Last Tuesday, exactly one week ago, unofficial reports began to surface that enforcement action was underway targeting groups and members of ‘The Scene’, the tight-knit entities that are often described as sitting at the top of the so-called ‘Piracy Pyramid’.
As the hours began to pass, it was clear the initial reports were true. The unsealing of indictments in the United States, some dating back to January, later revealed that the US Government had homed in on at least three key members of the connected movie and TV show release groups SPARKS, GECKOS, DRONES, ROVERS and SPRINTER.
On Tuesday, Wednesday and subsequent days, chaos in The Scene was widespread. The USDOJ revealed that an operation was underway on three continents, with law enforcement partners in 18 countries carrying out raids and seizures, declaring that around 60 servers had been taken down.
Unofficial reports indicated that the activity was centered on Europe, particularly in Nordic countries, with Eurojust and Europol deeply involved in the operation.
New ‘Scene Notice’ – As Close as it Gets to a ‘Scene’ News Release
Since then, communication from inside The Scene itself has been sporadic at best but this morning the existence of a so-called ‘Scene Notice’ was revealed on public sites known as ‘pre-databases’. This notice, basically a text file in .NFO format, reveals some interesting information from an insider’s perspective.
So-called ‘Scene Notices’ are relatively rare, certainly when compared to the number of content releases put out by The Scene itself. When they do appear, however, they often carry security-related information, decrying one group or other for being insecure or perhaps accusing certain entities of behavior that could undermine operations.
Sometimes it’s possible to identify who writes these bulletins (groups or individuals) but in today’s case, the author is unknown. Titled “Scene_busts_And_Mitigations”, we reproduce quotes from it here, with some tidying but with grammatical errors intact.
It begins by noting that the purpose of the notice is to shed light on what it describes as the “whole corona era bust”, aka the action against SPARKS and its affiliates. According to the notice, the action was indeed significant and could even be ongoing.
“The scene has been hit hard by various agencies from around the globe. Totaling over 29 sites has been busted within 14 country’s, mostly within Europe. As from the looks now it is certain to say that the bust took a big bite out of the ISO scene. Without a doubt, this will not be the last of it since there will be more information available for the feds to chunk through now,” it reads.
Indeed, from initial reports on Tuesday, through Wednesday and the rest of last week, we received various reports of continuing actions, most of which were hard or impractical to confirm. It seems logical to conclude, however, that as the authorities scooped up additional individuals suspected of crimes, plus their hardware and perhaps even their cooperation, more and more opportunities for further operations raised their heads. Some sources suggest that the number of sites taken down could already be closer to 50 than 30, but official details are hard to come by.
Possible Compromise of Internet Relay Chat (IRC)
While many in the lower (sometimes even just slightly lower) echelons of the piracy world now communicate via newer platforms that can include Telegram or Discord, for example, The Scene itself has always had a preference for IRC, aka Internet Relay Chat.
Somewhat archaic by today’s pretty GUI-driven chat interface standards, IRC is relatively inaccessible to newcomers but that, and its improved security, have kept it popular with The Scene year after year. However, according to the just-published Scene notice, an aspect of one particular IRC network may have been compromised.
“Rumors has it that there was a bust in France from a known user that was also running an IRC server for the linknet IRC network. This is not confirmed nor denied,” it notes.
“So please use linknet only with the common security practices (SSL, Blowfish, Channel encryption,” it adds, referring to what should be common security practices, irrespective of whether a raid has happened or is expected in the future.
“This rumor should not be taken lightly and it’s advised to keep sites off linknet and use private IRCD [IRC daemon] for any site related actions if possible.”
Advice For ‘SiteOps’ and ‘Currys’
Advice for ‘siteops’, or site operators, is also included in the notice. Mostly technical in nature, it again offers tips on keeping platforms secure. Much of it is fairly obvious, such as moving, renaming and otherwise obscuring sites if they hosted any of the groups that were busted.
The same goes for ‘currys’, otherwise known as couriers. These groups and/or individuals are involved in the distribution of Scene release to other platforms within the Scene. To carry out their roles, they necessarily have access to a number of sites, so it’s advised that they “avoid insecure sites or sites that are ignoring the security measures.”
Again, pretty obvious stuff but it is possible that the less experienced will attempt to carry on as normal.
The Future and Recovery of The Scene
There’s a general consensus, based on history, that even following seismic events such as the ones witnessed last week, The Scene will eventually recover. The notice acknowledges that “it will take time” to get everything back and running which is perhaps underplaying how serious things are at the moment.
Nevertheless, it states that the information was put together for the “love of the scene.”
“[W]e will [be] back and we will thrive again! Thoughts are with the fallen ones,” it concludes.
Again, it’s unclear who authored this notice, whether they hold any position of authority, or whether any of the mitigation suggestions will have any meaningful effect on the recovery rate of The Scene. In any event, it seems unlikely that normal business will be resumed any time soon since trust and stability, The Scene’s most valuable commodities, are currently its most scarce.