Inside the Ecosystem of 'Rape and Murder': Mapping a Violent Dark Web Network

This case is an attempt to map the infrastructure and operational network of a violent dark web platform known as "Rape and Murder", using StealthMole's capabilities. This report provides a detailed and contextualized analysis of the site, which promotes and monetizes extreme sexual violence, snuff content, torture, necrophilia, and sadistic fetish material. It is part of a hidden underground of dark web communities dedicated to the sharing and consumption of the most violent and illegal content imaginable.

The platform claims to host over 3,000 images and videos featuring graphic acts of violence, including sexual assaults, beheadings, genital mutilation, suicide, and necrophilic acts. These materials are locked behind a paywall, requiring Bitcoin (BTC) payments to gain access. The scale and organization of this operation suggest that this is not a fringe site but a hub within a broader criminal infrastructure.

For individuals unfamiliar with this part of the dark web, it is important to understand that such platforms are not mere fantasy role-play forums but often serve as actual distribution points for real criminal content, some of which may involve human trafficking, live-streamed abuse, and child sexual exploitation.

Trigger & Initial Discovery

The investigation was initiated when I manually discovered the domain http://j*************************************************.onion/ while researching unrelated dark web material. The site's disturbing content prompted a deeper analysis to understand the platform's structure and criminal ecosystem. The resulting discovery unraveled a decentralized infrastructure involving over 25 mirrored domains, multiple cryptocurrency wallets, Telegram-based distribution, and Red Room livestream integration. Central to this ecosystem was a consistent actor identity using the alias m*******e across several encrypted email providers.

Upon accessing the site, I encountered a homepage presenting grotesque and violent visuals, reflecting a level of professional design uncommon among low-effort dark web sites. The operators claimed to host an exclusive database containing over 3,000 photos and videos. This material purportedly includes:

• Graphic sexual assaults
• Genital mutilation
• Cannibalism and necrophilia
• Beheadings and executions
• Torture of minors and adults

A call-to-action requested payments in Bitcoin to unlock full access. The payment portal, discovered at http://i***************.onion/order.html, listed a fee of 0.5 BTC (~$59,468) for unrestricted entry. BTC wallets were rotated frequently to avoid traceability.

The use of multiple encrypted email accounts, all under the handle m********e, suggested a deliberate attempt to maintain anonymity and continuity across platforms:

• m*******e@****.**g
• m*********e@********.com
• m*******e@*****.com
• m******e@******.net
• m*******e@s*******.pro

This identity repetition helped map other associated websites using StealthMole’s dark web tracking capability.

Infrastructure Expansion & Domain Network

The mapping of this platform's infrastructure revealed a deliberate and expansive approach to redundancy and persistence. Beginning with just one domain, I used StealthMole's Darkweb Tracker to trace additional .onion links through email reuse and content similarity. This led to the discovery of over 25 distinct domains, all pointing to the same core platform or slightly modified mirror versions.

Each domain typically had a unique Tor v3 address, and all of them shared nearly identical homepages, branding, and payment instructions. While the site layouts occasionally differed slightly, the messaging, imagery, and operational email handles remained constant. This indicates a unified control structure or a centrally maintained backend pushing content and updates to cloned frontends.

Examples of mirror domains:

• http://b*******************************************************.onion/
• http://r*******************************************************.onion/
• http://4*******************************************************.onion/
• http://f*******************************************************.onion/
• http://mr******************************************************.onion/

Such scale and consistency strongly suggest the use of deployment automation, possibly combined with bulletproof hosting services to evade takedown attempts. These mirrors ensure operational resilience and improve discoverability for users who frequent dark web indexing sites or Telegram-based directories.

Interestingly, a few URLs such as  I*****************c.onion and rq**********************************************.onion and were discovered not through web crawling but by tracking the movement of Bitcoin payments and cross-referencing email aliases.

The volume and continuity of mirrors, combined with email alias reuse, suggest that this is a well-maintained platform backed by either a centralized operator or a closely coordinated collective. The infrastructure strongly implies the use of bulletproof hosting or hidden service automation tools to replicate and relaunch sites quickly after any disruption.

Red Room Convergence

Among the most disturbing elements uncovered during the investigation was the platform’s integration with so-called “Red Room” livestream portals. In dark web terminology, a Red Room refers to an alleged online event where users can watch, or even interact with, a live broadcast of torture, rape, or murder, typically behind a cryptocurrency paywall. Although the authenticity of such events is debated, the infrastructure uncovered in this case demonstrates how the idea of Red Rooms is operationalized and monetized.

Two such Red Room sites were found:

• http://rq******************************************************.onion/
• http://24*********************************************.onion/spectator.php

These portals used language such as “Join Room” and “Spectate,” and often displayed countdown clocks suggesting scheduled events. Each session had its own Bitcoin payment address, with prices ranging from 0.0021 BTC (~$250) to larger fees for what appeared to be custom or VIP interactions. At least seven unique Bitcoin wallets were directly associated with these domains:

• bc***********************************shp
• bc**************************************366
• 14*******************************p
• 15********************************J
• bc****************************************l
• 1L**************************************e
• bc******************************************t

Moreover, these Red Room platforms were found to reference or link back to the Rape and Murder site, suggesting a deliberate cross-promotion or shared backend system. The user interface and BTC infrastructure between both environments were strikingly similar.

Whether all content is authentic or staged remains inconclusive, but the operational design, per-session wallets, countdown-based access, and mirrored domains, strongly mimics a real-time abuse marketplace. From an intelligence standpoint, these platforms represent a high-risk convergence of voyeurism, fetish violence, and possible real-world criminal harm.

