Track shipments

How Investigators Use OSINT to Hunt Down IPTV Pirates *TorrentFreak

Measures to combat online piracy are often described as a game of whac-a-mole, in this case a game where hackers get hit over the head to pop up somewhere else – supplying movies, TV shows , live sports and music intact.

From the perspective of the average pirate, the game is completely useless, if not futile. But for anti-piracy groups around the world, engaging hackers in this irritating game is a significant form of disruption. This is the next best option given the 0% chance of killing all the hacks and the more than 0% chance of them moving to a legal service.

The massive proliferation of pirate IPTV services in recent years is a big problem for many rights holders. They are able to annoy a few with ISP blocking, but behind the scenes they are also shutting down a few here and a few there. How they do this is rarely intended for the public, but the docs made available by TorrentFreak shed some light on the basics. But first a little introduction.

OSINT – Open Source Intelligence

At the lowest level, OSINT is accessible to everyone by simply collecting and processing the data found using a search engine. In the world of OSINT, however, search engines are only a handful of tools in an extremely large toolbox. When these tools are combined and the data collected is processed efficiently, it is possible to obtain disturbing levels of information on all but the most hardened targets.

The screenshot below shows just a few of the tools listed by OSINT Framework, but even that selection barely scratches the surface, especially if we include the associated skills needed to effectively collect and then correlate data.

osint frame

When it comes to online anti-piracy investigations, OSINT tools and techniques might seem almost adequate for the task at hand. Any information about a site operator (such as a domain name, IP address, or email address) can reveal a person’s online footprint. And since today’s online lives tend to be inextricably linked to those enjoyed offline, it’s not hard to see where things might end.

IPTV – Survey Examples

In 2021, a European Union/EUIPO funded project made a presentation in Asia focusing on investigating various players in the illegal IPTV ecosystem. The table below lists everything from content providers, aggregators and developers, to money and “subscription mules” – otherwise known as “resellers”.

iptv ecosystem

An interesting section concerns server devices known as “transcoders”. Video streams are sent to these servers from external sources (Live TV or IP streams) and then transcoded/converted into multiple streams for delivery to multiple users’ viewing devices, usually via another network infrastructure.

The specific model mentioned in the slides (TBS8520) can be managed using a system called “Kylone” accessed through a web browser. So when investigators searched for “Kylone” using “ZoomEye” (an OSINT search engine for “Internet of Things”), the system was able to provide information on more than 141 transcoders. (Note: using Shodan is also an option)

hunting transcoders

Knowing where these servers are is useful information for obvious reasons. An IP address (such as the first result in the table above) has the potential to lead to a hostname or even a physical location using simple tools.

(Note: Hosting companies, including the one in the example, may not know that a customer is involved in illegal activity, and in any case, the customer in question is likely long gone)

Ulango.TV: A lesson in getting caught

In January 2020, we discovered that the Alliance for Creativity and Entertainment had taken down Ulango.tv, an “IPTV solution” offering thousands of live channels via an app. As far as we know, ACE still hasn’t claimed responsibility, but there’s no doubt that they either removed it or got involved in some way.

According to the slides of the EU/EUIPO presentation, solving the case was simplicity itself. Armed with the site’s domain name (ulango.tv) and a WHOIS service, the investigators were able to obtain an IP address and the contact details of the company hosting the server.

Next, they created a map of the ulango.tv site using this tool, which produced a list of external sites to which the .tv domain was linked. This included a link to a Twitter account and another piece of the puzzle.

Then turning to Hunter.io, a very powerful service for email-related surveys, they searched for the Ulango.tv domain and found an email address connected to it. At this point, they seem to have used a bit of deception.

Using the Fakemail and Fake Person Generator services, they created an account on Ulango.tv with false information. Obviously, there are reasons why investigators don’t want to expose themselves in such situations, as it could be counterproductive.

fake ulango

As the slide shows, the next step was to move towards a purchase of the site’s premium service for the princely sum of two euros. Then, after clicking the “Checkout” button, they were given the option to pay by credit card or bank transfer.

Out of necessity, an IBAN number was provided along with the name of the account holder, a name which had also appeared earlier in the investigation. It wasn’t difficult but it seems to have been effective.

IPTV survey using multiple tools

Finally, the slides detail another investigation, but since our checks indicate that the platform is still live, we do not intend to name it here. Instead, we’ll just walk through the steps.

Using the site’s domain name, investigators used Viewdns.info to perform a WHOIS lookup to reveal the name of the domain holder. Armed with that name, they performed a reverse WHOIS search, which shows other domains registered by the same person.

In total, these steps resulted in a name, an email address, a potential physical address and 10 additional domains, mostly connected to pirate IPTV services.

The next step was to load the main domain and view its source using a standard browser. By searching this source code for the term “UA-“, they were able to find the site’s Google Analytics ID. By performing a Google Analytics reverse search, other sites using the same ID were revealed and connected to the first site.

Then it was trying to pay for a subscription on the first site only to find that the payment was being processed by another. This site was (and still is) presented as a legitimate business and as such is incorporated as a limited liability company in the UK.

All UK limited liability companies have a list at Companies House (another excellent OSINT resource) and a search there yielded the name of the director (an overseas national), date of birth and address in London. The latter is a known virtual office and the home of many people who prefer not to give their real address.

At this point, the slides don’t reveal anything further, so it’s unclear whether the investigation ended there or is still ongoing. The sites in question appear to be up and running, so for educational and entertainment purposes only, we’ll see if the deal can be cracked using Maltego and Spiderfoot’s incredible abilities.

These tools allow users to automate their OSINT queries and inquiries, but such a short description does them a huge disservice. They both have a free option so there’s no excuse not to try them, preferably in a virtual machine and certainly behind a VPN, especially in the case of the latter.