AN OSINT CASE STUDY: NON-CONSENSUAL IMAGERY WEBSITE COPP
OSINT-BLOG.XYZ
Published 4 December 2022
Updates at bottom of page
osintblogxyz@protonmail.com
Currently Accepting (Paid) Work
The website www.cumonprintedpics.com (COPP) is a fetish based forum in operation since approximately the 10th of July 2010.
As the name suggests, the websites primary purpose is to provide a platform for men to degrade images of women in an overtly sexual manner. This act is known as “tributing” and/or “cocking”. Tributing involves a male ejaculating onto an image, often non-intimate, typically of an unwitting victim. Cocking involves taking a photograph of an individual's genitalia next to an image of an unwitting victim.
The site also includes activity that sits outside this scope, but is designed to be degrading or demeaning nonetheless. This includes more “traditional” forms of internet harassment like revenge porn, fakes and non-consensual imagery. There is even a section dedicated to men ejaculating onto women's belongings without their knowledge.
Large proportions of the content, include personally identifiable information (PII) which is often posted alongside the images in question. It is almost certain that the vast majority of content hosted on COPP is posted without the approval of the victim(s). Images of the 'act' are often sent directly to victims and the victims family at random.
COPP’s content is persistent, and based on a ‘standard’ phpbb forum system. There are 8354459 posts, 648238 topics and 325206 users at the time of writing.
It is probable that, given the provision of section 230 under the Communications Decency Act in the United States, the website owner is shielded from liability for the vast majority of the content posted by users.
Notwithstanding, there is clear evidence the website is used to host images of pre-teen females and males. Many examples can be found when visiting the websites front page, and observing the scroll bar labeled “Last 30 Attachments in Forum (Updates every 5 minutes)”, let alone delving into individual threads.
It could be argued, that when combined with the act, or the circumstances in which the images are posted, that the content falls within the definition of Child Sexual Assault Material (CSAM) in many countries or jurisdictions.
Further potential for victimization occurs where these images are posted with PII.
Noting this, and the implications legally, morally, and ethically - I have taken a cautious approach when gathering information on the website. Everything written on this blog has been submitted to numerous LE agencies, in various capacities, over the previous two years.
Based on my own observations, moderation occurs infrequently and there appears to be a high-threshold for interaction by the website's administrator(s). Even spending a short-time on the website reveals a fairly casual approach to content moderation or deletion. For example, there are threads which contain images of pre-teen females, and instead of being deleted entirely, are often only “Locked”. This means the content still remains persistent on the internet, just without further user interaction. Users are unable to delete their own posts or images, except within a two-minute period after submission.
If a user wishes to delete their account, the administrator charges $99USD (https://payform.securepayforms.com/). Individual image removal costs $50USD. Often content removal requests go unanswered. The process appears to be deliberately obstructive. There are many threads littered within COPP regarding this very issue.
The differentiation between COPP and other sites like Reddit, Twitter or Pornhub, is the distinct lack of control over the content posted. If illegal content is posted on more popular platforms, there are mechanisms (albeit imperfect), to deal with content and/or users. COPP’s differentiation is that it has a sizable and comparable collection of illicit and/or illegal content, without the same scrutiny or spotlight other more popular platforms have come under. It is baffling that the website still exists in its current form, and has for the past decade.
My involvement with the website stems from working with two victim(s) whose images were posted on the website in my capacity as a PI, and the natural progression of the investigation, in wanting to understand who runs or had run the website.
Open source data suggests there are two US males involved in the operation of the website. Or possibly, that ownership was transferred from one, to the other. The males reside in Louisiana and Georgia respectively.
The following blog outlines the process used to find both males, and analyses specific components of the website.
Site Owner(s)
Two methods were used to identify possible site owners.
The first involved scrutinizing business records associated with the company which appeared on a credit card statement after paying for content removal on behalf of a victim.
The second involved using data-breaches in conjunction with emails or websites associated with COPP’s WHOIS domain records.
Data-breach information obtained from publicly available sources confirms beyond reasonable doubt that Scott Trentcosta is the current site owner.
Data-breach information also suggests that it is highly likely Joey Kopanski had control of the administrator account during the early years of COPP’s existence.
Content Removal
After emailing “urgent@cumonprintedpics.com” an invoice is generated with a payment gateway directing payment to a company named “L.A. Nerd IT Consulting”. This is the company which takes payment of $99 USD to have a profile removed.
However, the actual line on the credit card statement appears as Cloud Cyberservices LLC Ltd.
