So-called bulletproof hosting services are a thorn in the side of anti-piracy groups everywhere.
They operate much like regular hosting companies but are much more lenient when it comes to complaints from third parties, meaning that spammers, online gambling entities, and other questionable actors have a better chance of keeping their content online.
Since pirate sites fall into the same category, bulletproof hosters are also havens for pirate sites. As a result, they attract the negative attention of Hollywood studios, who complain about their refusal to deal with takedown notices responsibly.
DDoS-Guard Previously Reported to the USTR
In late 2020, the MPA made its annual submission to the USTR’s notorious markets study, including familiar pirate site targets such as The Pirate Bay, RARBG, YTS, 1337x, Popcorn Time, Leakthis, and Rapidgator, among others.
The Hollywood group also included several Internet infrastructure companies for consideration including Peter Sunde’s Njalla, the .to domain registry, and several hosting services including Cloudflare and DDoS-Guard.net. The latter earned its place on the MPA’s list for playing host to large pirate and file-hosting sites including BS.to, S.to, and GoUnlimited. DDoS-Guard was also linked to so-called ‘pirate CDNs’ (including Kodik) operating from Russia.
“Some of the biggest sites are taking advantage of DDoS-Guard’s services, including bs.to and s.to from this list. DDoS-Guard is not responsive to takedown requests,” the MPA told the USTR.
While DDoS-Guard didn’t make it to the final report published earlier this year, the service could now have an even more serious problem on its hands.
DDoS-Guard’s Database and Source Code Reportedly Up For Sale
According to a report from cybersecurity company Group-IB, last week it discovered an unusual sale taking place on the forum of the hacking site Exploit.in. The forum is currently down, but Group-IB says the DDoS-Guard database and source code were allegedly on offer.
“The database supposedly contains information about DDoS-Guard’s customers, including their names, IP addresses, and payment information. In addition to the database, the threat actor claims to have the source code of DDoS-Guard’s infrastructure,” Group-IB’s report reads.
“The seller is currently auctioning the entire set at a starting price of $350,000. It is not possible to verify the authenticity of the alleged stolen data, as the threat actor didn’t provide a sample.”
Obvious Implications For Pirate Sites
Operating out of Russia (and, according to the MPA, also the UK), DDoS-Guard is fairly well known for its dealings with pirate sites. In 2020, for example, the Germany-focused music piracy site DDL-Music.to went offline after Universal Music took legal action against Cloudflare, which had been providing CDN services to the platform.
DDL-Music later reappeared using the services of DDoS-Guard, but it is certainly not the only site that could be affected by the alleged leak of the CDN/DDoS mitigation platform’s database.
As seen in the Group-IB-supplied screenshot below, the person offering the company’s data for sale specifically mentions RuTracker, one of the largest and longest-standing torrent sites on the Internet.
The database and source code package was initially offered for $500K, but the price has since been dropped by $150K, presumably to make it more attractive to prospective buyers. The big question, at least as far as pirate sites go, is whether the leak (should it prove genuine) contains any useful information about the operators of the many pirate sites that have used the service.
In many cases, CDN and DDoS mitigation companies are given fake or useless customer information that leads nowhere. However, if customers trusted that their information would be kept secret, it is certainly possible that some of them let their guard down.
Given its earlier research into the activities of DDoS-Guard as part of its Jolly Roger’s Patron’s report, TorrentFreak has asked Group-IB for a list of pirate sites using the platform. We’ll update this piece when that becomes available.
Update: Statement from Dmitry Tiunkin, Head of Group-IB’s Digital Risk Protection team in Europe.
“DDoS-Guard currently provides hosting services to a number of prominent pirate websites, including Nyaa Torrents (big Asian Torrent Tracker), Sci Hub (a shadow library of research papers), G Nula (Latin America pirated streaming service), HDReactor (Russian speaking Torrent Tracker), and multiple technical domains of the infamous Russian CDN Kodik,” Tiunkin says.
“Group-IB Digital Risk Protection platform detected more than 2,200 pirate websites that are using DDoS-Guard services. Russian authorities are restricting access to more than 2,000 pirate websites, their domains, subdomains, and URLs hosted by DDoS-Guard.”