Painting the Landscape of Internet Crimes Against Children with Interpretive Tooling

CaseLinker · Report #5 · Final Report

Technical Briefing · 10 Pages · Open Source

Painting the Landscape of
Internet Crimes Against Children
with Interpretive Tooling

A ten-page visual briefing on sixteen years of U.S. ICAC enforcement - the problem, the institutions, the data, and what the record reveals at scale.

What This Briefing Contains

The problem, a high level overview

20+ million CyberTips in 2024. Sextortion up 192%. AI-generated CSAM growing 10x in a single year. This briefing starts with the numbers - then shows the institutions, the technology, and the enforcement record behind them. Not to overwhelm. To orient.

II.

What CaseLinker does and what it found across 5,000+ cases

5,086 public ICAC case reports. 50 sources. 61 task forces. 20 structured case studies across four technological eras - from AOL chatrooms to AI-generated material. What investigators actually did. What worked. What the pattern looks like from the outside.

III.

An open platform built for the people doing this work

Every tool, visualization, cluster interface, triage model, case study, landscape analysis, LLM interface, and underlying dataset have been made available. Built so the next researcher, policymaker, or computer scientist doesn't have to start from zero.

CaseLinker at a Glance

5,000+

Public ICAC case reports processed

Distinct sources across U.S. task forces and federal agencies

52,000+

Structured features extracted

Open analysis tools - visualization, clustering, triage, LLM, and more

Briefing Contents - 10 Pages

The Problem - Definition, scale, and six primary exploitation vectors

The Arms Race - Criminal infrastructure vs. enforcement capability

The Ecosystem - ICAC Task Force Program, NCMEC, DOJ CEOS

CaseLinker - Architecture, pipeline, sources, and credentials

The Framework - 10-dimensional analysis across every case

The 20 Case Studies - Selection methodology and era distribution

Era I & II Findings - P2P and social media enforcement record

Era III & IV Findings - Platform proliferation and generative AI

Aggregate Findings - Patterns visible only at scale

What This Enables - Use cases, open tools, and what comes next

Mrinaal Ramachandran Graduate Student · University of Massachusetts Amherst · Independent Research

github.com/mrinaalr/CaseLinker · HRPO #7668 · MIT License

CaseLinker Report #5 · Page 1 of 10

Internet Crimes Against Children

Definition, scale, and the six primary vectors of online exploitation

An interconnected, inter-disciplinary problem
with federal-state-local enforcement, platform involvement,
and continuous technological evolution spanning thirty plus years

I. Definition & Enforcement Structure

Internet Crimes Against Children (ICAC) encompasses everything from the possession, production, and distribution of child sexual abuse material (CSAM), to online grooming and enticement, to sextortion and hands-on contact offenses where digital evidence establishes the investigative record. These are not isolated incidents. These are crimes facilitated, scaled, and often coordinated through shared digital infrastructure.

The United States federal response is organized through the ICAC Task Force Program, a federal-state-local network administered by OJJDP. Investigations are typically conducted at the state and local level, coordinated through regional task forces and the National Center for Missing and Exploited Children (NCMEC). FBI and HSI join on cases involving organized networks or international scope. Prosecution flows through state attorneys general, U.S. Attorney offices, and DOJ CEOS depending on case complexity and jurisdiction.

Task Forces

61 regional units

Agencies

5,400+ across all 50 states

Reporting Backbone

NCMEC CyberTipline

Federal Prosecution

DOJ CEOS

The U.S. framework operates alongside a broader ecosystem. Interpol, Internet Watch Foundation, and ECPAT International coordinate global cross-border efforts, while platforms are legally required to report CSAM to NCMEC under 18 U.S.C. § 2258A. Non-profits play a pivotal role: Thorn builds detection tools, the Tech Coalition drives platform accountability, C3P maintains global hash infrastructure, Project VIC International delivers victim identification tooling directly to ICAC task forces, and many more contribute to advocacy, policy, and survivor support. This briefing focuses on the U.S. ICAC enforcement record.

