Which agencies conduct CSAM honeypot operations?

1. Honeypots: a common tool across researchers, vendors and some public bodies

Technical primers and industry guides make clear honeypots are a mainstream tool used to attract and study malicious actors: definitions and use cases appear in TechTarget and SentinelOne explainers and in surveys of honeypot platforms and best practices ^{[2] [6] [7]}. Security vendors and academic researchers publish honeypot logs and analysis—SANS Internet Storm Center, for example, featured CSAM‑honeypot logs as part of routine threat monitoring ^[1]. Those materials show honeypots are used broadly but do not provide a comprehensive roster of which specific government agencies operate CSAM honeypots ^{[2] [1]}.

2. Private sector and open‑source projects run many honeypots

Market and product coverage lists commercial and open‑source honeypot solutions and vendors who provide deception platforms and managed services—SecurityHive, NeroSwarm, and similar product writeups appear in the results—indicating that much CSAM‑related baiting and monitoring can be and is performed by private firms and research groups ^{[7] [8]}. These sources describe the technology and capabilities of vendor platforms but do not claim these vendors are acting on behalf of specific law enforcement agencies in the current reporting ^{[7] [8]}.

3. Law enforcement and policy debates: honeypots as an alternative to mass scanning

Policy discussion around EU "chat control" explicitly cites honeypots as a targeted method to catch perpetrators of child sexual abuse material without monitoring everyone’s communications; the commentary argues honeypots and other methods are preferable to client‑side mass scanning ^[4]. Legal scholarship likewise treats law enforcement cyber sting operations (including honeypot‑style stings) as contested, raising entrapment and cross‑border cooperation issues—showing authorities do deploy sting tactics but also that their use raises rights and legal‑procedure questions ^[5].

4. Examples in reporting are fragmentary rather than comprehensive

Published logs and case posts (SANS Internet Storm Center’s CSAM web honeypot logs) demonstrate concrete instances where researchers operated decoys that captured CSAM‑related probing or abuse‑seeking activity ^[1]. However, the available materials do not assemble an authoritative list of national police units, prosecutors’ offices, or international agencies that run CSAM honeypots; rather, they show the technique’s presence across the cybersecurity ecosystem ^{[1] [2]}.

5. Legal and operational risks that agencies and researchers face

Academic and practitioner literature emphasize design, isolation and legal constraints when deploying honeypots—operators must avoid creating new crimes, prevent lateral movement into production networks, and be mindful of entrapment and international legal issues; the Chicago Journal of International Law piece highlights the entrapment debate in law enforcement cyber stings ^{[5] [9]}. This context suggests agencies considering honeypots must balance investigative value against procedural and ethical constraints ^{[5] [9]}.

6. What the provided sources do not say (important omissions)

Available sources do not provide a clear, sourced list naming which specific national law‑enforcement agencies run active CSAM honeypot operations; the cited materials instead describe honeypot technology, commercial offerings, honeypot logs from research teams, and policy arguments favoring honeypots over mass surveillance ^{[7] [1] [4]}. If you need a roster of specific agencies (e.g., police units or prosecutor offices) that operate CSAM honeypots, that information is not found in the current reporting and would require targeted freedom‑of‑information requests or direct confirmations from agencies.

7. How to verify who runs CSAM honeypots (practical next steps)

To build a defensible list, consult: (a) public disclosures or research reports from national cybercrime units and child‑sex‑offence task forces; (b) peer‑reviewed papers and vendor white papers that name sponsoring organizations; and (c) freedom‑of‑information requests to specific agencies. The present sources show researchers sometimes publish honeypot logs (SANS) and policy advocates point to honeypots as alternatives ^{[1] [4]}, but they do not replace direct documentation from the agencies themselves.

Bottom line: honeypots are a standard tool used across private, academic and sometimes public sectors to detect CSAM‑related activity, and policy writers explicitly recommend them over mass scanning; however, the records provided here do not enumerate which specific government agencies operate CSAM honeypot programs ^{[1] [4] [2]}.