28 July 2020

Pirate Ship Sailing to Developing World: Group-IB Uncovers Real Captains of Online Piracy Crew

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, today presented its report «Jolly Roger’s patrons. Group-IB exposes financial crime network of online pirates in developing countries». The document uncovers the major players and driving forces of a criminal digital piracy syndicate that has flourished for years in the post-Soviet space, its safe harbor, and has now extended its tentacles as far as Latin America and Asia. The report shows how digital piracy is turning from a local problem into a global headache, perfectly navigating the international political agenda, e.g. by using geopolitical tensions between Russia and Ukraine, and playing footsie with legal stakeholders such as banks, international payment systems and hosting providers, which turn a blind eye to their involvement in the wrongdoing.

The purpose of this report is to deliver a devastating blow to cybercrime by uncovering key organizations sponsoring pirates and exposing the entire criminal structure of online piracy. In view of this, the expanded version of this report has been provided to international law enforcement agencies.


The rougher the seas, the smoother we sail

The report by Group-IB’s Anti-Piracy unit reveals that, although the Russian-speaking piracy conglomerate has developed against a background of actively enforced anti-piracy legislation and pressure from copyright holders, it has managed to grow into a wide criminal network of multiple collaborators and to expand globally.

To ensure the prompt and stable supply of content, online pirates rely on content delivery networks (CDNs), an optimized technology for the distributed delivery of videos, TV series, and sports streams. Aggregating pirated video content, CDNs supply up to 80 percent of illegal video streaming services in Russia and post-Soviet states with content. The drop of the Russian piracy market from $87 million to $63.5 million that followed the shutdown of two major CDNs, Moonwalk and HDGO, in 2019 was not meant to last for long. Today, Group-IB observes the emergence of a second wave of CDNs that have gone beyond their predecessors by duplicating content delivery channels, using geographically distributed infrastructures, and frequently changing technical domains and IP pools. They considerably facilitate the recovery of the online piracy market, which has almost regained its former strength and is likely to reach a new peak by the end of this year.

This resource-consuming industry could hardly exist without decent funding flows, which, as Group-IB established, come from illegal bookmakers, online casinos and alcohol suppliers, covering the costs of CamRip groups and translation studios as well as the IT infrastructure for pirated content.

To keep on track, the online piracy market is vigorously exploiting geopolitical tensions between Russia and Ukraine. For instance, major pirate CDNs and online casinos whose owners reside in Ukraine resort to the services of Russia-based hosting providers and banks, using the tensions and weak links between the two states to avoid criminal proceedings. Thus, the individuals behind one of the most popular CDNs, Collaps, which provides content to 45% of pirate streaming services primarily watched by Russians, are reportedly based in Ukraine.


Braving the new world

The main income earners and drivers of illicit video streaming and pirated sports video streaming services are bookmakers and online casinos, with partner programs between pirate resources and these two industries accounting for the largest share in pirates’ incomes. Pirate websites serve as massive online ad platforms for the gambling business and help them attract new customers in a strictly regulated market that bans ads from such businesses.

Under the majority of partner programs, pirate websites receive a fixed percentage of the money spent by the individuals whom they brought into the game. On average, streamers get between 20 and 40 percent of the gambling losses of the attracted players. The owners of pirate websites who take part in such partner programs for a long time can reach revenues of up to $21,000 per month. 1xBet, Melbet, Parimatch, Linebet, Orca88, Bwin and many other online bookmakers are among the major fans of partner programs. Among online casinos, partner programs are mostly employed by two companies, Lucky Partners and Welcome Partners, which are the main participants in the underground online casino partner programs market.

Having developed this successful operating model, the online piracy squadron sailed toward new countries, with 1xBet acting as its flagship. After access to the main domain 1xBet.com was restricted in Russia, 1xBet, one of the main sponsors of illegal video content in post-Soviet countries, shifted its focus to other markets with similar characteristics: developing countries, non-English speaking regions, populations lacking financial literacy, and countries where sports streaming is highly popular. These were Latin America (primarily Brazil), India, and Thailand.

1xBet employs a unique ad system with pirate traffic at its core. In exchange for sponsoring camrip and voiceover groups, 1xBet had its ads hardcoded into the pirated copies they made. Since 2015, 1xBet has sponsored content for 80% of major voiceover studios. According to the analysis of 1xBet activities, the average cost of voiceover services for one episode in the post-Soviet region amounted to about $55, while the average cost of producing one camrip amounted to between $400 and $1,000. Since 2018, when 1xBet started its international expansion with the help of pirates, it has sponsored the production of more than 500 camrips, all of which were in English, 14% in Spanish, and 5% in Tamil, Portuguese, Thai, Hindi, and others.


Shadow economy

This multi-stakeholder industry also feeds on defiance of legitimate structures — international payment systems that process the transactions of online casinos and hosting service providers that support online infrastructure of pirate websites and CDNs.

Although international payment systems require that almost all online casinos be registered with a special transaction code, MCC 7995, none of the banks working with the gambling industry in the post-Soviet countries assign this code for these activities, which, in turn, remains overlooked by the world’s major payment systems. This is relevant mainly for Russia, while there are almost no international precedents of online casinos or bookmakers violating MCC 7995 due to strict legal control.

Hosting service providers, for their part, are formalistic in handling copyright holders’ complaints, since the majority of pirate websites and CDNs use unique links for each new user, which therefore cannot serve as proof of the hosting services’ involvement in any wrongdoing. Thus, hosting services have all formal grounds to distance themselves from solving the matter, continuing to make money by providing a platform for pirate businesses. A notable example of such a stance is the company called ZeroCDN, which belongs to the Russian company Mnogobyte, whose infrastructure was used by up to 60 percent of pirate websites as of late 2019. Yet another instance is the Russian firm DDOS-GUARD, which not only provides pirate websites with its computing capacities, but also conceals the actual hosting service and obstructs the identification of website owners.

The problem of online piracy as many see it today, the violation of copyright and illegal enrichment, is actually only the tip of the iceberg. By making this report public, Group-IB aims to deliver a crushing blow to this criminal industry, exposing its entire structure, which is far greater than one could think, and its driving forces, as well as the duplicity of legitimate companies that provide pirates with technological capacities for their wrongdoing while neglecting the complaints of copyright holders. Revealing all the stakeholders of this ‘business’ should make the fight against digital piracy a joint endeavor of countries around the world and cut off pirates’ retreat.

Ilya Sachkov


CEO and founder at Group-IB

Because of how popular pirate websites are, they serve as platforms for distributing malware and stealing users’ money and personal data. During the pandemic, Group-IB analyzed over 3,100 pirated websites for viruses, vulnerabilities, and inclusion in blacklists compiled by antivirus providers and search engines. The analysis revealed that up to 23% of pirate resources posed risks to users. In March, the number of total visits to dangerous resources amounted to 76.8 million. High demand pushes the shadow piracy business to new levels despite all the hurdles.

Group-IB calls on the media industry, national state watchdogs and international organizations in the field of intellectual property to join hands in fighting the evil of piracy, delivering a blow to the illegal business that has been flourishing for years.

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