II. Scale of the Problem

20M+

CyberTips received by NCMEC in 2024 alone - averaging more than 50,000 reports per day. More than 113,500 reports of possible child sex trafficking in 2025, 93% of which were made by online companies.

192%

Increase in enticement reports to NCMEC in 2024 (546,000) and $33.5M losses from extortion/sextortion reported to FBI IC3 in 2024, 59% increase.

93%

CSAM victims depicted in INHOPE member hotlines are aged 3-13. In 2024, 21% of imagery assessed by IWF was classified as the most severe category of abuse.

10×

Increase in AI-generated CSAM reports in a single year - 4,700 in 2023 to 67,000 in 2024. NCMEC received more than 30,000 reports of users attempting to generate CSAM by uploading images and using text prompts

"Every one of those reports lands on a desk. A human being has to decide what to do with it."

NCMEC analysts review incoming CyberTips, routing them by jurisdiction and urgency to the right task force. Investigators open files, assess the evidence, and build cases among a backlog of hundreds of potential tips. Forensic experts examine devices with terabytes of CSAM. At every step, a person is making a judgment call under volume pressure that never stops growing. And at the end of every one of those files is a child.

III. Six Primary Exploitation Vectors

Grooming

Building trust and emotional connection with a child to facilitate exploitation. Online enticement reports increased 300% between 2021 and 2023 and an additional 192% from 2023 to 2024.

Sextortion

Using threats, coercion, or blackmail to force children into producing sexual content. 90% of victims are boys aged 14–17.

CSAM

Production, distribution, and possession of child sexual abuse material. 104 million+ files related to CSAM were reported by registered Electronic Service Providers in 2023.

AI-Generated CSAM

Synthetic child sexual abuse imagery produced using generative AI - an emerging, rapidly scaling threat with limited legal precedent.

Online Luring & Social Engineering

Offenders manipulating children through gaming platforms, social media, messaging apps, and anonymous communication channels - often using false identities, emotional trust, coercion, or calculated tactics to isolate and exploit victims.

Criminal Networks & Trafficking

Organized groups financing, coordinating, and scaling exploitation across jurisdictions - often targeting hundreds of victims simultaneously.

CaseLinker Report #5 · Page 2 of 10

The Technology Landscape

The arms race between criminal infrastructure and enforcement capability - 2010 to 2026

Criminal Infrastructure

Peer-to-Peer Networks

Limewire, BitTorrent, and Ares enabled mass CSAM distribution through decentralized file sharing. Magnet links replaced direct file URLs, obscuring origin.

Dark Web & Tor

Hidden services enabled anonymous CSAM communities, cryptocurrency payment, and coordination across jurisdictions with minimal exposure.

Encrypted Messaging

Signal, Telegram, and end-to-end encrypted platforms created forensic dead-ends. Group chats became a home for organized distribution and offender communities.

Social Media Platforms

Instagram, Snapchat, Discord, and Facebook Messenger became primary grooming surfaces. Disappearing content and direct messaging lowered detection risk.

Virtual Reality

VR platforms introduced new grooming vectors - avatar-based interaction with minors in immersive, difficult-to-monitor environments.

Generative AI

Diffusion models and LLMs enabled synthetic CSAM at scale, AI-assisted grooming scripts, and deepfake exploitation material. Rapidly evolving in capability and risk.

Cloud Storage & Steganography

Offenders used mainstream cloud platforms and concealment techniques to store and share material across device seizures.

Enforcement Capability

P2P Investigative Tools

Specialized software allowed undercover officers to identify IP addresses sharing known CSAM hashes across peer-to-peer networks in real time.

PhotoDNA & Hash Matching

Microsoft's PhotoDNA enabled perceptual hashing of known CSAM, allowing platforms to detect and report material without human review of content.

NCMEC CyberTipline

Mandatory reporting pipeline for electronic service providers. 20M+ tips in 2024. Routes to task forces by jurisdiction for triage and investigation.

