April 23 2007


April 23 2007



It a way, a conversation between two children overheard just at a ball hockey game. “I didn’t get any the candy this week,” a woman in Edmonton heard a nine-year-old girl say to her younger that brother. “You don’t suck Daddy’s peepee,” the six-year-old replied. Shocked, the woman told the children, “Don’t be talking like that!” “Well, that’s the truth,” the children said, rather matter-of-factly. The woman put in a call to Children’s Services, and a child abuse investigation was launched. The two siblings gave a full disclosure that their father, Mark Langham (not his real name), had been sexually molesting them, along with two other children under the age of 12.

When Langham went to pick up his stepchildren from school that day, in May 2005, he was told Children’s Services had come for them—and he realized he had been caught. “I knew right away,” he says. “I knew exactly what had happened.” Langham was taken into custody for alleged child abuse. But when police found a computer at his house hooked up to a webcam, that opened up a new avenue of inquiry: Internet offences. They called in Det.

Randy Wickins, assigned to the province’s new Integrated Child Exploitation unit, which brought together the RCMP and local forces. The police laid out for Wickins what they had.

“Let me at it,” he said eagerly, drawing up a search warrant for the computer. On site, he did a quick preview of the hard driveenough to see hundreds of child abuse images, including pictures of Langham’s children. “We knew we had a fairly significant investigation,” Wickins says. “But we had no concept of the size of it.”

“UNBELIEVABLE. I WAS JUST brought to a new world.” Mark Langham remembers vividly the moment when he first clicked on a website promising illicit pictures of children. “I just couldn’t believe my eyes. It was instant

hard-on. That’s when I started building my fantasies.” Langham had not had a run-in with the law since he was a teenager—at 18, he got 90 days’ jail time for assaulting his four-yearold niece; within a year, while still on probation, he abused two boys under eight and was sentenced to 21 months behind bars. He sought treatment and settled down with a woman who already had two young children. “I believed in treatment but it didn’t work,” he says. “Well, actually it worked, but I chose not to follow it. I made the wrong choice.”

He had discovered that the Internet provides the child sexual offender with the “three A’s” he needs to thrive: Anonymity, Acceptance and easy Access. Together the Internet’s possibilities propelled Langham, as they do so many other child abusers, to places he might never otherwise have reached. “Everything that happens on the Internet is the ‘X factor,’ escalating in all ways and not just in numbers,” says Drew Oosterbaan, the chief of the Child Exploitation and Obscenity Seetion for the Department of Justice in Washington, D.C. “The Internet didn’t create pedophiles, but I fear that it is creating more aggressive pedophiles.”

Langham made the fateful decision that he would tell the police about his secret online network of fellow pedophiles. “It wasn’t an attempt to cleanse my soul,” he insists. “I’ve done all this harm; now maybe I’m going to start to change something.” That was the beginning of an international probe that would push police into new technological frontiers, cracking computer codes and infiltrating a high-security Internet underground that spanned several continents.

It was midnight by the time Det. Randy Wickins got back to the police station and walked into his first meeting with Big_ Daddy6l9, Langham’s nickname in the Internet chat rooms he frequented.

“I want a colour TV and cigarettes,” the prisoner said. “And can you get me on Oprah?”

“I’ll work on that,” the Edmonton police officer replied, pretty sure he could handle the first two requests but dubious about becoming a TV agent.

Wickins told him up front that there were no deals on the table. (Langham, now in his early thirties, pleaded guilty to 16 counts of sexual assault and child pornography charges. In July 2005 he was sentenced to 14 years—an unusually long punishment in Canada.) Langham gave the cop access to his buddy list on his MSN and Yahoo! instantmessage accounts, information that would soon prove instrumental in tracking fellow abusers in the U.S. and the U.K. He also told the investigator about a series of secret rooms accessed through a powerful file-sharing software called WinMX.

WinMX was one of the more robust and popular peer-to-peer programs that allowed Internet junkies to easily trade music, videos and chat. The crackdown on illegal downloads by the recording industry led the company that made WinMX to shut down its official Web page, but an ardent group of supporters kept it going, building patches and improvements and effectively driving the program to the dark fringes of the Web. In the hundreds of “rooms” hosted and controlled by secretive administrators, Web surfers could do and say as they wanted. In each room, you could see what other members had stored on their shared folders on their hard drives, select what you wanted and download it.

