Group-IB, a global threat hunting and intelligence company headquartered in Singapore, today presented its report «Jolly Roger’s patrons. Group-IB exposes financial crime network of online pirates in developing countries». The document uncovers major players and driving forces of a criminal digital piracy syndicate which has been flourishing in the post-Soviet space, its safe harbor, for years and now has extended its tentacles as far as to Latin America and Asia. The report shows how digital piracy from a local problem is turning into a global headache perfectly navigating international political agenda, e.g. using geopolitical tensions between Russia and Ukraine, and playing footsie with legal stakeholders like banks, international payment systems and hosting providers, which turn a blind eye to their involvement in the wrongdoing.
The purpose of this report is to deliver a devastating blow to cybercrime by uncovering key organizations sponsoring pirates and exposing the entire criminal structure of online piracy. In view of this, the expanded version of this report has been provided to international law enforcement agencies.
The rougher the seas, the smoother we sail
The report of Group-IB Anti-Piracy unit reveals that, despite the fact that the Russian-speaking piracy conglomerate has been developing against the background of actively enforced anti-piracy legislation and pressure from copyright holders, it managed to grow into a wide criminal network of multiple collaborators and expand globally.
To ensure the prompt and stable supply of content, online pirates rely on content delivery networks (CDNs) — an optimized technology for the distributed delivery of videos, TV series, and sports streams. Aggregating pirated video content, CDNs supply up to 80 percent of illegal video streaming services in Russia and post-Soviet states with content. The shutdown of two major CDNs — Moonwalk and HDGO— in 2019, and the subsequent drop of the Russian piracy market from $87 million to $63.5 million was not meant to last for long. Today, Group-IB observes the emergence of the second wave of CDNs that went beyond their predecessors, duplicating content delivery channels, using geographically distributed infrastructures, frequently changing technical domains and IP pools. They considerably facilitate the recovery of online piracy market, which has almost regained its former strength and is likely to reach a new peak by the end of this year.
This resource-consuming industry could hardly exist without decent funding flows, which, as Group-IB established, comes from illegal bookmakers, online casinos and alcohol suppliers, covering the costs of СamRip groups, translation studios as well as IT infrastructure for pirated content.
To keep on track, the online piracy market is vigorously exploiting geopolitical tensions between Russia and Ukraine. For instance, major pirate CDNs and online casinos, whose owners reside in Ukraine, resort to the services of Russia-based hosting services and banks, using tensions and weak links between the two states to avoid criminal proceedings. Thus, the individuals behind one of the most popular CDNs, Collaps, which provides content to 45% of pirate streaming services primarily watched by the Russians, are reportedly based in Ukraine.
Braving the new world
The main income earners and drivers of illicit video streaming and pirated sports video streaming services are bookmakers and online casinos, with partner programs between pirate resources and these two industries accounting for the largest share in pirates’ incomes. Pirate websites serve as massive online ad platforms for the gambling business and help them attract new customers in a strictly regulated market that bans ads from such businesses.
Under the majority of partner programs, pirate websites receive a fixed percentage of the money spent by the individuals whom they brought into the game. On average, streamers get between 20-40 percent of the gambling losses of the attracted players. The owners of pirate websites who take part in such partner programs for a long time can reach revenues of up to $21,000 per month. 1xBet, Melbet, Parimatch, Linebet, Orca88, Bwin and many other online bookmakers are among major fans of partner programs. While among online casinos they are mostly employed by two companies, Lucky Partners and Welcome Partners, which are the main participants involved in the underground online casino partner programs market.
Having developed this successful operating model, the online piracy squadron sailed toward new countries, with 1xBet acting as its flagship. After the access to the main domain 1xBet.com was restricted in Russia, 1xBet, one of the main sponsors of illegal video content in post-Soviet countries, shifted focus to other markets with similar characteristics: developing countries, non-English speaking regions, populations with the lack of financial literacy, and countries where sports streaming is highly popular. These were Latin America (primarily Brazil), India, and Thailand.
1xBet employs a unique ad system with pirate traffic at its core. In exchange for camrip and voiceover groups sponsorship, 1xBet had its ads hardcoded into pirated copies made by them. Since 2015, 1xBet has sponsored content for 80% of major voiceover studios. According to the analysis of 1xBet activities, the average cost of voiceover services for one episode in the post-Soviet region amounted to about $55, while the average cost of producing one camrip amounted to between $400 and $1,000. Since 2018, when 1xBet started its international expansion with the help of pirates, it sponsored the production of more than 500 camrips, all of which were in English, 14% — in Spanish, 5% — in Tamil, Portuguese, Thai, Hindi, and others.
This multi-stakeholder industry also feeds on defiance of legitimate structures — international payment systems that process the transactions of online casinos and hosting service providers that support online infrastructure of pirate websites and CDNs.
Despite the fact that international payment systems require that almost all online casinos be registered with a special transaction code, MCC 7995, none of the banks, working with the gambling industry in the post-Soviet countries, assign this code for these activities, which, in turn, remains overlooked by the world’s major payment systems. This is relevant mainly for Russia, while there are almost no international precedents of online casinos or bookmakers violating MCC 7995 due to strict legal control.
Hosting service providers, for their part, are being formalistic in handling copyright holders’ complaints, since the majority of pirate websites and CDNs use unique links for each new user, which, therefore, cannot serve as a proof of hosting services’ involvement in any wrongdoing. Thus, hosting services have all formal grounds to distance themselves from solving the matter, continuing to make money by providing a platform for pirate businesses. A notable example of such stance is the company called ZeroCDN, which belongs to the Russian company Mnogobyte, whose infrastructure was used by up to 60 percent of pirate websites as of late 2019. Yet another instance is Russian firm DDOS-GUARD, which not only provides pirate websites with its computing capacities, but also conceals the actual hosting service and obstructs the identification of website owners.
CEO and founder at Group-IB
Because of how popular pirate websites are, they serve as platforms for distributing malware and stealing users’ money and personal data. During the pandemic, Group-IB analyzed over 3,100 pirated websites for viruses, vulnerabilities, and inclusion in blacklists compiled by antivirus providers and search engines. The analysis revealed that up to 23% of pirate resources posed risks to users. In March, the number of total visits to dangerous resources amounted to 76.8 million. High demand pushes the shadow piracy business to new levels despite all the hurdles.
Group-IB calls on media industry, national state watchdogs and international organizations in the field of intellectual property to join their hands in fighting the evil of piracy, delivering a blow to the illegal business that has been flourishing for years.