Cellebrite & Digital Forensics

Mobile device extraction, deleted file recovery, and app artifact analysis have become licensed investigative tools across ICAC task forces.

Magnet Forensics

AXIOM and related platforms enabled cross-device analysis, timeline reconstruction, and cloud artifact recovery for complex multi-device cases.

CAID & Child Rescue Coalition

The Child Abuse Image Database and CRC tools expanded known-hash libraries and provided intelligence on active P2P offenders across jurisdictions.

Open Source Intelligence (OSINT)

Investigators and analysts use publicly available social media, domain records, image metadata, and digital footprints to identify suspects and build cases through open-source data.

Undercover Operations

Online undercover investigations, platform cooperation, and coordinated sting operations remained primary vectors for contact offense arrests.

The enforcement record shows a consistent pattern: investigators adapt to each new platform surface, develop technical capability, and establish legal precedent, while offenders migrate to the next emerging technology. CaseLinker traces this co-evolution across 5,086 case reports spanning 2010 to 2026.

CaseLinker Report #5 · Page 3 of 10

The Enforcement Ecosystem

The institutional architecture behind U.S. Internet Crimes Against Children investigations

Regional ICAC Task Forces across all 50 states

5,400+

Law enforcement agencies participating in the Task Force Program

20M+

CyberTips routed through NCMEC in 2024 alone

States with active ICAC task force coverage and federal coordination

OJJDP

Office of Juvenile Justice and Delinquency Prevention. Federal administrator of the ICAC Task Force Program. Provides funding, training standards, and program oversight to all 61 task forces.

ICAC Task Forces

61 regional units organized around a lead agency with participating local, county, and state partners. Responsible for investigation, arrest, prosecution support, and community outreach within their jurisdiction.

NCMEC CyberTipline

National Center for Missing and Exploited Children. Mandatory reporting destination for electronic service providers. Routes tips to the appropriate task force by IP geolocation for triage and action.

DOJ CEOS

Child Exploitation and Obscenity Section. Federal prosecution arm for the most complex ICAC cases - cross-jurisdictional rings, dark web operations, and cases requiring federal authority or international coordination.

State Attorneys General

State-level prosecution of ICAC cases. Attorneys General offices in most states maintain dedicated units - Georgia, Idaho, Texas, Vermont, and others are primary CaseLinker sources.

Platform Cooperation

Electronic service providers are legally required under 18 U.S.C. § 2258A to report apparent CSAM to NCMEC. Voluntary cooperation beyond legal minimums varies significantly by platform.

The Traditional Investigation Pipeline

Platform Detection
Hash match / report

→

CyberTipline
NCMEC routing

→

Task Force Triage
Priority assignment

→

Investigation
Digital forensics

→

Arrest & Referral
State or federal

→

Prosecution
AG / DOJ CEOS

→

Conviction
Public record

· Enforcement Outcomes - FY2024 National Results

203,467

Investigations conducted by ICAC task forces in FY2024

12,600+

Offenders arrested by ICAC task forces in FY2024

46,000

Law enforcement officers and prosecutors trained in FY2024

$39.9M

Federal funding supporting the ICAC Task Force Program in FY2024

Source: OJJDP Internet Crimes Against Children Task Force Program, FY2024.
State-level data varies - Indiana ICAC reported 30,000 CyberTips in 2025, up 38% from 2024. Silicon Valley ICAC (2024): 429 arrests, 68 children rescued from ongoing abuse, 88 child survivors identified.

CaseLinker Report #5 · Page 4 of 10

CaseLinker

An open-source system for cross-case analysis of Internet Crimes Against Children reports

I. What It Is

CaseLinker ingests publicly available, redacted ICAC case reports - press releases, annual reports, and court-adjacent documents - and transforms them into structured feature vectors for cross-case pattern analysis. It is not a database. It is an interpretive research infrastructure.

Built by a graduate student in Computer Science at UMass Amherst, operating independently under an HRPO determination and designed specifically for this field. No private data. No identifiable victim information. Every record is derived from documents already in the public domain.

