On 11 March 2025, one of the biggest child sexual abuse material (CSAM) platforms, named Kidflix, was taken down in an international law enforcement effort dubbed Operation Stream. Kidflix launched in 2021 and hosted over 91,000 unique videos while it was active. The investigation into the platform started in 2022 and resulted in 79 arrests, 1,393 identified suspects and seizure of over 3,000 electronic devices. For more details, please read Europol’s press release. I bumped into this good news on 2nd April 2025, when, as usual, was going through publications on the BleepingComputer.
Kidlflix seizure banner. Taken from Europol’s PR
Now, you know, I am very interested in infostealers and data leaks, and for a long time was thinking that we could leverage the infostealer logs for identifying logins to CSAM related sites. Before submission of my infostealers related talk to BalCCon2k24 conference, I mentally outlined the structure of it into two parts. In the first part I’d talk about infostealers and in the second part I’d do some basic analysis of data exfiltrated from victims. Among other things, for the analysis parts I thought to myself that wouldn’t it be cool to show how many users of CSAM site were found. Pretty quickly I dismissed the idea, for a few reasons:
- To find the users of CSAM sites, I firstly needed to find addresses of such sites to use as keywords against the data-set. While theoretically I could find such sites for keyword population, but in practice I didn’t really want to be exposed to any such horrific materials. Frankly speaking, not worth doing it just to have an additional “cool” slide on the presentation.
- I didn’t have backing/blessing of a law enforcement or child protection agencies. Therefore, it would pretty troublesome to explain myself on how did I get the websites.
Amazingly enough, on the day when I submitted my talk to BalCCon2k24 conference, Recorded Future dropped an excellent report: “Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers” Recorded Future did exactly what I was thinking about, and they identified over 3,000 unique login credentials to CSAM sites. It is a superb investigation, I recommend reading the whole report.
Recently, I was chatting with Louis Hur, CEO of StealthMole, a company which provides dark web threat intelligence services. StealthMole surfaced recently, and took the OSINT community by storm, search for it on LinkedIn, a number of “OSINTers” are showcasing impressive use cases of the platform. Louis shared with me his post on findings related to Kidflix on StealhtMole platform, which identified 2,104 accounts from 36 counties. This reminded me of something I supposed to do…
You see, the bulk of this post was written in the beginning of April, and it was just sitting in my drafts. I just never finalized and pushed to publication. By now, you are wondering what this post is about. I did a thing, and you guessed it right, I did search for Kidflix login credentials and tried to make some basic analysis.
Now, I don’t have access to full infostealer logs, neither do I have time/resources/skills to collect full logs and parse/process them. What I have is a URL:Login:Password (ULP) data-set, which I occasionally deduplicate, clean and update with new data. And then I give mildly entertaining talks, such as on BalCCon2k24 or DisObey2025, about infostealers.
When the news about the taking down of Kidflix came, I decided to see if there are any findings in the ULP data-set. Remember when I told that I didn’t really want to search for web addresses of CSAM sites? Yeah, I figured that for this particular case, I don’t really need to actively search for URLs of CSAM platform, I can just search for the word “kidflix” in the data-set, then filter all the ULP lines where the URL starts with “kidflix”. And just like that, I identified a number of login credentials to the CSAM site. But, you’d ask, “what about your usual meaningless numbers”, let me provide ’em:
Unique Kidflix addresses (V3 onion): 18
Unique login credential pairs (login username/password): 1171
Unique login usernames: 989 (935 case-insensitive)
Unique email addresses used as login usernames: 54
Unique passwords: 863
Ha, passwords! Always wanted to analyse them. I tried to invoke an inner Jarkko Vesiluoma, but to no avail. Sadly, I am a version of Jarkko one would get from TEMU.
I searched for password analysis tools, tried some, and decided to use passwordSmelter, which is good enough, gives some stats on passwords. Below tables are results of the tool’s output, after I fed it passwords of Kidflix users.
This is of course a bit of a dumb investigation on passwords. What would be really cool is to compare password characteristics from this data-set to others. And personally, I’d be more interested in semantics of passwords. But, unfortunately, I don’t have enough time for a more in-depth analysis. Hope you liked the post and if you like to chat (or work on something together), feel free to contact me.
