Child exploitation on the dark web: Inside the online crisis | #deepweb

Editor’s note: The following story contains discussions of online child sexual abuse material. If you or someone you know is the victim of digital abuse, the National Center for Missing & Exploited Children offers support and resources at 1-800-843-5678.

The father in Tennessee thought he knew what was going on behind his 13-year-old daughter’s bedroom door. She was playing video games on her Xbox, and her friends were messaging her on Discord, a popular chat app with a slogan that promises “all fun and games.”

Then he discovered who else was talking to her. And that’s when he called the police.

Grown men had been exploiting her online, the father told them. They’d been persuading her to send them nude pictures of herself.

When the investigators searched the girl’s devices, they saw one man had been talking to her since she was 12, and his messages had become increasingly sexual. He used an anonymous username on Discord — john90 — but was otherwise open about his identity with her: He was 33 years old and a schoolteacher.

The Tennessee investigators traced john90’s IP address and phone number to Brookline. After a special agent contacted a detective there in January 2025, they discovered the man’s number matched one given by the victim of a bike theft five years earlier. And that report led them to John Magee Gavin.

Gavin, who went by “Magee,” lived on the edge of Coolidge Corner, in a condo he shared with his wife. He went to a Crossfit gym and competed in Spartan races to raise money for veterans and the Animal Rescue League of Boston. And, for work, he taught science to teenagers at Boston’s Josiah Quincy Upper School. He’d previously been a sixth-grade teacher at the Pacific Rim Charter School in Hyde Park, a paraprofessional in Brookline Public Schools, a ski instructor, a camp counselor, and a tutor.

In February, police executed a search warrant on Gavin’s Discord account and found sexual chats he’d been having with approximately 20 minors, ranging in age from 12 to 17. They lived across the US — Georgia, Texas, Florida, and elsewhere — as well as in Canada and the United Kingdom. Hundreds of messages showed him asking the girls about their sexual experience, engaging in online masturbation sessions, and persuading them to send him photos and videos of themselves performing sexual acts.

In some instances, Gavin messaged the minors while he was in class. In at least one chat, he shared fantasies about having sex with a freshman girl who would say hello to him in the halls at school.

For generations, trying to keep children safe from sexual exploitation meant knowing where they were and who they were with. Parents and guardians lined up chaperones, enforced curfews, and warned about stranger danger. The threats were in the physical world. Today, they’re everywhere online, on children’s laptops, their gaming systems, and the phones they carry in their pockets.

Here in Massachusetts, State Police received more than 23,000 CyberTipline reports about child exploitation in 2025, a 77 percent increase in a single year. And experts believe that still vastly underreports the problem, because encrypted chats on Facebook Messenger, WhatsApp, and other platforms obscure the true volume of what’s taking place online.

The tips from people like the father in Tennessee arrive in such volume that state prosecutors have run out of people to deal with them and are hiring retired police officers to try and keep up. Agents are so overwhelmed that they’ve been forced to triage cases to focus on the worst offenders: people in positions of trust, organizers of online forums, and perpetrators who are actively abusing children, including infants and toddlers.

Investigators say they’re facing a “tidal wave” of child sexual abuse material online, and it keeps leading them to people like Gavin.

Early on the morning of Feb. 7, days after reading Gavin’s Discord logs, Brookline police pulled up to his condo building with a search warrant. Inside, they found clothing he’d been wearing in pictures he’d sent victims – a sleeveless shirt from a Spartan race, a pair of white Adidas, a suit he wore to school decorated with images of Christmas ornaments. They seized his iPhone and laptop for forensic analysis.

They arrested Gavin that same day, and he would ultimately plead guilty to federal charges of coercion and enticement of a minor, receipt of child pornography, and possession of child pornography.

It took four months for investigators to complete a search of the files on Gavin’s iPhone, which like other Apple products is known for its strong security features. They found approximately 94 photos and 53 videos depicting children naked or being sexually abused, including one of a 5-year-old being raped. Some of the files were stored in a hidden vault on his phone designed to look like a calculator app.

“The contents of his laptop may reveal even more,” prosecutors wrote in a mid-July court filing, but they couldn’t yet know for sure. Gavin’s MacBook was proving to be even harder to crack than his iPhone — experts at the FBI’s Regional Computer Forensic Laboratory were still working on it.

Gavin was a longtime educator, prosecutors added, one whose career path had brought him “into contact with hundreds, if not thousands of children who live in the Boston area.”

They hadn’t found evidence that Gavin physically abused children within his orbit, they acknowledged. But these days an online predator’s orbit can encircle the globe.

Since the advent of photography, people have shared sexually explicit pictures of children. Postal inspectors were long on the front lines, tracking pedophile rings through the US Mail. Then came the internet.

By the early 1980s, federal agents were already finding pedophile networks on the nascent web. Gradually, those perpetrators moved from sending files by email, to using private chatrooms, to deploying anonymous browsers and encryption that now make it all but impossible to identify users and track their activities. Social media and online gaming gave them new ways to anonymously connect with children. All the while, reports of online abuse steadily climbed.

To this smoldering crisis, the COVID pandemic added lighter fluid.

