CASE STUDY // INFRASTRUCTURE INVESTIGATION
A 27-part passive OSINT investigation that mapped a multi-country streaming infrastructure, identified the operator through 37+ linked accounts, and produced a complete intelligence dossier with 186 evidence steps.
An illegal streaming operation distributing thousands of pirated channels across multiple European markets was investigated using exclusively passive OSINT techniques. Over the course of a multi-phase investigation spanning 27 analytical sessions, the operator was fully identified, the complete server infrastructure was mapped, the financial model was reconstructed, and a law-enforcement-ready dossier was produced.
The investigation began with a single data point — a streaming panel URL — and through systematic multi-source intelligence correlation, expanded to reveal the operator's identity, home location, family connections, ISP relationship, 5-node server architecture spanning 3 countries, and an estimated operation generating €84,000–€420,000 in lifetime revenue.
The target operated behind multiple layers of obfuscation: bulletproof hosting providers, Cloudflare protection, wildcard DNS, and separated infrastructure roles (encoding, panel management, CDN delivery, edge distribution). The operator maintained no registered business entity: no corporate records and no tax registration under their name were linked to the operation.
The objective was to answer three questions through passive means only: Who operates this infrastructure? How is the operation structured technically and financially? What evidence exists to support enforcement action?
Username pattern analysis, email correlation, platform enumeration. Discovered 37+ accounts across developer platforms, social media, gaming services, and underground forums — all linked through consistent username patterns and email addresses.
DNS analysis, certificate correlation, port scanning, service fingerprinting. Mapped 5 server nodes across 3 countries with distinct roles: encoding origin, panel management, CDN delivery, European edge, and mail relay. Identified bulletproof hosting, NAS infrastructure, and VPN access patterns.
API enumeration, channel inventory, content categorization. Documented the full scope: thousands of live streams, thousands of VOD titles, hundreds of TV series — including hundreds of premium channels from 11+ rights holders across 5+ jurisdictions.
Payment channel identification, revenue estimation, upstream provider mapping. Discovered fiat-only payment model through identified payment platforms, estimated subscriber base and revenue, and traced content supply chain from satellite origin through encoding to distribution.
Cross-referencing all intelligence streams. The operator's real identity was confirmed through convergence of multiple independent evidence chains: code repository commits, social media profiles, public registries, forum posts, and infrastructure artifacts.
The 5-node architecture was mapped through passive DNS, certificate transparency, and service fingerprinting:
Node 1 (Origin/Encoder): Residential ISP connection hosting encoding hardware (NAS + hardware encoder). Operated from the operator's physical location with exposed FTP, SMTP, RTSP, RTMP, and VPN services. The most OPSEC-poor node.
Node 2 (Panel): Bulletproof hosting provider running streaming panel software, with database (MariaDB) and cache (Redis) ports reachable from the internet, although access to those services was restricted by an IP whitelist.
Node 3 (CDN): Same bulletproof hosting, handling stream delivery and VOD hosting. Running end-of-life web server software with known CVEs.
Node 4 (Edge): European edge delivery node on a different hosting provider.
Node 5 (Mail): Cloud mail relay handling domain communications.
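As an added illustration of the passive DNS and certificate transparency correlation described above (example code, not part of the case study), this Python snippet clusters CT-attested hostnames by the addresses that passive DNS history shows them resolving to, and keeps addresses behind a reverse-proxy front apart so they are not mistaken for origin nodes. All hostnames, addresses and the fronting set are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed crt.sh-style CT entries; name_value holds newline-separated SANs.
CT_ENTRIES = json.loads("""[
 {"issuer_name": "C=US, O=Example CA", "not_before": "2024-01-10T00:00:00",
  "name_value": "example-stream.test\\n*.example-stream.test\\npanel.example-stream.test"},
 {"issuer_name": "C=US, O=Example CA", "not_before": "2024-02-01T00:00:00",
  "name_value": "cdn.example-stream.test\\nvod.example-stream.test"},
 {"issuer_name": "C=US, O=Example CA", "not_before": "2024-03-05T00:00:00",
  "name_value": "edge-eu.example-stream.test"}
]""")

# Constructed passive-DNS history as (hostname, address, first_seen); all
# addresses come from RFC 5737 documentation ranges.
PDNS_RECORDS = [
    ("example-stream.test",         "192.0.2.1",    "2024-01-09"),
    ("panel.example-stream.test",   "203.0.113.10", "2024-01-09"),
    ("cdn.example-stream.test",     "203.0.113.11", "2024-01-30"),
    ("vod.example-stream.test",     "203.0.113.11", "2024-02-01"),
    ("edge-eu.example-stream.test", "198.51.100.7", "2024-03-04"),
]

# Constructed stand-in for addresses belonging to a reverse proxy / CDN
# front: a hostname resolving here reveals nothing about the origin server.
FRONTING_ADDRESSES = {"192.0.2.1"}


def ct_hostnames(entries):
    """Flatten CT entries into concrete hostnames; wildcard SANs are dropped
    because they cannot be resolved or clustered on their own."""
    names = set()
    for entry in entries:
        for san in entry["name_value"].split("\n"):
            san = san.strip()
            if san and not san.startswith("*."):
                names.add(san)
    return names


def cluster_by_address(pdns, names):
    """Group CT-attested hostnames by the address they resolved to. Hostnames
    sharing an address form one node candidate; fronted addresses are returned
    separately so they are not mistaken for origin infrastructure."""
    nodes, fronted = defaultdict(set), defaultdict(set)
    for host, addr, _first_seen in pdns:
        if host not in names:
            continue  # only trust names independently attested by CT
        (fronted if addr in FRONTING_ADDRESSES else nodes)[addr].add(host)
    return dict(nodes), dict(fronted)
```

In the constructed data, two hostnames sharing 203.0.113.11 surface as a single CDN/VOD node, while the apex behind the fronting address carries no origin information.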
The complete intelligence package — including operator identification, infrastructure topology, financial analysis, content inventory, and rights holder impact assessment — was compiled into a structured dossier suitable for law enforcement referral. The documentation identified applicable legal frameworks across 5+ jurisdictions and suggested specific investigative steps that would require legal authority to execute (database access, transaction records, ISP subscriber information).
The entire 27-part investigation was conducted using exclusively passive OSINT techniques. Intelligence sources included: public API responses, DNS records, certificate transparency logs, code repository analysis, social media profiles, public registry searches, passive service fingerprinting, and forum post analysis. At no point was any system accessed without authorization, no credentials were tested, and no active exploitation was performed.
Whether it's fraud networks, brand abuse, or competitor infrastructure — we map what others miss.