“Oh my god, I just went bonkers,” Langham says of when he first discovered WinMX. He had seen plenty of pictures of child abuse, but never the variety and amount of videos that filled the WinMX vaults. As “Big_ Daddy6l9,” he began hanging around in several of the rooms dedicated to incest, as well as one labelled “KiddyPics & KiddyVids (Adult Chat).” What was special about “the guys” in his WinMX club, he soon discovered, was that many of its members abused children live while online, streaming the torture for others to watch on a webcam. It didn’t take long for Langham—equipped with a latemodel webcam and with access to two children he could exploit at will—to move up in the ranks and become one of the room administrators. “I wanted to get the high status,” he says. “It gave me a sense of belonging—now I had lots of friends. Hundreds of friends. I know it probably sounds pretty sick, but this is what I lived for. It was my ultimate glory.”

Realizing the case now had potential targets worldwide, the Edmonton detective contacted the RCMP’s still-fledgling National Child Exploitation Coordination Centre (NCECC). Over the summer, Wickins continued his meetings with Langham, but he was growing increasingly concerned that leads needed to be followed quickly. On Sept. 8, he decided to move on his own to test how solid Langham’s allegations were. BigDaddy said that he would often meet his friends in the WinMX room, then exchange live video feeds through Yahoo! or MSN instant chat. At the top of Langham’s Yahoo! buddy list, Wickins found the username AÍ9572.

Why is that contact name familiar? he asked himself.

Then he remembered that in Langham’s collection he had seen numerous files labelled “af9572daughter 1,” “af9572daughter2” and so on. Wickins drew in a breath: he realized the girl in those pictures was associated with the mysterious man on Langham’s buddy list. With the password that Langham had provided, Wickins logged on, blocked all of BigDaddy’s other buddies and waited for AÍ9572 to respond. Within minutes, the man connected and fired up his webcam. “Where you been?” he asked Big_ Daddy6l9, and Wickins invented a story about a broken webcam. In the video feed he was receiving, Wickins could see a girl

around 12 years old walk-

ing around in a pink nightie. For 11 minutes, the two men chatted—long enough for Wickins to grab an IP address from Af9572’s webcam transmission.

“Gotta go,” wrote Af9572, suddenly ending the chat.

“I’m bouncing off my chair,” recalls Wickins, excited that he had captured the man’s IP address, which indicated that he was talking to someone in the U.K. “Great, we got this guy.”

But it would quickly turn darker.

Moments later, Af9572 was back online. This time, the girl was right close to the camera. The man’s hand came into the frame; he lifted her clothing and exposed her buttocks and underwear. “I’m thinking, ‘Oh my god, what’s happening here?’ ” says Wickins.

The man grabbed her hips and pulled her toward him. She got away briefly, and the man’s erect penis was exposed to the webcam.

“Nice—do you miss seeing this?” he said. Then he grabbed her again and pulled her onto his lap.

Wickins was alarmed. “My heart is pounding. I’m thinking, I can’t watch this. I can’t do this. I wasn’t looking at some movie. This was life—right now. This child was going to be raped in front of me.”

Wickins was shaking. He came up with an excuse—“Someone’s come home, got to go”—and terminated the connection. Still unnerved by what he had witnessed live on the webcam, the detective quickly drew up a complete report, including Af9572’s IP address, threw it on a CD and couriered it to the RCMP’s NCECC in Ottawa. By accepted protocol, they were tasked with passing on international leads to the proper authorities.

It was 10:30 p.m. London time when Paul Griffiths, a U.K. cop who had co-operated closely with the Canadians and the Americans in the past, got the call. He had been working long into the night on another case and was just two minutes away from leaving. The RCMP officer ran down the case with Griffiths and passed on the IP address. It took only a few hours the next morning for the IP trace to find that the computer used for the webcam transmission was located in London. The police raced to the house in the late afternoon. The 35-year-old man whom the London police found there readily admitted that he had been abusing his 12-year-old stepdaughter. Within months he would be given an indeterminate sentence on 16 counts of assault and pornography—meaning that his case would have to be reviewed before he was ever released.

Wickins hoped it would get better—and bigger—because the arrest of Mark Langham’s Internet buddy Af9572 showed something else. “I realized our source is right,” Wickins says. “Everything he was telling us was true.”

