Game of Thrones is a really good series - at BinaryEdge we are all big fans of the show and enjoy watching it. Game of Thrones is also the most pirated TV show on the internet.
Since the new season was starting this week and we had just finished the development of our torrent data prototype, we thought we could take a look at the torrent downloads for the premiere and put it to the test.
Observing torrent transactions is extremely interesting from a "cyberwar" perspective, as sometimes you will find interesting information, one example:
hello .@govph,
— the jester-in-exile (@jesterinexile) April 21, 2016
why are you seeding the .@COMELEC data leak? pic.twitter.com/7zIttRtyHu
This was one specific case, but we have observed other cases where IP addresses that resolve to .mil and .gov addresses of countries show up, hop on, download the data and hop off, or IP addresses that seed that data for a long time.
We have also seen cases where we are able to start observing the torrent lifetime straight from the beginning and watching who is the first IP address to start seeding that data. Crossing this information with our other feeds provides interesting results which sometimes lead to interesting "coincidences".
At BinaryEdge some of the data we observe is from P2P (Peer to Peer) networks, the network behind the torrents called the DHT is exactly that. Having the ability to understand if their organisations are downloading torrents has been something our clients have asked of us, and we have been working on this for a while to include it as one of the streams in our platform 40fy.
Since over the last weeks there were data leaks related to different government organisations, we will look into some of those as well!
For all torrents there were a lot of countries that downloaded them but we will always look only at the top 10.
Also for some of the torrents we were able to start monitoring them almost as soon as they were released but for others we started a few hours later (2-3 hours).
Another important definition is what we call "sustained" - here is the case where the ip addresses downloaded but stayed over time seeding the data as well, instead of just downloading the torrent and disconnecting.
Picking a torrent
We already look at all the torrents that are available on the major providers, but for the purpose of this blogpost we wanted to do something different - we opted for a targeted monitoring. We chose a specific torrent and monitored it for 24 hours in order to see if there was some interesting data that we could play with.
The torrent we picked was the one that was on "top" on the pirate bay tracker: Game.of.Thrones.S06E01.INTERNAL.HDTV.x264-KILLERS.
To get things started, we looked at the geographical breakdown of the IP addresses that most downloaded this torrent.
When compared to a non-unique ip a.k.a. "countries that downloaded and seeded more", the results reveal that the top 10 countries are the same as before but are now in a different order.
Another curious way to look at the popularity of Game of Thrones is to look at the download rate over 30 hours, in this case the time is GMT+1 (Swiss time), also plotted is the "top country at that time" sharing this data.
After doing this analysis, we are now waiting for the season finale to compare how it does against the season premiere.
It should also be fun to cross different season premieres of different series against each other, but that's a post for another time.
Data leaks
Over the last weeks there have been a couple of important data leaks. Some of the hackers are using torrents to publicize this data as after it is shared it can't be taken down and will stay live for a long time.
Phillipines
We won't talk much about the Phillipines data leak as the great Troy Hunt already wrote an absolutely excellent article about it, which we recommend you read:
"Yet somehow, last week’s news that 55 million Filipino voters’ data was now out in the wild went largely unnoticed. Let’s put it down to a very western-centric tech media but move past that and look at this incident for what it is – a ginormous data breach with extremely sensitive information and at 55M individuals, that’s also more than half the country’s population."
Source: Troy Hunt - When a nation is hacked: Understanding the ginormous Philippines data breach
Like we did for Game of Thrones, we will show an analysis of the first 24 hours where we show both the unique ips and the sustained download/upload:
And for the sustained the results are the following:
Here the results are very different: we have the USA going on top for unique IP addresses but then falling down to 4th place in the sustained downloads. This means the USA had a lot of people that downloaded the torrent but then straight way stopped participating on the sharing of this torrent.
Turkey
Turkey had an old database with a lot of their voters data which was leaked a couple of weeks ago. The contents of these files were clear text information on 49,611,709 Turkish citizens. For more details on this leak please check the article on databreaches.net
The content of the database makes it perfect for identity theft and fraud which is something hackers are well known for. Here you can see the main content of this dataset:
- National Identifier (TC Kimlik No)
- First Name
- Last Name
- Mother’s First Name
- Father’s First Name
- Gender
- City of Birth
- Date of Birth
- ID Registration City and District
- Full Address
This content makes this dataset perfect for identity theft and fraud which is something hackers are well known for.
Once again, looking at Unique IP addresses, in the following plot you can see the countries that downloaded this data the most.
The sustained version looks like this:
It was surprising for us to see that Turkey was seeding its own data for such long time, there are many reasons why this happened such as the people downloading it not shutting down the torrent software, or using seedboxes to download that did not get stopped after they were done. (Turkish people downloading the data is not so much surprising as curiosity leads to these actions, this is something we noticed with the Ashley madison data where everyone wanted to know "if anyone they knew was in there").
USA
On the 21st of April, a data leak related to USA Government agencies appeared on the web. We came across the magnet for this download on a post on reddit (/r/pwned).
We added the magnet to our monitoring system and the results are the following:
And for sustained results:
It's interesting to see how China just appears for the download and then hops off and doesn't seed the data.
As a final view we wanted to show a layered map with the geolocation of the IP addresses that downloaded of all these torrents.
By using the button on the top right corner you can choose which layers to activate and visualize
Conclusions
-
Observing torrents can lead to interesting data, and, on one of our next blogposts we would like to discuss how torrent data can be used to identify torrents that have malware when crossed with malware feeds. And how organisations can use this system to see if there is anyone downloading torrents from within them.
-
Resolving IP addresses that download torrents shows that there are military and government addresses monitoring who is downloading this data. This can also be matched with organizations known to monitor torrents for Anti Piracy purposes.
-
Torrent data can at times be helpful to try and identify possible hackers or initial data dumpers.
-
Don't forget on a Peer to Peer Network usually if you can see them, they can see you.