Reports #1-4

1. Initial release
2. Interpretable ML
3. Scaling
4. Framework

Ethics

This research does not contain private or identifiable information under federal regulations [45 CFR 46.102(f)(1), (2)].
UMass HRPO NHSR #7668.

License

MIT - fully open source

Deployment

Live on Railway, zero retention

II. Scale

5,086

Public ICAC case reports processed across U.S. task forces and agencies

Distinct sources - task force annual reports, AG offices, DOJ CEOS, NCMEC

52,169

Structured features extracted across the 10-dimensional analysis framework

Task forces represented across case corpus by explicit agency match. 2,864 unique law enforcement agencies represented.

III. The Pipeline - From Press Release to Analysis

Ingestion

Public case documents collected from 50 sources - AG offices, task force reports, DOJ CEOS releases

Parsing

Structured extraction of case metadata, charges, platforms, agencies, outcomes, and temporal markers

Feature Extraction

10-dimensional framework applied - 52,000+ features across offense, platform, demographics, and investigation type

04
Analysis
Cross-case clustering, triage scoring, similarity search, temporal trend analysis, and geographic distribution

Visualization

Interactive deployment - investigators, researchers, and policymakers explore patterns without touching raw case text

IV. Selected Sources

AZICACAnnual case reports - detailed case-level coverage

DOJ CEOSFederal prosecution releases - complex rings, dark web, cross-jurisdictional cases

NCMECCyberTipline publications and case summaries

Georgia BIA / CEACCGBI ICAC press releases - extensive state-level record

Kentucky State Police207 cases - largest single task force presence in corpus

Michigan State PoliceICAC Newsroom - structured press release archive

New Jersey AGICAC-related prosecution releases

+ 43 additional sourcesTX, VT, SC, IL, OH, PA, NY, LA, UT, WY, NC, SD, WA, MS, and more

CaseLinker Report #5 · Page 5 of 10

The 10-Dimensional Analysis Framework

Every case in CaseLinker is analyzed across ten structured dimensions - enabling cross-case comparison invisible in any single report

Offense & Severity Patterns

Charge type, severity classification, offense count, and the relationship between online and contact offenses in each case.

Platform Involvement

Which platforms appear in each case - as grooming surfaces, distribution channels, or communication infrastructure for offenders.

Victim Demographics

Age, gender, and vulnerability context where available in public records - structured to enable aggregate demographic analysis without identifying individuals.

Perpetrator Demographics

Age, occupation, and relationship to victim - including patterns of authority-position offending and multi-victim perpetrators.

Investigation Type

How the case originated - CyberTip, undercover operation, parental report, platform referral, or proactive P2P investigation.

Prosecutorial Outcomes

Charges filed, plea agreements, trial outcomes, and sentencing - enabling analysis of prosecution success rates by offense type and jurisdiction.

Agency Coordination

Which agencies participated - local, state, federal, international - and how coordination patterns correlate with case complexity and outcome.

Temporal Trends

Case distribution over time - surfacing how volume, offense type, and platform involvement have shifted across 2010–2026.

Geographic Distribution

Jurisdiction, task force, and state-level mapping - revealing geographic clustering and enforcement capacity variation across the U.S.

Report Similarity and Triage

Algorithmic triage scores by severity and investigative priority, and similarity clustering.

The 10-dimensional framework is the methodological core of CaseLinker. It enables the kind of cross-case, cross-jurisdiction, cross-era analysis that has never been systematically applied to public ICAC enforcement data - not because the data didn't exist, but because no structured pipeline existed to make it navigable. That is what this system presents.

