To catch a predator admin: the power of OSINT
This #OpChildSafety investigation began on March 12th, 2024, when one of my threat researchers from W1nterStorm, whom I shall refer to by the alias CR-2 (Confidential Researcher), discovered a Facebook group called 'Modeling 4 Kidz' that was not what it appeared to be. This was the same Facebook group where CR-2 initially uncovered the CSAM (Child Sexual Abuse Material) network we named Hydra.

This was a group designed to attract men and women with the same vile mindset. Among the many threads, a user named JoeHaze shared a link to his private WhatsApp community. It was a thread amid a tangled yarn, and CR-2 decided to follow it to see where it led.

What she discovered was some of the worst CSAM she had ever encountered.


It’s things like this that make me wonder why the world doesn’t prioritize protecting children. It’s as though the thought never occurred, and if the thought is there, the effort is nominal at best.

I also can’t help but wonder why big tech companies are taking subscription money from CSAM market operators and providing them platforms to pursue their depraved interests uninterrupted.

Following the thread

Upon following the link, CR-2 knew she had stumbled upon a CSAM marketplace, where ‘JoeHaze’ was its admin, operating under the alias ‘FunnyUncle.’ But where secrecy and money were his primary currencies, he wasn't particularly savvy at maintaining an anonymous online presence.

The more CR-2 looked into his online behaviors, the more apparent it became that his OPSEC was terrible, and for that we were glad. Furthermore, the man was cocky and boasted openly about his illicit exploits.

On the popular messaging platform WhatsApp, a user's phone number is only visible to community administrators and to other users who have saved that user as a contact. CR-2 therefore began adding users as contacts on the profile she uses for investigations. This allowed her to uncover the phone numbers of over a dozen users engaged in this underground CSAM marketplace.

Suddenly, our investigation was disrupted after an unknown cyber vigilante hiding in FunnyUncle’s community posted a comment that unmasked their role and reason for being there.

It was then that FunnyUncle immediately closed the community down and moved his marketplace elsewhere. Unfortunately, this happens all the time, and it is extremely destructive to other investigative initiatives. This is against everything we stand for, and is conduct that literally aids the enemy.


Whether a hunter deliberately alerts the enemy to raise red flags, or someone from within their own community alerts the admin and other members that they are the subject of an investigation, the end result is the same.

However, it was also during this time that our team had fully exhausted our investigation into the Hydra network and forwarded our data to the necessary authorities and reporting organizations.

Due to US law enforcement's complete disinterest, the UK's National Crime Agency's brazen refusal to provide even a modicum of follow-up, the Internet Watch Foundation's (IWF) scathing rebuke, and the National Center for Missing and Exploited Children's (NCMEC) dead silence, our efforts were met with significant resistance.

The IWF Hotline’s reply to our report made it very clear that they cannot use outside help. This means that they will not analyze reports of this nature. Additionally, the IWF assumed our researchers were actively looking for CSAM and that we were breaking the law, regardless of our intent. The message ended with a resounding finale, emphasizing that the IWF does not carry out investigative work. This is something we missed, as it is not mentioned on the page containing their reporting template.

The IWF’s rebuke took the wind out of our sails because none of our reports contained illegal images or other forms of prohibited media – just data. Nevertheless, the IWF’s false accusation and ominous warning, despite CR-2 having witnessed and observed crimes being committed against children, proved to us that 'If you see something, say something' doesn’t apply to all crimes being witnessed.

Furthermore, I wanted to learn more from the NCMEC, to better understand how they triage the reports they receive. I sent them an email inquiring about setting up an interview, but they declined to respond.

Therefore, we took a long hiatus to recover from what felt like a major loss. Then on September 11th, which was half a year later, I remembered the WhatsApp numbers CR-2 had collected.

We began to follow the thread once again.

OSINT tools that matter

Whenever I have a phone number and need to determine who it’s registered to, I use Intelius, a public records database. The problem with public records databases is that it’s often difficult to determine whether the information is current or accurate. They can contain a lot of false positives, which is why every relevant data point has to be researched.


The phone number on file certainly belonged to our investigative subject, but the records didn’t reflect anything current. At that moment, using public records databases was a dead end.

The good news is, when it comes to OSINT, you get what you pay for. That is why I use OSINT Industries for my real-time threat investigations. When I searched for the same number, I was presented with a bountiful supply of information I had never seen before.

What I love about this investigative tool is how it creates simple graphical maps that show each relationship and how it’s all interconnected. I spend less time eliminating false positives and more time actually working with useful information.

Our subject had registered this same phone number with Microsoft, Apple, WhatsApp, Telegram, CashApp, PayPal, TrueCaller, and the list goes on. The information was rich and easy to export. Even better, he had subscribed to these services using his actual name,

‘Joseph Jaeger Hayes.’

Several of these accounts also used the exact same display picture as FunnyUncle’s WhatsApp profile. It was then that we knew beyond a reasonable doubt that we were searching for Joseph Jaeger Hayes, aka ‘JoeHaze’, from Tallahassee, Florida.

After harvesting all relevant information from the report, CR-2 performed the public records search, now armed with the specific identifiers extracted from OSINT Industries, and came up with a positive match.

Following the report to the bitter end

As our investigation came to a close, we knew everything about Joseph Hayes. He was divorced, with a young daughter from the marriage. We knew he operated on Telegram and the dark web. We knew which groups he ran and how he obtained CSAM for distribution.

But even if we managed to obtain a mirror image of what’s on his phone or computer, I realized that in the end it wouldn't matter, because groups and organizations like our own can get no audience with the FBI, even when heinous crimes against children are being committed in full view of the public.


I am a former blackhat computer hacker, and spent 11 years in prison for hacking. I have good reason not to trust law enforcement. But for this, I set my differences aside. As I explained at BSides in Vilnius, Lithuania earlier this May, hackers aren’t law enforcement. We can’t kick down these people’s doors and arrest them.

There are no repercussions unless law enforcement themselves are leading the investigation. And since we’re not FBI agents, our reports are just tossed into the queue, while we hopefully wait for the NCMEC to triage the severity of our report. When you see the very child predators you reported a year ago continue to operate undisturbed, you have every reason to believe that the reporting system is ineffective.

I wrote up a factual report with the attached evidence, and sent it off to a person with a contact at Interpol. This same report is being sent off to the Tallahassee police department tonight.

What happens from there is anybody’s guess.

But the question remains: why isn’t the world protecting children? Why don’t applicable federal and state laws offer any protections for ordinary citizens who stumble upon CSAM? Moreover, why aren’t governments pressuring big tech companies to prioritize the detection and reporting of CSAM on their platforms?

The day may come when the entire city of Tallahassee receives a text message containing a notification alerting them to Joseph Hayes and informing them about what he’s been doing.

This includes his local school district. His employer. His entire family tree. His local news. After all, I am still pretty tech savvy, amid an army of parents who will do anything to protect their kids.

OpChildSafety is the cause to fight for. If we don’t, no one will.
