LALIGA has participated as a strategic partner for the audiovisual sector in KRATOS 2, an international operation against networks dedicated to distributing protected content through illegal IPTV and unauthorized streaming platforms. The operation, carried out between September 2025 and April 2026 with the support of Europol, resulted in 29 arrests, dismantling of nine criminal groups, over 148 house searches, and the removal of 27,332 URLs.
The operation reflects a reality that goes far beyond the user trying to watch a free match. Large-scale audiovisual piracy has become a technical, distributed, and hard-to-dismantle business. Behind many illegal platforms, there are management panels, resellers, rotating domains, origin servers, proxies, payment gateways, IPTV lists, support channels, and systems designed to survive the shutdown of specific websites.
The problem exists and has an obvious economic impact on leagues, clubs, operators, and platforms paying for audiovisual rights. It also has a security dimension: many illegal services expose users to malware, credential theft, fraud, and unguaranteed modified applications. But the controversy in Spain isn’t just about whether piracy should be prosecuted, but also about how it is technically addressed and what collateral damage results when broad IP bans are implemented.
IPTV piracy can no longer be fought by shutting down a single website
KRATOS 2 focused on the ecosystem supporting illegal streaming, not just the visible websites. According to data released by LALIGA, authorities identified 86 suspects, referred 59 cases to judicial authorities, are conducting 72 ongoing criminal investigations, reported 169 domains, removed 27,332 URLs, and identified 722,961 infringing objects.
The operation also involved collaboration with private audiovisual and anti-piracy entities, including beIN Media Group, UEFA, AAPA, and Irdeto. This cooperation led to the detection of 4,370 new domains related to piracy activities, 18,331 IP addresses associated with illegal services, 397,384 URLs reported for suspension or removal, and an additional 126,979 infringing objects.
Technically, these networks often separate the layer that users see from the infrastructure delivering content. The public website can frequently change domains, while video streams are distributed from intermediate servers, proxies, or redistribution networks. Dynamic DNS, mirror domains, reseller panels, and constantly updated lists are used to prevent the shutdown of one component from collapsing the entire service.
Therefore, a well-planned international operation cannot just stop at removing URLs. It is more effective to investigate who manages the panels, who charges, who resells, where the origin servers are located, which providers host the infrastructure, and how the money moves. Acting on those responsible, payment systems, and infrastructure creates a more lasting impact than merely blocking the last visible domain.
The technical problem of blocking shared IPs
The most controversial issue concerns IP blocks deployed in Spain to prevent access to pirate streams during matches. LALIGA has defended that these actions are backed by judicial resolutions and target IP addresses used to distribute unauthorized audiovisual content. The Commercial Court No. 6 of Barcelona dismissed in March 2025 the nullity claims filed by Cloudflare and RootedCON against a ruling ordering the blocking of IP addresses used for illegal distribution of LALIGA content.
The issue is that an IP address no longer necessarily corresponds to a single website. Today’s internet often shares IPs among hundreds or thousands of domains via CDN, DDoS protection, load balancers, reverse proxies, or cloud platforms. Providers like Cloudflare and Vercel have reported that some blocks associated with LALIGA have inadvertently affected legitimate sites not involved in piracy.
The explanation is straightforward. When a pirate website uses a shared CDN IP and is ordered to be blocked, the telecom operator may make all sites passing through that IP inaccessible, regardless of their legitimacy—be it online stores, technical blogs, SaaS services, news outlets, or business apps. For the ISP, the block is applied at a network layer unaware of the actual domain affected.
Blocking by domain is more precise but also limited. Using DNS-based blocking can be evaded with alternate resolvers or encrypted DNS. Intervening at HTTPS layer is more complex since the URL path is encrypted and not visible to the network operator without intrusive techniques. The Server Name Indication (SNI) has enabled domain identification for years, but advances like ECH (Encrypted Client Hello) and other privacy mechanisms further obscure visibility. Effective and precise blocking thus requires cooperation with hosting providers, CDNs, registrars, payment processors, and infrastructure operators near the source of the abuse.
This is the key technical point: blocking IPs is quick and may be effective short-term, but it risks collateral damage when using shared infrastructure. Domain or URL blocking is generally more targeted but easier to bypass. Addressing origin servers, customer accounts, payments, and resellers demands more investigation but results in less collateral impact.
Precision must be part of anti-piracy strategies
Fighting audiovisual piracy should avoid technically blunt measures. As illicit networks become more professionalized, responses must also be more precise. In an environment with CDN, Anycast, shared hosting, public clouds, proxies, IPv6, and encrypted traffic, blocking orders need to be guided by sufficient technical understanding to prevent specific violations from affecting legitimate services.
A more realistic approach combines multiple layers: criminal investigation (as in KRATOS 2) to identify groups, infrastructure, payments, and responsible parties; cooperation with intermediaries who can act on concrete resources; removal of domains, accounts, and servers with sufficient evidence; and dynamic, limited-scope blocking with oversight, traceability, and rapid correction mechanisms.
Transparency is also essential. A legitimate company that gets blocked during a match should be able to understand what happened, who requested the block, under what resolution, for how long, and how to appeal. Without an agile review process, small businesses, media outlets, and platforms lacking legal resources may suffer serious damage.
Proportionality is not an excuse to let pirate networks operate freely. It is a condition for sustainable response. If anti-piracy measures mistakenly block services that do not infringe rights, legitimacy erodes and social acceptance drops. Moreover, it encourages users to turn to VPNs, alternative DNS, or other solutions that can paradoxically hinder future investigations and reduce the effectiveness of blocks.
A battle impacting internet architecture
The LALIGA case illustrates a broader tension. Rights holders want quick responses to broadcasts that last only hours. Piracy networks exploit that urgency to shift between domains and infrastructure. CDN and cloud providers argue that punishing thousands of legitimate clients for the actions of a few is unfair. Telecom operators find themselves caught in the middle, executing bans on increasingly encrypted and shared networks.
The solution will not be simple. However, a clear guideline is emerging: future anti-piracy efforts should resemble cybersecurity more than network shutdowns. They require technical intelligence, attribution, precise indicators, infrastructure analysis, international cooperation, and graduated measures. Blocking shared IPs can help in specific cases but should not be the primary tool if less harmful alternatives exist.
KRATOS 2 proves that complex criminal organizations can be tackled through police and private cooperation. This approach is slower than sending a list of IPs but more robust. Protecting audiovisual rights is legitimate but must coexist with recognizing that the internet operates on shared infrastructure. Blowing apart that layer to pursue infringers risks affecting innocent users.
Frequently Asked Questions
What is KRATOS 2?
KRATOS 2 is an international operation against illegal IPTV networks and unauthorized streaming, conducted between September 2025 and April 2026 with Europol’s support and involving LALIGA and other audiovisual sector partners.
Why can IP blocks affect legitimate websites?
Because many sites share IP addresses via CDN, cloud services, or protection platforms. Blocking a shared IP associated with a pirate site may inadvertently block other legitimate sites that are unrelated to piracy.
Why don’t they just block specific URLs?
Because with HTTPS, the full URL path is encrypted and typically invisible to network operators. Precise action usually requires cooperation with hosting providers, CDNs, registrars, payment services, or infrastructure managers.
What would be a more proportionate anti-piracy response?
Combining criminal investigation, domain and server takedowns, action on payments and resellers, targeted blocking where necessary, and quick channels to address collateral damage.