April 2025 / Reading Time: 14 minutes
STUDY E: Hidden casualties of war: CSAM possession during humanitarian crises
Introduction
In 2024, 72 countries faced humanitarian crises, affecting over 299 million people, including nearly one in five children globally who are living in or fleeing conflict zones (OCHA, 2024). More than 30 million children have been displaced, many of whom are trafficked, abused, or exploited. Two of the United Nations Security Council’s six grave violations against children in war include rape and abduction, with girls disproportionately affected by sexual exploitation and boys making up the majority of abductees (UNICEF, 2024a, 2024c).
While sexual violence occurs in all contexts, the risks escalate in humanitarian crises. Armed conflicts, natural disasters, and emergencies create environments in which children are particularly vulnerable to sexual abuse, trafficking and other forms of exploitation (UNICEF, 2024b).
Beyond physical exploitation, children are increasingly at risk online. While sexual violence is often a crime of power, economic incentives now play a significant role. The internet has enabled a growing global market for CSAM, where offenders extort children for explicit content and financial gain (UNICEF, 2024b). Despite extensive research on the impacts of humanitarian crises on children - such as malnutrition, forced conscription and sexual abuse - little is known about the online exploitation and abuse of children during such crises, particularly through CSAM.
CSAM includes images, videos and sound clips documenting the sexual abuse or exploitation of children. Accessing, distributing, or creating CSAM is a crime in most countries, and its ongoing circulation inflicts lasting harm on victims. Given what is known about the heightened risk of exploitation during crises, it is critical to investigate how these risks intersect, particularly in relation to CSAM-sharing and hosting.
Understanding how CSAM circulates during crises is essential for developing effective interventions. This research aims to explore whether humanitarian crises influence the hosting and sharing of CSAM across a variety of environments including peer-to-peer (P2P) networks, which allow users to share files directly without relying on centralised servers. Crises disrupt legal and social systems, creating conditions that facilitate exploitation and abuse. Events like war, migration, and disasters can suspend regulations and weaken protections, leading to increased criminal activity (Spangaro et al., 2013; Marsh et al., 2006).
United Nations (UN) Secretary-General António Guterres has warned that, for traffickers and predators, war is not only a tragedy, but an opportunity, with women and children as primary targets (Guterres, 2022). There is documented evidence of increased trafficking and exploitation of refugees, including in Ukraine, where online searches for explicit content featuring displaced women and children have surged. Analysts warn that traffickers are responding to this demand by coercing refugees into sexual exploitation (The Guardian, 2023). Since the start of the war in Ukraine, over 14.3 million refugees have fled, with family separations at 70%, leaving children at greater risk of abuse and trafficking (Child Helpline International, 2024). Similar patterns exist among Syrian refugees in Turkey, where adolescent girls face exploitation and abuse due to economic desperation, with little publicly available data on technology-facilitated CSEA (ECPAT, 2020).
Methodology
This study used Child Rescue Coalition (CRC) data to look at the number of IP addresses (unique identifying numbers assigned to devices like phones and laptops) that were in possession of CSAM on P2P networks at various points (intervals) during crises in 20 parts of the world. P2P networks are the various groups of users who agree to share files with one another, there are currently several operating worldwide.
Countries/places which were undergoing humanitarian crises were identified from ReliefWeb and UN Refugees, which list emergencies and crises. From these sources, dates of the beginning of the crises were identified. For example, the conflict start in Ukraine is officially listed as 24 February 2022 (UNHCR, 2025). The intervals of data for each country were the past 90 days from the start of the crisis; the past 90 days from 15 October 2024 (the date when the data was collected); and a central date between the date of crisis start and 15 October 2024.
The places examined were Ukraine, the Holy Land, Sudan, Yemen, Afghanistan, Syria, Ethiopia, Myanmar, Venezuela, Sierra Leone, Central African Republic, Mauritania, Chad, Benin, Ghana, Togo, Cote d’Ivoire, Iraq, Somalia and South Sudan. In each of these places, it was decided to measure the number of IPs in possession of CSAM three months prior to the crisis, at a point during the crisis, and with a final measurement representing the current number of users as all the crises were ongoing. This data was then compared with available and applicable country-level data from both the Association of Internet Hotline Providers (INHOPE) and the National Center for Missing and Exploited Children (NCMEC), which produce metrics on the number of reported CSAM and CSAM hosted in some of the same countries.
