HSI Agent Details U.S. Pirate Site Domain Seizure Mechanism in Affidavit * TorrentFreak

The World Cup is the most prestigious tournament in international soccer. International governing body FIFA protects its lucrative competition rights with an iron fist.

The 2022 FIFA World Cup kicked off on November 20 in Qatar, and in the hours leading up to December 10, Homeland Security Investigations (HSI) began to seize the domains of pirate streaming sites. Our initial report was confirmed by US authorities two days later, with a statement saying that "55 separate websites" had been seized.

In the days that followed, an additional 23 domains were seized, bringing the total to 78. The official announcement referenced an affidavit filed in support of the seizures, but no copy was provided, and hours spent trawling through court records turned up nothing in December.

Affidavit dated December 2022 Filed in January 2023

After being officially filed on January 12, 2023, two identical affidavits appeared on file this month in the United States District Court for the District of Maryland. Filed by HSI Special Agent Jones under two different case numbers, the affidavits bear the signature of Judge Maddox dated December 16, 2022.

Both affidavits relate to seizures that took place between December 16 and 19, but make no mention of prior seizures. The affidavits list two other case numbers, but those documents were filed under seal.

Following previous assignments with the NSA and the Weapons of Mass Destruction Response Team, Special Agent Jones is currently assigned to HSI's Transnational CyberCrime Team (TCCT).

The affidavit states that there is probable cause to believe that the listed domains are subject to seizure and forfeiture under 18 USC § 2323(a)(1)(A)-(B) and (b)(1) because they are used or intended to be used to commit or facilitate criminal offenses under 17 USC § 506 and 18 USC § 2319.

Friend MTS Referral to HSI in September

At least two months before the 2022 World Cup began, in its role as a FIFA representative, UK-based anti-piracy company Friend MTS (which is heavily involved in dynamic blocking of broadcasts in Europe) began providing HSI with information about "multiple" domains.

"Friend MTS identified the sites as being used to broadcast and distribute copyright-infringing content (in particular, World Cup games), without the authorization of the copyright holders," the affidavits read.

FIFA apparently maintains a "white list" of domains allowed to stream games, but none of the domains submitted by Friend MTS appeared on that list.

'Open source' search for additional domains

To find additional domains that illegally transmit copyright-protected content, US researchers conducted a review of "open source Internet messages." Some of the discovered sites "appeared to host illegal streaming content," while others embedded streams or offered links to content hosted elsewhere.

The table below lists some of the domains and when they were confirmed to offer FIFA content. Their corresponding domain registries are also listed, in this case primarily VeriSign, but others include GoDaddy, Inc., Identity Digital Inc., and Tonic Domains.

[Image: HSI seized domain checklist]

After confirming that all domains offered unlicensed content, HSI concluded that "neither a restraining order nor a court injunction" could guarantee their seizure.

However, if the domains were seized and redirected to another website, that would "prevent third parties from acquiring the name and using it to commit additional crimes" and "prevent third parties from continuing to access the websites in their current forms."

Legal assessment and seizure

The affidavit states that for civil forfeiture cases, jurisdiction may be any district where any of the events leading to the forfeiture occurred, or where the property was found or purchased. For criminal forfeitures, the venue is in any district in which prosecution may occur.

In this case, the affidavit establishes that there is probable cause to believe that the domains are subject to civil and criminal forfeiture. With all bases covered, attention turns to the domain registries for .com, .tv, .to, .cc, .me, .live, and .net domains: Verisign, Inc., GoDaddy, Tonic Domains, and Identity Digital, Inc.

After domains were seized, registries were required to associate them with new authoritative name servers, directing visitors to a government seizure notice that referenced a court-issued order.

After receiving a copy of the seizure order, domain registrars (through which domain owners had purchased their domains) were told to "modify any registry, database, tables, or documents" used to identify the owner of the domain, to show that seizure had occurred.

Domain Forfeiture Instructions

Both affidavits have four attachments marked A1-A4, each detailing the actions a specific registry must take. In all cases, domain seizures were ordered to take place on December 16, 2022 at 4:00 pm EST.

Registries were given the option of adding two new DNS entries (ns1 and ns2.seizedservers.com) to each domain or redirecting the domains to two designated IP addresses. A third option allowed law enforcement to issue instructions to a relevant domain registrar.
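A defender-side check for the first option described above, as an added example that is not from the article or the affidavit: it reads NS records in zone-file layout and flags domains whose delegation points at the two seizedservers.com name servers. The `.example` domains and the `old-host.example` name server are constructed sample data.

```python
from collections import defaultdict

# Name servers named in the affidavit attachments, as reported in this article.
SEIZURE_NS = {"ns1.seizedservers.com", "ns2.seizedservers.com"}

# Constructed sample in zone-file / `dig +noall +answer` layout.
# The .example names are placeholders, not domains from the affidavit.
SAMPLE_RECORDS = """\
; constructed sample data
stream-one.example.   172800 IN NS ns1.seizedservers.com.
stream-one.example.   172800 IN NS NS2.SeizedServers.com.
stream-two.example.   172800 IN NS ns1.seizedservers.com.
stream-two.example.   172800 IN NS ns1.old-host.example.
stream-three.example. 172800 IN NS ns1.old-host.example.
stream-three.example. 172800 IN A  192.0.2.10
"""

def _norm(name):
    """DNS names are case-insensitive; drop the root dot as well."""
    return name.rstrip(".").lower()

def parse_ns_records(text):
    """Return {domain: set of name servers} from zone-style lines."""
    delegations = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments
        if len(fields) < 3:
            continue
        # Record type sits between owner and target; TTL and class are optional.
        if "NS" not in (f.upper() for f in fields[1:-1]):
            continue
        delegations[_norm(fields[0])].add(_norm(fields[-1]))
    return dict(delegations)

def classify(nameservers):
    """seized: every NS is a seizure server; mixed: only some are."""
    if not nameservers & SEIZURE_NS:
        return "not-seized"
    return "seized" if nameservers <= SEIZURE_NS else "mixed"

def triage(text):
    return {d: classify(ns) for d, ns in parse_ns_records(text).items()}

if __name__ == "__main__":
    for domain, verdict in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{domain:22} {verdict}")
```

The check covers only the name-server option; a seizure carried out through the two designated IP addresses, which the article does not list, would need an A-record comparison instead.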

All registries are advised to avoid any modification or transfer of the domains and to implement the instructions as quickly as possible. The list of domains for each registry reads as follows:

Verisign: Rojadirectatvonline.net, Soccerstreams.net, Weakstream.net, Wizwig1.com, Releasesky.com, Tenorsky.com, Vipleagues.net, Extremotvplay.com, Futbollatam.com, Futboltv-envivo.com, Futbollatin.com, Librefutbol.com, ovopremium.com

Registry Services, LLC (GoDaddy): AJSports.tv, Sportstream.tv, Futboltv.biz

Tonic Domains: soccerstreams.to

Identity Digital Inc.: Rojadirecta.global, Hesgoal.pro, Rojadirecta.me, Livetv605.me, Futboltv.live, Hesgoal.me

Notify domain owners about seizures (or not)

Since domain seizures are still relatively rare in the United States, it was unclear whether authorities would target domain registries, domain registrars, or both. The paperwork clearly shows that registries are the preferred option, but registrars do get a few mentions.

For example, there is an instruction for domain registrars to modify registrant records "to reflect seizure" and there is also the possibility for registrars to change DNS records. In the section below, there is a requirement for domain registrars to notify customers that Homeland Security has seized their domains.

[Image: notify registrars]

As detailed in our previous report, US domain registrars are listed for more than 60% of the seized domains. Registrars have access to the details of domain owners, so contacting them about seized domains would be easy.

Despite the instructions in the order addressed to registrars and the notes that the seizure order will be sent to domain name registrars based in the United States, in all cases the list of registrars is surprisingly small.

[Image: registrars-us]

The affidavit states that neither registrar is based in the United States, but in the example above, both ajsports.tv and futboltv.biz list NameCheap Inc. as the registrar.

Other domains listed in the affidavit as not having a registrar in the United States include Hesgoal.pro (NameCheap), LiveTV605.me (NameCheap), Futboltv.live (NameCheap), and Hesgoal.me (Name.com, Inc.).

On the surface at least, it appears that all US registrars are required to inform their clients of seizures, but only if they are listed in the affidavit as being in the United States. None are listed as such.

Ultimately, the original seizure requests and warrants were sealed and remain so. At least one was filed in a Miami district court on October 5, 2022, at least six weeks before the start of the World Cup on November 20, 2022.

The two identical affidavits filed in separate cases can be found here and here (pdf)