On Nov. 17, Wickins forwarded to his friend Paul Krawczyk, one of the hard-nosed investigators in Det. Sgt. Paul Gillespie’s Child Exploitation Section at Toronto’s Sex Crimes Unit, the email addresses from Langham’s buddy lists. Five days later, he showed Krawczyk how to enter the WinMx chat rooms, specifically the one called “KiddyPics & KiddyVids.” On Nov. 28, the Toronto cops were ready to begin surveillance on the room. Some of the most active participants— administrators and busy traders named Chevman and MOH, for Master of Horsemen—were immediately apparent. “We were trying to get a feel for the players, see who the regulars were,” says Toronto Det. Const. Scott Purches, who had joined Krawczyk on the case.

“You could tell the organization was different from what we’d ever seen,” says Purches. Many websites and chat rooms favour and, in fact, thrive on anonymity: you go in, trade your stuff and get out. But WinMX was like a seedy bar where the regulars all knew one another’s names—or at least their Web nicknames. Two days after the Toronto cops entered the secret chat room, an international connection to another case kicked the WinMX investigation into high gear. While Krawczyk and Purches were roaming through WinMX, at a nearby desk Det. Const. John Menard had been keeping up his forays into the Freenet. Back in August, he had come across a collection of 83 explicit abuse photos of a six-year-old, known as the “Ellen” series. There were enough clues in the pictures to indicate that they were from the U.K., so on a trip to Europe in early October for some Interpol training, Scott Purches passed on the images to Paul Griffiths.

Griffiths started going through the series, but suddenly stopped when he got to the

10th picture. “I see an ashtray, and it’s actually from a brewery that’s about 10 miles from my house in Manchester,” he said. The pictures were recent, and the girl was young enough to be in primary school, so police began circulating a cropped photo of her to school officials in the area. On the first morning of their canvassing, one headmaster immediately recognized her, and it was not long before police were banging on the door of her TRUSTED father’s home.

The case could have ended there if not for the intervention of Toronto’s Child Exploitation Tracking System (CETS). By now, the database software program that had been developed by Microsoft was in operation in eight RCMP branches across Canada, at the provincial police forces in Ontario and Quebec and at 19 municipal police forces. So on Nov. 30, it was a matter of course for the Toronto squad to enter in the details of the U.K. bust. Det. Const. Warren Bulmer was keying in some of the details of words that had been found on pieces of paper that had been placed next to the naked girl in the Ellen series when CETS found a match.

“Wait a second, this is the same thing,” he said out loud to the room.

“What?” asked Paul Krawczyk, as he made his way over to Bulmer’s screen.

In one of the pictures, next to the girl’s genitals, a piece of paper read “KiddyPics & KiddyVids 2005.” There were also photos of the girl asleep, holding a message to someone named Chevman. In other images of her wearing just her underwear, the name Chevman was on her right thigh, the abbreviation MOH on the left.

“Holy shit!” Krawczyk exploded when he saw the pictures. “Those guys are from the chat room we just logged on to a couple of days ago.”

CETS had connected the Web pictures of the six-year-old girl being abused in England with the WinMX room that the Toronto police were monitoring. “This put it up a notch, because now we knew for certain that people in that room were creating child porn series on demand with real kids,” concludes Krawczyk. “This was more than your average chat room. We started covering it 24/7”

The “KiddyPics & KiddyVids” chat room was difficult to infiltrate, run by a tightly knit group of administrators. Each member used a nickname and a complicated system to shield the digital signature of his IP address. The top administrator was named GOD—an acronym for Galactic Overlord Duplicate. He was assisted by another 31 administrators, including Chevman, Master of Horsemen and—if the handle was any indication—at least one woman, who went by the name Humble Duchess. Other regulars were Acidburn, Lumberjack and Lord Vader. Among the items they had for trade: an image of an 18-month-old girl with her genitals exposed; a nine-minute video showing a girl of about 10 forced into sexual acts; a five-minute video depicting two girls enduring physical abuse. The police faced a delicate dilemma: if they moved too soon against a major WinMX player—and they could hardly stand by if they knew he was actively abusing a child—would they lose the chance to arrest the others and save more children?