Key findings
Conflict and war
Countries experiencing a period of recognised conflict, whether internal or external, including Ukraine, the Holy Land, Sudan, Yemen, Myanmar, Venezuela, Central African Republic and Iraq, had the highest number of IP addresses linked to CSAM possession among all crisis types analysed. Notably, Venezuela had the largest number of IP addresses in possession of CSAM prior to the onset of the conflict. This data is important in order to understand the trends, as Venezuela’s crisis began around 2016, approximately six years earlier than Ukraine’s in 2022, during a period when P2P networks were more commonly used. Additionally, Venezuela’s conflict coincided with the ratification of the United Nations Convention on the Rights of the Child, providing a critical reference point for the country’s evolving crisis.
In terms of P2P CSAM-sharing, three places (Venezuela, Ukraine, and the Holy Land) showed a reduction of over 1,000 IP addresses possessing such material across the three measured intervals. Venezuela experienced the largest drop in IP addresses, particularly in the first measured interval. On average, there was a 31% decrease in IP possessing CSAM across all countries and at all crisis intervals. This could also point to conflict displacing people away from the countries and regions, which would lead to CSAM possession in other locations away from the conflict.
However, despite the decline in P2P CSAM-sharing, reports of CSAM to organisations such as the NCMEC and INHOPE registered a sharp increase during these conflicts. For example, NCMEC data revealed that the number of CSAM reports surged in some countries (by over 150% in Ukraine and the Holy Land), despite the decrease in P2P activity. Although it is important to note that NCMEC referrals have been increasing year on year globally (Figure 1), we see some conflict related fluctuations in NCMEC data on CSAM due to conflict for both Ukraine and the Holy Land (Figure 2). This discrepancy highlights the complex relationship between P2P-sharing and formal reporting mechanisms, where increased awareness, reporting channels, and law enforcement attention may be influencing the rise in official reports, even as P2P activity decreases. The data may also reflect a shift in sharing CSAM away from P2P.
Figure 1: Volume of NCMEC Cybertip Referrals on CSAM for the Holy Land and Ukraine, 2020-2023
Sources: NCMEC Cybertipline Country reports 2020 - 2023 (NCMEC, 2023)
Although it is important to note that NCMEC referrals have been increasing year on year globally (Figure 1- purple line), we see some conflict related fluctuations in NCMEC data on CSAM due to conflict for both Ukraine and the Holy Land (Figure 1- green and yellow bars).
It is also important to note that, while conflict/war was considered the primary crisis in these countries, other aspects, such as famine, political instability, or economic collapse, could have been happening concurrently, potentially influencing the findings. These multifaceted challenges create a more complex environment that can exacerbate the risks faced by children and increase the opportunities for CSAM-sharing.
One notable P2P-sharing exception was Iraq, where the number of IP addresses linked to CSAM possession increased from zero to 90 during the period of conflict. This was the largest increase observed across all the countries in the study. Interestingly, NCMEC reported a decrease in the number of CSAM-related reports from Iraq during the same period, suggesting a possible shift toward more P2P sharing, for which formal reporting may not fully capture the extent of the issue. Table 1 outlines the data sources for the countries affected by conflict/war examined in this study.
