Just as I mentioned in the first part of this case study I’ve been documenting the whole process of setting up a nearly bulletproof illegal streaming site and I’m going to provide you with my findings below (for educational purposes only, just as before).
So let’s start with the beginning and list out the resources one would need for such a site:
- Disposable/anonymous payment methods
- Free/disposable (preferably encrypted) email accounts
- VPN account from a provider that does not keep logs and uses strong encryption
- Cloudflare account
- A domain name from a reliable provider that stands by his promises and does not expose your whois privacy in any way
- An encrypted VPS or dedicated server for load balancing and several other encrypted VPS’s or dedicated servers for actual site hosting
- A good WordPress setup
- One of the WordPress themes designed for such a site
- Accounts on media hosting and streaming sites
- Tons of movies, TV shows and documentaries (preferably up to date)
- A good monetizing plan (preferably your own adserver)
If you have all of the above then you’re good to go on making your very own illegal streaming site, but bottom line here is that the most heavy resources such a site requires are both time and money.
Now let’s start with the beginning and explain each requirement in depth:
Every IT security researcher and consultant knows that the easiest way to trace back illegal stuff on the internet assumes that you follow the money. Therefore if you can pay using anonymous crypto currencies or generate disposable VCC’s from your bank just do it and avoid at all costs the use of platforms such as Paypal or similar.
An illegal streaming site is not something as simple as managing a DMCA request because all providers will record the IP from which the purchases have been made and the IP from which logins to various accounts are being made so if you use your home IP you’ll probably be traced back easily and accused of piracy.
Moreover unencrypted traffic between you and your ISP or beyond along with traffic that passes through weak encryption can easily be sniffed and even if you’re using a VPN for as long as the encryption isn’t strong you’re still risking to be exposed.
Probably one of the best VPN service solutions in this case is the service offered by PureVPN which is capable of providing such features:
Globally 500+ Servers, 80,000+ IPs in 141 Countries
142+ highly optimized North & South American VPN servers
249+ highly optimized European VPN servers
32+ highly optimized Oceania VPN servers
80+ highly optimized Asian VPN servers
OpenVPN, L2TP, PPTP, SSTP, & IKEv2 protocols
Strict zero log policy
Unlimited bandwidth, server switches & speed
150+ payment methods accepted (including crypto currencies)
Compatible with 20+ operating systems and devices
NAT firewall, Internet Kill Switch, High Level Encryption and Army Graded protocols
Also, if you use this link you can get up to 79% discount on all yearly payments. Use a free WiFi network to create a disposable/encrypted email account and purchase your VPN subscription and avoid at all costs monthly payments.
Once you have your VPN go ahead and create at least a handful of disposable/encrypted email accounts as you’ll need all of them later. Avoid using providers such as Yahoo! who are not only prone to hacking, but who seem to have made a deal with the devil to screen the emails and provide the intelligence services with useful intel. Proton Mail could be a good choice here.
With one of the encrypted emails go ahead and setup a Cloudflare account which you will use to spoof the real IP of your sites. Cloudflare isn’t bulletproof as they will disclose the IP’s as soon as a legitimate claim is made, but their use assumes an extra anonymity layer besides the load balancer.
Using one of the disposable/encrypted email accounts and an anonymous payment method just register a good domain name from a reliable provider. Namecheap seems to be very popular for such use, but Namesilo and InternetBS could be great choices too.
VPS or dedicated servers
You’ll be needing at least 3 VPS or dedicated servers. Dedicated servers are better while VPS are insecure on non-encrypted VPS nodes. You’d need at least 3 servers to pull this off, although a solid setup would assume at least 5 servers. The servers should be with different providers and preferably in different locations. One server should handle load balancing using HA Proxy or other similar software, two servers should handle the webserver which would probably perform better using OpenLiteSpeed and PHP 7, one server should be used to serve the database and the last one should handle URL shortening and advertising.
An up to date list of low cost server providers can be found on ServerBytes.
All servers must have their hard drives encrypted with the highest encryption level possible. The webservers, database server and the server used for URL shortening and advertising should be communicating in between them using NAT as it’s harder to trace. Obviously everything must be covered by a strong SSL certificate and Let’s Encrypt could be a good alternative provided the anonymity level it can provide.
