Over the past couple of years, cybersecurity company Group-IB has been devoting significant resources to revealing the inner workings of pirate sites.
In particular, the Singapore-based company has taken a keen interest in revealing the business models of illicit streaming platforms and the pirate Content Delivery Networks (CDN) fueling many of them.
Today the company delivers Jolly Roger’s Patrons, a new research study that aims to expose the financial networks of online pirates in developing countries.
TF was given early access to the publication which reveals that the videos embedded in many pirate streaming sites are provided by a fairly limited number of CDNs. In many cases, these are fueled by the gambling activities of those who use illicit and semi-legal online gambling platforms after being referred to them by pirate sites and content.
Background: First Major Blow Against Pirate CDNs
Last year, news broke that BREIN, the MPA and ACE had teamed up to take down Moonwalk, a pirate CDN system that allegedly provided back-end services to large numbers of pirate streaming sites.
BREIN described Moonwalk as a “video load balancer” which provided back-end services and also huge volumes of pirated content, including more than 26,000 movies and 10,000 TV shows, to around 80% of known Russian streaming sites.
Soon after, more CDNs also shut down but that still left around ten “pirate-powered” CDNs still supplying the market, including major players HDVB, VideoCDN, and Collaps.
The Basics of this Pirate Eco-System
According to Group-IB, advertising networks linked to bookmakers and casinos sponsor not only pirate CDNs, but also streaming websites and even some of the content they offer, such as cammed copies of major movies. With CDNs providing the content and the ads to go with it, streaming sites embed video players that deliver both to their users, generating revenue for all involved.
Group-IB’s identifies Collaps, HDVB, VideoCDN, Kodik, Videoframe, Bazon, Ustore, Alloha and Protonvideo as major ‘pirate’ CDNs. They reportedly deploy geographically distributed infrastructures and frequently change their domains and IP address pools to avoid detection.
Several Top Players Use the Services of a Single Russian Company
These CDN companies also need technical resources and according to the report, ZeroCDN, which belongs to the Russian company Mnogobyte, is one of the most popular services used for placing and distributing video content. After being founded in 2015 with an aim to store and transfer large volumes of media content, the service now provides services to major pirate CDNs.
“As at late 2019, the ZeroCDN project infrastructure was used by 38% to 60% of pirate websites,” Group-IB notes, adding that VideoCDN, Kodik, Videoframe and Protonvideo all use the provider.
Major Players Under the Microscope
Collaps is identified as one of the most popular ‘pirate’ CDNs. Group-IB believes it is operated from Ukraine by individuals who also operate a pair of pirate sites – Basinko and Hdrezka. The service currently uses a range of domains to deliver content via its video players.
Group-IB identified a Google Analytics code used by Collaps and discovered that it was in use by more than 50 pirate domains, hosted in countries including the United States, Netherlands, Switzerland, France, Germany, and Russia.
The report further identifies HDVB as the second most popular CDN, with Group-IB estimating that at the end of 2019, around 38% of the pirate streaming services in its report used its services. While the service is regularly blocked in Russia, it deploys technical means and even a publicly available script to create new domains. In common with Collaps, HDVB is linked to the services of many overseas hosting providers, notably in the United States and the Netherlands.
VideoCDN is reportedly the third most popular pirate CDN, with 33% of the pirate streaming platforms in the study using its services as of late 2019. Kodik is identified as useful for mainly cartoons and Asian films and TV series, with VideoFrame, Bazon and Ustore operating variously from US, Russian and Europe-based providers including FDCServers, Hetzner Online, OVH, and WorldStream.
Follow The Money
In previous reports on the activities of pirate CDNs, illegal and semi-legal online casinos and bookmakers were identified as their major financial backers. Not much has changed with the publication of this latest study.
“Although other monetization methods exist, online casino and bookmaker partner programs are still the main way to generate income in the piracy business,” reports Group-IB, adding that pirate websites act as advertising platforms designed to attract new customers.
“In most gambling partner programs, compensation is a percentage of the sum lost by online players. For the largest partners, other terms can be established according to the CPA (cost per action) model. In this case, compensation is paid for an agreed list of player actions and does not depend on the sum lost.”
The study found that there are three basic models to generate revenue – partner links, promo codes, and banners. Partner links and banners are mostly deployed on streaming websites while broadcasts and videos themselves can contain promo codes and ads.