The “KiddyPics” regulars were constantly trading security tips and technical know-how. Lord Vader, for example, explained the arsenal of sophisticated Web weapons he had amassed that would baffle most ordinary Internet

users: a 128MB encrypted router, Ghost Surf Pro and Cryptainer. What really stumped the police was the ability of the WinMX software to hide or mask the IP addresses of its users. Krawczyk figured that if he couldn’t find the suspects through their IP addresses, he would have to do it the good old-fashioned way. He focused on Chevman, one of the administrators who kept bubbling to the surface because of the large number of his postings. On a large whiteboard in the Toronto office of the Sex Crimes Unit, Krawczyk began to write down every clue he could glean from Chevman’s messages—“the trail of breadcrumbs,” as he called it. Krawczyk had spotted a note by Chevman that he “wish[ed] TiVO was in Canada,” which narrowed down the country. He made many references to snowy weather and mentioned going for supper around 6 p.m.—when it was already 8 p.m. in Toronto—so Krawczyk was fairly certain his target was in Alberta. The cops knew about Chevman’s cars, about the exact time of birth, date of birth and weight of his daughter’s premature baby and about his wife’s heart surgery.

From the start, the Canadians had farmed out leads to their colleagues in the U.K., Australia and the U.S. One of the first tips found its way to the Chicago branch of Immigration and Customs Enforcement (ICE)—a stroke of luck, because that city happened to have the largest cybercrimes ICE field office in the country. Ron Wolfhek, a veteran customs agent, headed the 17-person unit.

In December 2005, Wolflick and his team used the Canadian information to take down Acidburn, who turned out to be a 29-yearold resident of Bartlett, a Chicago suburb. From Acidburn, the ICE team got the name of one other WinMX member in the Chicago area, whom they arrested immediately, plus leads on about a dozen other people across the country. What the police still could not figure out was how the WinMX software was blocking the users’ IP addresses. The challenge of solving that mystery fell to a young cyber investigator named Brian Bone.

In most popular peer-to-peer trading software programs, computers “talk” to each other to exchange files. In that process, it is not hard for one user to read the IP address of the person sending the files. But WinMX somehow scrambled the IP code so that only the high-level administrators could see it. When the Toronto cops Paul Krawczyk and Scott Purches went to Chicago to assist in the takedown of Acidburn, they explained to their American colleagues how crucial it would be to get a fix on one of the room’s administrators, such as Chevman. “If we could find him, we would be able to break the case,” Krawczyk said.


All day the investigators huddled over the computers. “There has to be some way to do it,” Bone insisted. “My computer has to know who I am communicating with. The IP address is in there—we just have to find it.” At 10 p.m. they finally called it a night. Once at home, Bone got on his own computer and started playing with the program. He soon noticed that no matter how many times he logged on or off from the WinMX room, the hexadecimal digits after his user nickname—a numeral system in mathematics and computer science that uses the symbols 0 to 9 and A to F—remained the same. “The hex code stands for something and doesn’t change,” he concluded. “Somehow the hex code is matching the IP.”

Bone did some Web searches and eventually found a page in German that seemed to explain some of the WinMX patches. He clicked on one of the Web’s instant, if not always reliable, computer translation tools to read the text in somewhat garbled English. It was enough for him to decipher an important clue: the last four digits of the hex series represented the port number—the entry point the user’s computer used to communicate with the Internet. Then Bone realized that the numbers—grouped in series of four separated by a decimal point—might be backwards, with the least significant data first. If he reversed the order and read them right to left, then converted the hex code into regular digits—bingo, he had the IP address.


The next morning, the police logged on to WinMX from various computers in their office, and each time it worked. Then they tried it on the code coming up after Chevman’s name. The IP address for Chevman indicated that the administrator they had been after all this time lived in the city where the case had first started.

“It came full circle back to Edmonton,” says Randy Wickins.

Chevman, it turned out, was a 49-year-old clerk named Carl A. Treleaven whose wife worked in a local daycare.

By Jan. 14, the police were able to run an IP trace through the Shaw Internet provider in Alberta to come up with a street address. On Jan. 25, Paul Krawczyk and Scott Purches flew out to Edmonton to help Wickins with the arrest. At 7:30 the next morning, it was still dark as the officers waited in a surveillance van parked just outside the man’s simple bungalow. The stakes were high because the police did not want to simply arrest Treleaven; they wanted to take over his identity so they could infiltrate the group as a top administrator. To do that, they needed to nab him during those brief moments when he was online but temporarily away from his computer.

