KAT owner busted, site closed.

DigDog

very interesting read on how they busted the owner of KickassTorrents, afaik the current largest pirate website.

https://torrentfreak.com/can-kickasstorrents-make-a-comeback-160721/

Yesterday the U.S. Government delivered a massive blow to KickassTorrents. With its alleged founder arrested and pretty much the entire site's operation compromised, it's not obvious that there will be a Pirate Bay style comeback anytime soon.

Founded in 2009, KickassTorrents (KAT) grew out to become the largest torrent site on the Internet with millions of visitors a day.

As a result, copyright holders and law enforcement have taken aim at the site in recent years. This resulted in several ISP blockades around the world, but yesterday the big hit came when the site’s alleged founder was arrested in Poland.

Soon after the news was made public KAT disappeared, leaving its users without their favorite site. The question that’s on many people’s minds right now is whether the site will make a Pirate Bay-style comeback.

While it’s impossible to answer this question with certainty, the odds can be more carefully weighed by taking a closer look at the events that led up to the bust and what may follow.

First off, KickassTorrents is now down across all the site’s official domain names. This downtime seems to be voluntary in part, as the authorities haven’t seized the servers. Also, several domains are still in the hands of the KAT-team.

That said, the criminal complaint filed in the U.S. District Court in Chicago does reveal that KAT has been heavily compromised (pdf).

According to the feds, Artem Vaulin, a 30-year-old from Ukraine, is the key player behind the site. Over the years, he obfuscated his connections to the site, but several security holes eventually revealed his identity.

With help from several companies in the United States and abroad, Homeland Security Investigations (HSI) agent Jared Der-Yeghiayan identifies the Ukrainian as the driving force behind the site.

The oldest traces to Vaulin are the WHOIS records for various domains, registered in his name early 2009.

“A review of historical Whois information for KAT….identified that it was registered on or about January 19, 2009, to Artem Vaulin with an address located in Kharkiv, Ukraine,” the affidavit reads.

This matches with records obtained from domain registrar GoDaddy, which indicate that Vaulin purchased three KAT-related domain names around the same time.

The agent further uncovered that the alleged KAT founder used an email address with the nickname “tirm.” The same name was listed as KAT’s “owner” on the site’s “People” page in the early days, but was eventually removed in 2011.

Tirm on KAT’s people page

The HSI agent also looked at several messages posted on KAT, which suggest that “tirm” was actively involved in operating the site.

“As part of this investigation, I also reviewed historical messages posted by tirm, KAT’s purported ‘Owner.’ These postings and others indicate that tirm was actively engaged in the early running of KAT in addition to being listed as an administrator and the website’s owner,” the HSI agent writes.

Assisted by Apple and Facebook the feds were then able to strengthen the link between Vaulin, tirm, and his involvement in the site.

Facebook, for example, handed over IP-address logs from the KAT fanpage. With help from Apple, the investigator was then able to cross-reference this with an IP-address Vaulin used for an iTunes transaction.

“Records provided by Apple showed that tirm@me.com conducted an iTunes transaction using IP Address 109.86.226.203 on or about July 31, 2015. The same IP Address was used on the same day to login into the KAT Facebook Account.”

In addition, Apple appears to have handed over private email conversations which reference KAT, dating back several years. These emails also mention a “kickasstorrent payment,” which is believed to be revenue related.

“I identified a number of emails in the tirm@me.com account relating to Vaulin’s operation of KAT. In particular, between on or about June 8, 2010, and on or about September 3, 2010,” the HSI agent writes.

More recent records show that an IP-address linked to KAT’s Facebook page was also used to access Vaulin’s Coinbase account, suggesting that the Bitcoin wallet also assisted in the investigation.

“Notably, IP address 78.108.178.77 accessed the KAT Facebook Account about a dozen times in September and October 2015. This same IP Address was used to login to Vaulin’s Coinbase account 47 times between on or about January 28, 2014, through on or about November 13, 2014.”

As for the business side, the complaint mentions a variety of ad payments, suggesting that KAT made over a dozen million dollars in revenue per year.

It also identifies the company Cryptoneat as KAT’s front. The Cryptoneat.com domain was registered by Vaulin and LinkedIn lists several employees of the company who were involved in the early development of the site.

“Many of the employees found on LinkedIn who present themselves as working for Cryptoneat are the same employees who received assignments from Vaulin in the KAT alert emails,” the complaint reads.

Interestingly, none of the other employees are identified or charged.

To gather further information on the money side, the feds also orchestrated an undercover operation where they posed as an advertiser for “a website purportedly advertising a program to study in the United States.” This revealed details of several bank accounts, with one receiving over $28 million in just eight months.

“Those records reflect that the Subject Account received a total of approximately €28,411,357 in deposits between on or about August 28, 2015, and on or about March 10, 2016.”


Finally, and crucially, the investigators issued a warrant directed at the Canadian webhost of KickassTorrents. This was one of the biggest scores as it provided them with full copies of KAT’s hard drives, including the email server.

“I observed that they were all running the same Linux Gentoo operating system, and that they contained files with user information, SSH access logs, and other information, including a file titled ‘passwd’ located in the ‘etc’ directory,” the HSI agent writes.

“I also located numerous files associated with KAT, including directories and logs associated to their name servers, emails and other files,” he adds.

