Tansa collaborated with white hat hackers to find the real operator of apps in which illegal sexually explicit images are bought and sold.

(Illustration by qnel)

I have been investigating the true identity of the person who operates the app “Album Collection,” a platform for buying and selling child sexual abuse images and sexually explicit images taken without the subject’s consent. 

In the previous article, I reported that the company “Eclipse Incorporated,” which Album Collection listed on its website, was most likely a shell company registered in Hawaii. The individual named as head of operations, “William Leal,” also seemed to be a fictitious person.

Album Collection is, at first glance, a seemingly ordinary app for exchanging photos and videos. Its promotional material claims that the app can be used to share precious memories, such as photos and videos taken on school trips or with family.

In reality, however, the app is being used to trade child sexual abuse material and illegal sexually explicit images, and Album Collection’s operator has made buying and selling “sexual products” the central pillar of their business.

Could the operator be hiding their identity with a shell company in order to avoid being held responsible for their involvement in the crimes taking place in the app?

Suspecting as much, I, along with two anonymous white hat hackers calling themselves Cheena and Retr０, began an investigation to find out who was really running the app. All the information we obtained is from open-source data, available to anyone.

Through our investigation, we found an individual we believe to be Album Collection’s operator, based on key clues we found in two similar apps. The two additional apps were also trading illegal sexually explicit images.

I’ll explain our investigative process in detail. 

Composition of the operator we discovered

“Photo Capsule” appeared frequently in files

One day during our investigation, I was contacted by Retr０: “I got the APK file for Album Collection, so I’ll analyze it.”

An APK (Android Application Package) file contains information about a given app that can be used on Android-based operating systems. When developing an app for Android, it is necessary to produce an APK file as the finished product.

Retr0 noticed the name “Photo Capsule” appeared repeatedly in Album Collection’s APK file.

The following image is from the actual data. The yellow highlighted area has the words “Photo Capsule,” which were frequently found in the file’s library and variable names. This indicated that Album Collection may have been created using a lot of information from an existing app called Photo Capsule.

Data found in Album Collection’s APK file

Another app with a similar mechanism and promotional blurb

I wondered whether there was an app named Photo Capsule.

After a search, I found an app called “Shashin Capsule,” which is Japanese for Photo Capsule. It had exactly the same mechanisms as Album Collection: Photos and videos were shared using passwords. The rules were also the same, such as a 120-hour time limit that can be set without the need for a paid key, and that the photos and videos were stored on the server for 14 days.

The app wasn’t currently available, but I found a description and promotional blurb from 2015. It was very similar to Album Collection.

Album Collection

 

Album Collection is an easy way to send and receive photos and videos.

Up to now, uploading photos and videos one at a time has been quite a hassle, hasn’t it?!

With this app, you can send a large number of photos at once!

And since you can upload with a password, security’s no problem!

 

It’s simple to use:

1. Set a password and send (upload) your photos.

2. Enter the password and receive (download) the photos.

This is all you need to do for easy sharing!

 

You can easily share photos and videos of graduation trips and school trips just by sharing the password!

Share your precious family photos and memories easily!

Easily share photos and videos with your girlfriend or boyfriend!

Photo Capsule

 

Share photos and videos easily!

This app allows you to send a large number of photos at once, even if you used to send them in small batches by email or Line [a messaging app commonly used in Japan].

 

It is super simple to use:

1. Set a secret password and send photos.

2. Enter the secret password and receive the photos.

That’s all there is to it!

 

It’s a great way to share photos of your graduation trip or school trip with everyone!

You can also keep precious memories of your family!

You can also exchange photos with your partner!

There are many ways to use it.

Share large volumes of photos with friends, family, and partners!

No membership registration! No login required!

You can earn points and use them to earn a bit of money!

The Google search results for Photo Capsule+ and Album Collection were almost identical in their wording and placement.

Photo Capsule is now renamed Photo Capsule+.

It’s common practice to change only part of an app’s name or information and continue to use it. If an issue arises from illegal sexually explicit images being traded, the information can be changed, and the app can be relaunched as a “different” app. This method also allows apps to pass Google and Apple’s review process to be listed in their stores.

Child sexual abuse images are still being traded openly on Photo Capsule+.

Passwords to open folders containing such images are posted to a message board on Photo Capsule+’s website. The promotional messages accompanying passwords on the message board are mostly cryptic descriptions and situations alluding to child sexual abuse.

I found posts indicating that folders contained child sexual abuse images through words such as “L [Lolita] girl” to describe young female children and “child to child (siblings).” 

Same identifier as Movie Container

We found one more application related to Album Collection, called “Movie Container.”

Movie Container used the same Google Analytics identifier as Album Collection, which we found on the latter’s website. 

Google Analytics is a tool used to analyze website traffic. It provides a variety of information, including what kind of users are visiting the site and which pages are most frequently viewed.

Google Analytics provides important information for the operator to know how the site is doing. If the identifiers are the same, it means the same person is managing the site.

Movie Container was a frequently used application several years ago and was also a hotbed for buying and selling sexually explicit images taken without the subject’s consent and child sexual abuse images.

Creating multiple, similar apps

Up to this point, we had found that Album Collection had something in common with both Photo Capsule and Movie Container.

So, did Photo Capsule and Movie Container have anything in common between themselves?

We dug into these apps’ past information.

Information can be deleted or rewritten online, but there are services that store previous versions. Even if inconvenient information has been erased, it can still be traced.

And, there was a common point.

We found that both Photo Capsule and Movie Container listed the same company and representative listed as their operator. Album Collection had points in common with Photo Capsule and Movie Container. It was likely that this was also the operator of Album Collection.

All three apps were platforms for trading child sexual abuse images and illegal sexually explicit images. My guess is that this operator created a series of apps to prevent the problem from being discovered.

Name of Operator: Max Payment Gateway Services Pte. Ltd.

Representative: Keisuke Nitta

The office of “Max Payment Gateway Services Pte. Ltd.” was listed as being in Singapore. “Keisuke Nitta” appeared to be a Japanese name.

Who was he?

In this article, I explained the relationship between the applications, as shown in the figure below. We continued our investigation.

To be continued.

(Originally published in Japanese on Sept. 28, 2023.)

Uploaded and Re-Uploaded: All articles