Cloud Cyberservices LLC Ltd, is a UK company with a US director named Scott Trentcosta (Jr) with an April 1993 DOB. Click Here.
Previously, N.O.L.A appeared on credit card statements, which was NOLA Cyberservices LLC Ltd. Click Here.
Data-Breaches
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.
Websites such as dehashed.com (and others) allow a user to pay a subscription and search by email/username/name/password and view any data breach the information is contained within.
As such, data-breaches are useful for finding information related to specific emails, usernames or passwords (amongst other selectors).
I have obscured the actual plain-text passwords associated with Trentcosta and Kopanski's accounts, however the methodology is self-evident and reproducible.
Typically data-breaches are referred to by the actual name of the website or their ‘in-bulk’ name (often many websites are released as packs), such as cit0day or anti-public, which is how I refer to the data below.
WHOIS Domain Records + Data-Breach Information
WHOIS Domain records are publicly available records which list the email and owner details for a particular website.
WHOIS Domain records are typically entered when registering a domain. Usually the email used for account sign-up is entered into record, unless Privacy Guard entries are used. Privacy Guard entries are generic WHOIS entries which do not disclose any information.
Website administrators typically use Privacy Guard entries for WHOIS domain records, in lieu of using their actual email or details. This is common practice nowadays, however less so approximately 10 - 15 years ago.
COPP is no different in this sense, all but one of the entries contain generic Privacy Guard entries.
However, the first WHOIS Domain record for the website address www.cumonprintedpics.com has a ‘burner’ or fake email(s), as shown here:
Several data-breaches exist for the emails highlighted in yellow.
These data-breaches include, but are not limited to:
Neopets.com
Collections (1 ~ 6)
BlackHatWorld.com
Antipublic
Cafe Press
For ease of formatting, I have copy-pasted the data-breaches from various services, but have also screenshotted on occasion to demonstrate process.
Neopets Breach
"email_address": "admin@freebukkakevids.com"
"username": "fr0gina",
"ipaddress": "93.174.88.51",
"password": "t********"
Note the password "t********"
Searching by ‘password’ on popular data breach websites reveals t******** as the password used with the following emails (amongst others):
strentcosta@gmail.com
dam4statch11@gmail.com
ssaws41193@yahoo.com
joewoods1337@yahoo.ca
FitnessPal Breach
"email_address": “strentcosta@gmail.com”
“username”: “dam4statch11”
“hashed password”: 4500ba05c91cc7814a52535e407ee44bd1848340
“plain password”: t********
“I.P. Address”: 166.137.15.173 (ATL, GEORGIA, AT&T)
VillaVu.com Breach
"email_address": “ssaws41193@yahoo.com”
“Username”: “9p00n9”
“hashed password”: fab9109cb4337a2db8040648027d02f8:|vl
“plain password”: t********
“I.P. Address”: 72.200.39.143
Silk Road Breach
"email_address": ssaws41193@yahoo.com
“Username”: “ssaws41193”
“plain password”: t********
Note the email “ssaws41193@yahoo.com” matches Scott Trentcosta’s DOB (APR 1993), as per the UK business records mentioned earlier.
The email joewoods1337@yahoo.ca is contained within the Cafe Press data-breach:
Cafe Press
"email_address": "joewoods1337@yahoo.ca",
"password": "t********"
In summary the password "t********" relates to the site owners initial WHOIS email records, joewoods1337@yahoo.ca and admin@freebukkakevids.com.
The password "t********" is associated with other emails with direct links to Scott TRENTCOSTA, namely strentcosta@gmail.com and ssaws41193@yahoo.com - given both name and DOB correlate.
The data breach information in conjunction with the business records - which were disclosed after having content removed through COPP’s “official process” - leads me to believe Scott Trentcosta is the owner of the website.
Data-Breaches Continued…
A possible co-owner or previous owner was discovered after scrutinizing specific URL’s posted by the administrators account on COPP.
A contact email within a WHOIS record was cross-referenced with password breach-data from several websites, which revealed the identity of a co-owner/previous owner.
The forum administrators account is located via the following link:
https://www.cumonprintedpics.com/memberlist.php?mode=viewprofile&u=2
https://www.publictributes.com/memberlist.php?mode=viewprofile&u=2
Within the Site Administrators post-history is the following post:
https://www.cumonprintedpics.com/viewtopic.php?f=6&t=4076&p=22050#p22050
https://www.publictributes.com/viewtopic.php?f=6&t=4076&p=22050#p22050
https://archive.is/nIdqo (archived)
The person who controlled the COPP administrator forum account replies to a post, stating their photo-blog is located at http://dailywhorepics.com (which no longer exists).