Password length
| Password Length | Count |
|---|---|
| 6 | 19 |
| 7 | 19 |
| 8 | 231 |
| 9 | 239 |
| 10 | 195 |
| 11 | 147 |
| 12 | 87 |
| 13 | 64 |
| 14 | 42 |
| 15 | 79 |
| 16 | 12 |
| Other | 37 |
Character sets
| Character Set | Count |
|---|---|
| mixedalphanum | 598 |
| all | 277 |
| loweralphanum | 156 |
| loweralphaspecialnum | 38 |
| numeric | 36 |
| loweralpha | 32 |
| Other | 34 |
Simple masks
| Mask | Count |
|---|---|
| Word+Number | 607 |
| Other | 204 |
| Word+Number+Symbol | 110 |
| Word+Symbol+Number | 65 |
| Number+Word | 55 |
| Word | 49 |
| Word+Number+Word | 45 |
| Number | 36 |
Top base words
| Base Word | Count |
|---|---|
| manchkin | 20 |
| david | 18 |
| genuine | 15 |
| mystuff | 12 |
| money | 10 |
| italpur | 10 |
| kar | 9 |
| lok | 9 |
| cademan | 9 |
| vermot | 9 |
| ameli | 8 |
| kidflix | 7 |
| fresco | 7 |
| elweon | 7 |
| qwert | 6 |
| syzz | 6 |
| maan | 6 |
| qweasd | 6 |
| amap | 6 |
| kib | 5 |
Top mutations
| Mutation | Count |
|---|---|
| password | 66 |
| password1 | 48 |
| password123 | 33 |
| password1234 | 24 |
| password113234 | 15 |
| password12 | 12 |
| password21 | 11 |
| password26 | 10 |
| password123lok | 9 |
| password786 | 9 |
| password123@ | 9 |
| password@123 | 9 |
| Kar123password | 9 |
| password2 | 8 |
| password69 | 8 |
| password100 | 7 |
| password5 | 7 |
| password0 | 6 |
| 1234password | 6 |
| password7 | 6 |
Top numbers
| Number | Count |
|---|---|
| 1 | 84 |
| 123 | 67 |
| 2 | 38 |
| 1234 | 37 |
| 3 | 34 |
| 7 | 29 |
| 5 | 28 |
| 8 | 25 |
| 9 | 23 |
| 12 | 23 |
| 4 | 22 |
| 6 | 21 |
| 0 | 17 |
| 113234 | 15 |
| 100 | 11 |
| 21 | 11 |
| 26 | 11 |
| 786 | 10 |
| 012 | 10 |
| 11 | 9 |
Top symbols
| Symbol | Count |
|---|---|
| @ | 133 |
| ! | 43 |
| . | 35 |
| # | 24 |
| _ | 23 |
| – | 21 |
| $ | 15 |
| * | 7 |
| ? | 6 |
| & | 5 |
| @@ | 4 |
| .. | 4 |
| ** | 3 |
| @/ | 3 |
| $# | 3 |
| { | 2 |
| ‘ | 2 |
| $$$-_ | 2 |
| — | 2 |
| .?#+ | 2 |
Advanced masks
| Mask | Count |
|---|---|
| ?u?l?l?l?l?l?l?l?d | 40 |
| ?u?l?l?l?d?d?d?d | 37 |
| ?u?l?l?l?l?d?d?d | 29 |
| ?u?l?l?l?l?d?d?d?d | 26 |
| ?u?l?l?l?l?l?d?d | 20 |
| ?u?l?l?l?l?l?l?d?d | 20 |
| ?u?l?l?l?l?l?l?d | 19 |
| ?u?l?l?l?l?d?d?d?d?d?d | 18 |
| ?u?l?l?l?l?l?d?d?d?d | 18 |
| ?u?l?l?l?l?l?d?d?d | 16 |
| ?u?l?l?l?l?l?l?d?d?d?s | 16 |
| ?d?d?d?d?d?d?d?d | 15 |
| ?u?l?l?l?l?l?l?d?d?d | 15 |
| ?l?l?l?l?d?d?d?d | 14 |
| ?l?l?l?l?l?d?d?d?d | 11 |
| ?l?l?l?l?l?l?d?d?d?d | 11 |
| ?l?l?l?l?l?l?d?d?d | 11 |
| ?u?l?l?l?l?l?l?l?d?d | 11 |
| ?u?l?l?l?l?l?l?l?l?d?d | 10 |
| ?l?l?l?l?l?l?l?l | 9 |
| Other | 805 |