Tracking the Owner of Kickass Torrents

Here's the story of how it was done. First, a fake ad on torrent listings linked the site to a Latvian bank account, an e-mail address, and a Facebook page.

Using basic website-tracking services, Der-Yeghiayan was able to uncover (via a reverse DNS search) the hosts of seven apparent KAT website domains: kickasstorrents.com, kat.cr, kickass.to, kat.ph, kastatic.com, thekat.tv and kickass.cr. This dug up two Chicago IP addresses, which were used as KAT name servers for more than four years. Agents were then able to legally gain a copy of the server's access logs (explaining why it was federal authorities in Chicago that eventually charged Vaulin with his alleged crimes).

Using similar tools, Homeland Security investigators also performed something called a WHOIS lookup on a domain that redirected people to the main KAT site. A WHOIS search can provide the name, address, email and phone number of a website registrant. In the case of kickasstorrents.biz, that was Artem Vaulin from Kharkiv, Ukraine.

Der-Yeghiayan was able to link the email address found in the WHOIS lookup to an Apple email address that Vaulin purportedly used to operate KAT. It's this Apple account that appears to tie all of the pieces of Vaulin's alleged involvement together.

On July 31st, 2015, records provided by Apple show that the me.com account was used to purchase something on iTunes. The logs show that the same IP address was used on the same day to access the KAT Facebook page. After KAT began accepting Bitcoin donations in 2012, $72,767 was moved into a Coinbase account in Vaulin's name. That Bitcoin wallet was registered with the same me.com email address.
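The investigation summarized above is, mechanically, an identifier-linkage problem: a real-identity account and a pseudonymous asset collapse into one cluster as soon as they share any identifier (an e-mail address, or the same IP address on the same day). The following is an added example, not code from the article, the complaint or any investigator's tool; every record, IP address, e-mail address and date in it is a constructed placeholder, and the union-find clustering and the `shared_identifiers` self-check are my own illustration.

```python
from collections import defaultdict

# Constructed sample records (placeholder values, not from the case):
# (source, label of the account/asset, {identifier_type: identifier_value})
RECORDS = [
    ("whois",    "domain:redirect.example",  {"email": "owner@example.net"}),
    ("apple",    "apple:owner@example.net",  {"email": "owner@example.net",
                                              "ip_day": "198.51.100.7/2015-07-31"}),
    ("facebook", "page:site-fanpage",        {"ip_day": "198.51.100.7/2015-07-31"}),
    ("coinbase", "wallet:site-donations",    {"email": "owner@example.net"}),
    ("facebook", "page:unrelated",           {"ip_day": "203.0.113.9/2015-07-31"}),
]


def link_identities(records):
    """Union-find over labels: two labels join one cluster when they share
    any identifier value (same e-mail, or same IP on the same day)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    first_seen = {}   # (identifier_type, value) -> first label carrying it
    for _, label, idents in records:
        find(label)                          # register label even if isolated
        for key in idents.items():           # key = (type, value), hashable
            if key in first_seen:
                union(label, first_seen[key])
            else:
                first_seen[key] = label

    clusters = defaultdict(set)
    for label in parent:
        clusters[find(label)].add(label)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(records, label):
    """Return every label linked (directly or transitively) to `label`."""
    for cluster in link_identities(records):
        if label in cluster:
            return cluster
    return frozenset()


def shared_identifiers(records):
    """Self-check for a defender reviewing their own exposure: which identifier
    values appear in more than one source? Each hit is a place where the
    separation between identities has already collapsed."""
    seen = defaultdict(set)
    for source, _, idents in records:
        for key in idents.items():
            seen[key].add(source)
    return {key: sorted(srcs) for key, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    for c in link_identities(RECORDS):
        print(sorted(c))
    for (kind, value), sources in shared_identifiers(RECORDS).items():
        print(f"{kind}={value} reused across {sources}")
```

With the constructed records, the domain, the Apple account, the fan page and the donation wallet land in one cluster through two reused identifiers, while the unrelated page stays separate.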

Another article.

Posted on July 26, 2016 at 6:42 AM • 34 Comments

Comments

James Hare • July 26, 2016 7:21 AM

Why are "homeland security" investigators involved in enforcing copyrights? Seems like a fairly indefensible way to prioritize limited resources. Couldn't the copyright holders police their own copyrights like the law intended? Is there really any way that national security is implicated by torrent site operators?

Keith Glass • July 26, 2016 7:55 AM

Interesting that they're claiming that HE illegally reproduced and distributed over a billion dollars' worth of content. Any torrent tracker hosts nothing but pointers to persons who are individually hosting a torrent.

One can also find torrents via Google or other search engines, but perhaps I've missed the owners of those sites getting extradited. . .

jayson • July 26, 2016 8:27 AM

It's a challenge to ignore the breathtaking legal overreach in this case and discuss the methodology. Is the moral of the story to not use American servers when conducting online business?

Dan3264 • July 26, 2016 8:37 AM

@jayson,
The moral of the story appears to be: "When doing something that could get the attention of powerful people (in a bad way), anything less than fully paranoid is not good enough".
You are welcome to suggest alternative morals to the story.

Daniel • July 26, 2016 10:40 AM

@Dan3264

I think there is a more specific moral at work. If we compare this case with the Silk Road case we find a striking similarity. In both cases the key breakthrough came when the person created an account that could be traced back to them individually, then later tried to go back and "erase" those connections.

So to me the lesson is that one must bake in anonymity from the first step. So it is not enough to be "fully paranoid" one must be fully paranoid from the moment one first connects to the internet in any capacity. Operational security is not something one can accomplish by going back and covering one's tracks.

Monkey • July 26, 2016 10:46 AM

The irony is that it was actually buying something online from Apple instead of pirating it that got him caught.

Remo • July 26, 2016 11:32 AM

@Daniel

So it is not enough to be "fully paranoid" one must be fully paranoid from the moment one first connects to the internet in any capacity.

For those of us who have lived most of our lives connected to the internet, this is the thing that concerns me the most. I know I'm showing my age but this will be an even larger problem for many others who are even younger than me. We've been encouraged to sign up for services using accounts that can easily be linked back to us and used to map all of our activity across the internet without our full understanding of the consequences. By the time we realize how deep it goes it's too late to take back our privacy.

I'm aware that many people of all ages are in the same boat but I can't help feeling particularly bamboozled when I was making these decisions before I was allowed to drive a car.

albert • July 26, 2016 11:41 AM

@James Hare,
The answer to your question is: Apple, Facebook, and the movie studios. The FBI has always investigated copyright violations for the Big Boys. Check out those warnings at the beginning of each movie. The BBs lose beelions due to torrent websites and pirating. Didn't you know? This is much more important than national security.

@Keith,
According to the complaint, Vaulin -did- actually copy and distribute some works. Rule Number One for torrent sites: Don't do that! Let the -users- do the copyright infringing.

Seems like Vaulin did everything wrong, at every step of the way.
. .. . .. --- ....

nome_de_peinture • July 26, 2016 12:38 PM

Homeland Security investigators also performed something called a WHOIS lookup on a domain that redirected people to the main KAT site.

I can't imagine the years of training that took at DHS. If only there was a way to search for domain owners....

The media cartel lose beelions due to torrent websites and pirating.

This isn't news to most, but beyond making purchasing rights easy, which most don't, the people pirating end up being paying consumers anyway.

Practical software companies know this. They make the software hard enough to steal it's inconvenient for most. The ones that are still determined very likely end up being customers anyway. It's practically speaking a form of marketing.

Ross Snider • July 26, 2016 12:41 PM

Using Homeland Security personnel to enforce this is absurd, and goes to (continue to) show that ownership of the infrastructure of every aspect of society needs to be controlled and that anything else is considered a National Security threat.

This is where Karl Marx, Richard Stallman and Amish Philosophy overlap: ownership and control of the industries that provide protection and security, entertainment, nourishment and comfort is important to the freedom of the individual.

When these things are privatized and monopolized, be they Facebook for or the power grid for comfort, they are abusable and the individual depends on having the same interests as the rent-controlling entity in perpetuity.

Information distribution entities from Google to Facebook to Hollywood have been thoroughly infiltrated by national intelligence, who use these industries for surveillance, propaganda and information warfare.

To keep them solvent though, they need to engage in protectionism until a successor can itself be infiltrated. Some day there may be a sanctioned torrent site. It will happen when the tracker engages with elements of power and 'chooses' to curate and distribute content in a manner pursuant to national security and interest.

Dan3264 • July 26, 2016 1:51 PM

@Daniel,
You are correct. That is definitely what people doing stuff like that should do. Unfortunately (for them) you can't just become an expert on something overnight. It is hard to get good advice on defending oneself from advanced persistent threats. Also, most people would not actually follow such advice, even if they have to defend against advanced persistent threats. And you don't really get second chances when dealing with advanced persistent threats.

Darren Chaker • July 26, 2016 2:44 PM

Indeed, why is Government enforcing copyright law? Sure it is a law, but today's events in the world dictate resources are put elsewhere to prevent terrorism, not do what Hollywood can do on its own - file a lawsuit, get an injunction, take down the site.

albert • July 26, 2016 2:48 PM

@Ross,
"...Using Homeland Security personnel to enforce this is absurd...". So is using FBI personnel. To quote a former head of the FBI, in 2002:

"...Understanding this basic fact is essential to evaluating how the FBI fits into the President's proposal to establish a Department of Homeland Security and what we will provide to ensure this new department gets from the FBI what it needs to succeed. That is our obligation. Or put more bluntly, the FBI will provide Homeland Security the access, the participation, and the intelligence in whatever form and quantity are necessary for this new department to achieve its mission of improving and building domestic preparedness against terrorism in America...."

and:
"...Simply put, our focus is now one of prevention..."

So it removes some BS from the feebs, and puts it on the homeys.

. .. . .. --- ....

Gerard van Vooren • July 26, 2016 2:52 PM

Here is a movie plot for the next Homeland series.

Carrie makes passionate love with Kickass, the site owner of a second-rate pirate bay clone. Afterwards, while Kickass sleeps, Carrie steals the master password of the site, but after that she immediately goes back into bed and lets him take her one more time. Meanwhile, Sal looks through a secret camera at this scene with his pants to his knees.

Quinn assassinates the kitten of Kickass with rat poison in the milk. "Hawk" Dar Adal works together with a massive Mossad expert team to design a computer virus for DDOSsing the site for at least a couple of hours, in case Carrie fails in her mission. Dar is also the mastermind of a smear campaign.

In the final episode, that plays ten years in the future, Carrie dies of cancer because she smoked too much.

---

Or would this be a bit too much reality?

On one hand, I am okay with the fact that the reality is much less dangerous than the Homeland fiction where well organized terrorists try to "take over the world"; on the other hand, the reality is much more hypocritical.

Maybe this is what Obama meant with "Yes We Can".

Joshua Bowman • July 26, 2016 3:39 PM

The interesting takeaway is that a few small op-sec failures that are years old can be easily pieced together into a full picture. But I wonder if he has any recourse to say, "No way, I sold everything years ago, including the Apple account that's required to manage it."

When you think about it, it seems like common sense to start with VPNs and Tor and anonymizers and bitcoin/stolen cards, but most of these sites are started by people who are young and naive; Kickass was founded when he was 24, if they have the right guy, and I'm sure it was meant to be a hobby project until it blew up. And of course, the FBI and NSA have been actively subverting and infiltrating all of those defenses the whole time, so it might not have even helped.

The best defense when you suddenly get the security religion might be to attempt to cover your tracks, but to make it look like you sold it and washed your hands of it. (Or actually sell it.)

Jesse Thompson • July 26, 2016 4:20 PM

> The interesting takeaway is that a few small op-sec failures that are years old can be easily pieced together into a full picture.

Woops, sorry you appear to have misspelled "Parallel Constructed" there. :3

Mark • July 26, 2016 5:35 PM

Another disgusting episode of "Team America World Police". WTF is the US Department of Homeland Security doing on copyright infringement cases?

It's simply the US enforcing its model on the world, ensuring that its own economic dominance continues.

Similar to the Dotcom case, I'm sure that they're trumped up charges. "Racketeering", "money laundering", whatever they can make stick. It's disappointing that foreign authorities continue to work with the US on these issues. It's not enough that the US are enforcing draconian copyright through trade deals.

I'll continue torrenting rather than paying for any US content until this ends.

_________________________________________________

Interesting to see -- as with other cases, such as Silicon Road -- that poor opsec, and not evil encryption, is their downfall. It's also another good reason for those engaged in questionable activities to avoid all US companies. Difficult at times but certainly doable. And to ensure that everything you do is either over Tor or a VPN. And use Bitcoin, cash-bought vouchers, and pre-paid credit cards (topped up with cash, naturally).

Alice Brown • July 26, 2016 5:54 PM

This is so ridiculous, there are so many more important things going on in the world than people sharing links. I can't believe all the time, money and work that was needed to find the owner and shut down his site. Why?? Because someone felt it was important to stop people from sharing. We have homeless people, people starving, kids being abused, people getting killed, social security gone and our government decides to focus on this??? This is why the USA has so many issues, no one will address the big issues, no instead they spend all their time and money to find the owner of this site. To the people that did all this work for nothing I have one thing to say: Get your priorities straight!!! The amount of money spent on this "hunt" is not that important - deal with the real issues going on, and stop wasting our time and resources to chase down a website.

anonymouse • July 26, 2016 8:57 PM

wow, good thing I chose not to "create a free account on kat to download". I felt it would be more traceable and no good. Now I see kat is probably being controlled by DHS and no longer a viable site :(

Melvin Porto • July 27, 2016 7:57 AM

It's one thing to conduct the investigation online...fairly easy, anyone can do it. It's another thing to make it stand up in court... almost impossible. His attorney should warn him not to say anything. Computer generated evidence is the worst kind of hearsay, because it is so easily altered. Unless they got a camera showing him at the keyboard during the transactions...and even then, a good attorney might keep that out, or unless they have witnesses to him admitting something, it will all go away with an attorney who is an expert on computer generated evidence.

Woo • July 28, 2016 2:34 AM

Who registers a domain under his true name and address if he plans on doing something illegal with it?!

Vic DeMarines • July 28, 2016 10:58 AM

Responding to the comment that any torrent tracker hosts nothing but pointers to persons who are individually hosting a torrent. I'm very familiar with this site since we use it along with others as a way to assess the piracy risk for software companies. It is absolutely true that had the site simply been operated as a pure tracker site it would not have been a primary target. However, this was one of the most popular and active trackers because the site owner was attracting and obviously profiting from operation of the site. This site was designed to provide easy upload of new torrents and promote them. In comparison, if you look at thepiratebay, also a target, to post content on this site requires invitation and significant vetting.

MartiniGM • July 28, 2016 4:01 PM

Joshua Bowman: Once you understand an illegal site started as a hobby will actually bring in some serious money, you probably should sell it to a Panamanian company... with no known owners.. and pick up the money in cash once a year. :P

TRX • July 28, 2016 5:42 PM

>> easily pieced together into a full picture.

>Woops, sorry you appear to have misspelled "Parallel Constructed" there.

I think the word you're both looking for is "perjury."

Comrade Major • July 29, 2016 4:20 AM

@James Hare
Why are "homeland security" investigators involved in enforcing copyrights?
It's not something new. The Secret Service (POTUS ohranka) does catch various virus/trojan-writers in countries that have an extradition treaty with the US.

@jayson
@Dan3264
The moral of this story is to do proper compartmentalization and not to use a Latvian bank for money transfers.
Instead of using banks, you should use cryptocurrencies that do anonymization (mixing) properly (Dash, Zerocoin etc).

Also, be aware that Poland is a NATO country and has an extradition treaty with the United States.

@Darren Chaker
Indeed, why is Government enforcing copyrights law?
Read why Samuel Slater became a traitor in England.

@Joshua Bowman
When you think about it, it seems like common sense to start with VPNs and Tor and anonymizers and bitcoin/stolen cards,
Again, this cryptocurrency doesn't do any mixing (anonymization).
When AVers find new ransomware, they monitor how much money people transfer to that malware's bitcoin wallet.

Wendy M. Grossman • July 29, 2016 5:31 AM

There's another takeaway for those of us living in the UK, where the present government is trying to whoosh the Investigatory Powers bill through Parliament. One of the more contentious elements of the bill is the requirement for all "communications service providers" to keep a year's worth of "Internet connection records". Both are poorly defined; ICRs seem to be anything the Home Office can reasonably argue are metadata (base web addresses up to the first /, the connections messaging apps make, etc). The claim is that without this data the intelligence services can't catch evil-doers, etc.

And then you have this case, which seems like it ought to be Patient Zero for backing up that claim. But the fact is, the guy was caught by the traces he left himself, right out there in public. No ICRs needed, just the cooperation of Apple and Facebook once there was probable cause.

wg

Comrade Major • July 29, 2016 6:01 AM

@Wendy M. Grossman
One of the more contentious elements of the bill is the requirement for all "communications service providers" to keep a year's worth of "Internet connection records". Both are poorly defined;
Same story in Russia. Even the term "communications service providers" is almost the same. Google "Yarovaya law".

ianf • July 29, 2016 8:21 AM

@ Wendy M. Grossman

[…] "One of the more contentious elements of the bill is the requirement for all "communications service providers" to keep a year's worth of "Internet connection records". Both are poorly defined" (cc: Comrade Major)

Same story all over the EU (that I looked, not everywhere). Whatever it might be, however, the quoted requirement is NOT "poorly defined," it is defined as widely as possible within the currently known realm of Internet services. Had it been narrowed down to, say, just the hardwired backbone ISPs, these could have split off into unaffected wireless etc. branches and the like. Had just text-borne services been singled out, instant photo-relaying "converservers" would have been excluded. (I am not condoning the practice, merely trying to redirect your ire towards dimensions of it that better deserve blog criticism.)

Just me • July 30, 2016 3:43 AM

He did nothing illegal.
They did nothing remarkable in order to trace him and wrongfully charge him.
Someone must arrest and imprison the people that arrested him, because THEY are the ones not respecting the law (and common logic) here.
He must open his site again asap because we all miss it.
And next time, I will donate to him (I had missed the bitcoin address so far).

For those who care, here is a link to a site that seems to be the replacement of the original site (I can't even tell the difference):
http://kickasstorrentsan.com/
There are a lot of beginner tutorials on security/malware-analysis/exploit-development/pen-testing/etc in there.
No-one of us was going to buy this stuff anyway, but having free access to such material is good in many ways for the general good. The original copyright holders do not lose any money, because we wouldn't buy anything from them, especially without paying in cash, having all those homeland terrorists (usually called "authorities") spying on every financial move we make and `firing` at us on every chance they get.

The CIA ? • August 3, 2016 9:57 PM

We've always had an interest in advertising and submitted submissions on behalf of Google to do away with the rules that the internet be used for non commercial purposes such as frivolous things as education. How the heck else are we supposed to aggregate all your data and run analysis? We don't get any help without financial interests being involved. "Screw you all, I'm going home."

Almost forgot, we've been analysing your telemetry pings courtesy of a Firefox function. It's very helpful as it contains detailed information on your hardware, detailed browser setting info and other such yummy selectors we aggregate with IP, login/user names, your mom, and passwords. "Thank you very much".

denney • September 16, 2016 8:49 AM

The best defense for this guy would be to spend some of whatever money he was making on this site on contributions to his local politicians and elected representatives so that he had some political cover when the heat came down.

Max • September 16, 2016 11:36 AM

Mistakes he made were just well... idiotic, but let's skip them and concentrate on just one.

Caught in Poland, from Ukraine.

It's nonsense to travel towards West because the more you go West from there you're getting:
- less corruption so harder to disappear, bribe if on the run,
- better tech so more cameras etc.,
- better/sober public forces,
- it gets more expensive and generally more dangerous to dress and bribe homeless in order to get account or whatever... there's a big chance that he really won't remember you, just have that bottle... he already had one ;)

Doing anything (IT related) that could get you into trouble is obviously better in Ukraine, Russia etc. rather than Germany, the Netherlands or the UK.

& again, if running from there... just go to Asia with trans siberian rail, if you're stressed you can get mercenaries on the way lol... just saying that everything is possible on that train, especially if you have few American dollars, did I mention that they're widely and happily accepted in both Ukraine and Russia?

And a backpack or two of fruits, deeper on the way, in the train and stops/breaks, you will be able to exchange them for alcohol, accommodation and favours :)

- do not underestimate people,
- be extra paranoid (if you're not then watch defcon videos),
- no, going through your neighbour's wifi is not enough, implement layers of security rather than one great way,
- no, don't use any computer on which you've logged into any of your real stuff EVER, be civilised and have separate clean machine/s that connects to other machine that... the only limit is imagination,
- diversify your language/writing/communication/access patterns in order to stay safe

just a list of woulds and coulds though.

privacy faction • September 16, 2016 11:46 AM

We need an open, decentralized network, and leave the corporate scumbags and drones from the megachurch to feed on each other.
