Report exposes digital piracy players
July 28, 2020
By Colin Mann
A report from global threat hunting and intelligence company Group-IB has uncovered the major players and driving forces of a criminal digital piracy syndicate which has been flourishing in the post-Soviet space, its safe harbour, for years, and which now has extended its influence as far as Latin America and Asia.
The report, Jolly Roger’s patrons. Group-IB exposes financial crime network of online pirates in developing countries, shows how digital piracy from a local problem is turning into a global headache perfectly navigating international political agenda, e.g., using geopolitical tensions between Russia and Ukraine, and playing footsie with legal stakeholders such as banks, international payment systems and hosting providers, which turn a blind eye to their involvement in the wrongdoing.
The aim of the report is to deliver a devastating blow to cybercrime by uncovering key organisations sponsoring pirates and exposing the entire criminal structure of online piracy. In view of this, the expanded version of this report has been provided to international law enforcement agencies.
The report reveals that, despite the fact that the Russian-speaking piracy conglomerate has been developing against the background of actively enforced anti-piracy legislation and pressure from copyright holders, it managed to grow into a wide criminal network of multiple collaborators and expand globally.
To ensure the prompt and stable supply of content, online pirates rely on content delivery networks (CDNs). Aggregating pirated video content, CDNs supply up to 80 per cent of illegal video streaming services in Russia and post-Soviet states with content. The shutdown of two major CDNs — Moonwalk and HDGO— in 2019, and the subsequent drop of the Russian piracy market from $87 million to $63.5 million was not meant to last for long.
Group-IB now observes the emergence of the second wave of CDNs that go beyond their predecessors, duplicating content delivery channels, using geographically-distributed infrastructures, frequently changing technical domains and IP pools. They facilitate the recovery of online piracy market considerably, which has almost regained its former strength and is likely to reach a new peak by the end of 2020.
This resource-consuming industry could hardly exist without decent funding flows, which, as Group-IB established, comes from illegal bookmakers, online casinos and alcohol suppliers, covering the costs of СamRip groups, translation studios as well as IT infrastructure for pirated content.
To keep on track, the online piracy market is vigorously exploiting geopolitical tensions between Russia and Ukraine. For instance, major pirate CDNs and online casinos, whose owners reside in Ukraine, resort to the services of Russia-based hosting services and banks, using tensions and weak links between the two states to avoid criminal proceedings. Thus, the individuals behind one of the most popular CDNs, Collaps, which provides content to 45 per cent of pirate streaming services primarily watched by the Russians, are reportedly based in Ukraine.
The main income earners and drivers of illicit video streaming and pirated sports video streaming services are bookmakers and online casinos, with partner programmes between pirate resources, with these two industries accounting for the largest share in pirates’ incomes. Pirate websites serve as massive online ad platforms for the gambling business and help them attract new customers in a strictly regulated market that bans ads from such businesses.
Under the majority of partner programmes, pirate websites receive a fixed percentage of the money spent by the individuals whom they brought into the game. On average, streamers get between 20 per cent to 40 per cent of the gambling losses of attracted players. The owners of pirate websites who take part in such partner programmes over a long period can reach revenues of up to $21,000 per month.
1xBet, Melbet, Parimatch, Linebet, Orca88, Bwin and many other online bookmakers are among major fans of partner programmes. While among online casinos they are mostly employed by two companies, Lucky Partners and Welcome Partners, which are the main participants involved in the underground online casino partner programmes market.
“Having developed this successful operating model, the online piracy squadron sailed toward new countries, with 1xBet acting as its flagship,” says Group-IB. After the access to the main domain 1xBet.com was restricted in Russia, 1xBet, one of the main sponsors of illegal video content in post-Soviet countries, shifted focus to other markets with similar characteristics: developing countries, non-English speaking regions, populations with the lack of financial literacy, and countries where sports streaming is highly popular. These were Latin America (primarily Brazil), India, and Thailand.
1xBet employs a unique ad system with pirate traffic at its core. In exchange for camrip and voiceover groups sponsorship, 1xBet had its ads hardcoded into pirated copies made by them. Since 2015, 1xBet has sponsored content for 80 per cent of major voiceover studios. According to the analysis of 1xBet activities, the average cost of voiceover services for one episode in the post-Soviet region amounted to about $55, while the average cost of producing one camrip amounted to between $400 and $1,000. Since 2018, when 1xBet started its international expansion with the help of pirates, it sponsored the production of more than 500 camrips, all of which were in English, 14 per cent — in Spanish, 5 per cent — in Tamil, Portuguese, Thai, Hindi, and others.
This multi-stakeholder industry also feeds on defiance of legitimate structures — international payment systems that process the transactions of online casinos and hosting service providers that support online infrastructure of pirate websites and CDNs.
Despite the fact that international payment systems require that almost all online casinos be registered with a special transaction code, MCC 7995, none of the banks, working with the gambling industry in the post-Soviet countries, assign this code for these activities, which, in turn, remains overlooked by the world’s major payment systems. This is relevant mainly for Russia, while there are almost no international precedents of online casinos or bookmakers violating MCC 7995 due to strict legal control.
Hosting service providers, for their part, are being formalistic in handling copyright holders’ complaints, since the majority of pirate websites and CDNs use unique links for each new user, which, therefore, cannot serve as a proof of hosting services’ involvement in any wrongdoing. Thus, hosting services have all formal grounds to distance themselves from solving the matter, continuing to make money by providing a platform for pirate businesses.
A notable example of such stance is the company called ZeroCDN, which belongs to the Russian company Mnogobyte, whose infrastructure was used by up to 60 percent of pirate websites as of late 2019. Yet another instance is Russian firm DDOS-GUARD, which not only provides pirate websites with its computing capacities, but also conceals the actual hosting service and obstructs the identification of website owners.
“The problem of online piracy as many see it today — the violation of copyright and illegal enrichment — is actually only tip of the iceberg,” suggests Ilya Sachkov CEO and founder at Group-IB. “By making public this report, Group-IB aims to deliver a crushing blow to this criminal industry, exposing its entire structure, which is far greater than one could think, and driving forces as well as the duplicity of legitimate companies that provide pirates with technological capacities for their wrongdoing neglecting complaints of copyright holders. Revealing all the stakeholders of this ‘business’ should make the fight against digital piracy a joint endeavour of countries around the world and cut off pirates’ retreat.
Because of how popular pirate websites are, they serve as platforms for distributing malware and stealing users’ money and personal data. During the pandemic, Group-IB analysed over 3,100 pirated websites for viruses, vulnerabilities, and inclusion in blacklists compiled by antivirus providers and search engines. The analysis revealed that up to 23 per cent of pirate resources posed risks to users. In March, the number of total visits to dangerous resources amounted to 76.8 million. High demand pushes the shadow piracy business to new levels despite all the hurdles.
Group-IB calls on media industry, national state watchdogs and international organisations in the field of intellectual property to join together in fighting the evil of piracy, delivering a blow to the illegal business that has been flourishing for years.