
Stadium of Shadows: Inside the IPTV Piracy World

Updated: Jun 18


Introduction


On the night of June 11, a billion people tuned in to watch the opening match of the 2026 FIFA World Cup. Millions of them paid for the privilege. The rest were watching the same feed, relayed in real time through a parallel ecosystem of pirate panels, burner domains and rebranded Android apps, billing a few euros a month for what licensed broadcasters charge ten times more. 

 

For the viewer, that price difference is the whole appeal: football that legal access has put out of reach, suddenly within it. For the operators, those few euros across tens of thousands of panels add up to a serious business, one that profits from the same fans it serves. In the days around kickoff, we went looking for the infrastructure behind that second feed. This is what the pirate stadium looks like from the inside.


A tournament, an industry, and a multi-billion-euro bill


The men's World Cup kicked off across the United States, Canada and Mexico. Fans paid for matches in three ways. Most subscribed to a licensed broadcaster: DAZN, beIN Sports, Sky, ESPN, or others. Some watched in a pub.


A growing third group opened an Android app called "Smart IPTV Player" or "4K-LiveIPTV" or one of a hundred rebrands, paid €10-€30 to a Telegram handle, and received tens of thousands of channels, series and movies. Every match, every league, every pay-per-view. If you assume every registered IPTV domain hosts a slick storefront for that third group, the data disagrees. Most of what we observed in the run-up to kickoff was infrastructure: burner domains pre-positioned in bulk, panels, open directories, and some waiting to be skinned. The real storefronts hide among them.


That third group is why enforcement has been escalating for years, and why it spiked again in the weeks before kickoff. In May 2023, the Dutch fiscal police (FIOD), supported by Europol, shut down one of Europe's largest pirate IPTV services, with over a million subscribers, run out of a data centre in Den Helder, and BREIN estimated the damage in the Netherlands alone in the tens of millions of euros. In November 2024, Operation Taken Down dismantled what authorities called the world's largest illegal streaming network: 22 million users worldwide, more than €250 million in illicit revenue per month, and an estimated €10 billion in damage to rights holders. In February 2026, a follow-up operation seized three more well-known Italian IPTV platforms and a major Romanian provider. And in the days around this tournament's opening, Italy's Guardia di Finanza dismantled three more streaming hubs in Calabria, while Europol's recent Operation KRATOS 2 removed over 27,000 illegal streaming URLs across thirteen countries.


Pirate IPTV is not a hobby economy. It is a multi-billion-euro parallel industry that drains the rights holders fans actually want to support. The clearest published figures come from a rights-holder coalition's October 2025 letter to the European Commission, which put estimated annual losses at €2.2 billion in Italy, the highest of any single EU market, followed by €1.8 billion in Germany and €1.5 billion in France. France's own official data puts its figure nearer €1.2 billion. Beyond Europe, the World Trade Organisation's 2020 dispute over beoutQ, a state-linked pirate broadcaster that targeted beIN Sports across the Middle East, concerned cumulative losses estimated at more than $1 billion.


The mirror image of those user numbers is the cost of licit rights. Sky Sports and TNT Sports together paid €7.8 billion for the current English Premier League cycle, and broadcasters have to charge that back through subscriptions; every illegal stream chips away at the base, and with every rights cycle the gap widens. Totaal TV's closing argument in their recent blog on the issue is the part most worth quoting: "the cynical paradox: anyone watching illegally is sawing through the branch they're sitting on." If the legal broadcasters and streamers eventually collapse under the financial pressure, there is nothing left to pirate either: the criminal panel operators have already deposited the cash, but viewers lose the future of live sport in the living room.


A high-level look: clusters, countries, broadcasters


Examples of IPTV Websites

To see what the IPTV ecosystem actually looks like as the World Cup starts, we used Modat Magnify's curated passive DNS intelligence, seeded on IPTV signals, domain analysis, server-side fingerprints and historically TV-Streaming-tagged services, and narrowed it to the assets that were genuinely live and freshly registered in the run-up to kickoff (1st to 12th of June 2026).


The build-up shows in the registration data. We have discovered more than 40,000 IPTV-adjacent domains since March 2026, with the wave peaking through spring as operators pre-positioned infrastructure ahead of the tournament. June alone added around 4,000 in its first twelve days. These domains vary in content across promotion pages, reseller pages, admin panels and "Work in progress" pages, as we'll see ahead.


Registered domains promoting IPTV services (Mar 2026, Jun 2026)

With the DNS picture mapped, we turned to the other side of Modat Magnify, IP Intelligence, to see what was actually running on these hosts. Querying for services labelled as TV Streaming and seen over the first 12 days of June returned 51,173 IPTV-specific services live in the run-up to the tournament. Most of that footprint is purpose-built IPTV middleware that straddles legitimate and pirate use. The unambiguous signal sits underneath it: multiple known IPTV panels used to administer and resell access. The top one was "Xtream Codes", with 4,875 active instances.


What emerged is an ecosystem that is not just alive but industrialised: thousands of freshly registered domains and active reseller panels, tens of thousands of IPTV services, and, beneath the public storefronts, operator admin panels left open to the internet and illegal apps sitting on their websites. This report is the walk-through of how each layer works and where it leaks.


Targeting by country & language


Combining FQDN, content and panels analysis, the domains map to the targeting profile below. We're looking at two axes at once: region (where the audience lives) and language (what they read at the storefront). This shows both in one picture.


Targeted countries and regions with IPTV content

Broadcaster organisations are being re-streamed


Targeting a country is half the picture. The other half is targeting a broadcaster organization: the rights holder whose channel pirates plug into their playlist. To find them, we analyzed the web pages, reading the rendered text and logos on landing pages, channel grids, login screens and TV mockups, then cross-checked with FQDN brand text.


Multilingual variants were merged: Arabic "اشتراك IPTV b Sport", a beIN knockoff; "PRIME VESA", a Prime Video clone; "SKYBOX PULSE", a Sky brand spin-off. The counts here are cluster-weighted.


Broadcast companies targeted based on the content of websites


Inside the panels


IPTV operators show considerable effort in concealing their upstream feeds, yet apply little of that same care to securing their own control planes. The pattern repeats across every single panel we walked through during this investigation: a public IP, an HTTP front door, and either no authentication at all, guessable credentials, or poor development practices that the framework shipped and the operator never noticed. The majority of these panels required exploitation to access.


These panels are the operational core of a paid commercial service, yet they expose the contents of that service in the worst-case shape an investigator could hope for. We watched the same combination of weak surface and sensitive contents on every panel: thousands of customer accounts in plaintext (auto-issued usernames, passwords stored unhashed, parental PINs); device fingerprints in the form of MAC addresses that uniquely identify the smart-TV or Android box each customer paid to register; full reseller portfolios with ten, twelve, fifteen brand names per panel, each with their own backend DNS URL, telegraphing every storefront the operator is multiplexing; and the hidden upstream-feed URLs the customer-facing apps were never meant to leak. None of it was hashed. None of it was rate-limited. Most of it sat one URL away from the public landing page.


These credentials are real because they work. To confirm that, we loaded one of the leaked Xtream M3U URLs into VLC, which fetched the playlist, listed every match of the FIFA World Cup 2026 by start time, and then streamed the live broadcast straight through; the stream appears to carry FOX content.


Example of a working IPTV Stream using FOX for the FIFA World Cup 2026

Live Stream of the FIFA World Cup game between Canada and Bosnia and Herzegovina

Caught in the act of deploying: OPSEC failures


The panels above are at least intentional UIs. The screenshots below are the opposite — things the operators exposed by accident, in the middle of standing their infrastructure up. While deploying, they leave directory listings open and, worse, ship the source code of their own reseller and admin panels in the clear. Each of these is a single misconfigured server, and each one collapses the cost of mapping an operator's full stack from weeks of pivoting to a single download.


The most damaging are the exposed panel sources. A default directory listing was enough to retrieve an operator's complete PHP panel source, modified the same morning we recovered it, and the source itself is a manual: it documents how the admin and reseller panels are operated, how resellers are provisioned, and every back-end domain the operation relies on and what each one is used for. Elsewhere, open parent directories indexed an operator's entire rebranded-reseller tree straight back at us, billing portals, API hosts, and development endpoints. In the worst case, an operator's full customer credential database had been dumped. None of this required exploitation. It was published, and we read it.


Example of multiple panel setups over subdomains
Listed URLs with credentials sold to IPTV users
Full source exposed

From €10 on Telegram to a live match on a smart TV: payments, credentials, rebranded apps


The path from "I want to watch the match" to a working stream is short and almost entirely public. The customer pays a Telegram or WhatsApp handle, receives playlist credentials back as a chat message, installs a rebranded Android-TV app, often straight from the Google Play Store, pastes the credentials in, and the app quietly proxies the request to the operator's upstream feed through the panel infrastructure mapped earlier. No dark corner of the internet is involved at any step.


Almost none of the storefronts run their own checkout; the marketing portal exists only to show pricing and a contact button, and the sale happens in a private chat. Pricing is strikingly uniform, around €10 a month for one device, more for multi-device and annual plans. Payment is routed through whatever clears fastest in the region: PayPal Friends and Family, Stripe under benign merchant names, bank transfer, crypto, or local rails such as Pix and M-Pesa. The "money-back guarantees" several advertise are meaningless when the payee is a Telegram handle.


Once payment clears, the customer is sent a single Xtream playlist URL (a host, port, username and password issued by the panel software, typically Xtream Codes Reborn). There is no invoice, no website account, no portal login; the customer never sees the upstream feed, only the panel's redirect. Every piece of this is replaceable in minutes: a new bot, a new panel, a new IP, which is exactly the point.


To use the credential, the customer needs an app that accepts a playlist URL, so they install whichever rebranded clone the operator points them to. We found the same underlying apps distributed with fake official Google Play Store pages, and a third served from the operator's own open directory, which also raises concerns about these apps' security.



Put these layers together and the picture is uncomfortable: the last mile of this entire economy runs through, and with, official and unofficial apps. The customer pays a stranger in a chat, pastes a link into an app they found, and a licensed broadcast lands on their television: no side-loading, no technical skill, no visit to anywhere that looks illicit. For the operator, the store listing is not a shortcut, it is the business: once the app is installed it owns the customer, the credential goes in, the stream comes out, and the platform itself keeps the app updated. That is why takedowns downstream of this point rarely bite: the storefront, the chat handle and the panel are all replaceable, but the distribution channel they all rely on is one the operators never had to build.


Closing


Every recent takedown proved the same thing: you can arrest an operator, but not the supply chain that regrows around the same software within weeks.


What this report shows is that the IPTV piracy supply chain does not need to be guessed at; it leaks at every layer. Connecting IP intelligence with passive DNS turns all the information shared above into a single motion. The two signals together see far more than either does alone. The public domain is only the surface, and it is the combination that exposes the operators' real infrastructure underneath: the back-end feeds, the shared origins, the resolver trails that tie supposedly unrelated brands to a single operation. That is the difference between taking down a storefront and reaching the handful of vendors and feeds the whole market depends on.
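
The correlation described above, tying supposedly unrelated brands together through shared resolution history, can be sketched as follows. This is an added example, not Modat's code or method: the passive DNS records are constructed (reserved documentation addresses and .example names), and cluster_domains and max_domains_per_ip are hypothetical names. It skips IPs shared by many domains, because a CDN or shared host is not evidence of common ownership.

```python
from collections import defaultdict

# Constructed passive DNS observations (domain, resolved IP); not real data.
PDNS = [
    ("brand-a.example", "192.0.2.10"),
    ("brand-b.example", "192.0.2.10"),
    ("brand-b.example", "198.51.100.7"),
    ("panel-c.example", "198.51.100.7"),
    ("brand-d.example", "203.0.113.5"),
    # 203.0.113.80 stands in for a CDN or shared-hosting edge (assumption).
    ("brand-a.example", "203.0.113.80"),
    ("brand-d.example", "203.0.113.80"),
    ("unrelated-1.example", "203.0.113.80"),
    ("unrelated-2.example", "203.0.113.80"),
]

def cluster_domains(records, max_domains_per_ip=3):
    """Group domains that share a resolution IP (union-find).

    IPs serving more than max_domains_per_ip domains are ignored as
    too widely shared to link operators.
    """
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)

    parent = {domain: domain for domain, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for ip, domains in by_ip.items():
        if len(domains) > max_domains_per_ip:
            continue  # shared hosting / CDN: weak ownership signal
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))

if __name__ == "__main__":
    for cluster in cluster_domains(PDNS):
        print(cluster)
```

Raising max_domains_per_ip to 10 on this sample merges all six domains into one cluster through the shared edge address, which is the false link the threshold exists to prevent.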


The losses are contested in their decimals but not in their direction. That is the missing budget for the next broadcast deal, the next edition of the FIFA World Cup, the next investment in the sport, redirected into a criminal supply chain instead.


So the question we should be asking is not whether IPTV piracy is too big to stop, but whether rights-holders and investigators will keep chasing storefronts built to be rebuilt overnight, or finally follow the infrastructure underneath them. Today, on day six of the World Cup, the pirate stadium is wide open, and the trail is right there.


About Modat 

Modat is the European internet intelligence company. Modat builds AI-driven intelligence on global internet infrastructure. It reveals who is behind it, what they are preparing, and when they will act. Its flagship platform, Modat Magnify, continuously scans the entire internet, profiles every connected device using deep fingerprinting, and delivers contextual intelligence across 50+ categories. 


Learn more at modat.io; to access the platform, visit magnify.modat.io