Operation Lobos 1

Operation Lobos (Operação Lobos), also known as Operation Wolves, was a Brazilian-centered 12-country multinational operation to target the operations of a Tor onion service known as Baby Heart. Additional objectives and targets of the joint operation were the deanonymization of the Tor host servers, Tor administrators, and Tor users associated with the target website and several other targeted websites/chat-sites that were alleged to contain or be used to traffic illegal images of child sexual abuse materials (CSAM) and other categories of legal nude and non-nude images of persons under 18. As of February 2024, the complete list of target websites/chat-sites involved in this operation has not been released by any government; however, the primary targets appeared to be the following: Baby Heart, Hurt-meh, Boyvids 4.0, Anjos Prohibidos (BR)/Forbidden Angels, and Loli Lust. Court documents have indicated that there were at least two other websites/chat-sites that were targeted; however, the names of the websites/chat-sites have not been made public.

For information on the named operations associated with the searches, seizures, prosecution, and litigation of the leads generated from Operation Lobos 1, see the country specific summary below.

Investigative history
The multinational joint investigation (Operation BabyHeart) that led to Operation Lobos was started as early as August 2015, when the Onion Service Bulletin Board Baby-Heart was originally brought online.
 * October 2016: Sworn testimony by HSI agent Greg Squire states that the U.S. joined the joint investigation at this time, describing it as HSI Boston, HSI Philadelphia, and law enforcement abroad.
 * March 2017, Australian Police purportedly relayed information to Portugal's Judiciary cybercrime unit "UNC3T."
 * May 2017, Australian police sent UNC3T more information obtained from the arrest and seizure of another suspect in Australia.
 * May 2017, HSI Special Agent Greg Squire conducted four searches in California in connection with Operation Babyheart. The tip was provided by a foreign law enforcement agency after the arrest (believed to be associated with the Portugal and Brazil arrest only 2 months prior) which led to 4 arrests.
 * Leading up to 20 June 2017, collaboration with the United States Immigration and Customs Enforcement provided criminal intelligence analysis by their experts, along with Europol and Interpol.
 * 20 June 2017, two of the board's administrators (Twinkle aka XXX and Forgotten) were arrested in Portugal and later sentenced on 23 January 2020. Twinkle was caught "in the act" of producing CSAM, and he then assisted the Portuguese law enforcement in apprehending Forgotten.
 * The arrest of Twinkle and Forgotten preceded the arrest and criminal complaint against another Baby Heart site administrator located in Recife/Pernambuco State (PE) of Brazil. This website administrator in Recife purportedly yielded an "award winning collaboration agreement/plea-deal" with the Brazilian Federal Public Prosecutor's Office, also known as the Ministerio Publico Federal (MPF). The administrator turned informant alleged to have an important relationship through the Tor web with the administrator of the Baby Heart Tor onion service (and other onion services). The existence and importance of the information about the Target Website server administrator were allegedly verified between the Brazilian MPF and the United States Federal Bureau of Investigation (FBI). At the time, the FBI alleged that this one person was maintaining 70% of all CSAM content on the Tor Network. Fact-checking this statistic makes the statement of 70% improbable or misleading, as multiple press releases published subsequently, during, and after the operation of those specific onion services indicated numbers greater than 30% for any given set of services. An example is the statistical information provided by the U.S. government about the Korean site "Welcome to Video" (see Welcome to Video case).

Most of what is known about the operation was gathered as a result of Portuguese and later Brazilian authorities conducting press conferences and issuing press releases boasting about their success and participation in what Brazilian authorities described as an "unprecedented" joint operation with the United States (US) Federal Bureau of Investigation (FBI) and the United Kingdom's (UK) National Crime Agency (NCA).

Initial investigation

 * One tool used was Europol's Trace an Object (objects, backgrounds, and garments identified on the net in child abuse) with photos from social networks.
 * Suspects were also identified by Portugal's Polícia Judiciária Scientific Police Force (LPC), which created palmar impressions from images that included a view of the suspects' hands (the suspects never showed their faces in the uploaded images).
 * An arrest of one of the onion service administrators from Recife/PE, Brazil, yielded a plea deal whereby the administrator would act as an informant to obtain information about the server administrator.

