Home » Featured » Teen Avoids Jail After Downloading 4,500 Child Abuse Photos
Click Here To Hide Tor

Teen Avoids Jail After Downloading 4,500 Child Abuse Photos

At age 15, Corey Ewels used the darknet to download almost 4,500 pictures of child abuse, prosecutor Jeremy Evans told Grimsby Crown Court. Police raided Ewels’ Abbey Road, Grimsby home on January 20, 2015. One year passed before investigators analyzed the computer seized from house of the so-called “wizz kid.” Ewels, one of the youngest the court had ever seen for child abuse crimes involving the darknet, told the court that he had downloaded the pictures before her had turned 15.

Jeremy Evans tried to explain onion routing and the Tor Browser to the court. His explanation likely made little difference as Ewels had already admitted he had searched for and downloaded the illegal pictures. Evans said that Ewels used a “computer within a computer” to access the darknet where he had found the “indecent images of children.” Evans called the darknet a set of hidden layers inaccessible by regular search engines. Ewels made “use of the dark web to uncover this material,” Evans said. He said the “computer within a computer” served as a “trapdoor” for darknet access.

Police investigators may not have simply waited a year to access the computers, as information revealed by the prosecutor indicated. They found themselves unable to recover any data when they conducted what should have been a simple forensic data recovery. The investigators needed to access the “trapdoor” to find out what Ewels had stored within it. And they could not. So according to the prosecutor, the police reached out to the The National Technical Assistance Centre (NTAC). NTAC specializes in assisting government agencies with data interception and data recovery.

A discussion on a popular image board focuses on what Ewels did that landed him in court for downloading child abuse content. He used Tor through a virtual machine. All of the PlayPen users—unless they managed to use a clearnet proxy—used Tor as well. Ewels could have been identified by using an outdated version of the Tor browser and leaving NoScript in the “off” position. His arrest occurred in 2015. Since Tor shipped with NoScript off, he may have forgotten to turn it back on. He could have downloaded anything that “phoned home,” so to speak. Even something as simple as the locktime file that law enforcement uploaded to Hansa marketplace that automatically pinged a law enforcement server when opened. (There is no reason any locktime file should be a .xlsx file. It should not even be a downloadable file for that matter.)

Why did the police need a year to break into the virtual machine? Why did they require help from the UK’s data recovery specialists? The encryption is either awful and effectively worthless or great and next to impenetrable.

Ewels pleaded guilty to a combined total of six counts of possessing indecent images of children and possessing extreme pornography. Judge Graham Robinson allowed the now 18-year-old to avoid prison by sentencing him two years of supervision without access to computers.


  1. It sounds like he was using tails with an encrypted partition which took them 12 months to crack, that’s my guess anyway. It still doesn’t explain how they knew to look for him, I doubt it was a “phone home” method as tails would/should block anything from routing outside of Tor. No place is safe for the nonce brigade it would appear.

    • BShaver

      Or he could have been using a windows VM and LEA wasn’t sure how to access the data inside the VM safely so they sent it off to be looked at. Police forces all over are overwhelmed and the backlogs can get pretty rediculous.

    • another anon

      Tails uses Luks to encrypt the persistant volume, so was his weak password brute forced or is luks just not that full-proof anymore?

      Also its interesting how someone manages to download 4.5k photos and not get their hands on any videos. Personally photos just dont do it for me.

    • Could Little Snitch prevent a phone home approach?

  2. I believe he probably downloaded some pictures which allowed them to phone home. If he used tails etc or kept them on an encrypted drive on his computer but look at them after he unlocked his encrypted drive in his normal os then it’s a real possibility that phone home happened to him.

    Alternatively perhaps meta data time stamps were able to pin point him if he at one stage or another went through a compromised entry node seeing as the actual site was already under LE control they would be capable of putting 2 and 2 together especially if he didn’t use an ISP and didn’t hide his tor usage from his isp they won’t be able to see all of that and make a pretty solid guesstimate.

    These are my thoughts, I am probably wrong but who knows.

