
The FBI has filed an affidavit detailing how it identified a US Navy man who was allegedly distributing child sex abuse material (CSAM) through Discord.
Navy Petty Officer 3rd Class Rumaldo Valdez, 22, was charged this month with possessing visual images of CSAM, transporting them across state lines, and possessing them at a military facility – in this case, the Naval Computer and Telecommunications Area Master Station Pacific in Hawaii.
According to court documents, the FBI began investigating in 2021 after being tipped off via the National Center for Missing and Exploited Children (NCMEC); it was reported that a user named “Duck” had uploaded suspected CSAM to Discord. Similar reports subsequently came in from Discord of someone using variants of the username, presumably to evade bans.
Agents later easily linked “Duck” to Valdez, we’re told: Discord provided details of the suspicious accounts to the Feds, which included things like a recovery phone number, a personal Gmail address, and IP addresses. According to the Feds, the email address and the IP addresses led to Google and an ISP providing a name – Rumaldo Valdez – as did the phone number because it was listed as Valdez’s contact number in the Navy. The ISP also confirmed the IP addresses were associated with a home address in Valdez’s Navy records, the FBI claims. That home address was his residence at his base in Hawaii.
Furthermore, in 2024, a “confidential human source,” or CHS, seeking a lighter sentence after pleading guilty to federal charges of child pornography and cyberstalking provided additional intelligence. The source claimed “Duck” was prominent on a Discord server dedicated to CSAM, and that he was editing pictures and videos and supplying them to others.
“According to the CHS, server members – including a member going by the moniker ‘Duck’ – would send victims links to malicious files that, if clicked on by the victims, would deploy malware on victims’ computers that the server members could then use to accomplish blackmail,” the affidavit added.
The source claimed “Duck” was based somewhere near Oceanside, California, and he was still in high school when he first started interacting with the group. However, the felon could not provide more accurate location data.
According to the confidential source, “Duck” at one point coerced a minor into performing a sex act on camera, then used the footage to blackmail her by threatening to share it with her family and friends. The same source claimed the minor later sent him a video in which she cut his screen name into her arm – a clip he allegedly shared on Discord.
“In my experience investigating the offending server and similar online groups, I know that participants in such groups often collect victim ‘fan signs’ (media) as trophies from their online extortions and championing their aliases,” reported FBI special agent Scott Wells in the affidavit.
Valdez joined the Navy in 2021 and was warned all computer activity on bases was monitored and recorded. When the FBI reviewed Valdez’s military network activity logs, they allegedly found over 10,000 Discord chat URLs being accessed, repeated logins to that Gmail account linked to the “Duck” persona, and numerous searches related to malware and hacking tools.
After obtaining a search warrant on May 31 last year, agents raided Valdez’s home at the Hawaii facility. There they apparently seized a desktop PC, two external hard drives, and an iPhone 14. Both drives were encrypted, though the decryption key was found on the computer in a file named “illegal chars.txt.”
Investigators said they found multiple files of CSAM on both drives, and chat logs suggesting Valdez was distributing such material via Discord.
The g-men also said they found Snap on Valdez’s iPhone and filed a search warrant with the chat app maker, so they could unlock and view the account. The biz agreed to preserve all data on the account, and after the search warrant was executed, but before Valdez’s arrest, it noticed seven attempts to log into the account from an Android phone. However, the account had two-factor authentication that was tied to the seized iPhone, and the logins were unsuccessful.
Valdez was formally charged on May 16 this year in Hawaii with three counts related to CSAM. The government has filed for him to be held without bail. No date has been set for his trial.