Last week the illicit IPTV market was thrown into turmoil when Italian authorities teamed up with law enforcement groups in the EU.
Their operation, dubbed ‘Black IPTV‘, targeted individuals and equipment behind at least one Italy-based IPTV provider. More importantly, however, it also targeted Xtream Codes, a management system utilized by many providers and sellers of IPTV services.
While Xtream Codes claimed to be a content-agnostic system, its popularity in the unlicensed market is hard to understate. With an estimated 5,000 providers of varying kinds on its books servicing around 50 million end-users, its closure had an immediate and dramatic impact.
In the immediate aftermath of the raids, suppliers reported an inability to sign up new customers or renew customer subscriptions. Within several hours, it became clear that anyone reliant on the system would be more seriously affected, with IPTV services going dark and paying customers seeing red.
As soon as news of the raids appeared on our radar, we contacted several previously responsive players in the IPTV market. Precisely zero responded to our requests for comment amid the chaos, which was widespread and by some estimates affected up to 90% of the market. Data from Google Trends does seem to indicate that plenty of people hit its search engine for news.
With no obvious central source for information on the impact of the operation, the day after the raids TorrentFreak contacted Sandvine, a networking equipment company that has previously provided detailed analysis on general Internet and piracy-related traffic.
An external source that requested anonymity told us that due to technical issues the full force of the raid may not be felt until Thursday or Friday, the two days directly after the raids took place. So, we asked Sandvine if the company had noticed any significant drop in illicit streaming traffic during that period – it had.
This week a spokesperson for the company told TorrentFreak that on Friday September 20, Sandvine estimated that illicit streaming traffic had decreased 50% from the levels seen on Thursday, a massive drop by any standards.
That many illicit IPTV providers had been seriously affected by Xtream Codes’ removal from the market didn’t really come as a shock. Equally, it wasn’t really a surprise when providers began to adapt to the loss either.
Slowly but surely, some providers and sellers began migrating to alternative management systems, as detailed in emails to subscribers seen by TF. By Saturday, better news for them began to filter through, with services not only returning but also with subscriber payment and subscription information intact.
Sandvine gave TF a brief list of five providers, all of which went down completely between the 19th and 21st of September. By 21st/22nd all were recovering to a greater or lesser extent, with only one failing to return at all.
That being said, the overall market is huge, so it’s almost impossible to say how many have now returned, in whole or in part. It isn’t difficult to find complaints that services are still down even today but there are also several reports of providers that weren’t affected at all by the Xtream Codes situation.
Typically, there are individuals and groups out there trying to make hay even before the storm clouds have cleared. TF has heard of a handful of hopeful end-users who believed they were paying to access a service that was still up, only to have their ‘supplier’ cut and run.
Equally, we were pointed to a service that claims to be an Xtream Codes replacement but is probably nothing more than an elaborate scam. Since the prices were so high, we didn’t feel tempted to test that theory out.
On the other hand, real Xtream Codes alternatives are out there but how vulnerable they are to similar action will remain to be seen. In particular, one service seems happy to take orders and is reportedly in use by a number of previously stranded providers and resellers.
If nothing else, most of those in the chain should now be more prepared if there’s similar action in the future. Or less surprised at least.
As reported Wednesday, police in Italy and several other European countries coordinated to take down Xtream Codes, at least one IPTV provider, and more than twenty individuals and related equipment linked to the services.
The precise roles of all these people remain unclear. However, there can be little doubt that emphasis is being placed on the importance of the Xtream Codes management system which, according to law enforcement officials, lay at the very heart of the targeted criminal operation even though the software didn’t supply any content.
This very large operation involved police forces in Italy, the Netherlands, France and Bulgaria. It was coordinated across borders with the assistance of Eurojust, an EU agency that helps agencies from member states to co-operate in criminal matters.
Yesterday afternoon, a press conference took place to explain how the operation panned out, who it had targeted, and to detail various additional pieces of information. It began with Filippo Spiezia, National Member for Italy at Eurojust, explaining that hundreds of officers had been involved in the operation to dismantle the technological infrastructure of a “criminal IPTV network.”