Table 1. Changes in volume of reports, hosting notices and IPs linked to possession of CSAM in places with war/conflict
| Country and date for start of Crisis | Type of first recorded Crisis | NCMEC Report Data: Volume and Percent Change (2020-2023) | Hotlines Hosting Data: Volume and Percent Change (2020-2024) | P2P File Sharing IPs Data: Volume and Percent Change (Start date – Oct 2024) |
|---|---|---|---|---|
| Ukraine (August 2021) | War/Conflict | +62,213 (+250%) |
+10,652 (+63%) |
-1,233 IPs (-47 %) |
| Holy Land (Israel and Palestinian territory) (April 2023) | War/Conflict | +80,031 (+301%) |
+ 2 (+200%) |
-1,049 IPs (-39 %) |
| Venezuela (December 2014) | War/Conflict | +115,592 (+195%) |
+1 (+100%) |
-69,799 (-98%) |
| Sudan (October 2022) | War/Conflict | -45,773 (-55%) |
No Data | -23 (-88%) |
| Myanmar (February 2017) | War/Conflict | -109,759 (-65%) |
No Data | -34 (-79%) |
| Central African Republic (June 2020) | War/Conflict | -19 (-6%) |
No Data | None |
| Yemen (September 2020) | War/Conflict | -568 (-93%) |
No Data | +251,201 (+460%) |
| Iraq (October 2017) | War/Conflict | -176,220 (-81%) |
No Data | +90 (+9000%) |
Sources: Childlight analysis of CRC data; and NCMEC Cybertipline Country reports 2020–2023 (NCMEC, 2023)
Famine and natural disasters
The following five countries — Afghanistan, Ethiopia, Sierra Leone, Somalia, and South Sudan — were categorised under natural disaster crises. Natural disasters are defined as hurricanes, floods, cyclones, earthquakes and other weather or geological-related crises. The highest number of IP addresses in possession of CSAM across this group of countries was four IP addresses, which were recorded in both Ethiopia and Afghanistan at the start of the crisis. Both of these countries also saw an increase in the number of IPs possessing CSAM during the measured intervals. The other three countries in this group — Sierra Leone, Somalia, and South Sudan — reported either one or zero IP addresses during the measured periods, suggesting that very few people in these regions were using P2P networks for sharing CSAM.
It is important to note that the recorded date of October 2024 represents the most recent data, and the highest number of IPs linked to P2P sharing observed was from the start of the respective crises. This relatively low number of IP addresses in possession of CSAM in countries experiencing famine and natural disasters, compared to those in conflict zones, could be attributed to several factors. It should also be noted that the overall numbers for peer-to-peer users in possession of CSAM are low and should be interpreted with caution. For instance, limited access to technology and internet connectivity in some of these places may have contributed to fewer opportunities for individuals to engage in P2P file sharing. In many
cases, P2P networks are dependent on widespread internet access and sufficient infrastructure, which may be lacking or severely affected in countries facing significant humanitarian crises, including those facing famine or natural disasters.
Additionally, famine or natural disasters may not create the same conditions for the exploitation of children online as armed conflict does. War and conflict often lead to rapid breakdowns in social and legal systems, creating environments where children are more vulnerable to exploitation, including through P2P networks. In contrast, although famine and natural disasters certainly disrupt societies, they might not present the same immediate risks for technology-facilitated child sexual exploitation and abuse (TF-CSEA). While CSAM possession on peer-to-peer networks may be limited in these countries, when looking at report-related data from NCMEC, three of the five saw an increase in reporting of CSAM. One country, Somalia, saw little change over time in NCMEC reports, while Ethiopia saw their reports reduce by approximately half.
Nevertheless, the data from these countries should be interpreted with caution. The lower prevalence of CSAM-sharing in these regions may not necessarily reflect the full scope of the issue. For example, underreporting or limited data availability could result in an incomplete picture of the online exploitation of children during these crises. Further research is needed to explore how factors such as cultural attitudes, limited access to reporting mechanisms, and low internet penetration may contribute to the disparity observed in the data.
Table 2. Changes in volume of reports, hosting notices and IPs linked to possession in places with famine and natural disasters
| Country and date for start of Crisis | Type of Crisis | NCMEC Hosting Data: Volume and Percent Change (2020-2023) | P2P File Sharing Data: Volume and Percent Change |
|---|---|---|---|
| Afghanistan(January, 2015) | Famine and Natural Disaster | +81, 789 (+170%) |
+4 (+33%) |
| Ethiopia (November, 2020) |
Famine and Natural Disaster | -8, 104 (-46%) |
+4 (+300%) |
| Sierra Leone (November, 2018) | Famine and Natural Disaster | +289 (+130%) |
None |
| Somalia (January, 2015 |
Famine and Natural Disaster | -794 (-4%) |
+1 (+100%) |
| South Sudan (March, 2017) |
Famine and Natural Disaster | +1009 (+157%) |
None |
Sources: Childlight analysis of CRC data; and NCMEC Cybertipline Country reports 2020–2023 (NCMEC, 2023)
Conclusion
The findings of this study provide an exploratory and nuanced understanding of the nature and prevalence of CSAM in humanitarian contexts, revealing potential trends in different types of crises. The data highlights that conflict and war zones exhibit the highest rates of CSAM-sharing. Ukraine, the Holy Land and Venezuela show a substantial number of IP addresses linked to CSAM possession, as well as a sharp rise in reports of CSAM hosting or uploads. This trend could be largely driven by the breakdown of social and legal systems, displacement and the resulting risks for children in conflict areas. The continued sharing of CSAM in these places, despite overall reductions in P2P network activity, underscores the persistent and evolving risk of TF-CSEA during crises.
