The raids and arrests this week targeting piracy release group SPARKS have caused chaos in The Scene, with members and groups going into hiding and new releases dropping like a stone. The targeting of just one group shouldn't have such a massive effect but it seems probable that in the weeks and months to come, we'll learn that one weak spot can be exploited to undermine a much larger infrastructure.
This Tuesday, TorrentFreak received more rapid-fire anonymous tips than we have done in recent memory.
Demanding confidentiality is nothing new but tipsters and sources using anonymous mailers, obscured IP addresses, alongside repeat requests that identities aren’t revealed, usually point to something particularly unusual.
And indeed, something unusual was definitely underway. Late Tuesday, documents filed under seal in the United States as early as January 2020 were suddenly unsealed, revealing one of the most important piracy-related cases of the past decade.
As detailed in our report yesterday, a case brought by the US Government resulted in a Grand Jury charging at least three members of several and related top-tier ‘Scene’ release groups – SPARKS, GECKOS, DRONES, ROVERS and SPLiNTERS – with conspiracy to commit criminal copyright infringement and other crimes.
The US case has been ongoing for many months and the investigation certainly longer. Exactly how long was unknown until yesterday when a Swedish prosecutor revealed that it had been underway “for years”. However, What took us by surprise was the volume of reports on Tuesday, the claims of panic and fear in ‘The Scene’ globally, and what now appears to be a significant reduction of releases of all kinds from what is usually a prolific and cascading ‘Piracy Pyramid’ system.
Initial Information Proved Correct
People closely involved in The Scene are naturally secretive, or at least that’s the mandate. The truth is that some are prepared to talk but everyone is so scared of being caught by the authorities or labeled by fellow members as insecure, that truly verifiable sources are extremely hard to come by. As a result, reporting the finer details becomes a product of overlapping independent sources, none of whom want to be identified, which isn’t ideal.
Nevertheless, during Tuesday we were told by multiple sources that topsites and warez-affiliated members and resources were being targeted by law enforcement, anti-piracy groups, or a combination of both in many regions. What they all had in common was that the entities were affiliated with SPARKS and various topsites.
Another recurring theme was the focus on Nordic countries as being at the heart of action. Many countries were mentioned, including the Netherlands, Germany, Switzerland and Poland but, again and again, the reports cited both Norway and Sweden as potentially the main ‘problem’ areas.
US Department of Justice Began Talking Yesterday
In an official announcement Wednesday, following the initial yet unofficial reports of raids 24 hours earlier and after the unsealing of the indictments, the USDOJ revealed the global scale of the operation against SPARKS and its affiliates.
“Thanks to the efforts of HSI, the Postal Inspection Service, Eurojust, Europol, and our law enforcement partners in 18 countries on three continents, key members of this group are in custody, and the servers that were the pipeline for wholesale theft of intellectual property are now out of service,” the announcement read.
The US revealed that law enforcement authorities in many countries assisted in the investigation against SPARKS including those in Canada, Cyprus, Czech Republic, Denmark, France, Germany, Italy, Republic of Korea, Latvia, Netherlands, Norway, Poland, Portugal, Romania, Spain, Sweden, Switzerland, and the United Kingdom.
SPARKS member George Bridi, 50, was reportedly arrested on Sunday in Cyprus on an INTERPOL Red Notice. Correa (aka ‘Raid’), 36, was arrested Tuesday in Olathe, Kansas, where he will appear in federal court. Umar Ahmad (aka ‘Artist’), 39, was not arrested and as of Wednesday was reportedly still at large, according to the US Government.
The Nordic Connection
Several pieces of information received by TF during Tuesday indeed placed someone known as ‘Artist’ as a central and important figure in the action taking place.
Umar Ahmad is now officially named as that key person but according to his indictment, the US Government is not seeking to prosecute him for SPARKS-related offenses beyond January 2020. That’s also the case for George Bridi, an indicted co-defendant whose alias is currently unknown. The only SPARKS defendant charged with offenses up to August 2020 is Jonatan Correa, aka ‘Raid’.
While there is room for speculation as to what may have happened here, it seems somewhat reasonable to conclude (at least given the charges) that Ahmad and Bridi stopped their alleged offending months ago. However, according to records kept by Scene-watching sites (known as pre-databases), SPARKS-related groups continued releasing content online until fairly recently.
That aside, what we can confirm today is that Norway’s National Criminal Investigation Service, commonly known as Kripos, carried out raids at several premises this week and seized computer equipment on what is being described as a “large scale”.