As everyday life pulled inward, and kids were moved online for school and socialization, abusers pounced. Between 2019 and 2023, the number of online abuse incidents reported to the CyberTipline of the National Centers for Missing & Exploited Children more than doubled, to 36.2 million a year. Those tips accounted for some 104 million pictures and videos depicting the rape or abuse of a minor, each digital file representing a crime scene — many of them located in children’s own homes.

“The world has come to people’s doorsteps in a way that was not previously available,” said Luke Goldworm, the assistant US attorney in Massachusetts who prosecuted the Gavin case.

Digital devices aren’t going away. One in four 8-year-olds now has a cellphone, Common Sense Media recently found, and the time children spend playing video games has climbed 65 percent in the last four years. And wherever kids go online, predators follow.

They entice children to share illicit pictures and videos. They record themselves committing violent acts, sometimes even livestream them. And increasingly, they use AI to manipulate images to create more child sexual abuse material.

Then they bring those files to shadowy corners of the internet — private forums on the so-called dark web, the encrypted, anonymized bowels of the digital world accessible only through specialized browsers like Tor. It’s there, among hackers and scammers and others evading the spotlight, that predators share and trade those pictures with fellow collectors like baseball cards.

“A lot of people who have an interest in this have been able to find peers or other people who share similar interests in this really kind of dark, depraved ecosystem, ” said Stacie B. Harris, who until recently served as counsel to the Senate Judiciary Committee. “It normalizes the behavior. And so some of the escalation that we saw in the past that happened very slowly, it’s happening much more quickly now.”

Last year, the FBI opened more than 7,000 cases of online child exploitation, according to bureau statistics, a 15.6 percent increase from 2024; they made just under 3,100 arrests, up 17.5 percent from the year before.

For the most part, these abusers aren’t the stereotypical strangers in white vans. Massachusetts State Police Deputy Superintendent Dan Tucker said the state has issued warrants for pediatricians, EMTs, teachers, and lawyers.

“There’s no telltale sign of an individual who is out there who is looking at or disseminating child pornography,” he said. “So it’s very scary.”

So are the trends that investigators are seeing on the rise: “sextortion” by people who conceal their identities. Children coerced to make images of themselves, or to commit acts of self-harm. And videos of ever more sadistic violence perpetrated upon ever-younger kids.

And now, artificial intelligence is making the problem even worse.

AI tools can be used to undress images of fully-clothed people and to create videos of abuse that look so real they might as well be. These tools are routinely being released to the public without critical guardrails in place, as a recent scandal over the ability of X’s AI chatbot, Grok, to “nudify” people showed. In January, after a worldwide backlash, Elon Musk relented and geoblocked the app in locations where creating such images is illegal.

Still, in January, the UK-based Internet Watch Foundation said the number of reports it has received of photo-realistic AI videos has increased by more than 26,000 percent in the past year.

AI tools, the researchers found, are basically “child sexual abuse machines,” which mean offenders don’t even need physical access to a child to create images of them, just a picture they could simply pull off the internet.

“If you’re out there thinking that this could never happen to me,” said Greg Squire, a Homeland Security Investigations agent based in New Hampshire who has spent 20 years pursuing these cases. “Just wait.”

In most of the country, it’s illegal to use AI to make abuse images, but not in Massachusetts, which is one of just five states with no such laws. In general, advocates say, this state has fallen behind national standards mandating prevention and screening efforts that help keep kids safe.

To investigators like Tucker, something has to give. The backlog of horrors is growing far faster than law enforcement can pursue the predators behind them. Before being promoted to Deputy Superintendent earlier this year, Tucker lead the State Police Cyber Crime Unit, a team of 20 investigators and forensic specialists in the state’s Division of Investigative Services. It’s still not enough.

“I could give you the entire Massachusetts State Police and we’re not even gonna come close to catching up,” Tucker said. “The only way we’re catching up is if you shut the internet off.”

For the 12-year-old girl in Tennessee, the road to exploitation ran through an everyday item: her Microsoft Xbox.

“As a parent, realizing that danger entered my child’s life through something so common and trusted is a pain I will carry forever,” the victim’s father said in a statement to the court. “Their bedroom, the place where they slept, played, and should have felt completely safe became the place where that safety was shattered.”

Discord is just one path, though. Today, offenders lurk on Roblox, the online game platform that 97 million kids use monthly, direct message potential victims on Snapchat, TikTok, and Instagram, and communicate on messaging apps like Kik, a service used by 15 million users a month that a convicted child molester once described as a “predator’s paradise.”

Predators toggle between platforms as easily as we swipe between apps, said Tom Farrell, the director of Core Technology at UK-based advocacy group Child Rescue Coalition. They might share photos in a dark web chatroom, trawl Discord, or work to persuade a potential victim to move their conversation to a platform where messages are encrypted. They can access these dark web browsers and apps on their smartphones pretty much anywhere.

“It’s not like you have to sit in a darkened room and do it,” Farrell said.

While Australia and European countries have pushed for and enacted stronger safeguards, the United States has largely left tech companies to police themselves, with relatively few legislative or legal measures to help stem the tide. That’s in part because a powerful piece of law — Section 230 of the Communications Decency Act — protects companies from liability for material published by third parties on their platforms, be it hate speech or child abuse.