Three WHOIS domain records exist for http://dailywhorepics.com with the following dates:
Within the record dated 26th March 2011 the following information is entered:
The administrative email is listed as maddcowjoe77@yahoo.com. The name within the WHOIS record is fake, along with the address (random, perhaps).
Password breach data for maddcowjoe77@yahoo.com is as follows:
Cafe Press Breach
"email_address": "madcowjoe77@yahoo.com",
"password": "j******"
My Space Breach
"email_address": "madcowjoe77@yahoo.com",
“username”: ”madcowjoe77”
"password": "j******"
Note the username ‘madcowjoe77’ with one ‘d’ missing. This username can be added to the Myspace.com URL to reveal the corresponding user.
Entering www.myspace.com/madcowjoe77 reveals the following profile:
Archive (https://archive.vn/yCT3r)
The MySpace profile is blank but clearly displays the name Joey Kopanski.
Searching for madcow77@yahoo.com (same schema, but removing the ‘d’ like the username above), reveals the following password breach data:
Note the two emails madcowjoe777@yahoo.com and madcowcoe7777@yahoo.com used the identical password ‘"j******"’.
It is almost certain these emails belong to Joey Kopanski also, given the password schema and use of madcowjoe as the prepend.
This further ties the username with the password. The username is tied to Joey Kopanski's MySpace page.
The name “Joey.Kopanski” was entered as a wildcard search on the leak-check.net password data breach service.
A domain wildcard search returns all results where “Joey.Kopanski” is present, regardless of what email service is appended (yahoo.com, gmail.com, hotmail.com etc.).
This was completed to ascertain whether the name is fake, and to see what other password data is revealed which might tie the identity back to the original 26th March 2011 WHOIS entry for http://dailywhorepics.com.
This search reveals the following data:
Note the password ‘joey******’. This uses a similar schema to the ‘"j******"’ password which corresponds to the various maddcowjoe emails and usernames, albeit the ‘j’ has been expanded to include the name ‘joey’. Note the other password ‘Joey******!’.
This includes the use of a capital letter and special character.
This was probably used to comply with Chegg.com’s password complexity requirements on sign-up (given the evolution of password requirements).
The email Joey.Kopanski@gmail.com produces the following Google profile:
In summary, the administrator account on COPP made direct reference to “their” photoblog being dailywhorepics.com through a forum post. Previous WHOIS entries for dailywhorepics.com indicate Joey Kopanski was the domain owner.
Kopanski's link to the website is less obvious than Trentcosta's. Kopanski does not appear on any business records associated with the payment gateway/content removal system like Trentcosta does. However, it is difficult to fathom what alternative explanations would result in Kopanskis blog dailywhorepics.com being posted by the administrators account.
One explanation is that the administrator (i.e: Trentcosta) has simply found the photoblog www.dailywhorepics.com, and is claiming it as his own via an admin account forum post.
A second (less likely) explanation is that the blog was used as a red herring by Trentcosta.
At the very least, it is almost certain that Kopanski has owned the photoblog www.dailywhorepics.com. If you stop to consider that URL name, it is not outside the realm of possibility that Joey was the initial creator of COPP, or that he co-owns the website along with Trentcosta.
Chat
The chat system is located towards the bottom of the front-page, and is available for use after registration. The chat is often used to refer people to other communication or image platforms. ‘Dog-whistling’ and solicitation for underage content occurs regularly. Chat users are frequently seen using characters to circumvent the word-filter.
Word-Filter
A word-filter operates within the chat system and wider forum. Entering words such as “no-limits” automatically appends “18+”, to make No Limits (18+). Entering the word “rape” automatically adds (rp), which is the acronym for role-play. Entering “pre-teen” or “pedo” displays “.”. This list is not exhaustive and it is certain that other filters have been set accordingly.
The phpbb forum system allows the administrator to manually add these rules. This is an interesting point, given the administrator has entered these rules knowing this content is mentioned within the chat and forum.
Typing “Trentcosta” into the chat, automatically changes the message to -. Kopanski does not have a word rule, and appears as-is.
Typing CumOnPrintedPics into the chat, changes the name to PublicTributes
EXIF Data
Interestingly, EXIF meta-data is not scrubbed from images which are hosted on COPP. There are numerous examples of images which still have location data available. Images are hosted numerically against the following strings, from 1 - 13,786,301 (approximately, at time of writing). https://www.cumonprintedpics.com/download/file.php?id=*NUMBER*. It would be possible to scrape the entire contents of the website, by downloading each string, and plot images within ARCGIS. This would aid in identifying offenders within specific states/regions/countries who still have location-tagging turned on.