Conversely, countries experiencing famine and natural disasters tend to report lower rates of CSAM possession compared to conflict and war zones. While these regions may still face significant risks, the data shows a relatively smaller presence of CSAM on P2P networks. The lower levels of CSAM sharing in these contexts could be attributed to factors such as limited internet connectivity, lower penetration of P2P technologies and perhaps a reduced focus on technology-facilitated child sexual exploitation and abuse during these crises.
The decline in CSAM activity over time in several countries, including those impacted by conflict, suggests that interventions and restrictions on P2P networks may have had an effect, although further research is needed to confirm this. While the data points to a decrease in IPs sharing CSAM across P2P in the studied countries, NCMEC global data continues to show an increase in the numbers of CSAM reports globally, most recently passing 36 million reports (NCMEC, 2024). This suggests that CSAM sharing and uploads are occurring in these countries/regions outside of peer-peer networks.
Nevertheless, some hotspots warrant more focused monitoring. Countries in active conflict zones, especially those with significant displacement of populations, remain high-risk areas for both contact and TF-CSEA. The data shows a potential rise in demand for CSAM linked to displaced populations, such as in Ukraine, where a marked increase in the exploitation and abuse of at-risk children online has been observed. Furthermore, the findings from Iraq, which saw a sudden spike in CSAM possession during the conflict, suggest the need for heightened vigilance in such contexts, where internet accessibility and the digital footprint may evolve rapidly.
Caveats regarding the data sources are essential for interpreting these findings. The numbers presented rely on data from P2P networks, for which the number of IP addresses linked to CSAM may not accurately reflect the full scope of the issue. For example, an individual user possessing multiple files could be counted as a single IP address, which can distort the overall picture. Additionally, variations in internet connectivity, the availability of technology and the degree of law enforcement oversight in different regions significantly influence the presence and distribution of CSAM. The study’s focus on P2P CSAM data also means that the true volume of CSAM - both in terms of files shared and victims depicted - remains difficult to quantify and separate. The INHOPE and NCMEC data on hosting of CSAM, as well as reports of CSAM, help to unveil the potential volume of files. In bringing together all three of the available data sources, this study begins to explore how CSAM sharing migrates between technology facilitated spaces, both within countries and across the globe. These limitations underscore the need for further research and more comprehensive data sources to capture the full scale of TF-CSEA in humanitarian crises.
In conclusion, while the research has revealed key trends in the sharing of CSAM during periods of humanitarian crisis, it also highlights the complexities and challenges of monitoring this issue effectively. Ongoing data collection, improved reporting mechanisms and a coordinated international effort are crucial to mitigate the risks of TF-CSEA and to protect vulnerable children in these increasingly complex environments.
Recommendations
The following recommendations have been tailored to specific phases of crises (pre-crisis, during crisis response, and post-crisis).
Pre-crisis phase
Recommendation 1. Improve awareness and training for humanitarian actors. It is essential to conduct regular, targeted awareness programmes for humanitarian actors (NGOs, frontline responders, etc.) on the nature of TF-CSEA, the mechanisms for detecting it, and the importance of safeguarding children from online and offline exploitation and abuse.
Recommendation 2. Ensure that TF-CSEA is explicitly included in the child protection rapid assessments conducted in the immediate aftermath of a crisis, particularly in conflict zones, refugee camps, and areas with high displacement. This could help identify regions at high risk of exploitation.
Recommendation 3. Many affected communities may have weak legal frameworks for protecting children, particularly regarding online exploitation. It is important to collaborate with governments and local actors to strengthen laws and community-based child protection systems that prevent TF-CSEA.
During crisis response phase
Recommendation 4. Implement immediate child protection protocols in refugee camps. During emergency response, child protection measures need to address both immediate physical threats (such as trafficking and abduction) and digital risks (such as TF-CSEA). Ensure that child protection services in refugee camps and displacement settings are prepared to address both forms of abuse.