For years, lawmakers have tried to chip away at Section 230’s liability protections as they relate to child exploitation. They’ve filed bill after bill, seeking to revamp sentencing guidelines to better include online abuse and to empower child victims to sue tech platforms. But few of those efforts have gained any traction, rebuffed by critics who argue that more oversight could threaten free speech and digital privacy protections.

“There is nothing about Section 230 that prevents law enforcement from going after people who are breaking the law,” said David Greene, senior counsel for the Electronic Frontier Foundation, an advocacy group that promotes free speech on the web. “What it does do is provide some protection for intermediaries to relieve them of the burden of scouring all the user-generated content to make sure that it doesn’t run afoul of some law.”

Some also argue that the tech companies are helping to protect the public from the prying eyes of the government, an increasingly important tool amid mass deportations, crackdowns on civil rights, and the suppression of free speech. (Journalists, including those at the Globe, regularly use encrypted messaging services to privately communicate with sources.)

“I don’t want to live in a world where the police and giant online corporations can, at will, read anything they want to that I exchange with other people,” said Riana Pfefferkorn, a policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence. She’s studied online child exploitation and says tech companies need to do more to guard against material appearing online, but she maintains encryption is critical.

“People have the fundamental right to have their communications be private,” she said.

But Kristen Setera, a spokesperson for FBI Boston, said encryption “erodes our access to digital evidence and priority threat information” on devices that have been seized during investigations.

“We continue to ask industry to design, implement, secure, and control for itself the capability to decrypt information when presented with a lawful court order,” Setera said. “Victims of crime may be deprived of justice when evidence for their case is out of reach due to warrant-proof encryption.”

Some state regulators have had a bit more success pushing for reforms.

New Mexico won a $375 million settlement against Meta in March, after claiming the company failed to protect children from “sexual abuse and online solicitation.” And in February, West Virginia’s attorney general sued Apple, alleging the tech giant knowingly allowed its iCloud online storage platform to host illicit images of children. Apple also faces a $1.2 billion class action lawsuit by national advocacy group The Heat Initiative — which claims Apple failed to implement effective safety measures and policies in its products.

The company has said it always prioritizes safety and privacy, offers parental controls, and is constantly developing new protections for children. Companies such as Discord, Roblox, Kik, and others have also pointed to age restrictions, tools meant to stop strangers from connecting with kids, and other safeguards. Surveys, however, generally show parental controls are relatively little understood and underused.

But emerging technologies are moving faster than laws can adapt or regulators can hope to keep up, said Yiota Souras, who handles legal affairs for the National Center for Missing & Exploited Children, the nation’s nonprofit clearinghouse for all cybertip reports involving exploited children. The tech companies themselves need to be part of the solution, she said, but they have shown relatively little appetite for that.

“There is no safety by design,” she said. “There are no guardrails to development or marketing. Child safety issues are often not paramount or fundamental in the creation of these tools, and there’s a rush to market.”

As encryption software has advanced, there’s growing concern that those who trade in child sexual abuse material are using it to make their actions even more invisible than they once were — to the point that even tech companies can’t see what’s happening in their own encrypted messaging apps

Experts say this concern is already appearing in the data. For a quarter-century, the number of CyberTips reported to the National Center for Missing & Exploited Children grew steadily. Then, last May, a strange thing happened. The center issued its report for 2024, the year after Meta had rolled out end-to-end encryption on its widely used Messenger app. And the number of CyberTips reported plunged to 20.5 million, a 43 percent drop from the year before. (Tech companies attribute some of the decline to their “bundling” related reports.) Despite the surge in AI-driven images, that number remained about the same last year.

This might appear to be cause for celebration. It isn’t.

With Meta “enacting end-to-end encryption, now they can no longer screen their own platform for child sexual abuse material,” said Lindsay Hawthorne, of the Boston-based child advocacy group Enough Abuse. Hawthorne said predators try to persuade children they find on social media and gaming apps to move their conversations to encrypted messaging, “so it can’t be tracked and the messages can’t be saved and subpoenaed.”

Layers of encryption software act as a shield for offenders, blocking investigators from accessing chats, hard drives, or entire devices. And that poses a near impossible challenge, said Bjørn-Erik Ludvigsen, a Norwegian police chief who has spent decades working with Interpol’s Crimes Against Children specialist group.

He compares it to a store that sells heroin and hand grenades, but puts a sign on the door that says “No police allowed.” That would never be tolerated in the physical world, he said, but it’s essentially what’s happening online.

“We just allow these companies to do whatever they want, set their own rules,” Ludvigsen said. “We shouldn’t.”

The largest database of child sexual abuse material operates out of an anonymous building in an anonymous office park in Fairfax, Va. There are no signs outside that identify it as the Homeland Security Investigations Cyber Crimes Center, the US government’s biggest forensic laboratory fighting child exploitation on the web.

Michael Prado, who led the center before retiring in April, gave visitors a tour last August. Teams of experts do a lot of everything — investigate cases, analyze digital devices of alleged perpetrators, and train law enforcement on how to solve these crimes. Prado calls the center “a one-stop shop for combatting child exploitation for both national and international law enforcement.”

Prado’s been doing this work for more than 20 years, but he has never seen anything like this.