WordPress and themes
Since the vast majority of such sites run WordPress and specific themes that rely on automation policies we’re going to consider WordPress just as well. You can setup WordPress to use an internal CDN too which can be hosted on the same server where you’re hosting the URL shortener and adserver.
For streaming specific themes, besides MundoThemes which seem to be of reference in this field I was also able to locate MasThemes and StormPlay. Each theme has it’s pro’s and con’s, but I’d say that once purchased the theme files should be altered or encrypted in a way that makes it impossible to determine the theme developer as whoever finds out who’s the developer can easily ask who was the client.
File hosting & streaming providers
There are a lot of file hosting and streaming providers that will host files for illegal streaming sites without even sweating. Probably the most commonly used provider nowadays is OpenLoad, but social media sites such as VK.com seem to be used for the storage and streaming of files. While services such as OpenLoad pay you for the views and downloads of the files hosted, social networks don’t. Sites that don’t pay are safer simply because there’s absolutely no money trail, but obviously they are less profitable.
To make your site popular you need tons of up to date content and this is one of the hardest parts of the entire plan. First of all you should never be downloading content to your home PC and then upload it to one of these streaming sites. This is clear piracy and the most risky part of all of this. Clearly there are ways you can add content to your site with the help of others and I’m listing them below:
- Use Google and FTP meta search engines to find the content you need. There are hundreds (if not thousands) of unprotected network shares that are available either via HTTP or FTP and all of them contain movies and series. I was able to identify 25 such sites using a simple Google search string: intitle:”index of:” mp4 OR mkv
- Use a seedbox to pull content from private torrent trackers. Avoid at all costs public trackers as most ISP’s block them or consider your use of their service abusive and will suspend your account.
- If you consider torrenting to be too risky you can setup a server that will download from Usenet instead which is probably the most anonymous download service available.
Services like OpenLoad support remote and FTP uploads so pulling the content from either sources to your account with them is very easy and can be automated.
Getting your site indexed and positioned in Google should not be very hard if you’ve got your act together and you’re doing things right, but keeping your site there could prove tricky because as soon as your site starts receiving DMCA notices your links will be removed and you’ll be experiencing penalties. You can promote the site on forums and social media, but nothing is as good as the organic traffic.
Probably the hardest part of it all is monetizing all of this. If you have good content and good traffic you can make good money, but it all comes at a cost and that cost could be on your own freedom. Most recently the EU court of justice ruled that linking is not a crime for as long as you’re not monetizing it and just as I said previously, to a researcher it’s all about following the money trail.
Using public ad networks is out of the plan simply because networks such as AdSense will either reject your application or suspend your account as soon as they find out what you’re trying to do. Warez friendly networks such as Exoclick might seem like a good choice, but on the long run they can prove risky too simply because they could easily disclose your details.
Therefore the best solution would be to setup your own URL shortener in order to cloak affiliate links and to use a system like Revive Adserver to serve your own affiliate ads. You should always use ads uploaded to the server which have their links cloaked and avoid at all costs the use of embedded ads.
The actual costs
Following the analysis above I will try to conclude strictly upon the costs involved into rolling out something like this. As you probably see from the input above the plan is nearly bulletproof and does not match any of the script kiddy plans that are actually used by the vast majority of streaming site owners.
- VPN service – at least $50/year
- Domain name + whois privacy – maximum $15/year
- 5 dedicated servers – $1500/year (considering low-profile hardware that costs no more than $25/month)
- WordPress theme – $80 one time (based upon the average of the best themes on the market so far)
- Server used for intermediate download/upload activities – $168/year (considering a 4TB storage server with 32TB bandwidth)
Considering that you know what you’re doing, technically speaking and you know how to properly optimize and promote the site in order to get things rolling the right way you’d need to invest at least $1800 into such a project, money with which you could just as well start a legitimate business.
Time wise such a project is even more costlier and not worth the hassle unless of course you’re into making big bucks on the long run and willing to risk a lot for it.
NOTE: The scope of this article is to act as a proof of concept for educational purposes only and the author intention isn’t to encourage or endorse illegal activities in any way, but actually to provide a plausible scenario of the reality behind illegal streaming websites.