Spiezia confirmed that 181 servers had been taken down and seized and more than 800,000 users (police reported 700,000 earlier yesterday) had been disconnected from the Xtream Codes service when it was taken down.
In what became a common theme throughout the conference with several participants, Spieza sometimes appeared to speak generally about the entire operation, which included the takedown of at least one actual IPTV provider, then sometimes in relation to Xtream Codes alone.
This ambiguity and lack of clarity appear to be causing confusion. For example, Reuters reported the following yesterday:
“The biggest illegal platform shut down on Wednesday, dubbed Xtream Codes, had around 50 millions users worldwide,” Reuters reported, citing Gianluca Berruti of the Italian tax police.
“It sold a bundled pay-TV service that included premium content from Comcast’s Sky Italia, Netflix, Mediaset, Dazn, for a monthly subscription of 12 euros,” it claimed Berruti added.
Again, ‘pirate’ IPTV sellers utilizing the Xtream Codes platform may have been doing just that but, at this stage, the second claim above doesn’t make sense or indeed add up. Fifty million users multiplied by 12 euros a month is a staggering amount of money that wasn’t supported by financial information provided later in the conference.
In common with all of those present at yesterday’s gathering, Filippo Spiezia expressed satisfaction at the success of the international operation, noting that cross-border cooperation had proved invaluable since the investigation began.
“During these months of work at Eurojust, we have adapted to the judicial needs of the Italian authorities….to the specific legal requirements of our new partners. This is the first example of an action conducted with these modalities,” he said.
“Thanks to this action we have sent out a very clear signal to criminals that even in this specific domain, even in this specific area which represents the most advanced form of criminality, we will [respond] to them.”
Vincenzo Piscitelli, Deputy Prosecutor in Naples, painted a picture of small offenses by end-users (pirate IPTV subscribers) fueling “huge illegal activities” behind the scenes.
“So this is why we really tried to hit these organizational structures at the heart and that was done through the investigation that was carried out by the public prosecutor’s office of Naples,” he said.
Next up was Valeria Sico, Public Prosecutor in Naples. Sico spoke quickly and through a translator, so that may account for what at times felt like confusing output. While clearly an expert in law, those looking for clear and specific technical details from the Prosecutor failed to receive them.
Some of what Sico said made sense but the fact that Xtream Codes isn’t normally understood to be an actual provider of illegal streams (although it is undoubtedly used by outsiders to manage them), it’s worth reproducing some of her words in full, to see how muddied this has become.
“There was software created by two citizens of Greek nationality. They have a company which had a legal seat in Bulgaria,” Sico said, confirming the information previously supplied by the Italian authorities.
“So this software enables the disclosure and the transmission of [pirate] TV signals through digital ways to different servers which were constructed by the organizations, by the host providers in the Netherlands and in France.
“Through these servers, the signal – the digital signal – was therefore sent to different IP addresses of final users and these people would then receive the [illegal] television signal in their homes.”
Again, it’s worth reiterating that Sico was speaking through a translator so some context and detail may have been lost but from there, the explanation didn’t really become any more clear.
“For the first time, having identified the company that was producing the software, we went directly to the company that was producing the software so they were enabling people to decrypt the signal,” she said.
“So this is why we also went right to the physical place where the disclosure [broadcast] of the signal would take place within these hosting provider companies in Holland and in France….the signal was broadcast to the company that had created the illegal signal – the software company – and then that was sent to the end-users.”
Again, this isn’t the broadly accepted function of the Xtream Codes system, unless the company itself was also involved in the provision of illicit streams. That claim has been the subject of speculation in the past 24 hours, perhaps based on the Reuters report.
Thankfully, Cybercrime Prosecutor Lodewijk Van Zwieten from the Netherlands kept things fairly simple in his prepared speech.
He began by noting that 93 servers had been taken down in one location in the Netherlands, all of which had targeted the Italian market. This seems to be a reference to equipment operated by the actual IPTV provider shown in the video published yesterday.
According to a chart published by the authorities and reproduced below, it was using the Xtream Codes management software, something which seems to have led the company’s software becoming embroiled in the investigation.
Van Zwieten said that no offenses had been committed by Dutch citizens but confirmed that local Internet infrastructure had been abused by the ‘criminal’ network.