Banners and links have unique codes that identify which platform customers have been referred by, with promo codes embedded in videos serving a similar purpose. These codes give new customers to gambling platforms an incentive to sign up by offering a bonus, which is later subtracted from sums paid out to the platform for attracting the customer.
“The main advertisers in sports streaming are 1xBet, Melbet, Parimatch, Linebet, orca88, Bwin, and others,” Group-IB says.
“A streaming service’s average revenue is between 20% and 40% of the sum lost by the players it attracted. As compensation is dependent on how lucky the online players are, it is impossible to forecast the revenue for each project. Moreover, passive income from previously attracted players grows over time.”
Detailing the Melbet program, Group-IB says it’s possible for partners who attract 70-80 players every day to generate revenues of around $21,000 per month. However, it’s not all sunshine and roses for the platform’s affiliates.
The company says that while some partners make good money, online casinos sometimes delay or cancel payouts, as well as underreport the amounts lost by players. Furthermore, when players make a profit from the gambling platform, these losses are reflected in the affiliate accounts of pirate site operators, sometimes causing them to fall below zero, resulting in negative feedback as shown below.
The Activities of Gambling Platform 1xBET
1xBET is a gambling brand that’s well-known among pirates as its marketing is visible in hundreds of pirate ‘cammed’ movies. In 2016 its main domain was blocked by Russian authorities yet in early 2019, 1xBET was the third most prolific online advertiser in the country.
According to the report, 1xBET countered Russian blocking by deploying more than 800 mirror sites and expanding development beyond the post-Soviet region to areas such as Latin America (mainly Brazil), India and Thailand.
In tandem, Group-IB says that the gambling company also increased its work with so-called ‘voiceover studios’ to release pirate movies onto the web with integrated 1xBET ads. By 2019, 17 voiceover studios were reportedly working with 1xBET.
“Collaboration with voiceover studios was based on the following pattern: a voiceover studio would inform a 1xBet advertising manager about a possibility to produce content and 1xBet would pay for it. This meant that 1xBet did not participate in content production (did not order any specific content) but sponsored it. Its collaboration with camrip groups was similar,” Group-IB reveals.
“Voiceover studios and their representatives searched for digital copies of content released abroad. The more relevant the content, the more 1xBet paid for it. [T]he average cost of produсing one camrip amounted to between $400 and $1,000, depending on the copy’s quality and the content’s popularity.
“As for integrating ads into the pre-rolls of pirate CDNs, collaboration has been ongoing since 2016. As such, 1xBet ads have been placed on more than 80% of all pirate resources in post-Soviet countries. The total number of content items voiced over with 1xBet’s support in post-Soviet countries amounts to over 900 (movies and TV series).”
1xBET, Cammed Movies, and the ‘Koshara’ Team
The report reveals that in early 2019, a Russian release group known as ‘Koshara’ began working as an intermediary between 1xBET and voiceover studios.
Around the same time, Koshara began releasing cammed copies with hardcoded 1xBET ads in place. Koshara reportedly makes this content available by uploading it to eight major torrent sites and two ‘pirate’ CDNs. Since the partnership began, 100 cammed movies have been released, an average of three per week.
In 2018, 1xBET reportedly began targeting overseas markets too, with 500 releases covering 270 titles. 100% of these releases were made available in English, 14% Spanish and 5% in other languages including Tamil, Portuguese, Thai, Hindi, and others.
Group-IB Hopes its Report Will Deliver a Blow to Online Piracy
In common with many modern anti-piracy initiatives, Group-IB says it used the ‘follow-the-money’ approach to identify those generating revenue from piracy. It says that after identifying illegal casinos and bookmakers as the main beneficiaries and drivers of illicit video streaming services, it hopes the authorities will take action.
“The purpose of this report is to deliver a devastating blow to cybercrime: to expose the entire structure of online piracy, to uncover the key organizations that sponsor this activity and those behind them,” the company says.
“Group-IB’s report contains confidential data, including information on individuals believed to be behind some of the key piracy industry players. Copies of this report have been provided to the Russian Prosecutor General’s office, Russian and international law enforcement agencies.”
The full report, titled Jolly Roger’s Patrons, is available here
Many thanks to TorrentFreak for the breaking news.