Draft content added
Since 2011, we have monitored commercial child sexual abuse websites that conceal illegal imagery unless accessed through specific technical conditions. Typically, this involves visiting the site via a link from another website where a particular referrer or cookie is required, and in some cases both. When accessed directly, these sites display legal content, often adult pornography, making the criminal material harder to identify and investigate.
Disguised websites are particularly challenging to detect and action, requiring specialist technical expertise and investigative experience. Analysts report that these sites typically take at least twice as long to access and assess as standard websites. The IWF continues to play a leading role in this area, sharing knowledge and providing training to partners including other hotlines and law enforcement agencies.
Due to their concealed nature, illegal content on disguised websites often remains live for longer. This underlines the importance of sustained investigative work and information sharing, which enables other agencies to identify and act against sites that may otherwise appear lawful.
Disguised websites have also continued to exploit top-level domain hopping to avoid detection and remain online.
URLs of disguised sites are reported to us every day. When we load these URLs in a browser, we are usually met with a disguise rather than the site’s real content – which is child sexual abuse imagery (CSAM). Common disguises include adult pornography pages, fake 'website maintenance’ notices, or redirections to legitimate, unrelated websites.
We recognise the signs and behavioural patterns that indicate a webpage may be disguising CSAM. Once we establish that a site is using a disguise, the next step is to use our knowledge and tools to bypass the disguise and gain access to the site’s illegal content.
The true content on these sites is extremely harmful. They often display multiple images or GIFs of child sexual abuse as part of an advertising model intended to showcase CSAM. They typically depict children of all ages, genders and ethnicities being sexually abused, and increasingly, they depict AI-generated CSAM.
We consider these commercial websites. Continued clicking through such a network of websites can not only generate revenue, but eventually lead to a payment page where users are prompted to purchase access. Disguised sites seemingly operate as interconnected groups, linking to and referring traffic between one another, all ultimately directing users towards a final monetisation point.
Webpages on disguised sites appear to entice clicks; the harmful text and indecent phrases encourage bad actors to click. Often, any interaction on the page, even a single click, can open a new site containing further illegal material, rapidly generating numerous additional websites and exposing large volumes of CSAM. We suspect that these clicks could be monetised, meaning a bad actor somewhere is benefiting from online users’ appetite for more and more CSAM.
We see these sites disappear and reappear using new domains. Many systems automate domain and hosting changes, enabling operators to keep their platforms accessible at apparent relatively low cost. As a result, we encounter the same networks repeatedly as they shift domains and hosting providers to avoid disruption.
These disguised sites reveal themselves to be a persistent, profit-driven network that constantly shifts domain and referral pathways to remain online. They expose high volumes of CSAM and entice users to see more, whilst constantly revictimising the children they expose.