Russia: Pandemic drives legal service usage
April 1, 2021
By Colin Mann
Findings from Group-IB, a global threat hunting and adversary-centric cyber intelligence company, estimate the revenue of the video piracy market in Russia in 2020 at $59 million. The market decline has slowed down, however, with 7 per cent drop in 2020 compared to 27 per cent in 2019.
Online pirates were not quite successful in fully restoring the video content database after the elimination of the CDN big three. After Moonwalk, HDGO, and Kodik were shut down, the geographical scope of pirate CDNs has been quite limited, with three locations: the Netherlands, Lithuania, and Russia (Mnogobyte/ZeroCDN).
Furthermore, they have lost the advertising profits and found themselves in a competition for viewers with legal online streaming platforms which were able to increase their audience during the pandemic. Despite the circumstances, digital pirates found a workaround for the anti-piracy memorandum.
According to a Group-IB report, What makes Jolly Roger sad. The state of video piracy in Russia, in the pandemic-hit 2020, the number of people using legal video streaming services increased by 17 per cent and rose to 63 million viewers compared to the previous year. According to TMT Consulting, the revenue of the legal streaming services market in Russia increased by 66 per cent and reached $365.7 million.
The number of searches in popular search engines in Russian for free trending movies and TV shows on illegal websites has also grown. The figures show a 12 per cent increase compared to 2019, amounting to 11.8 billion search queries (compared to 10.5 billion in 2019). The number of searches for illegal content rose to a record-high 1.4 billion intentions in April 2020. At times, servers streaming illegal content failed to deal with such a high influx of viewers.
Nevertheless, despite a growing interest in illegal video content, the pirate video content market continued to shrink last year, losing 7 per cent in revenue: it fell from $63.5 million in 2019 to $59 million in 2020. The market decline has slowed down, however, with 7 per cent drop in 2020 compared to 27 per cent in 2019.
In summer 2020, Group-IB released a report, Jolly Rogers patrons, which revealed that online casinos and betting websites benefit the most from the Internet piracy market. They sponsor the illegal streaming of movie premieres and TV shows, translation into several languages by voiceover studios, and release of the pirated content. Illegal streaming platforms are used for advertising banners, promotional codes, and links to attract new gamblers. The advertisers started losing interest after law enforcement, financial institutions and regulators increased their focus on shadow money traffic. The average CPM (Cost-Per-Mile) numbers saw a 16 per cent decrease to $5 compared to $6 in 2019.
By mid-2020, the Big Three CDNs Moonwalk, HDGO, and Kodik, taken down in 2019, were replaced by eight new second-wave CDNs: Collapse, HDVB, VideoCDN, Videoframe, Bazon, Ustore, Alloha, and Protonvideo. However even at this point the the content database coverage of these eight biggest CDNs includes just 50 per cent of the Big Three’s volume which supplied 90 per cent of the largest illegal platforms in Russia & CIS with 75,000 films and TV shows. The geographical scope of pirate CDNs has been quite limited, with three locations now: the Netherlands, Lithuania, and Russia (Mnogobyte/ZeroCDN).
The next technological innovation adopted by pirates in 2020 was integrating CDNs with fully automated streaming services. The first mass prototype was the Cinemapress script and about 400 pirate streaming services were based on it. In April 2020 Cinemapress was replaced by Yobobox with its 250 domains discovered so far, which — unlike its predecessor — is entirely free and integrated with Collapse, one of the largest CDNs.
Yandex search engine remains the main viewer source for illegal streaming services which accumulates up to 90 per cent of traffic, even though this number decreased by 5 per cent over the year as per November 2020 measurements. The remaining 10 per cent are brought by other search platforms (including Google with its per cent2) as well as social networks, messengers, and direct website visits. Furthermore, Yandex bot’s faster indexing of the new links alongside automation methods used by video pirates may neglect the effect of link elimination from the search results unless any tools for high-frequency monitoring are applied.
Experts’ biggest worries are tied to the fact that in 2020 Russian-speaking video pirates learned to quickly detected the links eliminated by the anti-piracy memorandum, to generate duplicates in real time (using alternative URLs), and use mutating links (scripts for automatic changing of paths in links) resulting in a decreased effectiveness of countermeasures. It’s worth noting that the 2018 anti-piracy memorandum obliged its members to delete any links in their search queries tied to illegal content. Up until recently the memorandum served as an effective tool to counter the online piracy.
“In 2020 both legal and illegal streaming platforms significantly increased their audience but failed to get the maximum benefit out of it,” notes Dmitriy Tiunkin, Head of Digital Risk Protection Europe at Group-IB. “We witnessed pirates recover from the three largest CDNs being shut down. Pirates are restoring their technical capacity and increasing opposition to copyright owners. Some digital pirates use mutating links, domain changes, and decentralised CDNs to bypass the anti-piracy memorandum, thereby undermining attempts of manual regulation and anti-piracy techniques that were relevant several years ago.”
Group-IB experts have no doubt that a traditional monitoring and blocking approach is no longer enough. Adversary infrastructure must be identified and blocked using an automated system in order to find and eliminate digital risks. Successful takedown activities also require a knowledge database updated daily with information about the infrastructure, tactics, techniques, and new schemes used by video pirates.