FIFA World Cup 2022 got underway on November 20 in Qatar, and in the hours leading up to December 10, Homeland Security Investigations began seizing pirate streaming site domains. Our initial report was confirmed by U.S. authorities two days later, with a statement claiming that “55 separate websites” had been seized.
Over the next few days, 23 additional domains were seized, bringing the total to 78. The official announcement referenced an affidavit filed in support of the seizures, but no copy was provided and hours spent trawling court records turned up nothing in December.
Affidavit Dated December 2022 Filed in January 2023
After being officially filed on January 12, 2023, two identical affidavits appeared on record this month at the United States District Court for the District of Maryland. Submitted by HSI Special Agent Jones under two different case numbers, the affidavits carry the signature of Judge Maddox dated December 16, 2022.
Both affidavits relate to seizures that took place between December 16 and 19 but make no mention of earlier seizures. The affidavits list two other case numbers, but those documents were filed under seal.
After previous assignments at the NSA and Weapons of Mass Destruction Response Team, Special Agent Jones is currently assigned to HSI’s Transnational Cyber Crimes Team (TCCT).
His affidavit states that he has probable cause to believe that the listed domains are subject to seizure and forfeiture under 18 U.S.C. § 2323(a)(1)(A)-(B) and (b)(1) because they are used or intended to be used to commit or facilitate criminal infringement under 17 U.S.C. § 506 and 18 U.S.C. § 2319.
Friend MTS Referral to HSI in September
At least two months before World Cup 2022 began, in its role as representative of FIFA, UK-based anti-piracy company Friend MTS (which is heavily involved in dynamic stream blocking in Europe) began supplying HSI with information on “several” domains.
“Friend MTS identified the sites as being used to transmit and distribute copyright infringing content (World Cup games in particular), without the authorization of the copyright holders,” the affidavits read.
A “whitelist” of domains allowed to broadcast games is apparently maintained by FIFA, but none of the domains submitted by Friend MTS appeared on that list.
‘Open-Source’ Search For Additional Domains
To find additional domains illegally streaming copyright-protected content, U.S. investigators reportedly conducted a review of “open-source internet messages.” Some of the sites discovered “appeared to host illicit streaming content,” while others embedded streams or offered links to content hosted elsewhere.
The table below lists some of the domains and the time they were confirmed as offering FIFA content. Also listed are their corresponding domain registries, in this case mostly VeriSign, but others include GoDaddy, Inc., Identity Digital Inc., and Tonic Domains.
After confirming all domains were offering unlicensed content, HSI concluded that “neither a restraining order nor an injunction” could guarantee their seizure.
However, if the domains were seized and redirected to another website, that would “prevent third parties from acquiring the name and using it to commit additional crimes” and “prevent third parties from continuing to access the websites in their present forms.”
Legal Assessment & Seizure
The affidavit states that for civil forfeitures, venue may lie in any district where any of the acts giving rise to forfeiture occurred, where the property was found, or where it was bought. For criminal forfeitures, venue lies in any district in which prosecution could occur.
In this case, the affidavit states there is probable cause to believe that the domains are subject to civil and criminal forfeiture. With all bases covered, attention turns to the domain registries for .com, .tv, .to, .cc, .me, .live, and .net domains – Verisign, Inc., GoDaddy, Tonic Domains, and Identity Digital, Inc.
Upon seizure of the domains, the registries were required to associate them with new authoritative name servers, to direct visitors to a government seizure notice referencing a warrant issued by the court.
After being served with a copy of the seizure warrant, domain registrars (through which the domain owners had purchased their domains) were told to “modify any records, databases, tables, or documents” used to identify the owner of the domain, to show that seizure had taken place.
Domain Seizure Instructions
Both affidavits have four attachments marked A1-A4, each detailing actions to be taken by a specific registry. In all cases domain seizures were instructed to take place on December 16, 2022, at 4:00 pm EST.
Registries were given the choice of setting two new name servers (ns1.seizedservers.com and ns2.seizedservers.com) on each domain or redirecting domains to two designated IP addresses. A third option allowed law enforcement to issue instructions to a relevant domain registrar instead.
All registries were warned to prevent any modification or transfer of the domains and to implement instructions as quickly as possible. The list of domains for each registry reads as follows:
Verisign: Rojadirectatvonline.net, Soccerstreams.net, Weakstream.net, Wizwig1.com, Releasesky.com, Tenorsky.com, Vipleagues.net, Extremotvplay.com, Futbollatam.com, Futboltv-envivo.com, Futbollatin.com, Librefutbol.com, Ovopremium.com
Registry Services, LLC (GoDaddy): AJSports.tv, Sportstream.tv, Futboltv.biz
Tonic Domains: Soccerstreams.to
Identity Digital, Inc.: Rojadirecta.global, Hesgoal.pro, Rojadirecta.me, Livetv605.me, Futboltv.live, Hesgoal.me
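The name-server option in the seizure instructions is visible in a domain's delegation, so it can be checked from NS records. The following is an added example, not taken from the affidavits or from HSI: it parses zone-file style NS records and flags domains delegated to the two seizedservers.com hosts. The sample records, the `.example` domain names and the function names are constructed for illustration.

```python
"""Flag domains whose delegation points at the seizure name servers."""
from collections import defaultdict

# Name servers named in the seizure instructions described in the article.
SEIZURE_NS = {"ns1.seizedservers.com", "ns2.seizedservers.com"}

# Constructed zone-file style records (reserved .example names, not real data).
SAMPLE_RECORDS = """\
; owner            ttl    class type target
streams.example.   172800 IN    NS   NS1.SeizedServers.com.
streams.example.   172800 IN    NS   ns2.seizedservers.com.
mixed.example.     172800 IN    NS   ns1.seizedservers.com.
mixed.example.     172800 IN    NS   ns1.hoster.example.
normal.example.    172800 IN    NS   ns1.hoster.example.
normal.example.    172800 IN    A    192.0.2.10
lookalike.example. 172800 IN    NS   ns1.seizedservers.com.other.example.
"""

def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_ns(text):
    """Return {domain: set of NS targets}, ignoring comments and non-NS records."""
    delegations = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        # Layout: owner [ttl] [class] type target
        if len(fields) >= 3 and fields[-2].upper() == "NS":
            delegations[norm(fields[0])].add(norm(fields[-1]))
    return dict(delegations)

def classify(ns_set):
    """Exact-match the NS set; a substring test would misread the lookalike."""
    if ns_set and ns_set <= SEIZURE_NS:
        return "seized"
    if ns_set & SEIZURE_NS:
        return "partial"  # mixed delegation, e.g. a change still in progress
    return "not-seized"

def audit(text):
    return {domain: classify(ns) for domain, ns in parse_ns(text).items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {status}")
```

The alternative of redirecting domains to designated IP addresses is not covered, because the article does not give those addresses.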
Notify Domain Owners of Seizures (or not)
Since domain seizures are still relatively uncommon in the United States, it was unclear whether the authorities would target domain registries, domain registrars, or both. The paperwork clearly shows that registries are the preferred option, but registrars do get a few mentions.
For instance, there’s an instruction for domain registrars to modify registrant records “to reflect the seizure” and also the potential for registrars to change DNS records. In the section shown below, there is a requirement for domain registrars to notify customers that their domains were seized by Homeland Security.
As detailed in our earlier report, U.S. domain registrars are listed for more than 60% of the seized domains. Registrars have access to domain owners’ details, so contacting them about seized domains would be straightforward.
Despite instructions in the warrant directed at registrars and notes that the seizure warrant will be sent to domain name registrars based in the United States, in all cases the list of registrars is surprisingly small.
Other domains listed in the affidavit as having no registrar in the United States include Hesgoal.pro (NameCheap), LiveTV605.me (NameCheap), Fullboltv.live (NameCheap) and Hesgoal.me (Name.com, Inc.).
At least on the surface, it appears that all U.S. registrars must inform their customers of the seizures but only if they are listed in the affidavit as being in the United States. None are listed as such.
Finally, the original seizure applications and orders were sealed and remain so. At least one was filed in a Miami district court back on October 5, 2022, at least six weeks before the start of the World Cup on November 20, 2022.