Operation Alice: How Police Took Down 370,000+ Dark Web Sites

Imagine a criminal marketplace so vast it spans hundreds of thousands of hidden websites. Now picture that entire network being a police trap. That’s exactly what happened in a recent international sting operation that crippled a major dark web fraud scheme.

The Five-Year Honeypot Operation

For nearly five years, a platform called “Alice with Violence CP” operated on the dark web. It advertised child sexual abuse material (CSAM) and cybercrime-as-a-service offerings like stolen credit card data. Thousands of customers worldwide flocked to it, paying in Bitcoin for illegal content.

There was just one problem: none of it was real. The entire operation was a sophisticated scam designed to swindle criminals out of their money. What the customers didn’t know was that law enforcement had been watching the entire time.

German authorities, leading what they called Operation Alice, turned this criminal enterprise into one of the largest honeypots in cyber policing history. From March 9-19, they finally pulled the trigger, dismantling the entire network.

Unmasking the Criminal Customers

While the sites were fake, the criminal intent of the customers was very real. This presented a unique opportunity for investigators. As would-be buyers provided email addresses and made Bitcoin payments for non-existent content, they were essentially handing police their digital fingerprints.

International cooperation through Europol allowed authorities to identify 440 individuals who attempted to purchase illegal material. Over 100 of these cases are now under active investigation. When children were believed to be in immediate danger, police moved swiftly.

In one August 2023 case, Bavarian police searched the home of a 31-year-old father who tried to buy €20 worth of CSAM. He was subsequently convicted. These targeted interventions demonstrate how digital investigations translate into real-world protection.

The Mastermind Behind the Fraud

Police traced the operation to a 35-year-old Chinese national who had been running the scheme since 2019. His technical setup was staggering: over 373,000 .onion sites distributed across 287 servers, with 105 of those servers located in Germany alone.

Between February 2020 and July 2025, he advertised his fake wares through more than 90,000 different onion domains. Customers could purchase “packages” ranging from €17 to €215, supposedly containing anywhere from a few gigabytes to several terabytes of illegal material.

The profits were substantial. Investigators estimate he made over €345,000 from approximately 10,000 duped customers worldwide. An international arrest warrant has now been issued for his capture.

Global Law Enforcement Collaboration

Operation Alice wasn’t a solo effort. Twenty-two countries participated in the takedown, including the United States, United Kingdom, Ukraine, Switzerland, Sweden, Spain, Italy, France, Canada, Australia, and Belgium. This level of international coordination is becoming increasingly crucial in fighting borderless cybercrime.

The success follows another major victory against dark web CSAM platforms. Last year’s Operation Stream, also led by Bavarian authorities with Europol support, took down the Kidflix platform. That operation identified 1,393 suspects worldwide from over 1.8 million registered users.

Unlike Alice with Violence CP, Kidflix actually distributed real child abuse material. The contrast between these two operations shows law enforcement’s evolving strategies: sometimes they dismantle genuine criminal platforms, other times they turn fraudulent ones into intelligence-gathering tools.

What does this mean for the future of dark web policing? The message is clear: even in the most hidden corners of the internet, criminal activity leaves traces. And international law enforcement is getting better at following those traces back to their source.

When a Morning Run Becomes a Security Breach

Imagine starting your day with a brisk jog on the deck of a nuclear-powered aircraft carrier. The sea air, the rhythmic sound of your footsteps—it’s a unique way to stay fit. For one French Navy officer aboard the Charles de Gaulle, that routine run turned into a major security lapse. He logged his workout on Strava, the popular fitness app, and in doing so, publicly broadcast the warship’s precise location as it sailed toward the Middle East.

French newspaper Le Monde first broke this story, but it’s far from an isolated case. Fitness tracking apps have repeatedly created privacy nightmares, especially for military personnel. Remember when Strava data revealed the locations of secret U.S. military bases a few years back? Or when journalists tracked French President Emmanuel Macron’s movements by finding the public Strava accounts of his security detail? This latest incident proves the problem hasn’t gone away.