· Example of a Fully Extracted Case Record tbi_icac_2024_017 : highest coverage score across 5,086 cases

TBI ICAC · Operation Protecting Tomorrow · 2024

tbi_icac_2024_017

Victim Count

Evidence

264,000 images

Min. Victim Age

11 years

Platforms

Instagram, Snapchat, social media

Investigation

Undercover + CyberTipline

Perpetrators

10 individuals, ages 28–53

Severity: sexual_abuse, under_12, multiple_perpetrators · Topics: multi_state, CSAM, family · Locations: Tennessee, Alabama, Murfreesboro, Texarkana, Rutherford County

Agencies Involved (23)

Tennessee Bureau of Investigation, ICAC Task Force, FBI, Homeland Security Investigations, NCMEC, United States Secret Service, and 17 county sheriff's offices and police departments across TN, AL, TX, and MI

10 Dimensions Populated

Offense severity · Evidence Volume · Platform vectors · Victim demographics · Perpetrator demographics · Investigation type · Prosecution status · Agency coordination · Temporal markers · Geographic NER ·

Prosecution outcome reflects charges filed during booking at arrest stage.
Source: https://tbinewsroom.com/2024/05/20/tbis-operation-protecting-tomorrow-yields-arrests-identifies-two-dozen-child-online-sexual-exploitation-sextortion-victims/

CaseLinker Report #5 · Page 6 of 10

The 20 Case Studies

How 20 cases were selected from 5,000+ - the stratification logic and selection methodology

I. Selection Methodology

From a corpus of 5,086 case reports, 20 structured case studies were selected through a stratified methodology designed to maximize analytical coverage across technological eras, offense types, platform surfaces, geographies, and investigation approaches.

No case was selected for severity or notoriety. Cases were selected because they illuminate something about how the crime, the technology, or the enforcement response worked at a particular moment - and what that reveals about the broader pattern.

Era representation: Five case studies per technological era - ensuring longitudinal coverage from 2010 through 2026.

Platform diversity: Cases span P2P, social media, encrypted messaging, gaming, VR, and AI-assisted platforms.

Geographic distribution: Multiple states and jurisdictions represented, including federal CEOS cases.

Investigation type: Mix of CyberTip-origin, undercover investigations, proactive P2P, large scale operations, and platform referral cases.

Analytical value: Each case must illuminate something about the co-evolution of exploitation and enforcement that aggregate statistics cannot.

II. Five Analytical Dimensions Per Case

Dimension A

Platform Context

Which platforms were used, how, and why they enabled this particular offense.

Dimension B

Perpetrator Methodology

How the offender operated - grooming approach, technical methods, individual or group involvement.

Dimension C

Investigative Approach

How investigators identified, built, and executed the case. What tools and authorities were used.

Dimension D

Prosecutorial Outcome

Charges, plea, trial, and sentencing - what the legal record shows about how the system responded.

Dimension E

Relationship to the Technological Era

What this case reveals about the broader landscape of its moment - and what it predicts about what came next.

III. Distribution Across Four Technological Eras

Era I

Early Internet & Peer-to-Peer

2010–2014

case studies

P2P networks, toddler found in neglect, undercover stings, new statutes

Era II

Social Media & Mobile-First

2015–2018

case studies

Multiple platforms, large scale operations, trafficking rings, familial DNA searches

Era III

Platform Proliferation

2019–2022

case studies

GPS embedded data, VR kidnapping, gaming platforms, CyberTip-driven child recovery

Era IV

Generative AI

2023–2026

case studies

AI-generated CSAM, organized networks, Snapchat CyberTips, legacy messenger services

CaseLinker Report #5 · Page 7 of 10

Era I & II Findings

What the case record reveals about exploitation and enforcement across the P2P and social media eras

Era I - Early Internet & P2P (2010–2014)

P2P as the dominant vector. Peer-to-peer file sharing networks were the primary infrastructure for CSAM distribution. Investigators developed proactive identification techniques - matching IP addresses sharing known hash values - that drove the majority of arrests.

Hash matching established as standard. PhotoDNA and known-hash libraries became the foundation of illicit material detection. Cases in this era frequently originated from platform CyberTip reports triggered by hash matches.

Multi-device complexity emerged early. Offenders maintained large collections across multiple devices and external drives. Digital forensics capacity - and investigator training - became the limiting factor in prosecution throughput.