Technology makes it easier than ever to create and share horrific images, Prado said. And now generative AI means that before investigative teams can start working to find a child that’s being victimized, they first must determine if that child is even real.

Perpetrators are increasingly taking images off social media profiles, or taking photos in amusement parks or playgrounds, and then using generative AI to “put these children into very sexually explicit and very graphic images or videos,” Prado said. One longtime offender, who had evaded detection for years, was found producing AI-generated abuse images from photos he’d taken of children at Disney World.

Prado strode down the hall from his office to the center’s Victim Identification Laboratory, considered the “lab of last resort” by other agencies trying to investigate complicated cases. A sign with bold red letters was affixed to its heavy wooden door: EXAMINATION OF GRAPHIC MATERIAL IN PROGRESS.

Inside, there were no overhead lights, just a dark warren of computers bathed in an eerie blue glow. A half-dozen workstations were arranged around the perimeter of the room, each with its own array of screens. There was an electric kettle and a tidy stack of mugs, but no family photos, and all the computer monitors are dark.

Before a visitor can even enter, all the terminals must be turned off. It’s illegal for civilians to see any of the material the investigators study here.

When the door is closed, the specialists in this room have a uniquely brutal task: They spend hours poring over photo and video stills intercepted online, looking for ways to identify and rescue the children being abused in them.

Victim ID agents are remarkably good at what they do. Even an obscure detail can lead to a breakthrough — a highway sign in the background of a photo, the sound of a bird unique to a particular place. One especially challenging case arrived here after eluding Interpol for months. Prado’s team solved it in two hours.

Standing at the high-top table in the center of the lab, one of the agents walked visitors through their work, including how investigators have to infiltrate chat rooms on the dark web to understand the habits of online offenders. In these forums, abusers share tips on using encryption and other tools to avoid detection, he said. To gain access, abusers often need to show that they’re able to produce new abuse images themselves – which typically means having access to a child in the real world.

Given the scale of the internet, child exploitation is not the obscure, niche obsession it might seem. Prado said that if even 0.5 percent of the adult male population engages in it — an estimate he thinks is low — that would still amount to hundreds of thousands of people in the US alone.

“The general public still thinks that this is a very one off, infrequent, anomalous behavior,” said Prado, who recently joined Snap as the director of law enforcement operations. But the general public is wrong. “A significant portion of the population is engaged in this activity on a routine basis.”

They’re neighbors, colleagues at work, elders in churches. And sometimes, they’re science teachers lurking in an Xbox in a teen’s bedroom.

On March 12, John Magee Gavin arrived at the federal Moakley Courthouse in Boston for his sentencing hearing. It had been a year since his arrest. He’d lost his job. His wife had divorced him. He’d given up co-ownership of their Brookline condo.

Prosecutors and Gavin’s attorney had already agreed to recommend a 10-year sentence in federal prison — the mandatory minimum required under the law — followed by five years’ probation. In a statement to the judge, one of the victims in the photos wrote about the horrors of knowing pictures of her that Gavin had collected from the web “will follow me my whole life until the internet dies.”

Fifteen of Gavin’s friends and family submitted letters on his behalf, asking US District Judge F. Dennis Saylor IV for leniency. They said he’d been bullied and socially awkward as a child. His brother wrote that Gavin had been the best man at his wedding, and, in his core, “embodied goodness.” They wrote of Gavin’s post-arrest efforts at therapy and rehabilitation. “Please do not throw my son away,” his mother pleaded.

Gavin’s attorney, Tracy Miner, reminded the judge that his interactions with victims, while serious, only took place on the web.

“Mr. Gavin never tried to meet with any of these girls. He never paid them, he never threatened them,” she said. “It was all online.”

That didn’t matter, argued Assistant US Attorney Goldworm. The victims were real-life children.

“They’re not dots and pixels, ones and zeroes,” Goldworm said. “They’re someone’s daughter, granddaughter, sister, niece, and friend. And these crimes steal their innocence. It robs them of the safety all children should feel in their own home.”

Calling in via Zoom to read a victim impact statement, the father from Tennessee underscored the damage. His teenager was in therapy, struggling to regain some sense of safety and trust in adults. He said he was reminded of a line from “Harry Potter and the Prisoner of Azkaban.”

“It was ‘as though all the happiness had gone from the world,’” he said. “As a parent, knowing I cannot take this pain away from my child is one of the hardest realities I will ever face.”

Even 10 years in prison paled next to the lifetime of trauma he feared his child would endure, he said. “The sentence will end but their trauma will not.”

Saylor sentenced Gavin to 10 years, the mandatory minimum.

While he was appalled by Gavin’s crimes, the judge said, he was also deeply disturbed at the role technology played in facilitating them. He wondered aloud why tech companies both provided such easy access to children and allowed images to stay on the web. And he asked why they weren’t doing more to “prevent and respond” to instances of abuse.

“I don’t understand it, I don’t think I ever will. I wish I had a magic wand to make all this go away,” he mused. “The images, as everyone knows, stay out there forever.”

Records show Gavin is serving his sentence at Federal Medical Center Devens, a prison in Ayer that provides sex offender treatment.

Meanwhile, 15 months after being seized by police, Gavin’s MacBook remains in FBI custody. They’re still working to crack it.

