Global Dark Web Crackdown Explained: How Operation Alice Took Down 373,000 Sites

Authorities from 23 countries have shut down a vast network of dark web websites in one of the largest cybercrime operations to date.

More than 373,000 websites linked to scams involving illegal content and cybercrime services have been affected, exposing hundreds of suspects and revealing how widespread fraud is almost a complete industry.

Key takeaways

• Authorities from 23 countries coordinated Operation Alice, targeting a massive dark web fraud network
• A single operator ran over 373,000 .onion domains offering fake illegal services
• Investigators identified 440 customers, many now under investigation
• The operation highlights the rise of cybercrime-as-a-service (CaaS) and large-scale fraud
• Law enforcement successfully traced cryptocurrency payments and infrastructure

What happened in Operation Alice?

On March 9, 2026, authorities from 23 countries launched a coordinated effort, called Operation Alice, led by German investigators and supported by Europol.

The investigation targeted one of the largest known dark web fraud networks and resulted in the shutdown of more than 373,000 websites. Law enforcement agencies identified hundreds of people connected to the operation and seized key infrastructure, including servers and electronic devices.

How did the dark web scam work?

The operator built a vast network of legitimate-looking .onion websites (Dark Web domains) while advertising illegal content and cybercrime services. These platforms promoted access to stolen sensitive data, compromised systems and many other criminal offerings, all payable in cryptocurrency.

In reality, the operation functioned as a large-scale fraud scheme. Users paid relatively small amounts—typically between €17 and €215—for so-called “packages” that promised access to exclusive material. The websites displayed previews to build credibility, but no actual content was ever delivered.

Who was behind the network?

Investigators traced the entire operation back to a single individual, a 35-year-old man based in China. Despite the size of the network, he maintained centralized control over the infrastructure, which at its peak included hundreds of servers.

Authorities estimate that he generated more than €345,000 in profit from approximately 10,000 customers worldwide. German authorities have issued an international arrest warrant, and efforts to locate and apprehend him are ongoing.

Even though customers did not receive the promised material, many still became subjects of criminal investigations, especially when CSAM (child sexual abuse material) content is involved. Law enforcement agencies consider attempts to purchase illegal content a criminal act, whether the transaction is completed or not.

“By paying for CSAM, the customers themselves became suspects, even though they never received the material. Investigators assessed that individuals seeking access to exclusive –and, therefore, severe– child sexual abuse material could represent high-value targets and provide important intelligence for law enforcement worldwide,” said the authorities.

Authorities identified 440 customers worldwide, with ongoing investigations targeting many of them.

How did authorities take it down?

The success of Operation Alice relied on international cooperation and investigative techniques, particularly in tracking cryptocurrency transactions. By correlating data from multiple sources, they were able to map the network, find the operator and connect users to specific activities.

FAQ

What was Operation Alice?

Operation Alice was a global law enforcement effort targeting a large-scale dark web fraud network, resulting in the shutdown of over 373,000 websites.

Were the websites real?

No. The websites were fraudulent and designed to collect payments without delivering any content or services.

Why were customers investigated?

Because attempting to purchase illegal content is itself a criminal offense, even if the transaction does not result in delivery.

Is the dark web anonymous?

The dark web offers a degree of anonymity, but it is not absolute. Law enforcement agencies can track activity using advanced investigative techniques.

What is cybercrime-as-a-service (CaaS)?

Cybercrime-as-a-service refers to platforms that offer hacking tools, stolen data, or unauthorized access as services to other criminals.