The Xtream Codes IPTV Takedown is Complex and Confused
As reported Wednesday, police in Italy and several other European countries coordinated to take down Xtream Codes, at least one IPTV provider, and more than twenty individuals and related equipment linked to the services.
The precise roles of all these people remain unclear. However, there can be little doubt that emphasis is being placed on the importance of the Xtream Codes management system which, according to law enforcement officials, lay at the very heart of the targeted criminal operation even though the software didn’t supply any content.
This very large operation involved police forces in Italy, the Netherlands, France and Bulgaria. It was coordinated across borders with the assistance of Eurojust, an EU agency that helps agencies from member states to co-operate in criminal matters.
Yesterday afternoon, a press conference took place to explain how the operation panned out, who it had targeted, and to detail various additional pieces of information. It began with Filippo Spiezia, National Member for Italy at Eurojust, explaining that hundreds of officers had been involved in the operation to dismantle the technological infrastructure of a “criminal IPTV network.”
Spiezia confirmed that 181 servers had been taken down and seized and more than 800,000 users (police reported 700,000 earlier yesterday) had been disconnected from the Xtream Codes service when it was taken down.
In what became a common theme throughout the conference with several participants, Spiezia sometimes appeared to speak generally about the entire operation, which included the takedown of at least one actual IPTV provider, then sometimes in relation to Xtream Codes alone.
This ambiguity and lack of clarity appear to be causing confusion. For example, Reuters reported the following yesterday:
“The biggest illegal platform shut down on Wednesday, dubbed Xtream Codes, had around 50 million users worldwide,” Reuters reported, citing Gianluca Berruti of the Italian tax police.
“It sold a bundled pay-TV service that included premium content from Comcast’s Sky Italia, Netflix, Mediaset, Dazn, for a monthly subscription of 12 euros,” it claimed Berruti added.
Again, ‘pirate’ IPTV sellers utilizing the Xtream Codes platform may have been doing just that but, at this stage, the second claim above doesn’t make sense or indeed add up. Fifty million users multiplied by 12 euros a month is a staggering amount of money that wasn’t supported by financial information provided later in the conference.
In common with all of those present at yesterday’s gathering, Filippo Spiezia expressed satisfaction at the success of the international operation, noting that cross-border cooperation had proved invaluable since the investigation began.
“During these months of work at Eurojust, we have adapted to the judicial needs of the Italian authorities….to the specific legal requirements of our new partners. This is the first example of an action conducted with these modalities,” he said.
“Thanks to this action we have sent out a very clear signal to criminals that even in this specific domain, even in this specific area which represents the most advanced form of criminality, we will [respond] to them.”
Vincenzo Piscitelli, Deputy Prosecutor in Naples, painted a picture of small offenses by end-users (pirate IPTV subscribers) fueling “huge illegal activities” behind the scenes.
“So this is why we really tried to hit these organizational structures at the heart and that was done through the investigation that was carried out by the public prosecutor’s office of Naples,” he said.
Next up was Valeria Sico, Public Prosecutor in Naples. Sico spoke quickly and through a translator, so that may account for what at times felt like confusing output. While Sico is clearly an expert in law, those looking for clear and specific technical details from the Prosecutor failed to receive them.
Some of what Sico said made sense but, given that Xtream Codes isn’t normally understood to be an actual provider of illegal streams (although it is undoubtedly used by outsiders to manage them), it’s worth reproducing some of her words in full to see how muddied this has become.
“There was software created by two citizens of Greek nationality. They have a company which had a legal seat in Bulgaria,” Sico said, confirming the information previously supplied by the Italian authorities.
“So this software enables the disclosure and the transmission of [pirate] TV signals through digital ways to different servers which were constructed by the organizations, by the host providers in the Netherlands and in France.
“Through these servers, the signal – the digital signal – was therefore sent to different IP addresses of final users and these people would then receive the [illegal] television signal in their homes.”
Again, it’s worth reiterating that Sico was speaking through a translator so some context and detail may have been lost but from there, the explanation didn’t really become any more clear.
“For the first time, having identified the company that was producing the software, we went directly to the company that was producing the software so they were enabling people to decrypt the signal,” she said.
“So this is why we also went right to the physical place where the disclosure [broadcast] of the signal would take place within these hosting provider companies in Holland and in France….the signal was broadcast to the company that had created the illegal signal – the software company – and then that was sent to the end-users.”
Again, this isn’t the broadly accepted function of the Xtream Codes system, unless the company itself was also involved in the provision of illicit streams. That claim has been the subject of speculation in the past 24 hours, perhaps based on the Reuters report.
Thankfully, Cybercrime Prosecutor Lodewijk Van Zwieten from the Netherlands kept things fairly simple in his prepared speech.
He began by noting that 93 servers had been taken down in one location in the Netherlands, all of which had targeted the Italian market. This seems to be a reference to equipment operated by the actual IPTV provider shown in the video published yesterday.
According to a chart published by the authorities and reproduced below, it was using the Xtream Codes management software, something which seems to have led to the company’s software becoming embroiled in the investigation.
Van Zwieten said that no offenses had been committed by Dutch citizens but confirmed that local Internet infrastructure had been abused by the ‘criminal’ network.
“In the Netherlands, we are proud of the fact that we have a big affordable hosting industry which is very important for our economy but we don’t want these services to be used on a large scale for criminal activities,” he said.
“That is why we find it so important, together with the Dutch hosting industry, to act very diligently against abuse. So it was our pleasure to comply with a request from our Italian colleagues.”
Riccardo Croce, Head of Financial Cybercrime Investigation with the State Police in Italy, said that the “criminal group” (again, no precise explanation of which entities that phrase encompasses) had five million users in Italy alone, contributing to the 2,180,000 euros generated every month in illicit funds.
As highlighted earlier, the figures offered by various parties don’t add up, lack clarity, and as a result, appear to contradict each other.
In common with Sico’s speech, Croce’s was also presented through a translator. However, Croce was absolutely clear that the plan was to get to the “complex mapping of international technological infrastructure and to really hit them at the heart of the infrastructure.”
He spoke briefly about the complex technological network being used to transfer the actual streams but then appeared to touch on the importance of Xtream Codes once again, noting that entities in the chain were able to use a particular service to sell the product to the public.
“Our investigation was based on this, to go to the source level of this illegal signal, to disarticulate completely all servers in various European countries in which the infrastructure existed to replicate these signals,” Croce said.
“And, to hit for the first time, the company that was offering this very interesting support to the criminal infrastructure which put at its disposal these panels, network panels, the computer system through which the multitude of pay channels were able to be sold and resold through a chain of people called resellers throughout Europe so it could end up at the end-users.”
The paragraph above is possibly the clearest description of Xtream Codes’ function from someone in authority since yesterday’s raids. Croce’s statement not only separates the system from the actual provision of illegal streams but describes its function as most people understand it.
While many will argue that Xtream Codes was content-agnostic and capable of being put to plenty of legitimate uses, it’s clear that the authorities do not believe that was the intent at all. Through their statements, as confusing as they were at times, the message seems to be that Xtream Codes was perhaps the most important cog in the wheel.
There are many huge questions now being asked in the unlicensed IPTV community but perhaps the biggest is what information was held on the servers of Xtream Codes at the moment they were seized. They are a potential goldmine of information, not only relating to the many IPTV providers and sellers that used the service but also their customers. The worldwide fallout could be immense.
Importantly, however, Xtream Codes (as popular as it was) is not the only product out there capable of doing this kind of management job. So while the company’s days may already be over, others are already gearing up to fill in the gaps. Whether anyone will want to centralize their data with a vulnerable third party again will be up for debate, however.