Editor’s note: The following story contains discussions of online child sexual abuse material. If you or someone you know is the victim of digital abuse, the National Center for Missing & Exploited Children offers support and resources at 1-800-843-5678.

The father in Tennessee thought he knew what was going on behind his 13-year-old daughter’s bedroom door. She was playing video games on her Xbox, and her friends were messaging her on Discord, a popular chat app with a slogan that promises “all fun and games.”

Then he discovered who else was talking to her. And that’s when he called the police.

Grown men had been exploiting her online, the father told them. They’d been persuading her to send them nude pictures of herself.

When the investigators searched the girl’s devices, they saw one man had been talking to her since she was 12, and his messages had become increasingly sexual. He used an anonymous username on Discord — john90 — but was otherwise open about his identity with her: He was 33 years old and a schoolteacher.

The Tennessee investigators traced john90’s IP address and phone number to Brookline. After a special agent contacted a detective there in January 2025, they discovered the man’s number matched one given by the victim of a bike theft five years earlier. And that report led them to John Magee Gavin.

Gavin, who went by “Magee,” lived on the edge of Coolidge Corner, in a condo he shared with his wife. He went to a Crossfit gym and competed in Spartan races to raise money for veterans and the Animal Rescue League of Boston. And, for work, he taught science to teenagers at Boston’s Josiah Quincy Upper School. He’d previously been a sixth-grade teacher at the Pacific Rim Charter School in Hyde Park, a paraprofessional in Brookline Public Schools, a ski instructor, a camp counselor, and a tutor.

In February, police executed a search warrant on Gavin’s Discord account and found sexual chats he’d been having with approximately 20 minors, ranging in age from 12 to 17. They lived across the US — Georgia, Texas, Florida, and elsewhere — as well as in Canada and the United Kingdom. Hundreds of messages showed him asking the girls about their sexual experience, engaging in online masturbation sessions, and persuading them to send him photos and videos of themselves performing sexual acts.

In some instances, Gavin messaged the minors while he was in class. In at least one chat, he shared fantasies about having sex with a freshman girl who would say hello to him in the halls at school.

For generations, trying to keep children safe from sexual exploitation meant knowing where they were and who they were with. Parents and guardians lined up chaperones, enforced curfews, and warned about stranger danger. The threats were in the physical world. Today, they’re everywhere online, on children’s laptops, their gaming systems, and the phones they carry in their pockets.

Here in Massachusetts, State Police received more than 23,000 CyberTipline reports about child exploitation in 2025, a 77 percent increase in a single year. And experts believe that still vastly underreports the problem, because encrypted chats on Facebook Messenger, WhatsApp, and other platforms obscure the true volume of what’s taking place online.

The tips from people like the father in Tennessee arrive in such volume that state prosecutors have run out of people to deal with them and are hiring retired police officers to try and keep up. Agents are so overwhelmed that they’ve been forced to triage cases to focus on the worst offenders: people in positions of trust, organizers of online forums, and perpetrators who are actively abusing children, including infants and toddlers.

Investigators say they’re facing a “tidal wave” of child sexual abuse material online, and it keeps leading them to people like Gavin.

Early on the morning of Feb. 7, days after reading Gavin’s Discord logs, Brookline police pulled up to his condo building with a search warrant. Inside, they found clothing he’d been wearing in pictures he’d sent victims – a sleeveless shirt from a Spartan race, a pair of white Adidas, a suit he wore to school decorated with images of Christmas ornaments. They seized his iPhone and laptop for forensic analysis.

They arrested Gavin that same day, and he would ultimately plead guilty to federal charges of coercion and enticement of a minor, receipt of child pornography, and possession of child pornography.

It took four months for investigators to complete a search of the files on Gavin’s iPhone, which like other Apple products is known for its strong security features. They found approximately 94 photos and 53 videos depicting children naked or being sexually abused, including one of a 5-year-old being raped. Some of the files were stored in a hidden vault on his phone designed to look like a calculator app.

“The contents of his laptop may reveal even more,” prosecutors wrote in a mid-July court filing, but they couldn’t yet know for sure. Gavin’s MacBook was proving to be even harder to crack than his iPhone — experts at the FBI’s Regional Computer Forensic Laboratory were still working on it.

Gavin was a longtime educator, prosecutors added, one whose career path had brought him “into contact with hundreds, if not thousands of children who live in the Boston area.”

They hadn’t found evidence that Gavin physically abused children within his orbit, they acknowledged. But these days an online predator’s orbit can encircle the globe.

Since the advent of photography, people have shared sexually explicit pictures of children. Postal inspectors were long on the front lines, tracking pedophile rings through the US Mail. Then came the internet.

By the early 1980s, federal agents were already finding pedophile networks on the nascent web. Gradually, those perpetrators moved from sending files by email, to using private chatrooms, to deploying anonymous browsers and encryption that now make it all but impossible to identify users and track their activities. Social media and online gaming gave them new ways to anonymously connect with children. All the while, reports of online abuse steadily climbed.

To this smoldering crisis, the COVID pandemic added lighter fluid.

