
Bulgaria coordinated a Europol-backed operation that dismantled a network of illegal streaming services across Europe, leading to 29 arrests and the seizure of dozens of domains, as announced by Europol.
The action, known as Operation KRATOS, ran from September 2025 to April 2026 and involved law enforcement from thirteen countries targeting nine organised crime groups that ran the piracy infrastructure, according to industry coverage.
During the sweep, authorities removed more than twenty-seven thousand illegal streaming URLs and took down 169 malicious domains that were used to distribute malware.
Investigators carried out 148 house searches, identified 86 additional suspects and, with private-sector partners, uncovered over four thousand newly registered piracy-related domains, as reported by security analysts.
The criminal networks often marketed cheap access to films and sports events, but the streams frequently contained payloads designed to harvest credentials or install ransomware on viewers' devices.
No specific CVE identifiers were associated with the takedown, but the operation highlighted how copyright-infringement sites are routinely abused to deliver exploit kits and information-stealing trojans.
Researchers observed that many of the seized domains hosted payloads linked to known malware families such as Vidar and RedLine, which harvest login credentials and financial data.
Europol noted that the dismantling of the backend infrastructure, rather than just the public-facing websites, marked a tactical shift in anti-piracy efforts.
The cross-border cooperation demonstrated in the operation has already led to faster sharing of indicators of compromise among participating states and private security firms.
Industry analysts say the removal of thousands of domains and URLs will increase the cost for operators to rebuild similar services, thereby reducing the overall availability of illicit streams.
Content owners have reported a measurable drop in pirated viewership figures since the takedown, suggesting a short-term deterrent effect.
Defenders should ensure that their blocklists include the 169 domains seized in the raid and monitor for the newly identified piracy-related domains that have been flagged by Europol.
Network administrators are advised to update DNS filtering rules and endpoint protection signatures to detect the malware families commonly bundled with illegal streams.
Sharing the indicators of compromise through trusted information-sharing platforms such as MISP or ISP-based feeds can help block future campaigns before they reach end users.
Finally, organisations should run awareness campaigns reminding employees and customers that accessing unauthorised content carries significant cybersecurity risks beyond copyright violations.