Recommendation 5. Increase data collection on TF-CSEA. As humanitarian crises disrupt traditional social and legal systems, tracking TF-CSEA becomes increasingly important. More comprehensive data collection mechanisms should be put in place to track incidents of online abuse and exploitation during crises.
Post-crisis phase
Recommendation 6. Strengthen digital literacy and resilience for children and communities. After the crisis, as children and families begin to rebuild, it is crucial to enhance their digital literacy and resilience to TF-CSEA. This includes providing information to children, parents, teachers and others about the risks of online platforms and the importance of online safety.
Recommendation 7. Monitor and evaluate TF-CSEA prevention efforts. Following the resolution of immediate humanitarian needs, long-term monitoring of the effectiveness of interventions to prevent TF-CSEA is essential. This ensures that policies and programmes are continuously adapted and improved based on real-world data and outcomes.
Overarching recommendation
This research is a nascent step in a wider study, also examining refugee crises and Covid-19. Further research is required to compare activities before, during and after the crises. Further research is also required into the number of victims portrayed in CSAM exchanged on P2P in relation to the number of IPs showing they are in possession of these files. This will provide a better understanding of the impact of one single user exchanging CSAM on this network and the scope of the harm this can cause
Limitations
As P2P networks require many users to possess and share the same files in order to facilitate quick and efficient transfer, those using the network are encouraged to make all their files publicly available. As such, while it is in the interest of the network for users to share that they are in possession of files, including CSAM, some users may choose not to share these files for fear of detection. Hence, the data may present an inaccurate representation of the number of users engaging in P2P networks for the purpose of the proliferation of CSAM.
As noted above, the numbers also do not represent a 1:1 ratio of IPs to users or IPs to the number of victims portrayed in the sexual abuse material. Further study is needed concerning the computer storage space required for each file, along with content based on analysis of the files, to get a sense of the amount of CSAM contained.
The findings are also limited by the available data, which meant that certain crises were not included, having begun before 2014 and, therefore, would not be fully represented in the ten-year period of available data. This was further complicated by limitations around the geolocation of the IPs, which had varying degrees of specificity with certain countries/regions, such as the Holy Land in particular, being grouped.
The crisis types were not experienced in isolation, with many of the countries experiencing more than one crisis type during the studied period. The countries were organised by the first listed crisis type, which may have influenced the findings. Many of the countries were likely to have been simultaneously impacted by increased globalisation and internet connectivity as well.
While data was collected prior to the onset of the crisis, at a midpoint and at the end, this is only within country data and does not include a control group. Evidence suggests that the trends presented here may mimic larger global trends (NCMEC data increasing year on year; P2P data decreasing), but this needs to be explored more in depth as certain country variations exist. We also know that TF-CSEA is a transnational phenomenon; CSAM may be produced on children in humanitarian crises, hosted in a second country and consumed by an offender in a third country. Thus, this data is very likely an underestimate of the true scale of the issue. More research is needed to better understand the demand-side of distribution and consumption of CSAM during humanitarian crises.
More information
Suggested citation: McFeeters, A., Page, S., Stevenson, J., & Fry, D. (2025). Hidden casualties of war: CSAM possession during humanitarian crises. In: Searchlight 2025 – Childlight's Flagship Report. Edinburgh: Childlight – Global Child Safety Institute.
Researchers: Dr Ashleigh McFeeters, Ms Sabrina Page (PhD Can.), Mr James Stevenson, Professor Deborah Fry
Study partners: Child Rescue Coalition
Registered study protocol: OSF | CSAM Content P2P Networks CRC
Ethics approval: University of Edinburgh, Childlight Research Ethics Sub-Committee (UTGNO-AMF-0050424CL)
Advisory committee members: Liz Wright (INTERPOL), Eleena Ahmed (UK Foreign, Commonwealth & Development Office), Elly Hanson (clinical psychologist), Rosalind Willi (SOS Children’s Villages), Nigel Jenkins (former board member Médecins Sans Frontières [MSF] Amsterdam, retired)
Funding acknowledgement: The research leading to these results has received funding from the Human Dignity Foundation under the core grant provided to Childlight – Global Child Safety Institute under the grant agreement number [INT21-01].