In addition, three men – who are yet to be named but are in their 30s and 40s – were arrested and charged for breaches of Norway’s Copyright Act. It is not currently known whether 39-year-old Oslo-resident Umar Ahmad is among them.
Danish authorities have also confirmed that four men, aged between 35 and 48, had their homes searched and were subsequently charged with copyright infringement offenses. Servers and other pieces of IT equipment were seized.
Source: Some Warning Signs Were Spotted a While Ago
It’s certainly possible that SPARKS members were absolutely oblivious to the US Government’s investigation but according to one difficult-to-verify source, who insisted on anonymity but spoke with us at length and in considerable detail, this year and “before COVID”, some Scene members were questioning why a particular SPARKS member had suddenly “retired”.
We are not publishing that member’s name here (which we believe was provided to us in advance of the unsealing of the US indictment) but according to the same source, another possibly-connected mystery was still lingering.
The source alleges that some months earlier an individual connected to a separate yet prominent release group also “went afk” and suddenly stopped providing content. Again, we aren’t publishing the name of that group or the nickname of the person involved but we can confirm that the alleged group stopped releasing several months before the end of 2019.
This led to rumors that one or both may have been compromised and hadn’t just taken a break. The relevance is that, according to the same insider, the pair (coincidentally or not) are believed to have shared the same content sources. Again, this is unconfirmed information but the first group has never returned to action and the second has the US Government on the attack after uncovering where it was obtaining its DVD and Blu-Ray discs from.
Significant Legal Action in Sweden
After receiving initial information, which was later confirmed by the USDOJ, that significant action had taken place in Sweden. On Tuesday, we spoke with Jon Karlung, the owner of ISP Bahnhof, which we were informed may have been visited by the authorities investigating SPARKS. That turned out not to be the case.
Karlung told us that nobody had visited the company nor requested information. However, he said that with 400,000 households and 10,000 companies as clients, plus the company’s sale of bandwidth capacity to other ISPs, he couldn’t rule out that someone way down the chain, even a client of someone else, may have been visited.
Whether connected to this specific ISP or not, multiple sources informed us that at least one topsite affiliated with multiple groups utilized a high-bandwidth home link in Sweden, with another topsite connected to multiple groups also seized in the country.
What we know from official sources is that there were 14 house searches carried out in Sweden on Tuesday, including in Umeå, Malmö, Gothenburg and Stockholm. No one was arrested during the raids but according to prosecutor Johanna Kolga, more servers were seized in Sweden than anywhere else.
Netherlands Action and the Existence of MLATs
Finding information about what happened in the Netherlands led us to Tim Kuik of anti-piracy group BREIN. We put it to him that if anyone in the country knows anything about the case, it must be him. Like most other people, Kuik wasn’t budging on detail. But he did offer a plausible explanation for the silence.
“It is an interesting case indeed. It is entirely possible for so-called MLATs to be carried out on the request of say US law enforcement and the Dutch authorities carrying it out without informing any private stakeholders,” Kuik told us.
“In such cases it may be so that stakeholders abroad, who may have filed a criminal complaint for example, have been made aware and would not be at liberty to say anything about it. So nobody is likely to comment I think. But you can always try. I have no comment.”
Later, however, Eurojust – the European Union Agency for Criminal Justice Cooperation – confirmed that it “helped transmit and facilitate the execution of over 30 Mutual Legal Assistance requests and Letters of Request necessary for taking down the servers and executing searches..”
In all, over 60 servers were taken down in North America, Europe and Asia and “several main suspects” were arrested, the agency added.
Interesting Allegations, Few New Releases, and Kevin Bacon
Over the past 48+ hours, TF has been provided with a list of topsites and related infrastructure that has either been raided or taken down as a precautionary measure. The dozen-plus platforms will therefore remain unnamed, as we simply cannot determine which of the platforms are offline voluntarily, or down because they have been seized.
This leads us to why so many sites and other key pieces of infrastructure have disappeared, apparently just because one group was targeted. The reasons, we are told, are complex but can be boiled down to the number of connections SPARKS had in The Scene.
One recurring theme is that one of SPARKS’ members is claimed to have become quite influential and as a result may have “extended his tentacles too far”, as one source framed it. These connections, with many other groups and activities, may go some way to explaining why The Scene all but shut down Tuesday. If we take Bacon’s Law and apply it here, the response makes complete sense.
Nevertheless, the scale of the shutdown is unusual, to say the least, and only time will tell if The Scene will fully recover. For the average torrent or streaming site user, a period of reduced new content availability might be on the horizon but history shows us that rarely lasts for long and that the cycle will probably begin again, once people have figured out who they can trust.
Source: TorrentFreak