency said, it released new photos to its “Stop Child Abuse – Trace an Object” platform, which asks the public to help identify objects seen in cold cases of child sexual abuse. Europol also pointed to Help4U, a digital platform launched in late 2025 for children and teenagers facing sexual abuse or online harm.
Those initiatives highlight a tension that has become more visible in recent years: the dark web is often portrayed as a realm of technical sophistication, yet its consequences are intensely human. Operation Alice was, in one sense, a cyber investigation into fraudulent sites, hidden servers and cryptocurrency payments. In another, it was an attempt to reach the people behind the screens — the operator, the customers and, above all, the children whose abuse was used as bait, threat or evidence in a criminal economy.
What the investigation ultimately revealed was not just the scale of one network, but the way modern illicit systems can combine fraud, abuse and technology into a single architecture. Hidden websites, fake packages, Bitcoin transactions and cross-border infrastructure may give such operations the appearance of abstraction. But the people harmed by them remain painfully real.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