Digital evidence revealed offline harm. CyberTip-origin investigations began surfacing contact offenses and in-home abuse that would have gone undetected without mandatory platform reporting. The correlation between online distribution and hands-on offending was only beginning to emerge as a systematic pattern.

Prosecution rates were high. Cases originating from proactive P2P investigation had strong forensic chains and consistent conviction outcomes. The evidence - IP logs, file manifests, device contents - was difficult to contest.

Era II - Social Media & Mobile-First (2015–2018)

Platform surface expanded dramatically. Facebook, Snapchat, and Instagram became new grooming infrastructure. Direct messaging, disappearing content, and pseudonymous accounts lowered detection risk for offenders significantly.

Multi-platform exploitation emerging. Offenders increasingly used multiple platforms simultaneously to target specific victims or broaden reach at scale. Communication, grooming, coercion, and file distribution began fragmenting across separate services, complicating detection and investigative reconstruction.

Platform reporting displaced parental discovery. A significant portion of Era II arrests originated from NCMEC rather than parental discovery of inappropriate contact - a pattern that persists and accelerates in later eras.

Platform cooperation became uneven. Some platforms proactively reported; others required legal process. The gap between voluntary cooperation and legal minimums became a visible enforcement challenge.

Task force operations scaled. Task forces developed structured undercover protocols and coordinated, multi-warrant operations for clearing CyberTips. Single-case pursuit continued alongside initiative-driven enforcement targeting the most active offenders.

· Key Case Study Callouts

Era I - Case Study

When the cybertip opened the door

AOL flagged an AIM user who sent an abusive image, prompting an NCMEC CyberTip and an AZICAC warrant in the Phoenix area. Execution of the warrant surfaced not only CSAM, but also a fifteen-month-old found in severe neglect.

Era II - Case Study

Three platforms to reach one child

2017 Los Angeles case where YouTube, a children's gaming platform, and a separate file-upload service combined into a single coercion pipeline. Surfaced through platform-side reporting to NCMEC rather than family discovery.

Era II - Case Study

Illinois AG seventy-ninth arrest under Operation Glass House

The seventy-ninth Illinois AG arrest under Operation Glass House, charging dissemination and possession of child sexual abuse material; the initiative publicly prioritized the most active traders of violent material involving infants and toddlers.

CaseLinker Report #5 · Page 8 of 10

Era III & IV Findings

Platform proliferation, generative AI, and the investigative challenges enforcement is still navigating

Era III - Platform Proliferation (2019–2022)

Offender actions left increasing digital forensic trails. Era III cases show offenders moving across gaming, chat, and mobile platforms while investigators relied on metadata, device preview, and embedded traces to reconstruct what the platforms themselves would not reveal.

VR and platform shifts continue to evolve grooming. The Oculus kidnapping case demonstrates that avatar-based platforms present genuine physical safety risks - not just digital harm - when offenders use them to establish real-world access to victims.

Possession cases increasingly surfaced previously unknown hands-on offenses. Era III investigations showed that videos and images recovered in possession cases often contained embedded forensic data, including GPS metadata, that could identify where abuse occurred and redirect investigations towards unreported hands-on offenses.

Enforcement shifted toward scale. As CyberTip volume grew, task forces moved from individual case pursuit toward coordinated multi-warrant operations. Clearing queues of possession leads routinely surfaced contact offenses and children living with offenders. Statewide initiatives and multi-agency sweeps became an operational strategy for working through mounting caseloads.

Sextortion emerged as a mass-scale offense. Financially motivated sextortion - organized groups targeting teenage boys - scaled dramatically. Overseas criminal networks operate with near-impunity across jurisdictions, scaling financial sextortion at volume; domestic cases more often reflect grooming and exploitation dynamics with a different but persistent enforcement challenge.

Era IV - Generative AI (2023–2026)

AI-generated CSAM as a distinct legal challenge. The Idaho prosecution under 18-1507C represents the first structured enforcement response to AI-generated material in the state. Legal frameworks are still forming - and varying significantly by state.