Payment Infrastructure

A key focus of the mapping was the identification of cryptocurrency wallets. Using StealthMole’s tools, I identified 8 distinct wallets:

• 14******************************dp
• 1**********************************c
• bc**************************************shp
• bc****************************************366
• 15*******************************J
• 1L*******************************e
• bc1**********************************mt
• bc1****************************************l

The reuse of wallet addresses across multiple mirrors and Red Room domains indicates a shared backend and potentially centralized revenue collection or wallet-forwarding mechanism.

Telegram Promotion & Distribution

Telegram has emerged as a vital tool for the distribution and promotion of illicit platforms like Rape and Murder. This leg of the investigation began after I ran the domain I**************c.onion through StealthMole’s Telegram Tracker and identified a key promotional channel titled T*****X J**A **4. This Arabic-language channel promotes dark web links that include necrophilia, torture-themed content, and Red Room access points. The channel appears to primarily target Arabic-speaking users across the MENA region, judging by its linguistic structure and engagement style.

One of the platform mirrors — I**********************.onion — was specifically mentioned in a section labeled “Necro,” which strongly indicates its promotion as part of a content category involving necrophilic violence. While the interface did not present hashtag-based navigation, channels of this type frequently rely on informal tagging or sectioning to organize .onion content based on abuse themes.

The Telegram handle @**********_BOT is listed in the channel’s bio for user inquiries and also disseminates guides on OPSEC, mobile hacking, and T******x exploitation — all tools that enable lower-tier cybercriminals to participate in dark web ecosystems.

CSAM Linkage

The "Rape and Murder" platform does not separate its content focus between adult violence and child sexual abuse. Instead, it appears to host both under the same ecosystem, reinforcing the notion that CSAM is a built-in component of the platform rather than a side operation or escalation. This is consistent with many similar platforms across the dark web, where sadistic content often spans across age boundaries with no content-specific segmentation.

The discovery of CSAM-linked infrastructure began when I traced the Bitcoin wallet bc1*****************************shp, initially tied to Red Room payments. Upon running it through StealthMole’s Darkweb Tracker, I uncovered several domains explicitly dedicated to CSAM content. These included:

• yxo***************************************************eyd.onion
• hv*****************************************************ad.onion
• 4zi****************************************************id.onion

These domains displayed similar layouts to the Rape and Murder platform, including BTC-only paywalls, thumbnail previews, and encrypted contact forms for "custom" material. Their inclusion in the same network of financial and technical infrastructure confirms that the platform is not only tolerant of CSAM but deeply embedded in its distribution.

While the presence of CSAM is deeply disturbing, it is unfortunately not unusual in ecosystems promoting extreme sexual violence and Red Room activity. It reinforces that this actor network is part of a broader, non-specialized marketplace for sadistic material that spans both adult and child victims.

From an intelligence perspective, this highlights the necessity of tracing blockchain identifiers, as it allowed the linkage of seemingly separate entities within the dark web criminal landscape.

Hashes & Digital Artifacts

During the investigation of Red Room domains and associated .onion links, three SHA-256 hashes were uncovered from a page labeled spectator.php hosted on one of the livestream portals. These hashes are likely references to specific media files, possibly encrypted snuff or abuse content, and were presumably intended for verification or retrieval via private communication with the operators.

The hashes retrieved were:

• 32*************************************************************3
• f**************************************************************4
• 07f************************************************************2

These artifacts have been indexed and stored for future tracking in case the same hashes appear across additional platforms or are associated with leaked databases or file bundles elsewhere on the dark web. The inclusion of such identifiers suggests that the operators maintain a form of inventory or content registry to support fulfillment or buyer access.

Conclusion

The Rape and Murder platform represents a deeply entrenched node within the broader dark web criminal ecosystem. Its infrastructure is intentionally fragmented across numerous .onion mirrors, suggesting resilience strategies against takedowns and a long-standing presence within illicit communities. Unlike isolated or one-off abuse forums, this platform combines high-volume media storage, Red Room promotions, and a wide array of sexual violence categories, including content involving minors, into a centralized and monetized gateway.

This investigation illustrates how encrypted communication, cryptocurrency anonymization, and decentralized hosting allow high-risk criminal content to thrive under relative impunity. The platform’s strategic use of consistent branding, and mirrored hosting points to a tightly controlled operation that understands both the technological and psychological demands of its audience.

Moreover, its overlap with Red Room sites and CSAM-linked infrastructure demonstrates the porous boundaries between different forms of dark web exploitation. These are not separate verticals, but often interconnected environments with shared payment systems, audience pools, and promotional mechanisms, as evidenced by the Bitcoin wallets, Telegram cross-posting, and hash identifiers discovered throughout this case.

Editorial Note

This report was compiled to demonstrate the utility of StealthMole in uncovering, mapping, and analyzing one of the most disturbing and resilient dark web ecosystems encountered during open-ended manual reconnaissance. The goal was not just to document URLs or indicators of compromise (IOCs), but to tell a comprehensive story of how these criminal operations are structured, monetized, and protected.

By following a single lead, a domain found manually, I was able to uncover a wide-ranging infrastructure that spans Red Room live-streaming, CSAM distribution, cryptocurrency laundering, and Telegram-based promotion. Every section of this report reflects verifiable connections through StealthMole’s modules, and no speculative links were included.

It is worth mentioning that although Tor v2 domains have been officially deprecated, StealthMole retains the ability to investigate historical v2 infrastructure. This capability allows investigators and law enforcement agencies to uncover past activity, attribute operational footprints, and connect legacy operations to ongoing dark web ecosystems.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com