“In the Netherlands, we are proud of the fact that we have a big affordable hosting industry which is very important for our economy but we don’t want these services to be used on a large scale for criminal activities,” he said.
“That is why we find it so important, together with the Dutch hosting industry, to act very diligently against abuse. So it was our pleasure to comply with a request from our Italian colleagues.”
Riccardo Croce, Head of Financial Cybercrime Investigation with the State Police in Italy, said that the “criminal group” (again, no precise explanation of which entities that phrase encompasses) had five million users in Italy alone, contributing to the 2,180,000 euros generated every month in illicit funds.
As highlighted earlier, the figures offered by various parties don’t add up, lack clarity, and as a result, appear to contradict each other.
In common with Sico’s speech, Creco’s was also presented through a translator. However, Creco was absolutely clear that the plan was to get to the “complex mapping of international technological infrastructure and to really hit them at the heart of the infrastructure.”
He spoke briefly about the complex technological network being used to transfer the actual streams but then appeared to touch on the importance of Xtream Codes once again, noting that entities in the chain were able to use a particular service to sell the product to the public.
“Our investigation was based on this, to go to the source level of this illegal signal, to disarticulate completely all servers in various European countries in which the infrastructure existed to replicate these signals,” Creco said.
“And, to hit for the first time, the company that was offering this very interesting support to the criminal infrastructure which put at its disposal these panels, network panels, the computer system through which the multitude of pay channels were able to be sold and resold through a chain of people called resellers throughout Europe so it could end up at the end-users.”
The paragraph above is possibly the clearest description of Xtream Codes’ function from someone in authority since yesterday’s raids. Creco’s statement not only separates the system from the actual provision of illegal streams but describes its function as most people understand it.
While many will argue that Xtream Codes was content-agnostic and capable of being put to plenty of legitimate uses, it’s clear that the authorities do not believe that was the intent at all. Through their statements, as confusing as they were at times, the message seems to be that Xtream Codes was perhaps the most important cog in the wheel.
There are many huge questions now being asked in the unlicensed IPTV community but perhaps the biggest is what information was held on the servers of Xtream Codes at the moment they were seized. They are a potential goldmine of information, not only relating to the many IPTV providers and sellers that used the service but also their customers. The worldwide fallout could be immense.
Importantly, however, Xtream Codes (as popular as it was) is not the only product out there capable of doing this kind of management job. So while the company’s days may already be over, others are already gearing up to fill in the gaps. Whether anyone will want to centralize their data with a vulnerable third-party again will be up for debate, however.
Reports of legal action and law enforcement activities against IPTV services and providers are a regular occurrence but news coming out of Italy this morning is particularly interesting.
According to the Guardia di Finanza (GdF), a law enforcement agency under the authority of the Minister of Economy and Finance, a huge operation is underway to target and dismantle the software service known as Xtream Codes.
What makes the case unusual is that Xtream Codes isn’t an IPTV provider as such. Usually operating from Xtream-codes.com, the company behind the software/system offers a comprehensive package that allows people to manage their own IPTV reselling service and its customers.
The system is subscription-based, starting at around 15 euros per month and running to 59 euros per month for the powerful “all-in-one” solution.
The Guardia di Finanza say that 100 officers from its Special Unit for the Protection of Privacy and Technological Fraud (NSPFT) are taking part in the operation to take Xtream Codes down.
Early reports suggest that the system has been “seized”, allegedly preventing 700,000 users from accessing the platform. Xtream Codes itself recently reported having more than 5,000 clients servicing in excess of 50,000,000 end clients.
The Italian police unit is describing Xtream Codes as an international criminal group that’s being targeted not only in Italy but with simultaneous searches in the Netherlands, France, Germany, Greece and Bulgaria.
Xtream Codes is registered as a company in Bulgaria, has a local VAT number, and lists an address in Petrich for its offices. According to its now-disappeared website, it was founded by two students. Police say that 25 “managers” have been identified but there’s no specific mention of any arrests.
Disruption is already being reported by some IPTV sellers utilizing the Xtream Codes system. Authorities in Italy are set to provide more information on the operation this morning so we’ll update this article as more news comes in.
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.