    • If he opened the images in any os that isn’t privacy focused then I guess the phone home option is possible. Would it not have been better to use an obsf4 bridge rather than a VPN? Although I’ve been told that if the bridge is compromised then all of your Tor usage can be watched leaving your real IP and hitting the hidden service whereas if you use no bridge and pass through a malicious exit node they still can’t see your real IP (without the use of timed correlation attack where possible via compromised service+node) so it’s hard to tell whats best. I’ve also read the big attack on Tor during 2014 was done via adding malicious bridges rather than exit nodes but that may be untrue. Any opinions?

      • fghjzhds

        Pictures can phone home too? I thought that was only possible for videos.

        • A thing

          It’s not that much about file format, more about program you open it with. One may exploit some application to execute code that makes home call. But sure, it’s way more straight forward to do it with video as some formats support downloading remote content.

  3. Hard to say how he got caught.

    If the site(s) he visited were datasharing with law enforcement, it is a possibility that law enforcement saw his username/pw/e-mail and identified him through those.

    Also, 4.5k images is a big deal, it’s bound to gather the attention of someone, somewhere.
    He did use Tails so a phone home of sorts probably didn’t happen, as mentioned.. but who knows for sure. Even on WIN10 this method is hard to pull off, if not impossible if you keep javascript off and noscript active.

    List of possible causes:
    -Honeypot site that read his username/pw and possibly e-mail
    -Correlation Attack?
    -Username/e-mail used on the clearnet identified him
    -Leaked something about himself in a conversation
    -Probably bragged about his deep web habits to someone

  4. This fucking low life scum back should be tied to a tree with barbed wire and saturated with kerosene so he could burn to death as slowly as possible.

    Fucking good work by the “Nonce Brigade” as fare as I am concerned.


    The Dark Net stands for FREEDOM not perverted sadism

    Any decent human being should assist in any way to dig these animals out including assisting the “Nonce Brigade” and bring them to justice, and that includes us.

    • 4times a stroke?

      LoL! Brah, you ok?

    • Freedomforall

      Darknet is for ALL not just a select self appointed few, you discriminatory retard that can’t spell.

    • @4Times

      You have some serious anger management issues.

    • Anonymous

      Apparently its not censorship if it is something you don’t like. Most child porn is made by children nowadays and during its heyday it was all softcore stuff made by smiling children that had their parents approval.

      The perverted sadism is rare but when it exists it get almost a total free pass by LEA. Most pedos don’t even like it if you was to inquire about it on forums and imageboards.

  5. tor was made by the us navy its only in the wild to hide the spies they knew it would create more kiddie porn trading but the spies mean more to them than little kids do

  6. It’s possible for an image to contain phone home software really? damn

  7. How else can u bring awareness?

  8. PlayPen was cracked by FBI 3-4 years ago. Then FBI upload trojan to forum and discovered IP-addresses of most users.

    • Frank Grimes

      Nope. Out of 150,000 members they got 1000 “good leads”, not arrests, LEADS. So yeah, get your facts straight. It always works this way, and it always will.

  9. 4TIMES. calm down. There is no place for crazy people either. Don’t go snapping on people. This kid is 15. FIFTEEN. Not 30. He is still a kid himself. It is obviously not a child’s fault for going down the road he chose. It’s his parent and his peers that he developed a sexual attraction to children.

    Get your fact together before condemning a child.

    • Exactly. Child porn isn’t ok, but people who enjoy it need help, not be punished. They never pressed a button to be a sickko, instead they developed uncontrollable urges through sometinhng.

  10. Let me guess. He probably used a Windows computer as his host to run a VM on it? SMH. They shouldn’t be calling him the wizz kid. In light of everything though they should probably take it easy on the kid. He does it again after 18 years old then I say throw the book at him.

  11. If the kid had used two VMs such like whonix then the only explanation is that he was subjected to a traffic correlation/timing attack. Although there is a possibility he mentioned identifiable stuff such as his name/address etc. It could be that he used an email account to register on the child porn site that he had registered on the open web; or had registered it on TOR but then accidentally logged into that email account on the open web.

  12. If it was a traffic correlation or timing attack that would not quite be enough for a court to grant any warrant for a raid/arrest due to the false positives. It would only allow law enforcement to monitor more closely until they have something concrete that WOULD be court warrant worthy though. Or am I wrong?

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *