- EVPAD illegally delivered 24,934 titles to a massive global audience via 78 servers
- Korea University scientists revealed 131,175 users associated with EVPAD's secret infrastructure
- DNS domains hard-coded in the apps gave investigators a key blocking method
Illegal streaming platforms have steadily become more sophisticated, using new technologies to distribute copyrighted material worldwide.
Unlike previous sites that were easily closed by blocking domains, many of today’s services adopt peer-to-peer structures and even hardware-based devices to hide their operations.
A recent study presented at the USENIX Security Symposium by a group of researchers from Korea University examined one of the most commonly used illegal streaming VOD systems, known as EVPAD.
How EVPAD acted as a global piracy service
This system enabled illegal access to 1,260 channels from 18 countries, including content from local broadcasts, Netflix and Disney+.
Through detailed analysis, the researchers found that the service offered 24,934 titles ranging from films to TV series and had a user base of 131,175 accounts.
They also identified 78 servers that support the platform, many hosted in data centers abroad.
EVPAD used peer-to-peer libraries to distribute live broadcasts, video-on-demand material and pre-recorded content.
By embedding these features in set-top boxes, the service created an environment where users could stream without paying regular subscription fees.
While some users may think they have access to collections similar to libraries with free stock video, the reality is that much of the material is taken without the permission of paid platforms.
This structure mirrored aspects of legitimate video hosting platforms, but without the necessary license agreements.
Once installed, the devices worked like traditional free video players, connecting directly to hidden networks that shared material across regions.
The combination of peer-to-peer distribution and cloud-based servers enabled rapid sharing while minimizing exposure of key operators.
By reverse engineering the service's Android applications, the team revealed how authorization, server lists and peer-to-peer links were managed.
They captured communication between devices and servers and revealed that key DNS domains were hard-coded in the apps.
This finding allowed them to suggest a dismantling method based on blocking these domains at the ISP level.
Because the apps require these addresses to work, cutting them off immediately disrupts both live broadcasts and on-demand streaming.
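
The blocking step described above, as an added example (not code from the study or from EVPAD): it pulls hostnames out of strings dumped from a decompiled app and emits DNS Response Policy Zone records of the kind a resolver operator could load. The sample strings, hostnames, allowlist and file-suffix list are all constructed assumptions.

```python
import re

# Constructed sample of strings dumped from a decompiled app; every hostname
# is a placeholder under the reserved .example TLD, not a value from the study.
SAMPLE_STRINGS = [
    'String AUTH = "https://auth.stream-box.example/login";',
    'servers = ["list.stream-box.example:8080", "p2p.tracker.example"]',
    'fallback = "tracker.example"; backup = "HTTP://AUTH.Stream-Box.Example/alt"',
    'report = "https://www.googleapis.com/v1/report"',
    'version = "1.2.3"; file = "config.json"; lib = "libp2p.so"',
]

# Assumptions: domains the analyst judged unrelated to the service, and file
# suffixes that look like TLDs in dumped strings.
ALLOWLIST = {"googleapis.com"}
FILE_SUFFIXES = {"json", "xml", "so", "png", "apk", "dex", "java", "db"}

HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)

def covered_by(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def extract_hosts(strings):
    """Return sorted candidate hostnames, minus filenames and allowlisted names."""
    found = set()
    for s in strings:
        for m in HOST_RE.finditer(s):
            host = m.group(0).lower()
            if host.rsplit(".", 1)[1] in FILE_SUFFIXES:
                continue  # filename such as config.json, not a hostname
            if not covered_by(host, ALLOWLIST):
                found.add(host)
    # Drop hosts already covered by a shorter extracted parent domain.
    return sorted(h for h in found if not covered_by(h, found - {h}))

def rpz_records(hosts):
    """RPZ lines: 'CNAME .' answers NXDOMAIN for the name and its subdomains."""
    lines = []
    for h in hosts:
        lines += [f"{h} CNAME .", f"*.{h} CNAME ."]
    return lines

if __name__ == "__main__":
    print("\n".join(rpz_records(extract_hosts(SAMPLE_STRINGS))))
```

The suffix match in `covered_by` requires a leading dot, so an allowlist entry never exempts an unrelated name that merely ends with the same characters.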
In addition to domain blocking, the researchers tested another approach aimed directly at the peer-to-peer (P2P) system.
By utilizing weaknesses in the way devices exchanged data, they demonstrated that it was possible to launch a Sybil attack.
In this scenario, many false peers are introduced to the network, overwhelming or deceiving real nodes.
During their test, a single crafted packet was enough to take down the streaming service on an EVPAD device.
While these strategies disrupted operations during testing, the study stressed that they are not permanent solutions.
Operators can issue new software versions or register fresh domains and restore access within a few days.
Still, the dismantling showed that technical interventions, when combined with legal cooperation, can weaken large piracy networks.