As everyday life pulled inward, and kids were moved online for school and socialization, abusers pounced. Between 2019 and 2023, the number of online abuse incidents reported to the CyberTipline of the National Centers for Missing & Exploited Children more than doubled, to 36.2 million a year. Those tips accounted for some 104 million pictures and videos depicting the rape or abuse of a minor, each digital file representing a crime scene — many of them located in children’s own homes.

“The world has come to people’s doorsteps in a way that was not previously available,” said Luke Goldworm, the assistant US attorney in Massachusetts who prosecuted the Gavin case.

Digital devices aren’t going away. One in four 8-year-olds now has a cellphone, Common Sense Media recently found, and the time children spend playing video games has climbed 65 percent in the last four years. And wherever kids go online, predators follow.

They entice children to share illicit pictures and videos. They record themselves committing violent acts, sometimes even livestream them. And increasingly, they use AI to manipulate images to create more child sexual abuse material.

Then they bring those files to shadowy corners of the internet — private forums on the so-called dark web, the encrypted, anonymized bowels of the digital world accessible only through specialized browsers like Tor. It’s there, among hackers and scammers and others evading the spotlight, that predators share and trade those pictures with fellow collectors like baseball cards.

“A lot of people who have an interest in this have been able to find peers or other people who share similar interests in this really kind of dark, depraved ecosystem, ” said Stacie B. Harris, who until recently served as counsel to the Senate Judiciary Committee. “It normalizes the behavior. And so some of the escalation that we saw in the past that happened very slowly, it’s happening much more quickly now.”

Last year, the FBI opened more than 7,000 cases of online child exploitation, according to bureau statistics, a 15.6 percent increase from 2024; they made just under 3,100 arrests, up 17.5 percent from the year before.

For the most part, these abusers aren’t the stereotypical strangers in white vans. Massachusetts State Police Deputy Superintendent Dan Tucker said the state has issued warrants for pediatricians, EMTs, teachers, and lawyers.

“There’s no telltale sign of an individual who is out there who is looking at or disseminating child pornography,” he said. “So it’s very scary.”

So are the trends that investigators are seeing on the rise: “sextortion” by people who conceal their identities. Children coerced to make images of themselves, or to commit acts of self-harm. And videos of ever more sadistic violence perpetrated upon ever-younger kids.

And now, artificial intelligence is making the problem even worse.

AI tools can be used to undress images of fully-clothed people and to create videos of abuse that look so real they might as well be. These tools are routinely being released to the public without critical guardrails in place, as a recent scandal over the ability of X’s AI chatbot, Grok, to “nudify” people showed. In January, after a worldwide backlash, Elon Musk relented and geoblocked the app in locations where creating such images is illegal.

Still, in January, the UK-based Internet Watch Foundation said the number of reports it has received of photo-realistic AI videos has increased by more than 26,000 percent in the past year.

AI tools, the researchers found, are basically “child sexual abuse machines,” which mean offenders don’t even need physical access to a child to create images of them, just a picture they could simply pull off the internet.

“If you’re out there thinking that this could never happen to me,” said Greg Squire, a Homeland Security Investigations agent based in New Hampshire who has spent 20 years pursuing these cases. “Just wait.”

In most of the country, it’s illegal to use AI to make abuse images, but not in Massachusetts, which is one of just five states with no such laws. In general, advocates say, this state has fallen behind national standards mandating prevention and screening efforts that help keep kids safe.

To investigators like Tucker, something has to give. The backlog of horrors is growing far faster than law enforcement can pursue the predators behind them. Before being promoted to Deputy Superintendent earlier this year, Tucker lead the State Police Cyber Crime Unit, a team of 20 investigators and forensic specialists in the state’s Division of Investigative Services. It’s still not enough.

“I could give you the entire Massachusetts State Police and we’re not even gonna come close to catching up,” Tucker said. “The only way we’re catching up is if you shut the internet off.”

For the 12-year-old girl in Tennessee, the road to exploitation ran through an everyday item: her Microsoft Xbox.

“As a parent, realizing that danger entered my child’s life through something so common and trusted is a pain I will carry forever,” the victim’s father said in a statement to the court. “Their bedroom, the place where they slept, played, and should have felt completely safe became the place where that safety was shattered.”

Discord is just one path, though. Today, offenders lurk on Roblox, the online game platform that 97 million kids use monthly, direct message potential victims on Snapchat, TikTok, and Instagram, and communicate on messaging apps like Kik, a service used by 15 million users a month that a convicted child molester once described as a “predator’s paradise.”

Predators toggle between platforms as easily as we swipe between apps, said Tom Farrell, the director of Core Technology at UK-based advocacy group Child Rescue Coalition. They might share photos in a dark web chatroom, trawl Discord, or work to persuade a potential victim to move their conversation to a platform where messages are encrypted. They can access these dark web browsers and apps on their smartphones pretty much anywhere.

“It’s not like you have to sit in a darkened room and do it,” Farrell said.

While Australia and European countries have pushed for and enacted stronger safeguards, the United States has largely left tech companies to police themselves, with relatively few legislative or legal measures to help stem the tide. That’s in part because a powerful piece of law — Section 230 of the Communications Decency Act — protects companies from liability for material published by third parties on their platforms, be it hate speech or child abuse.