Considering all the information U.S. law enforcement has in its possession, it’s doubtful that KAT will resume its old operation anytime soon.

Technically it won’t be hard to orchestrate a Pirate Bay-style comeback, as there are probably some backups available. However, now that the site has been heavily compromised and an ongoing criminal investigation is underway, it would be a risky endeavor.

Similarly, uploaders and users may also worry about what information the authorities have in their possession. The complaint cites private messages that were sent through KAT, suggesting that the authorities have access to a significant amount of data.

While regular users are unlikely to be targeted, the information may prove useful for future investigations into large-scale uploaders. More clarity on this, the site’s future, and what it means for the torrent ecosystem, is expected to become evident when the dust settles.

i've always wondered how pirate websites make money; is it through advertising? because i couldn't believe those two scrawny banners on the side of the page could ever pay that much .. and also, since it's a pirate website, surely the users are smart enough to use an adblock?
$28M a year is not what i expected.
 

Joepublic2

Apparently the Ukraine doesn't have an extradition treaty with the US.

http://www.state.gov/documents/organization/71600.pdf

“I observed that they were all running the same Linux Gentoo operating system, and that they contained files with user information, SSH access logs, and other information, including a file titled ‘passwd’ located in the ‘etc’ directory,” the HSI agent writes.

Nothing gets past THIS super sleuth. He can use elite hacker commands like "uname" and "ls".

Also, what the hell is Homeland Security doing carrying water for private copyright holders?

The Department of Homeland Security has a vital mission: to secure the nation from the many threats we face. This requires the dedication of more than 240,000 employees in jobs that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector. Our duties are wide-ranging, and our goal is clear - keeping America safe.

Keeping us safe from free music and movies, I guess.
 

SheHateMe

You would think a guy running a site like that would have better OpSec. Logging into KAT's Facebook page without masking your home IP? Attaching your bank account to your Apple account? Registering services in the US and having your real name on the WHOIS records. This guy wanted to get caught I guess.
 

Sonikku

Apparently the Ukraine doesn't have an extradition treaty with the US.

http://www.state.gov/documents/organization/71600.pdf



Nothing gets past THIS super sleuth. He can use elite hacker commands like "uname" and "ls".

Also, what the hell is Homeland Security doing carrying water for private copyright holders?



Keeping us safe from free music and movies, I guess.

Of the corporations, by the corporations, for the corporations.
 

Grooveriding

but seriously, how does he make that much money?

I'd guess the figure is bullshit, made up to make the action seem more significant than it actually was. Similar to drug busts and how they inflate the dollar value of what they've seized.
 

1prophet

Yesterday the U.S. Government delivered a massive blow to KickassTorrents

Corporations always looking for "what the country can do for them" in this case enforce their IP rights, but when it comes time to "do for their country" use every loophole and excuse to avoid doing so because "profit only matters".
 
Why do this to yourselves unless you're just a broke teen or college student? Torrents are full of viruses and garbage quality stuff. Content is cheap enough these days that it's much easier to just pay for it and get it right then and it's great quality.
 

Knowing

Ooh boy, a passwd file in the /etc/ directory. That's a smoking gun right there, said no one who has used Linux for more than a day.

Their opsec was terrible, as it so often seems to be.
 

MajinCry

the site is already back up

Naw it ain't. Ya probably on one of those fake honeypotters. Shame, I had something that I needed to d-I mean, I would never, ever download something from that hellerific site! My internet connection is made of moral fibers!
 

Linux23

Why do this to yourselves unless you're just a broke teen or college student? Torrents are full of viruses and garbage quality stuff. Content is cheap enough these days that it's much easier to just pay for it and get it right then and it's great quality.
Yeah right.
 

master_shake_

Apparently the Ukraine doesn't have an extradition treaty with the US.

http://www.state.gov/documents/organization/71600.pdf



Nothing gets past THIS super sleuth. He can use elite hacker commands like "uname" and "ls".

Also, what the hell is Homeland Security doing carrying water for private copyright holders?



Keeping us safe from free music and movies, I guess.

business as usual.

http://the-gadgeteer.com/2014/01/20/amc-movie-theater-calls-fbi-to-arrest-a-google-glass-user/

corporations are people.

people need security.

just wait till the TPP passes and they'll be their own countries.
 

CZroe


Lepton87

Why do this to yourselves unless you're just a broke teen or college student? Torrents are full of viruses and garbage quality stuff. Content is cheap enough these days that it's much easier to just pay for it and get it right then and it's great quality.

Surely you are detached from the reality that hundreds of millions of people have to contend with. Software is very cheap where you live compared to pretty much the rest of the world. Most of the world's population doesn't live in the US.
 

DigDog

69620124.jpg

with the .am domain.

we gotta stop these gosh-darn pirates from ruining our future.
 

SheHateMe

So what are the alternatives?


Private trackers. I quit public torrent sites like 4 years ago. Usenet is decent...but if you really want to spend money on an account and then extra money on a block account just to get around incomplete files...go ahead.
 

Linux23

Private trackers. I quit public torrent sites like 4 years ago. Usenet is decent...but if you really want to spend money on an account and then extra money on a block account just to get around incomplete files...go ahead.
How do you get into private trackers? Not that I would do it. Just wanted to know out of curiosity.