German authorities, backed by Europol and law enforcement partners in 23 countries, launched Operation Alice against a major dark web fraud network built around the platform "Alice with Violence CP". Investigators said a 35-year-old man in the People’s Republic of China operated more than 373,000 onion domains that falsely advertised child sexual abuse material and cybercrime-as-a-service, took payment in Bitcoin, and failed to deliver the promised content. The investigation began in mid-2021 and examined activity spanning November 2019 through July 2025.
Between 9 and 19 March 2026, authorities shut down more than 373,000 dark web sites, seized 105 servers and multiple electronic devices, and identified the alleged operator along with 440 customers worldwide. Officials estimate the scheme generated more than EUR 345,000 from roughly 10,000 customers, while German authorities issued an international arrest warrant and said investigations continue against more than 100 individuals. Europol added that the operation also supported child protection efforts, including immediate interventions where children were found to be at risk and intelligence development on suspects seeking severe CSAM.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
A French cybersecurity startup executive was implicated in the Alice with Violence CP investigation and is due to appear before the Nanterre judicial court in early September 2026. His lawyer said the three cryptocurrency transactions at issue were test purchases made about four years earlier for research purposes, and investigators reportedly found no evidence he downloaded or possessed illicit content.
Authorities said evidence from Operation Alice could support the prosecution of about 600 offenders and users linked to the fraudulent dark web network. The update expanded the expected enforcement impact beyond the previously disclosed 440 identified customers and more than 100 ongoing investigations.
German authorities issued an international arrest warrant for the suspected operator, who investigators said earned more than EUR 345,000 from about 10,000 customers worldwide. Authorities also said investigations remain ongoing against more than 100 individuals.
Between 9 and 19 March 2026, authorities shut down over 373,000 onion domains tied to the fraudulent network and seized 105 servers along with multiple electronic devices. The takedown was part of coordinated action by 23 countries.
During the operation, investigators identified the suspected operator and 440 customers worldwide connected to the network. Europol said the case also generated child protection interventions and intelligence on suspects seeking severe CSAM.
On 9 March 2026, German authorities, supported by Europol and partners from 23 countries, launched Operation Alice targeting one of the largest fraudulent dark web platform networks. The action focused on the operator of “Alice with Violence CP.”
German authorities opened an investigation in mid-2021 into the fraudulent dark web platform network later linked to a 35-year-old man based in the People’s Republic of China. The probe ultimately examined activity spanning November 2019 through July 2025.
The platform network known as “Alice with Violence CP” began activity by November 2019, advertising child sexual abuse material and cybercrime-as-a-service offerings and taking Bitcoin payments without delivering the promised content.
6 references tracked. Mallory keeps watching after this page renders.
zdnet.fr
Open sourceitpro.com
Open sourceeuropol.europa.eu
Open sourcedatabreaches.net
Open sourcetherecord.media
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.