For years, lawmakers have tried to chip away at Section 230’s liability protections as they relate to child exploitation. They’ve filed bill after bill, seeking to revamp sentencing guidelines to better include online abuse and to empower child victims to sue tech platforms. But few of those efforts have gained any traction, rebuffed by critics who argue that more oversight could threaten free speech and digital privacy protections.

“There is nothing about Section 230 that prevents law enforcement from going after people who are breaking the law,” said David Greene, senior counsel for the Electronic Frontier Foundation, an advocacy group that promotes free speech on the web. “What it does do is provide some protection for intermediaries to relieve them of the burden of scouring all the user-generated content to make sure that it doesn’t run afoul of some law.”

Some also argue that the tech companies are helping to protect the public from the prying eyes of the government, an increasingly important tool amid mass deportations, crackdowns on civil rights, and the suppression of free speech. (Journalists, including those at the Globe, regularly use encrypted messaging services to privately communicate with sources.)

“I don’t want to live in a world where the police and giant online corporations can, at will, read anything they want to that I exchange with other people,” said Riana Pfefferkorn, a policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence. She’s studied online child exploitation and says tech companies need to do more to guard against material appearing online, but she maintains encryption is critical.

“People have the fundamental right to have their communications be private,” she said.

But Kristen Setera, a spokesperson for FBI Boston, said encryption “erodes our access to digital evidence and priority threat information” on devices that have been seized during investigations.

“We continue to ask industry to design, implement, secure, and control for itself the capability to decrypt information when presented with a lawful court order,” Setera said. “Victims of crime may be deprived of justice when evidence for their case is out of reach due to warrant-proof encryption.”

Some state regulators have had a bit more success pushing for reforms.

New Mexico won a $375 million settlement against Meta in March, after claiming the company failed to protect children from “sexual abuse and online solicitation.” And in February, West Virginia’s attorney general sued Apple, alleging the tech giant knowingly allowed its iCloud online storage platform to host illicit images of children. Apple also faces a $1.2 billion class action lawsuit by national advocacy group The Heat Initiative — which claims Apple failed to implement effective safety measures and policies in its products.

The company has said it always prioritizes safety and privacy, offers parental controls, and is constantly developing new protections for children. Companies such as Discord, Roblox, Kik, and others have also pointed to age restrictions, tools meant to stop strangers from connecting with kids, and other safeguards. Surveys, however, generally show parental controls are relatively little understood and underused.

But emerging technologies are moving faster than laws can adapt or regulators can hope to keep up, said Yiota Souras, who handles legal affairs for the National Center for Missing & Exploited Children, the nation’s nonprofit clearinghouse for all cybertip reports involving exploited children. The tech companies themselves need to be part of the solution, she said, but they have shown relatively little appetite for that.

“There is no safety by design,” she said. “There are no guardrails to development or marketing. Child safety issues are often not paramount or fundamental in the creation of these tools, and there’s a rush to market.”

As encryption software has advanced, there’s growing concern that those who trade in child sexual abuse material are using it to make their actions even more invisible than they once were — to the point that even tech companies can’t see what’s happening in their own encrypted messaging apps

Experts say this concern is already appearing in the data. For a quarter-century, the number of CyberTips reported to the National Center for Missing & Exploited Children grew steadily. Then, last May, a strange thing happened. The center issued its report for 2024, the year after Meta had rolled out end-to-end encryption on its widely used Messenger app. And the number of CyberTips reported plunged to 20.5 million, a 43 percent drop from the year before. (Tech companies attribute some of the decline to their “bundling” related reports.) Despite the surge in AI-driven images, that number remained about the same last year.

This might appear to be cause for celebration. It isn’t.

With Meta “enacting end-to-end encryption, now they can no longer screen their own platform for child sexual abuse material,” said Lindsay Hawthorne, of the Boston-based child advocacy group Enough Abuse. Hawthorne said predators try to persuade children they find on social media and gaming apps to move their conversations to encrypted messaging, “so it can’t be tracked and the messages can’t be saved and subpoenaed.”

Layers of encryption software act as a shield for offenders, blocking investigators from accessing chats, hard drives, or entire devices. And that poses a near impossible challenge, said Bjørn-Erik Ludvigsen, a Norwegian police chief who has spent decades working with Interpol’s Crimes Against Children specialist group.

He compares it to a store that sells heroin and hand grenades, but puts a sign on the door that says “No police allowed.” That would never be tolerated in the physical world, he said, but it’s essentially what’s happening online.

“We just allow these companies to do whatever they want, set their own rules,” Ludvigsen said. “We shouldn’t.”

The largest database of child sexual abuse material operates out of an anonymous building in an anonymous office park in Fairfax, Va. There are no signs outside that identify it as the Homeland Security Investigations Cyber Crimes Center, the US government’s biggest forensic laboratory fighting child exploitation on the web.

Michael Prado, who led the center before retiring in April, gave visitors a tour last August. Teams of experts do a lot of everything — investigate cases, analyze digital devices of alleged perpetrators, and train law enforcement on how to solve these crimes. Prado calls the center “a one-stop shop for combatting child exploitation for both national and international law enforcement.”

Prado’s been doing this work for more than 20 years, but he has never seen anything like this.

