The Scene: Pirates Ripping Content From Amazon & Netflix
In recent weeks, TF was able to speak to a member of The Scene, the shadowy network of individuals and groups sitting right at the apex of the so-called ‘piracy pyramid’.
If the tip of this polyhedron represents the exclusive few, the progressively larger and lower portions constitute the increasing masses, all enjoying the pirated content flooding down, albeit without the consent of those at the very top.
Our introduction dealt with a selection of the basics, from how The Scene is structured to who takes on various roles. Our contact – “Source” – runs his own release group, something we were able to verify by having a unique marker placed in a Scene release. However, he also touched on something that’s rarely discussed in public.
So-called WEB releases are videos obtained from streaming services, particularly Netflix and Amazon. Not to be confused with WEBRip content, which is obtained using technology such as hardware capture cards or software-based ‘capping’ tools, WEB releases involve downloading the raw video files to a computer or server.
“Source” describes himself as a programmer with involvement with WEB releases. For security reasons he wasn’t prepared to identify which groups he’s affiliated with but he did provide an overview of the process.
“Content for WEB releases are obtained by downloading the source content. Whenever you stream a video online, you are downloading chunks of a video file to your computer. Sceners simply save that content and attempt to decrypt it for non-DRM playback later,” he says.
When accessing the content, legitimate premium accounts are used, often paid for using prepaid credit cards supported by bogus identities. It takes just a few minutes to download a video file since they’re served by CDNs with gigabits of bandwidth.
“Once files are downloaded from the streaming platform, however, they are encrypted in the .mp4 container. Attempting to view such video will usually result in a blank screen and nothing else – streams from these sites are protected by DRM.
“The most common, and hard to crack DRM is called Widevine. The way the Scene handles WEB-releases is by using specialized tools coded by The Scene, for The Scene. These tools are extremely private, and only a handful of people in the world have access to the latest version(s),” “Source” notes.
“Without these tools, releasing Widevine content is extremely difficult, if not impossible for most. The tools work by downloading the encrypted video stream from the streaming site, and reverse engineering the encryption.”
Our contact says that decryption is a surprisingly quick process, taking just a few minutes. After starting with a large raw file, the finalized version ready for release is around 30% smaller, around 7GB for a 1080p file. Subtitle files, which can be numerous on a typical WEB release, are not encrypted, meaning there’s nothing further to do.
Although evasive over the name of the WEB groups he’s affiliated with, “Source” told us his role involves creating scripts for downloading content in an automated manner from Widevine-protected sites.
“A simple example is a bot, where you feed a stream URL and a release gets downloaded, packed and uploaded to topsites fully automatically, with no human interaction needed,” he explains.
“Source” says that the decryption tools he’s familiar with mainly target protected content using Windows tools and Google Chrome. He also mentioned exploits for Smart TVs and other platforms but wasn’t able to provide additional details on those or the apparent exploit of iTunes which saw 4K content leak online earlier this year.
However, he did reveal that, in an attempt to ensure that Scene decryption tools don’t leak out to the wider public, some versions of the Scene’s tools only work server-side and are protected by Hardware ID (HWID). The aim here is to restrict which machines are capable of running the software.
Perhaps surprisingly, “Source” went on to send us screenshots of what he said were two Widevine decrypter tools in action. One of them, which has been redacted to hide some sensitive information, is shown below.
Since we’re always protective of our sources, the supply of these screenshots raised alarm bells with us. If these decryption tools are so secretive, why would he put himself at risk by allowing us to publish images of them?
It transpires that in common with other ‘pirate’ content, Scene-only tools sometimes leak out too. “Source” told us that the screenshots he provided were culled from older tools that were leaked and subsequently offered for sale on the wider Internet, so that’s why he is comfortable with them being published.
“There are countless other tools,” he added, “but I can’t publicly say about them.”
He did, however, point us to an online platform where the tools had been offered in exchange for bitcoin.
We spent some time looking around but couldn’t immediately match the screenshots to any specific software on offer. Surprisingly, part of the problem was the sheer number of Netflix and Amazon ripping tools being offered by various anonymous parties.
Given the high prices being attached to these products and their illegal nature (circumvention, in this case, would constitute a breach of the DMCA), we weren’t prepared to buy or test them. However, it is clear that this is an area ripe for exploitation, with several buyers claiming that supplied tools do not work as advertised.
As a result, we can’t say for sure whether any of the software being offered in public is real, currently works, or indeed ever worked. It is obvious, considering the number of releases being made, that tools inside The Scene are working as intended, something that may have been underlined by the recent release of 4K video sourced from Netflix.
But for pirates, this may not be the case for much longer. “Source” says that the flood of WEB releases (also known as WEB-DL in the P2P arena) may start to dry up – at least for a while.
“Widevine is expected to update their DRM, and the only working Windows-based crack (I’m aware of) is strictly regulated, and most groups won’t get access to it, compared to the current older tools not requiring any sort of server-side or hardware verification for use,” he concludes.
Part 3 of this series, dealing with the technical aspects of The Scene, is a work in progress.