“We knew what we could get—if the computer was still on,” says Wickins.

In the van, they had a partial view inside Treleaven’s home through a front window. They were also on the phone to John Menard back in Toronto; he was monitoring Chevman’s live online chats.

As Chevman typed in a message on his keyboard, Menard read it over the phone and Scott Purches repeated it out loud in the van: “Be right back—coffee time.”

That was the cue they were waiting for—a few precious minutes when Chevman was away from his screen. “Okay, go. He’s in the kitchen!” Randy’s excitement crackled over the police radio to the troops outside. Quickly, a decoy officer ran to the front door and rang the bell. The cops figured that Treleaven had two choices: answer the door, or run for the computer. Either way, the SWAT team was standing by.

“As soon as he opened the door, his life

changed forever,” says Wickins.

The cops burst in. Krawczyk rushed for the computer. At his doorstep, Treleaven was shaken, visibly distraught and sobbing.

“I just look at pictures,” Treleaven told officers tearfully. “I don’t want to hurt anybody.” Chevman was being disingenuous at best: his criminal record included convictions in 1986 and again in 1993 for indecent assault and gross indecency for attacks on young girls. Now, standing in his open doorway in the cold Alberta winter morning, Treleaven could feel his world crashing down around him.

“I know why you’re here,” he said, still sobbing, to the arresting officer.

“Why am I here today?” the cop asked.

“To put me in jail forever,” said the avid WinMX predator somewhat melodramatically. In Canada, he was looking at only a handful of years behind bars since there was no evidence—this time—that he’d committed any hands-on abuse. On his computer in the WinMX chat room, police found over 90 people waiting to download the more than 20 gigabytes of child abuse images that Treleaven had stored.

While Chevman cried to the arresting officers, a few feet away Paul Krawczyk was crouched over the man’s computer, hoping to pull off an updated, online version of the “bait and switch” con: he had to convince the hundreds of WinMX underlings—and, more important, the other top chat room administrators—that he was Chevman. “He was probably the most trusted person in the chat room,” Krawczyk says.

In Toronto and in Chicago, where the code cracker Brian Bone and other members of the ICE team were monitoring the room, they waited nervously, knowing that the next time Chevman logged in, it would be one of their officers typing in the words. “There was probably a good five minutes between Chevman’s departure and when Paul started typing, so it was one of those hold-your-breath moments,” says Bone.

“We had to make sure that once we took Chevman down, there wasn’t widespread panic in the room,” explains ICE’s Ron Wolfhek.

“We’re waiting with our fingers over the phone buttons, because if things went badly, we needed to make sure we got people deployed.” Deployed and ready to arrest the known targets in WinMX.

But there was no need to panic. In a few minutes, “Chevman” returned; his WinMX buddies assumed he had finished his coffee break, and no one raised any doubts. Later that day, Treleaven gave the police a four-hour interview—and also gave up his password as the room administrator. Over the next few hours, then days and weeks, Krawczyk kept going in as Chevman, unchallenged. “It was such a seamless takeover of him; there was no hiccup,” Krawczyk says.

It was the turning point in the investigation. Now, as Chevman, the cops had access to everyone’s IP addresses—in effect, the membership records of the “KiddyPics & KiddyVids” club. When someone entered the room—at any given time there were usually between 30 and 60 people online—the undercover cops could see his nickname, his IP address and how many files he was sharing.

From Jan. 26 until March 6—when the major takedown took place—Krawczyk and his team kept up the ruse. As police officers, they were not allowed to offer child pornography, so they had to come up with an excuse why Chevman was suddenly not in the trading business anymore. “Chevman” told his online pals that he had just repartitioned his hard drive and did not have easy access to his collection; he was waiting for tax-return money to buy a new drive.

“Chevman gave us a huge break,” says Krawczyk. “He came with the status. It was like purchasing the key to the room.” It was a key that would eventually help put dozens of people in jail, not just in Canada and the United States, but also in the Netherlands, Germany, Scotland, Denmark and Sweden. M

Excerpted from One Child At a Time: The Global Fight to Rescue Children from Online Predators by Julian Sher. Copyright © 2007 JournalismNet Enterprise Inc. Published by Random House Canada. Reproduced by arrangement with the Publisher. All rights reserved. For more Web tips on protecting your child, see www.macleans.ca.