Why Strava Poses Such a Persistent Threat

Here’s the core issue: Strava accounts default to public. Every time you record a run, cycle, or swim, the app can map your exact route for anyone to see. For most users, that’s harmless—sharing a neighborhood jog with friends. For military members, it’s a different story entirely. That map data can reveal patterns, bases, and movements that should remain confidential.

The French Armed Forces confirmed the officer’s actions violated their security protocols. “This behavior does not comply with current guidelines,” a spokesperson told Le Monde, adding that sailors receive regular reminders about operational security. While President Macron had already announced the carrier’s deployment, broadcasting its real-time coordinates is an entirely different level of exposure. It gives away tactical information that could be exploited.

What This Means for Your Digital Footprint

You might think, “I’m not in the military, so this doesn’t affect me.” Think again. Every piece of data you share publicly creates a digital footprint. That morning run map shows where you live, where you work, and the routes you take daily. For someone with malicious intent, that’s a goldmine of information.

How many people actually check their privacy settings on these apps? Most just download, sign up, and start tracking. The convenience overshadows the risk. Yet with a few simple clicks, you can switch your account to private mode, share activities only with approved followers, or disable map sharing entirely. It’s a small effort for significant protection.

Balancing Fitness and Security in a Connected World

Technology promises to make our lives easier and healthier. Fitness apps motivate us, track our progress, and connect us with communities. But they also collect and display astonishing amounts of personal data. The Strava incident aboard the Charles de Gaulle serves as a stark reminder: our digital and physical worlds are now inextricably linked.

Security isn’t just about strong passwords and antivirus software anymore. It’s about understanding what our devices and apps reveal about us. For military organizations, this means continuous training and strict enforcement of digital policies. For everyday users, it means taking a moment to review app permissions and privacy settings. That quick check might just prevent your next workout from becoming tomorrow’s headline.

FBI Takes Down Handala’s Digital Platforms

Two websites operated by the pro-Iranian hacktivist group Handala have been seized by the FBI. The action came just days after the group publicly claimed responsibility for a destructive cyberattack targeting the American medical technology corporation Stryker.

Visitors to the sites, which Handala used to publicize its hacks and dox individuals, were met with a stark law enforcement banner. The notice stated the domain was used to support malicious cyber activities coordinated with a foreign state actor. TechCrunch verified the seizure by checking the sites’ nameserver records, which now point to FBI-controlled servers.

The Department of Justice and FBI did not immediately comment on the specific reasons for the takedown. The language on the seizure notice, however, leaves little doubt about the U.S. government’s assessment.

Handala’s Response and Ongoing Campaign

How did the group react? In posts on its official Telegram channel, Handala acknowledged the website seizures. The group framed the move as a “desperate attempt to silence our voice” and a sign that its actions were causing fear among its targets.

“The pursuit of justice cannot be stopped by taking down a website,” the hackers wrote, vowing that their movement would persist. The group’s account on the social media platform X was also recently suspended.

Handala’s activities surged following the October 7, 2023, Hamas attacks. The group is widely believed to have ties to the Iranian regime. Its attack on Stryker, a company with over 56,000 employees, was claimed as retaliation for a U.S. missile strike on an Iranian school.

The Destructive Stryker Hack

What made the Stryker attack so severe? Handala reportedly breached an internal administrator account, gaining extensive access to the company’s Windows network. This access included Stryker’s Intune dashboards—tools designed for remotely managing employee laptops and mobile devices.

With control of these dashboards, the hackers possessed a dangerous capability: the power to remotely wipe data from company and employee devices. They allegedly used this access to carry out destructive actions, forcing Stryker into a major recovery effort.

As of this week, Stryker confirmed it is still working to restore its computers and internal network in the wake of the intrusion. The company had signed a $450 million contract with the U.S. Department of Defense last year to supply medical devices.

Disruption and Future Threats

While the website takedown represents a clear setback for Handala, experts caution it is unlikely to be a permanent solution. Nariman Gharib, a U.K.-based Iranian activist and cyber-espionage investigator, called the seizures good news but warned of continued activity.

“Their organizational and management structure is currently disrupted,” Gharib told TechCrunch. He suggested group members could now face greater physical risk, similar to other Iranian cyber operatives.

However, he noted that future leaks from the group could simply be published through media outlets aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC). The digital conflict, it seems, has merely entered a new phase.