Operation Alice shuts down 373,000 fake dark web sites in global child protection crackdown

An international law enforcement operation has shut down more than 373,000 dark web sites tied to a fraud network that advertised illegal abuse material and cybercrime services. The action, called Operation Alice, was led by German authorities with support from Europol and ran from March 9 to March 19, 2026.

Authorities say the sites did not actually deliver the illegal material they advertised. Instead, investigators found a scam network that used previews and fake listings to trick buyers into handing over email addresses and Bitcoin payments. Europol says around 10,000 users were deceived, generating about EUR 345,000, or roughly $400,000, for the operator.

The investigation began in mid-2021 and focused on a dark web platform called “Alice with Violence CP.” Europol says a 35-year-old suspect based in China ran more than 373,000 onion domains and that German authorities have issued an international arrest warrant.

What Operation Alice uncovered

Investigators say the network did more than advertise fake abuse material. Europol says the same infrastructure also promoted cybercrime-as-a-service offerings, including stolen credit card data and access to compromised systems.

That widened the case from a single dark web platform into a much larger criminal ecosystem. Over time, the investigation identified 440 customers in 23 countries, and authorities are still pursuing more than 100 of those cases.

Operation Alice by the numbers

Source: Europol and follow-up reporting.

How the scam worked

Europol says the sites offered fake “packages” priced between about EUR 17 and EUR 215, with promised data volumes ranging from a few gigabytes to several terabytes. Buyers paid in Bitcoin and received nothing.

That matters because even though the material was never delivered, the buyers still attempted to purchase illegal abuse content. Europol and related reporting make clear that investigators are treating those attempts seriously, both because they show criminal intent and because they financially supported the network.

Why the takedown stands out

The scale of the infrastructure stands out. Europol says the suspect operated 287 servers at the network’s peak, with 105 of them located in Germany, and those servers have now been seized.

The timeline also shows how long the network operated. Europol says the suspect advertised abuse material and cybercrime services from February 2020 to July 2025, using more than 90,000 onion domains across 32 platforms to reach buyers.

What happens next

The operator remains the main target, but the case has expanded well beyond that. Europol says the operation started by focusing on one platform operator and later uncovered hundreds of customers through international cooperation.

Authorities are still investigating many of those users. That means Operation Alice looks less like a completed takedown and more like the start of a broader enforcement push tied to both child protection and cybercrime. This is an inference based on Europol’s statement that more than 100 investigations are still ongoing.

Broader child protection work

Europol says the operation fits into a wider child protection effort. The agency highlighted its Help4U support platform, launched in November 2025, and its “Stop Child Abuse – Trace an Object” initiative, which asks the public to help identify objects seen in abuse material that could lead investigators to victims and offenders.

FAQ