- EVPAD illegally provided 24,934 titles to a massive global audience via 78 servers
- Korea University researchers uncovered 131,175 users connected to EVPAD’s secret infrastructure
- DNS domains hard-coded in apps gave investigators a key blocking method
Illegal streaming platforms have steadily become more sophisticated, using new technologies to distribute copyrighted material on a global scale.
Unlike earlier websites that were easily shut down by blocking domains, many of today’s services adopt peer-to-peer structures and even hardware-based devices to hide their operations.
A recent study presented at the USENIX Security Symposium by a group of researchers from Korea University examined one of the most widely used illegal streaming VOD systems, known as EVPAD.
How EVPAD operated as a global piracy service
This system illegally enabled access to 1,260 channels from 18 countries, including content from local broadcasts, Netflix, and Disney+.
Through detailed analysis, the researchers found that the service offered 24,934 titles, ranging from films to television series, and had a user base of 131,175 accounts.
They also identified 78 servers supporting the platform, many hosted in data centers abroad.
EVPAD used peer-to-peer libraries to distribute live broadcasts, video-on-demand material, and pre-recorded content.
By embedding these functions into set-top boxes, the service created an environment where users could stream without paying regular subscription fees.
Although some users may believe they are accessing collections similar to libraries of free stock video, the reality is that much of the material is taken without authorization from paid platforms.
This structure mirrored aspects of legitimate video hosting platforms, but without the necessary licensing agreements.
Once installed, the devices bypassed traditional free video players by connecting directly to hidden networks that shared material across regions.
The combination of peer distribution and cloud-based servers enabled rapid sharing while minimizing exposure of central operators.
By reverse engineering the service’s Android applications, the team uncovered how authentication, server lists, and peer-to-peer links were managed.
They intercepted communication between devices and servers, revealing that key DNS domains were hard-coded into the apps.
This finding allowed them to propose a takedown method based on blocking those domains at the level of internet service providers.
Because the apps required those addresses to function, cutting them off would immediately disrupt both live broadcasts and on-demand streaming.
Beyond domain blocking, the researchers tested a second approach aimed directly at the peer-to-peer (P2P) system.
By exploiting weaknesses in the way devices exchanged data, they demonstrated that it was possible to launch a Sybil attack.
In this scenario, many fake peers are introduced into the network, overwhelming or deceiving real nodes.
During their tests, a single crafted packet was enough to crash the streaming service on an EVPAD device.
While these strategies disrupted operations during testing, the study stressed that they are not permanent solutions.
Operators can issue new software versions or register fresh domains, restoring access within days.
Still, the takedown showed that technical interventions, when combined with legal cooperation, can weaken large-scale piracy networks.
You might also like
- These are the best VPNs with antivirus you can use right now
- Take a look at our pick of the best internet security suites
- Google Drive is making scanning documents with your phone less of an awful experience
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.