Group-IB: What makes Jolly Roger sad. The state of video piracy in Russia

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has estimated the revenue of the video piracy market in Russia in 2020 at $59 million. The market decline has slowed down, however, with 7% drop in 2020 compared to 27% in 2019. Online pirates were not quite successful in fully restoring the video content database after the elimination of the CDN big three. After Moonwalk, HDGO, and Kodik were shut down, the geographical scope of pirate CDNshas been quite limited, with three locations: the Netherlands, Lithuania, and Russia (Mnogobyte/ZeroCDN). Furthermore, they have lost the advertising profits and found themselves in a competition for viewers with legal online streaming platforms which were able to increase their audience during the pandemic. Despite the circumstances, digital pirates found a workaround for the anti-piracy memorandum.

In the pandemic-hit 2020, the number of people using legal video streaming services in Russia increased by 17% and rose to 63 million viewers compared to the previous year. According to TMT Consulting, the revenue of the legal streaming services market in Russia increased by 66% and reached $365.7 million.

The number of searches in popular search engines in Russian for free trending movies and TV shows on illegal websites has also grown. The figures show a 12% increase compared to 2019, amounting to 11.8 billion search queries (compared to 10.5 billion in 2019). The number of searches for illegal content rose to a record-high 1.4 billion intentions in April 2020. At times, servers streaming illegal content failed to deal with such a high influx of viewers.
Nevertheless, despite a growing interest in illegal video content, the pirate video content market continued to shrink last year, losing 7% in revenue: it fell from $63.5 million in 2019 to $59 million in 2020. The market decline has slowed down, however, with 7% drop in 2020 compared to 27% in 2019.

In summer 2020, Group-IB released a report called “Jolly Rogers patrons”, which revealed that online casinos and betting websites benefit the most from the Internet piracy market. They sponsor the illegal streaming of movie premieres and TV shows, translation into several languages by voiceover studios, and release of the pirated content. Illegal streaming platforms are used for advertising banners, promotional codes, and links to attract new gamblers. The advertisers started losing interest after law enforcement, financial institutions and regulators increased their focus on shadow money traffic. The average CPM (Cost-Per-Mile) numbers saw a 16% decrease to $5 compared to $6 in 2019.

By mid-2020, the Big Three CDNs Moonwalk, HDGO, and Kodik, taken down in 2019, were replaced by eight new second-wave CDNs: Collapse, HDVB, VideoCDN, Videoframe, Bazon, Ustore, Alloha, and Protonvideo. However even at this point the the content database coverage of these 8 biggest CDNs includes just 50% of the Big Three’s vollume which supplied 90% of the largest illegal platfroms in Russia & CIS with 75,000 films and TV shows. The geographical scope of pirate CDNs has been quite limited, with three locations now: the Netherlands, Lithuania, and Russia (Mnogobyte/ZeroCDN).

The next technological innovation adopted by pirates in 2020 was integrating CDNs with fully automated streaming services. The first mass prototype was the Cinemapress script and about 400 pirate streaming services were based on it. In April 2020 Cinemapress was replaced by Yobobox with its 250 domains discovered so far, which unlike its predecessor is entirely free and integrated with Collapse, one of the largest CDNs.

Yandex search engine remains the main viewer source for illegal streaming services which accumulates up to 90% of traffic, even though this number decreased by 5% over the year as per November 2020 measurements. The remaining 10% are brought by other search platforms (including Google with its %2) as well as social networks, messengers, and direct website visits. Furthermore, Yandex bot’s faster indexing of the new links alongside automation methods used by video pirates may neglect the effect of link elimination from the search results unless any tools for high-frequency monitoring are applied.

Experts’ biggest worries are tied to the fact that in 2020 Russian-speaking video pirates learned to quickly detected the links eliminated by the anti-piracy memorandum, to generate duplicates in real time (using alternative URLs), and use mutating links (scripts for automatic changing of paths in links) resulting in a decreased effectiveness of countermeasures. It’s worth noting that the 2018 anti-piracy memorandum obliged its members to delete any links in their search queries tied to illegal content. Up until recently the memorandum served as an effective tool to counter the online piracy.

In 2020 both legal and illegal streaming platforms significantly increased their audience but failed to get the maximum benefit out of it. We witnessed pirates recover from the three largest CDNs being shut down. Pirates are restoring their technical capacity and increasing opposition to copyright owners. Some digital pirates use mutating links, domain changes, and decentralized CDNs to bypass the anti-piracy memorandum, thereby undermining attempts of manual regulation and anti-piracy techniques that were relevant several years ago.

Dmitriy Tiunkin
Dmitriy Tiunkin

Head of Digital Risk Protection Europe at Group-IB

Group-IB experts have no doubt that a traditional monitoring and blocking approach is no longer enough. Adversary infrastructure must be identified and blocked using an automated system in order to find and eliminate digital risks. Successful takedown activities also require a knowledge database updated daily with information about the infrastructure, tactics, techniques, and new schemes used by video pirates.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat IntelligenceManaged XDRDigital Risk ProtectionFraud ProtectionAttack Surface ManagementBusiness Email ProtectionAudit & ConsultingEducation & TrainingDigital Forensics & Incident ResponseManaged Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.