Organized ring complexity increased sharply. Era IV cases more frequently involved multi-offender networks coordinating across platforms - one surface for recruitment, another for distribution, another for payment.

Volume pressure on investigators is acute. More than 20.5 million CyberTips in 2024 against an investigative infrastructure built for a fraction of that volume. Triage is now the critical bottleneck.

AI is straining every layer of enforcement. Hash-matching fails on synthetic content, legal frameworks are still forming, investigators cannot always determine if material depicts a real child or synthetic material, and offenders are raising AI as a defense. Every layer of the pipeline is catching up in real time.

Both sides are adapting and the old methods never went away. Statutes are being drafted, prosecutors are building novel legal arguments, and investigators are developing new technical approaches for AI material. However, P2P, social media grooming, sextortion networks, and encrypted messaging remain active vectors. Each new era adds complexity without replacing what came before. Offenders layer methods, and so does enforcement.

· Key Case Study Callouts

Era III - Case Study

Oculus VR Kidnapping Case

A VR platform used to establish contact with a minor that led to a physical kidnapping. Demonstrates that avatar-based environments present real-world physical risk - not just digital harm - when monitoring is absent.

Era IV - Case Study

Discord CSAM Server Investigation

A structured CSAM distribution network operating across Discord servers - demonstrating how gaming-adjacent platforms have become an accessible infrastructure for organized exploitation rings and communities in the modern era.

Era IV - Case Study

Idaho AI-CSAM Prosecution (2024)

First major prosecution under Idaho's visual representation statute (18-1507C). Establishes the legal and investigative framework for AI-generated CSAM cases - and the evidentiary challenges that remain unresolved.

CaseLinker Report #5 · Page 9 of 10

Aggregate Findings

What 5,086 public ICAC case records reveal when analyzed together - patterns invisible in any single case, jurisdiction, or year

31%

of CSAM possession cases carry a contact or hands-on signal

Nearly 1 in 3 cases where someone possessed or distributed material also contained evidence of direct physical abuse. This is a number that dismantles the argument that possession is a victimless offense.

Based on 3,327 cases tagged possession + CSAM. Contact signal: hands_on topic or charge/narrative text (rape, assault, sexual contact, molestation). n=570 narrative or charging signal, n=467 explicit topic match.

81%

of all cases involve CSAM as a primary entry point

4,098 of 5,086 cases involved CSAM. 467 (11.4%) of those involved production or recorded abuse that was traded or distributed (production or created-media language).

distinct platforms appear across the corpus

43.3% of all cases touch one of the top three surfaces. Concentration is high - a small number of surfaces account for the majority of documented exploitation vectors (social media, online, chat).

I. Pictures for the Landscape

CSAM possession was the stable baseline. It appeared in 81% of cases across all eras. Platform shifts changed where material moved, not whether it moved. Possession enforcement remained the primary entry point into the corpus throughout.

Contact offenses emerged from possession cases. 31% of possession-tagged cases carried a contact or hands-on signal. CyberTip-driven investigations into distribution also routinely surfaced additional hands-on abuse and children living with offenders, creating a direct link between online enforcement and physical victim rescue.

Investigations take many forms. Of reports with a characterized investigation type, 492 originated from undercover operations, 485 from online investigations, and 51 from proactive operations. 2,403 cases did not explicitly state how the investigation began. From large-scale distribution network takedowns to next-day child rescue operations, the enforcement record reflects a wide range of investigative approaches across all four eras.

Cases involving hands-on abuse tend to span multiple platforms. Across the full corpus, cases with the hands_on tag averaged 1.00 distinct platforms. That rate increases to 1.28 within the possession and CSAM cohort. Cases with two or more named platforms showed the hands_on tag at nearly double the rate of single-platform cases (28% vs 15%). When abusers escalate to in-person contact, the digital footprint tends to be wider.