The operation start

 * Under the terms of a judicially authorized warrant and through the information obtained from the informant, the Brazilian authorities worked with the FBI to obtain the Internet Protocol (IP) address for the server.
 * A subpoena to the Internet Service Provider (ISP) associated with the suspect IP address was issued, and the ISP provided the physical street address and account information associated with the IP address. The physical address, also known as the target address given, was an address in Recife, PE, Brazil.

First traffic interception and analysis

 * A warrant was granted to intercept the data stream between the ISP and the suspect's target physical address.
 * The intercepted data was monitored with support from the United Kingdom's National Crime Agency (NCA) as part of Project Habitance. They confirmed that 85.53% of the internet traffic corresponded to Tor traffic. The fact that 374 terabytes (PB) of data flowed through the connection for the duration of the analysis gave law enforcement the suspicion that the target was a Tor server node or Tor relay node.

Judicial authorizations from first interception
The information obtained from the first period of data interception was used to obtain an additional series of warrants.
 * Wiretaps on the telephone communications associated with the address and individuals associated with the target address
 * Search and seizure warrant for the email provider associated with the individuals that were associated with the target address.
 * Search and seizure warrant for the target address residence
 * A special covert search and surveillance warrant that allowed for recording devices to be installed within the residence to capture passwords entered by the server administrator.
 * Controlled action?

Target address search, wiretap, and second traffic interception and analysis

 * The second period of interception used a deanonymization technique developed by the FBI. Law enforcement commenced a denial-of-service attack on the Target Tor Onion Service and monitored the intercepted traffic. By pulsing the DDoS attack, the joint task force was able to distinguish between the periods of normal traffic received by the Target Tor Onion Service and the periods in which the DDoS attack was occurring. The increase in the volume of traffic during the DDoS attacks was a method of corroborating the suspicion that the Target Onion Service was being operated by a server at the Target Address.
 * Wiretaps of the target suspect's phone calls also corroborated the suspicion that he was the target server's administrator. Dialogues between him and the ISP regarding the internet service issues were intercepted and recorded. The DDoS attack resulted in the Target Tor Onion Service/Target Website being inaccessible to users for the duration of the attack, as the flood of data exceeded the bandwidth allotted to that internet account.
 * 8 March 2019, the electricity to the target address was shut down.
 * 12 March 2019, the first exploratory search of the target address in the absence of the inhabitant, which in Brazil is regarded as unprecedented, was conducted. The warrant authorized the installation of surveillance cameras, an inline keylogger, and a mouse logger, as well as the copying of all data from electronic equipment. However, the installation of surveillance cameras was not performed. Computers, flash drives, internal and external hard drives, and other media were all copied for later analysis.
 * 5 June 2019, a second exploratory search was conducted of the target address (in the absence of the inhabitant), in which law enforcement successfully installed the keyloggers on two keyboards. This technique was the expertise of the NCA, whereby the law enforcement agents could obtain the logins and passwords to the computers, servers, and Tor Onion services/target website(s)/chat-sites the next time the administrator logged in. Law enforcement also took this second opportunity to make a complete copy of the server's hard drive for future examination. The electricity to the target address was again turned off and then on, which would force the system administrator to type in all of his logins and passwords to restart the system.

Seizure and arrest

 * 6 June 2019, the arrest of the server administrator, Lucas Batista, and the seizure of the operational server occurred.

Dissemination and sharing of the seized devices, media and data
The information seized (which included 2,042,408 alleged files of CSAM) was shared with the FBI and NCA. Additional information, such as the server administrator's emails, bank statements, tax statements, UBER transactions and destinations, mobile phone data, and surveillance logs from outside of his residence, was used to corroborate the crimes.

Legality
The initial crimes cited by Brazilian authorities in order to establish the validity of the investigation under the Brazilian Criminal Code were:
 * sale, dissemination, production and storage of child pornography under Article Nos. 240, 241, 241-A and 241-B of the ECA (Estatuto da Criança e do Adolescente, the Child and Adolescent Statute), and
 * rape, including of the vulnerable, under Article Nos. 213 and 217-A

During the time the Tor Onion services were active, starting in early March 2019, the NCA and their partners conducted traffic analysis under the Targeted Equipment Interference (TEI) warrants 91-TEI-0147-2019 and 91-TEI-0146-2019. Despite the notification to the United States on 16 September 2019 that "at no time was any computer or device interference with in the United States" and that the "UK did not access, search or seize any data from any computer in the United States," there are legal challenges to these statements that, as of February 2024, have not been resolved. TEI warrants and TE warrants differ in the judicial approval for interference with target devices (see UK NCA's Operation Venetic).