An example of image(s) with Exif location data turned are as follows (post by darkrat and remi00 ):
https://www.cumonprintedpics.com/viewtopic.php?f=4&t=511617&start=60
https://www.cumonprintedpics.com/viewtopic.php?f=4&t=25609
Similarly, any profile photo uploaded to a user's profile retains all EXIF data.
Search
The website has a search feature, like other forums. Recent searches can be located at the bottom of the page.
The member search feature is located at the following link:
https://www.cumonprintedpics.com/memberlist.php
Wildcard member searches can be used with the * key. After searching, you need to select the letter the username starts with to ensure results are shown.
Disclosure Vulnerability
The registration system can disclose whether an email exists on the website by taking an already registered username, and using it in conjunction with the email you wish to interrogate. If both match it will throw an error stating both the username and email are in use.
IP Information, Domain Host, Content Host (this requires updating - 15 May 23)
The IP address resolution for the website is through DDOS-guard Russia/ - 185.178.208.170
The old IP address resolution for the website was: 89.248.168.199 . The IP address is space owned by IP Volume Inc, a shady company previously involved in a revenge-porn case in the Netherlands.
The current domain host, as per the last WHOIS record is ENOM.COM (Enom Domain Hosting / Tucows).
The mail header information is as follows:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@cumonprintedpics.com header.s=default header.b=ukCd9kUy;
spf=pass (google.com: domain of copp@cumonprintedpics.com designates 185.22.174.3 as permitted sender)
Misc. Info
Website users have been the subject of previous LE interaction, as indicated here:
https://cases.justia.com/indiana/court-of-appeals/2018-90a05-1707-cr-1622.pdf?ts=1516723636
https://cms7files.revize.com/boonecountyky/2016060802.pdf
https://www.fox7austin.com/news/former-ut-austin-student-charged-with-burglary-indecent-assault
https://www.vice.com/en/article/4aywd3/tribute-porn-site-targeted-youtuber
https://storage.courtlistener.com/recap/gov.uscourts.cacd.846195/gov.uscourts.cacd.846195.1.0.pdf
Other News articles include:
https://www.thejournal.ie/cork-women-porn-2546734-Jan2016/
https://www.mirror.co.uk/news/uk-news/vile-internet-troll-stole-womens-7764357
https://www.dailystar.co.uk/news/latest-news/revenge-porn-website-girls-pay-17009627\
https://www.bbc.com/news/uk-england-sussex-39491749\
https://www.theargus.co.uk/news/14493815.olly-whiting-of-eastbourne-re-arrested-over-revenge-porn/
https://www.theverge.com/2018/4/29/17299020/anon-ib-the-netherlands-dutch-police-revenge-porn-shut-down
https://storage.courtlistener.com/recap/gov.uscourts.cacd.846195/gov.uscourts.cacd.846195.1.0.pdf
A good blow-by-blow account of the websites history is available within the posts of the following Reddit user:
Online Presence / Profile(s) of Probable Owners
Rather than copy-paste social links for each person I have provided a gist of their online footprint.
Scott Trentcosta
Mr Trentcosta has a small internet footprint, but an interesting past. Mr Trentcosta has no active social media accounts (unless under alias). There are several usernames associated with the emails listed above, which connect him to hacking forums (hackforums.net) and a now defunct credit card fraud website (carder.su).
Previous post history under the usernames fr0gina, fr0, x0rx, dam4statch and dam4statch11 (all obtained from the above data-breaches) suggest Mr Trentcosta has previously ran botnets and been involved in Runescape hacking as a teenager.
Mr Trentcosta has dozens of “burner emails' ', connected to him through password reuse, usernames and cellphone. Many emails associated with COPP were created through tutanota.com or cock.li.
Trentcosta is a unique name, which gives some interesting search results. His father has some previous LE interaction. His mother appears to live a seemingly normal life with what is assumed to be a younger son/brother.
Interestingly, Mr Trentcosta may have lived in the Ukraine and/or Russia for a period of time.
Trentcosta may have used the name LEITZ previously, or has some familial link to the name. There are people living at his previous address with the name Leitz. The twitter account (@dam4sta) lists his name as Scott Letiz. Dam4sta is a username Scott has used.
Trentcosta has previously been arrested for Possession of Marijuana.
Trentcosta has links to addresses in METAIRIE, LA.
