Until today, Kickass Torrents (KAT) was one of the most visited websites on the internet and brought in tens of millions of dollars a year in advertising.
Now, the website is no more.
It has disappeared from the internet and its 30-year-old alleged founder and operator, Ukranian Artem Vaulin, has been arrested and is facing extradition to the United States.
The domain names KAT used — and there are several — are in the process of being seized by the US Government.
It was the result of years of investigation by Jared Der-Yeghiayan, a special agent with the US Department of Homeland Security.
While he is not exactly a household name, he is the same investigator who brought down Ross Ulbricht, the person behind the infamous online drug marketplace, Silk Road.
The investigation was done both online and in meat space (the real world), and was a mixture of old-school police work and top-of-the-line digital forensics.
Mr Der-Yeghiayan laid out his evidence in the criminal complaint, filed to the US District Court of Illinois.
Here is how he tied Artem Vaulin to KAT:
Follow the (advertising) money
KAT sold adverts around its pirated content, and it is estimated the revenue brought in around $17 million a year.
It was that need to make money that opened KAT up for infiltration.
In late 2015, an undercover agent — known as UC-1 — who worked for the US Internal Revenue Service (IRS) emailed KAT to enquire about advertising on the site.
The undercover agent said the advert was for a US study program and they were after an ad run of five days.
KAT said it would cost $300 a day to run the advert, with a total cost of $1,500.
Nearly a month after the initial enquiry, a KAT representative provided the agent with banking information to transfer the money for the advertising deal.
The bank account was in Latvia, in the name of “GA Star Trading”.
A few months later, the IRS transferred the money and the ad went live.
The IRS tried to organise a few more ad campaigns, and was given bank accounts in Estonia, as well as a Russian payment system, but the Latvian account had already given the US Government a way in.
With that information, agents requested the account holder information under the Mutual Legal Assistance Treaty (MLAT).
It is a set of agreements between countries to share and swap information with the aim of enforcing various laws.
The agents discovered the account had received 28,411,357 euros in deposits from August 2015 and March 2016.
Watch those server logs
Following the money revealed the scale of the operation, but Mr Der-Yeghiayan needed more.
He had been keeping an eye on KAT for years and at some point managed to identify two IP addresses of servers in Chicago.
The Chicago hosting company provided evidence that the servers had previously been tied to a known KAT domain name (kat.ph), and the IP addresses had been held by the person owning the servers for years.
In January 2016, investigators went in and took a forensic copy of the server for analysis, which revealed domain names again pointing to known KAT addresses.
The servers also contained files and access logs, and had user accounts called “Nike” — a username that Mr Vaulin had previously been known to use when instant messaging.
The US Feds connect the dots
With records from some of the world’s largest tech firms like Apple, Facebook and Google, it does not appear to have been particularly difficult to connect the dots.
At a point in the investigation, Mr Der-Yeghiayan worked out the Apple-run email address [email protected] belonged to Artem Vaulin.
That email address was the linchpin in the case:
- The username “tirm” was known as the administrator of KAT
- Investigators discovered the email had made a purchase on iTunes using the IP address 220.127.116.11
- They cross referenced the IP address with the social media site Facebook and found that someone had logged into KAT’s account with the same IP address that day
- They found emails from known KAT domains in the email inbox
- They found bug reports referencing the KAT website and feature requests, which were tasked to “Artem Vaulin”
- The investigators found emails from KAT employees asking what to do about a copyright takedown request, with the subject line being: Ignore? The reply from Mr Vaulin was “of course”
- They also found a series of test emails from [email protected] and [email protected] to the [email protected] account
Financially linking Vaulin to Kickass Torrents
The first clue was via an email in 2010, which predated the 2012 switch to using an internal KAT email system.
A second clue came via KAT’s donation system, which allowed users to donate Bitcoin to an address maintained by a company called Coinbase.
And who did that Coinbase account belong to? An “Artem Vaulin” of Ukraine. The backup email was [email protected]
Finally, there was the job of linking the GA Star Trading account — which had received more than 28 million euros in seven months — to Mr Vaulin’s Apple account.
Mr Der-Yeghiayan found connections to the Latvian GA Star Trading account in Mr Vaulin’s email account.
GA Star Trading’s bank account had received deposits in the hundreds of thousands of euros from a company called Castleton Trading, which was a shell company holding a 1/4 share in another company called Bitcoin Innovations Ltd.
The criminal complaint alleges that Mr Vaulin himself has the controlling interest in Bitcoin Innovations Ltd.