U.S. legal challenges
Citing the Silver-Platter issues, a half dozen people charged in the U.S. have filed motions to suppress all evidence obtained from what they believe were illegal search warrants. U.S. case law prohibits the federal government from receiving "tips" and relying on them for the purposes of obtaining a search warrant if the U.S. government was sufficiently involved in the spying/sting operation and did not obtain a prior warrant for the initial spying.

"Although the Fourth Amendment and its exclusionary rule generally do not apply to the law enforcement activities of foreign authorities acting in their own country, the concepts do apply where (1) the conduct of foreign officials in acquiring the evidence is so extreme that it shocks the judicial conscience, and second, (2) where U.S. cooperation with foreign law enforcement officials may implicate constitutional restrictions." United States v. Valdivia, 680 F. 3d 33, 51 (1st Cir. 2012); United States v. Getto, 729 F.3d 221, 228 (2d Cir. 2013). This is part of the ongoing controversy regarding the Five Eyes.

The server administrator
Lucas Batista Santos was arrested on 6 June 2019 in Sao Paulo, Brazil, for his work in maintaining the servers for the Tor Onion Services Baby Heart, Hurt-meh, Boyvids 4.0, Anjos Prohibidos (BR)/Forbidden Angels, and Loli Lust. According to the FBI, more than 1,839,831 users were registered across the five sites.

Country-specific summary
The second phase of Operation Lobos 1 in Brazil was called Operation Lobos Phase 2, or just Operation Lobos 2, and dealt with the arrest and judicial proceedings of the suspects associated with the findings from Operation Lobos 1. Most, if not all, of the participating countries also had a named operation that dealt with the leads provided by Operation Lobos. The names of the operations in each country have not been published as of February 2024; however, many of the people alleged to have visited the sites have been prosecuted in the years following as a result of a lead or a tip from a foreign law enforcement agency.


 * The United States received hundreds of leads from the NCA in August and September 2019; however, as of 20 February 2024, only 38 individuals have been searched, resulting in only 27 arrests. Two of the persons arrested died in custody, and one person who was convicted has since appealed and won the appeal to overturn the conviction, with only 13 convictions having been achieved thus far. There are still five awaiting trial and two awaiting appeal.
 * Brazil – As of 3 December 2021, Brazil had executed 106 search and seizure warrants in connection with Operation Lobos in 55 cities across 20 states. According to a government press release, 18 arrests were "made in the act." Most of the searches were for residences, but some were for workplaces. 68 of the search and seizures resulted in arrests, or about 62% of the searches. The number of convictions is still outstanding.
 * Germany also received a list of leads; however, their lack of court transparency laws may limit what will ever be known about how many leads they received or who they were.

Participating law-enforcement agencies
"The operation was the result of a collective work of police forces from Brazil, the United States, the United Kingdom, Australia, Canada, New Zealand, Germany, Portugal, Italy, Norway, France and Austria" 


 * Australia:
    * Australian Federal Police (AFP)
    * Queensland Task Force Argos of the Queensland Police Service
 * Austria
 * Brazil – Federal Police of Brazil
 * Canada – Toronto Police Service
 * Europol
 * France:
    * French National Police – Police National – (OCLCTIC)
    * National Gendarmerie – French Gendarmerie Nationale – (C3N)
 * Interpol
 * Italy – Italian Polizia di Communicazioni
 * Germany – Federal Criminal Police Office (Germany) Bundeskriminalamt (BKA)
 * New Zealand
 * Norway
 * Portugal:
    * Cybercrime Combat Unit (UNC3T)
    * Portugal's Judicial Police Scientific Police Force (LPC)
 * United Kingdom:
    * National Crime Agency (NCA)
    * West Midlands Police
 * United States:
    * Homeland Security Investigations (HSI)
    * Federal Bureau of Investigation (FBI)