Joey Kopanski
Joey Kopanski is a Cinematographer living in Atlanta, Georgia. Perhaps his passion for cinematography explains the choice of URL when the site was initially registered in 2010?
Mr Kopanski has a large internet footprint given his career as a cinematographer. He appears to be well-respected and very talented.
Conclusion
Putting aside the fact the website is already abhorrent, and by-design meant to degrade victims' images.
It is certain the administrator(s) of COPP are aware of the abundance of underage content posted/shared.
The presence of the word-filter is indicative of an understanding underage content is shared on the forum and chat. It is worthy of note, that the word-filter does not actively exclude the content and/or post/message - instead obscures the originally conveyed message.
A weak approach to enforcement is evident. There are dozens of threads involving underage victims, which are still present.
There is evidence that moderator(s), or administrators have engaged with underage content, but instead of deleting the content entirely, “Locked” the thread which means the content is persistent and indexed on search engines.
Many of the accounts posting under-age content are still active.
It is almost certain that Scott Trentcosta is the owner of the website, or perhaps co-owned with Joey Kopanski.
The ‘adm’ (admin) account has not posted since the 5th May 2017, notwithstanding I cannot find any indication COPP has been on-sold or under different management. Trentcosta’s business records were updated in 2020 (for Cyberservices Limited).
Lastly, as indicated by the sheer number of threads which include underage content, and dog-whistling within the chat, COPP is clearly used for the procurement and trade of CSAM.
At the very least, Trentcosta/Kopanski have lost control of the ability to effectively moderate the platform to ensure children are not victimised.
One can only assume that the advertising revenue is too lucrative, or that anonymity (until now?) has been the motivator to continue the site's operation.
If you have anything to add or have been a victim of the website, please let me know.
Update 10 Jan 2023:
Another username came to light after information was submitted via my ProtonMail address
Scott has previously used “JoryDoe” as a username, as it is linked to him through data-breach information below.“email_address”: “dam4statch11@gmail.com”,
“username”: “JoryDoe”,
The following thread was posted by JoeDory in 2011, where he complains about inaction from a Hosting Provider (LimeStone).
https://www.webhostingtalk.com/showthread.php?t=1106735
To which the LimeStone Admin replies:
“Your complaint was dealt with immediately. The thread was removed. Next time you can just send direct contacts to HF admins.
Also the site you run being attacked is a pornographic site dedicated to some rather odd material. The person who wanted the site attacked was protecting a girl who was being targetted and abused at the site. So don’t play the Mr. Innocent Victim here. If you dealt with complaints to remove material as quick as HF then maybe you wouldn’t have issues.
Lastly…no attacks originate from HF. The members are ******** just like 4chan but HF is not responsible for the actions of others. How would you like it if someone called you a child pornographer because some member on your forum posted a pic? The person who posted to maliciously attack your site was just some random new member hoping to hell someone would give a crap about his story. I guess it was touching enough that someone took notice.
In any case the content was removed per your request.
Good luck with your site.”
Update 26 Jan 2023:
A domain named www.cumonprintedpics.net existed prior, or alongside www.cumonprintedpics.com.
The information is described here:
Update 30 Jan 2023:
It would appear Scott Trentcosta's Mugshot was found on the internet:
Update 10 Apr 2023:
COPP has been down for approximately 1 week. The domain is on hold. There are no mail exchange records, or DNS / DDOS-Guard records. Lots of rumours circulating on Reddit.
Update 28 Apr 2023:
COPP has "re-branded" as www.publictributes.com. It would appear the whole database was moved to this new forum, as all the old usernames, posts and threads are active. Entering CumOnPrintedPics into the chatbox re-names it as PublicTributes.com
COPP was offline briefly from the 10th April 2023 to the 28th April 2023, after which the website re-appeared as www.publictributes.com (PT). The websites database (including all old posts, threads and usernames) was moved from the COPP domain to PT. DDOS-Guard no longer protects the website, instead CloudFlare is used as denial of service mitigation. Many of the techniques listed still work, but require manipulation of the URL from COPP to PT.
Update 06 June 2023:
PublicTributes.com appears to have been suspended.
Update 19 November 2023:
I am aware the website goes under a new name but will refrain from posting it as I do not want to drive traffic.
I am aware that Scott knows of this blog given the URL (osint-blog.xyz) is censored on the website.
Update 4 December 2023:
Bloomberg article about COPP
Update 16 March 2024
Bizarre message appeared on COPP, perhaps hacked as it disappeared quickly
Updates
Contact
osintblogxyz@protonmail.com