Technology makes it easier than ever to create and share horrific images, Prado said. And now generative AI means that before investigative teams can start working to find a child that’s being victimized, they first must determine if that child is even real.

Perpetrators are increasingly taking images off social media profiles, or taking photos in amusement parks or playgrounds, and then using generative AI to “put these children into very sexually explicit and very graphic images or videos,” Prado said. One longtime offender, who had evaded detection for years, was found producing AI-generated abuse images from photos he’d taken of children at Disney World.

Prado strode down the hall from his office to the center’s Victim Identification Laboratory, considered the “lab of last resort” by other agencies trying to investigate complicated cases. A sign with bold red letters was affixed to its heavy wooden door: EXAMINATION OF GRAPHIC MATERIAL IN PROGRESS.

Inside, there were no overhead lights, just a dark warren of computers bathed in an eerie blue glow. A half-dozen workstations were arranged around the perimeter of the room, each with its own array of screens. There was an electric kettle and a tidy stack of mugs, but no family photos, and all the computer monitors are dark.

Before a visitor can even enter, all the terminals must be turned off. It’s illegal for civilians to see any of the material the investigators study here.

When the door is closed, the specialists in this room have a uniquely brutal task: They spend hours poring over photo and video stills intercepted online, looking for ways to identify and rescue the children being abused in them.

Victim ID agents are remarkably good at what they do. Even an obscure detail can lead to a breakthrough — a highway sign in the background of a photo, the sound of a bird unique to a particular place. One especially challenging case arrived here after eluding Interpol for months. Prado’s team solved it in two hours.

Standing at the high-top table in the center of the lab, one of the agents walked visitors through their work, including how investigators have to infiltrate chat rooms on the dark web to understand the habits of online offenders. In these forums, abusers share tips on using encryption and other tools to avoid detection, he said. To gain access, abusers often need to show that they’re able to produce new abuse images themselves – which typically means having access to a child in the real world.

Given the scale of the internet, child exploitation is not the obscure, niche obsession it might seem. Prado said that if even 0.5 percent of the adult male population engages in it — an estimate he thinks is low — that would still amount to hundreds of thousands of people in the US alone.

“The general public still thinks that this is a very one off, infrequent, anomalous behavior,” said Prado, who recently joined Snap as the director of law enforcement operations. But the general public is wrong. “A significant portion of the population is engaged in this activity on a routine basis.”

They’re neighbors, colleagues at work, elders in churches. And sometimes, they’re science teachers lurking in an Xbox in a teen’s bedroom.

On March 12, John Magee Gavin arrived at the federal Moakley Courthouse in Boston for his sentencing hearing. It had been a year since his arrest. He’d lost his job. His wife had divorced him. He’d given up co-ownership of their Brookline condo.

Prosecutors and Gavin’s attorney had already agreed to recommend a 10-year sentence in federal prison — the mandatory minimum required under the law — followed by five years’ probation. In a statement to the judge, one of the victims in the photos wrote about the horrors of knowing pictures of her that Gavin had collected from the web “will follow me my whole life until the internet dies.”

Fifteen of Gavin’s friends and family submitted letters on his behalf, asking US District Judge F. Dennis Saylor IV for leniency. They said he’d been bullied and socially awkward as a child. His brother wrote that Gavin had been the best man at his wedding, and, in his core, “embodied goodness.” They wrote of Gavin’s post-arrest efforts at therapy and rehabilitation. “Please do not throw my son away,” his mother pleaded.

Gavin’s attorney, Tracy Miner, reminded the judge that his interactions with victims, while serious, only took place on the web.

“Mr. Gavin never tried to meet with any of these girls. He never paid them, he never threatened them,” she said. “It was all online.”

That didn’t matter, argued Assistant US Attorney Goldworm. The victims were real-life children.

“They’re not dots and pixels, ones and zeroes,” Goldworm said. “They’re someone’s daughter, granddaughter, sister, niece, and friend. And these crimes steal their innocence. It robs them of the safety all children should feel in their own home.”

Calling in via Zoom to read a victim impact statement, the father from Tennessee underscored the damage. His teenager was in therapy, struggling to regain some sense of safety and trust in adults. He said he was reminded of a line from “Harry Potter and the Prisoner of Azkaban.”

“It was ‘as though all the happiness had gone from the world,’” he said. “As a parent, knowing I cannot take this pain away from my child is one of the hardest realities I will ever face.”

Even 10 years in prison paled next to the lifetime of trauma he feared his child would endure, he said. “The sentence will end but their trauma will not.”

Saylor sentenced Gavin to 10 years, the mandatory minimum.

While he was appalled by Gavin’s crimes, the judge said, he was also deeply disturbed at the role technology played in facilitating them. He wondered aloud why tech companies both provided such easy access to children and allowed images to stay on the web. And he asked why they weren’t doing more to “prevent and respond” to instances of abuse.

“I don’t understand it, I don’t think I ever will. I wish I had a magic wand to make all this go away,” he mused. “The images, as everyone knows, stay out there forever.”

Records show Gavin is serving his sentence at Federal Medical Center Devens, a prison in Ayer that provides sex offender treatment.

Meanwhile, 15 months after being seized by police, Gavin’s MacBook remains in FBI custody. They’re still working to crack it.