II. What the System Reflects and What It Cannot

This is a corpus of public records, not a census. CaseLinker reflects what agencies chose to publish, what platform and offense details were explicitly mentioned, and features that the system was able to extract. High-output states with transparent reporting practices dominate the record.

Every report represents a success. These 5,000+ records are cases where law enforcement was able to identify, investigate, arrest, or otherwise act, whether that means a prosecution, a CyberTip referral, or a child rescue. What the corpus cannot show is equally important: cases where encryption prevented evidence collection, platforms that do not appear because they do not report, and investigative dead ends that never became press releases. Statistics on agency efficiency, platform involvement, and offender capabilities should be interpreted alongside the full knowledge base of ICAC enforcement, not only what CaseLinker can surface through successful public records.

Aggregate statistics are orientation, not conclusion. Press releases underreport contact elements, methodology, and platform specifics by design. The deeper findings live in the case studies, the structured dimensions, and the patterns that only emerge through sustained engagement with the record.

Verification and traceability remain essential. Statistical claims made by the system require external validation before operational deployment. CaseLinker's audit tab, reliance on deterministic extraction over black-box AI, and transparent sourcing standards hope to bridge these limitations.

III. Platform Concentration Across Corpus - Named Platforms by Frequency

1,185

Online / Unspecified

Dominant modality across all eras. Most press releases do not name a specific platform.

533

Social Media

Generic social media label. Concentrated in Era III and IV grooming cases.

210

Kik Messenger

Pseudonymous messaging with limited cooperation. Persistent from Era II-IV in the enforcement record.

180

Snapchat

Disappearing content lowered detection risk. High presence in enticement and grooming cases.

166

Facebook / Meta

Persistent from Era II through Era IV. Mandatory reporting under 18 U.S.C. § 2258A and platform scale make Facebook cases among the most traceable in the corpus.

CaseLinker Report #5 · Page 10 of 10

What This Enables

Who CaseLinker is built for - and what becomes possible when the enforcement record is made legible at scale

I. Audiences & Use Cases

ICAC Investigators & Task Force Commanders

Cross-jurisdiction comparison of successful investigations. Pattern identification across offense types, platforms, and investigation approaches. Officer training and triage scoring of CyberTips based on patterns across previously investigated and prosecuted cases. A searchable record of what has worked - and how.

Researchers & Forensic Psychologists

Long-horizon systemic analysis of how internet-mediated exploitation has evolved. A structured dataset for empirical research on enforcement effectiveness, platform responsibility, and offender methodology - built on public records.

Policymakers & Legislative Staff

An evidence base for technology policy, platform regulation, and enforcement resource allocation - grounded in the actual record of what cases look like, how they are investigated, and how enforcement succeeds.

Computer Scientists & Technologists

A domain entry point into one of the most technically complex and consequential problems in digital safety - with a structured dataset, an open pipeline, and a clear map of where technical contribution is actually needed.

II. Open Tools - Available Now

Visualization

Interactive case corpus exploration across all 10 dimensions

Clustering

Algorithmic case family identification across the full corpus

Triage

Random Forest classifier - 93%+ accuracy - for case priority scoring

Case Studies

All 20 structured case studies with full analytical dimensions

Full-text and structured search across 5,000+ case records

Landscape

Era-based platform analysis and enforcement trend visualization

LLM Interface

Natural language querying of the case corpus - zero data retention

Audit Trail

Full methodology transparency - every extraction decision documented

III. What Comes Next

The CaseLinker series closes with this report. The research continues. Open records work is underway to extend the corpus with state-prosecuted cases. Parallel research directions - platform harm analysis, exploitation lifecycles across the corpus, and kill chain documentation - are under active development. The enforcement record is not finished being written. Neither is the work of making it visible.

Live Deployment

https://CaseLinker.up.railway.app
Live on Railway

Source Code & Data

github.com/mrinaalr/CaseLinker
MIT License - fully open

Research & Contact

end-child-exploitation.com
mrinaalr.github.io/website