Hunting Ghost No. 1 – China’s Three Year Quest to Take Down The Most Sophisticated Movie Piracy Ring Ever

By Patrick von Sychowski | June 6, 2019 11:38 pm PDT
Ghost No. 1 with Projector and Camcorder Setup

It was the piracy nightmare that was supposed to be technically impossible. Hollywood studios had spent years coming up with the digital cinema specifications and a certification process that ensured military-grade encryption would protect the latest blockbuster film releases. Camcording, albeit traceable, was still possible, but getting a perfect digital copy off a server would never happen.

Except somewhere in China, digital cinema projection server No. A15591 was letting pirates make pristine HD copies the very same day new releases opened in cinemas. The piracy tracking team of China’s Central Propaganda Department’s Film Technology Quality Inspection Institute even had a nickname for the server: Ghost No. 1. It was their job to find it – and stop it. This is the story of their three-year battle to take down the greatest film piracy ring to ever operate in China.

Piracy Becomes A Big Business In China
With China having become the world’s second biggest cinema market in terms of box office, and the world’s largest in terms of cinema screen numbers, the commercial value of film releases has soared. Not just for Hollywood and Chinese film distributors, but also for local film pirates. Far from just being amateur torrent enthusiasts, piracy is a large-scale criminal commercial enterprise, even in a tightly policed state such as Communist China. Street stalls of VCDs (video compact discs) and DVDs (digital video discs) long ago fell out of fashion with the rise of smartphones, so today links to pirated films on shadowy websites are instead traded on social media channels such as WeChat and QQ, which have conveniently built-in micro-payment systems.

Streaming has grown even faster in China than the number of multiplexes, with the legal streaming market worth CNY ¥53.6 billion (USD $7.7 billion) in 2018 – only CNY ¥7.3 billion (USD $1 billion) less than the country’s total box office that same year. As cinema ticket subsidies in China have been reined in, the lure of an HD copy of the latest cinema release for less than the equivalent of a dollar can be irresistible. Such an opportunity was enabled by a sophisticated shadowy network of private cinemas fed by a piracy syndicate with no regard for intellectual property (IP). And most of the HD copies being circulated could be traced back to one single source.

Ghost No. 1 and the Two Horses (Photos: Su Network)

Ghost No. 1, Spies and an Engineer Hero
The story of the monumental effort by Chinese authorities to track down the “ghost” server has a plot worthy of a film and, interestingly enough, began with a spy film. The first person to come across the rogue server was Zhou Lingfei, an engineer of the Film Technology Quality Inspection Institute, on 6 December 2016 when he found a link to a pirated version of the Brad Pitt / Marion Cotillard spy thriller “Allied” from Paramount Pictures. Image forensic testing and analysis revealed that the pirated movie’s digital watermark ID was 138471 and the serial number of the playback server to be A15591. The digital cinema server was registered to Screen 2 of Jiuzhou Studios, Xuefu Road, Jingkou District, Zhenjiang City.

Zhou notified the Ministry of Culture, Radio and Television, but a week later the engineer was informed that the Jiuzhou Studios cinema had closed down and the equipment sold off – with the new destination unknown. But the “phantom server” was only getting started, because 20 days later five new pirated films appeared online with the same server using the identity of the Beijing Digital Theater in Hebei, a mountainous northern Chinese province near Beijing. This time the titles weren’t just Hollywood films but also the Hong Kong action thriller “Shock Wave.” Since the server couldn’t be physically located, Zhou notified China’s three main distributors, including China Film Group and Huaxia, instructing them to blacklist the server with serial number A15591 and to block the use of its digital security certificate from the keystore for key delivery message (KDM) keys to decrypt future films.

China is, if anything, stricter than Hollywood in its oversight of the deployment and control of digital cinema systems. With just 40 cinema operator licences to screen first-run films having been issued, it’s not possible to simply buy a projector / server combo and then strike an agreement with distributors to show their films. Each projector and server that is manufactured, no matter where they end up in the world, comes from the factory with a unique serial number. The ID and digital security certificate of each piece of equipment is held in what is known as a trusted devices list (TDL) by all distributors or content service providers (which are strictly controlled in China) and matched to specific cinema locations.

Distributors then send a hard drive with the encrypted film (a.k.a. a digital cinema package or DCP) to each cinema in which the film is to be shown and then separately issue a KDM that “unlocks” the film for a specific server / projector combo during a set period of time. Yet even when decrypted the image carries a watermark, invisible to the human eye, that can identify the playback equipment, time and location where the film was shown – assuming the server identity is correct. But Ghost No. 1 was evading identification by what the Chinese refer to as “resurrecting the corpse,” or in more prosaic technical terms, “cloning.”

Since 2012 Chinese authorities have used digital cinema watermarking to successfully trace and prosecute over 500 instances of film theft, including for major blockbusters such as “Painted Skin,” “Lost in Thailand” and “Wolf Warrior 2.” Huang Mingzhe, deputy detachment leader of the Public Security Defender of Yangzhou City Public Security Bureau (located just across the Yangtze River from Zhenjiang City, where the server originated from) explained how Ghost No. 1 managed to evade efforts to find it and stop it for several years, “The so-called cloning is the copying of the digital security certificate of one server of a regular theater to another server, so that the two servers have the same ID.” Chasing Ghost No. 1 just became a game of whack-a-mole; blacklist one valid security certificate and the pirates could just copy another non-blacklisted certificate onto A15591.
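
The issuance and tracing model described above, as an added example (not code from the article or from any distributor): a KDM request is checked against a TDL and a serial blacklist, and a forensic watermark hit is reconciled against the registered site's show log. Only the serials and site names come from the article; the thumbprints, dates, show log and the 14-day window are constructed assumptions.

```python
# Added illustration: TDL-gated KDM issuance and watermark reconciliation.
# Thumbprints, dates, the show log and the 14-day limit are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TdlEntry:
    serial: str      # server serial number
    thumbprint: str  # certificate thumbprint (constructed placeholder)
    site: str        # cinema/screen the device is registered to
    active: bool     # False once the site has closed or the device is retired


# Trusted devices list keyed by serial (serials and sites are from the article).
TDL = {
    "A15591": TdlEntry("A15591", "tp-constructed-01", "Jiuzhou Studios, Screen 2", False),
    "A03783": TdlEntry("A03783", "tp-constructed-02", "Tang County cinema", True),
}
BLOCKLIST = {"A15591"}  # serial blacklisted by the distributors

# Constructed show log: start times the registered site actually recorded.
SHOW_LOG = {
    "Tang County cinema": [datetime(2019, 2, 5, 14, 0), datetime(2019, 2, 5, 19, 30)],
}


def kdm_decision(serial, thumbprint, not_before, not_after,
                 max_window=timedelta(days=14)):
    """Return (allowed, reason) for a KDM request against the TDL and blacklist."""
    entry = TDL.get(serial)
    if entry is None:
        return False, "serial not on TDL"
    if serial in BLOCKLIST:
        return False, "serial blacklisted"
    if not entry.active:
        return False, "registered site inactive"
    if thumbprint != entry.thumbprint:
        return False, "certificate does not match TDL entry"
    if not_after <= not_before or not_after - not_before > max_window:
        return False, "invalid validity window"
    return True, f"KDM bound to {entry.site}"


def reconcile_watermark(serial, played_at, show_log=SHOW_LOG,
                        tolerance=timedelta(minutes=30)):
    """Compare a forensic watermark hit with what the registered site logged."""
    entry = TDL.get(serial)
    if entry is None:
        return "unknown device"
    if not entry.active:
        return "device registered to inactive site: locate hardware"
    starts = show_log.get(entry.site, [])
    if any(abs(played_at - start) <= tolerance for start in starts):
        return "consistent with a logged show"
    return "no logged show at registered site: possible cloned certificate"


if __name__ == "__main__":
    t0 = datetime(2019, 2, 4)
    week = timedelta(days=7)
    # The blacklisted serial is refused outright.
    print(kdm_decision("A15591", "tp-constructed-01", t0, t0 + week))
    # Any device presenting the registered A03783 identity is accepted,
    # which is why blacklisting by serial alone turns into whack-a-mole.
    print(kdm_decision("A03783", "tp-constructed-02", t0, t0 + week))
    # A watermark hit at 03:00 matches no show the registered site logged.
    print(reconcile_watermark("A03783", datetime(2019, 2, 5, 3, 0)))
```

A request carrying the copied A03783 identity passes the issuance check, so in this sketch only the reconciliation against the registered site's own records points at a clone.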

(Please Note: We have purposely obscured the precise methodology so as not to provide instructional references for any would-be pirates.)

Law enforcement officials detail Operation “2.15” – China’s greatest anti-piracy action. (Photo: Xinhua News)

Operation “2.15”
This year’s Chinese New Year (a.k.a. Spring Festival or Lunar New Year) holiday would prove critical for the efforts to thwart piracy in China. Historically this is a time reserved for the biggest domestic blockbusters, with big films such as “The Wandering Earth” and “Crazy Alien” block booked across tens of thousands of screens. With talk of a ‘Winter is coming’ for China’s film and cinema business seeing stagnating growth in 2019, no-one could afford box office revenue being siphoned off by pirates. But that’s apparently just what happened. Between February 4th and 10th the total box office in China was CNY ¥5.8 billion (USD $839 million), including the one billion yuan (USD $144 million) sci-fi hit “The Wandering Earth” earned in just four days. Though a box office record for the period, attendance was largely flat and only higher ticket prices made it stronger than last year. Was piracy partly to blame?

According to the data from the National Copyright Association of the People’s Republic of China (PRC), which had been monitoring piracy activity over the holiday, the number of infringing online links of the eight films released over the holidays numbered 51,000. Of those, no less than 38,900 of the infringing links were to HD versions, and the total number of click-to-play broadcasts was about 82.82 million. This is estimated to have resulted in a box office loss of about CNY ¥787 million (USD $114 million). More significantly, of the 27 pirated versions of the eight films released, the source was always the same: server A15591 or Ghost No. 1.

Chinese authorities notoriously block any Hollywood or foreign films about spirits or afterlife from having a theatrical release in China (even the recent all-female “Ghostbusters”) so as not to “promote cults or superstition”. Now they were about to take an even harsher approach on the “Ghost” server.

A joint operation was launched with the name “2.15,” codenamed after 15 February of the New Year Holiday period, under the auspices of the Ministry of Public Security. While the many levels of public security bodies, ministries and police departments in China tackling this might seem bewildering to outsiders, China is incredibly efficient when it comes to coordinating security actions. Even prior to the 2.15 operation the anti-piracy bodies had completed 25 cases of film and television infringement and piracy detection, in which 251 criminal suspects had been arrested, 361 pirated video websites closed, 57 apps shut down, and seven high-definition movie piracy servers seized. The total amount involved in these actions was CNY ¥230 million (USD $33 million). But this would pale next to the hunt for Ghost No. 1.

The first step was to infiltrate the WeChat channels used by the criminal pirate gangs to sell links to HD copies. A perfect HD copy of “The Wandering Earth” had appeared online just a day after the movie opened in cinemas, despite the efforts of the film’s producer Gong Geer to increase security around the film release, as well as having three anti-piracy teams monitoring all social media channels day and night. Based on the information culled from social media channels (the exact methods are being kept secret) five arrest teams were despatched to the cities of Anshan and Xiangtan, both in Hunan Province in South Central China, where they monitored the main suspects. Simultaneously 13 smaller units were initially sent to eight provinces and 11 cities for investigation and evidence collection. In total Yangzhou Public Security Bureau dispatched more than 200 police officers to work in 46 cities in 20 provinces to make arrests.

Dongles seized as part of the “2.15” anti-piracy raids in China. (Photo: Li Yukun – Beijing News)

Once the Ministry of Public Security gave the order the teams swooped in and made the arrests of the five key suspect targets: Ma Mou, Ma Mosong, Wen Mou, Lu Mou, and a technician with the surname Liu (no first name). There were 59 additional suspects arrested (some reports claim over 250) across the provinces of Liaoning, Heilongjiang and Hebei in the north and north east and Hunan in the south. More than 100 private cinemas were raided. A total of 13,673 devices were impounded, including 67 pirated movie hard drives and four projection servers. These had been used to provide over 10,000 films and TV shows to pirate sites, apps and shadowy ‘private cinemas’. The authorities ultimately investigated more than 1,900 suspected individuals, verified 185 key personnel, and successfully locked up five major criminal suspects of the criminal group during the 2.15 operation.

Journalists shown around the evidence by Yangzhou Municipal Public Security Bureau saw that the physical evidence in this case was almost enough to fill an entire storage hall.

In photographs, a large number of “dongles” could be seen piled up in a number of boxes arranged in sequence on a physical evidence shelf. The task force police officer Mr Ke picked up a small USB ‘dongle’ key and said: “This is used to install the playback equipment on the offline private cinema. Without it, the criminal group’s pirated movies can’t be released. More than 9,000 such dongles had not yet been sold or sent out. If it spreads, criminal groups will develop so many boxes that can play pirated movies. Such a large amount will have a big impact on the Chinese film market.”

The pirates were creating a shadow network of private cinemas showing first-run films illegally. And they were able to do so thanks to one of the four servers amongst the more than 13,000 devices impounded – the notorious Ghost No. 1. Yet it is the story of how server A15591 or Ghost No. 1 came to be the fountain of pirated films that holds the most chilling lesson for the cinema industry in China and abroad. Because there is nothing to stop a Ghost No. 2 or No. 3 or so on.

GDC server A15591 was given the name Ghost No. 1 by law enforcement and government officials. (Photo: Police Files)

The Origins of Ghost No. 1

The details of how server A15591 came to be the greatest enemy of Chinese film distributors were first revealed in detail by online news portal Sohu, though with additional reporting from the likes of China News, Xhby and others. What follows was pieced together from multiple sources with the assistance of Google Translate.

Chief suspect Ma Mou registered in June 2014 to operate a drive-in cinema in Anshan City – a steel-town in northern China twinned with UK’s Sheffield – together with former classmate Ma Mosong. But situated north of Dalian and west of North Korea, the northern climate, with its winds and dust, was not conducive for drive-in theatres. So the two former classmates Ma Mou and Ma Mosong started dreaming up new business plans for their “Two Horses” criminal gang. (“Ma” is the Chinese character for horse.) They joined forces in 2015 with local business partner and fixer Huo Molei to add on a screen to the drive-in that could show new films.

Around this time private cinemas (a.k.a. “micro cinemas” or “on-demand cinemas”) were starting to take off throughout China, most of them legitimate but many of them also lax in implementing regulations relating to everything from fire safety to IP protection. Ma’s problem was how such venues could gain first-mover advantage and attract customers with the latest film releases showing in regular multiplexes. To obtain first-run releases a pirate high definition camera recording would be required, but this was a risky thing to do for each cinema release. Rather than using inferior camcorded copies, it would be better to get a pristine DCP directly from the server. So, in 2017 Ma Mou paid CNY ¥50,000 (USD $7,235) for a first-generation GDC digital cinema server with the serial number A15591 from a man named Huo Mou Lei. This was a pre-DCI compliant server. Previously, Huo had started a cinema equipment dealership to sell movie playback equipment for regular cinemas and provide renovation and maintenance services.

This was the server that had been identified the previous year as the source of pirated films and was hence officially blacklisted on TDLs for the creation of security keys (KDMs). So Ma Mou purchased a server that was effectively useless. This is where Huo Mou Lei stepped in to help resolve the problem of how to get pirated copies from the server. He contacted a technician named Liu, who had knowledge of how to “clone” a server certificate. Liu gained entry to a cinema in Tang County, Hebei Province under the pretext of “equipment maintenance,” secretly copied the digital certificate of its server and downloaded the account and password for the KDM storage server. Thus Ghost No. 1 was back in business with the newly cloned security certificate with serial number A03783. Once the watermark was forensically extracted from the pirated video file it would therefore not be traced back to Ghost No. 1, since the invisible watermark in the image would reveal the registered origin of the playback equipment based on the TDL.

With the equipment issue resolved, it was time to get their hands on some content. The Two Horses checked the Maoyan ticket app for the three upcoming releases with the highest audience scores. They then partnered with Wang Moufei, head of projection at a multiplex in Anshan City, who became their supplier of DCPs taken from hard drives sent legitimately by distributors. For this the Two Horses paid him CNY ¥500-1,000 (USD $75-$150) per month to borrow hard drives for up to 10 films. Back in Ma Mou’s studio the gang used professional HD cameras and sound cards to record the films and used video editing software to tweak, correct and sync the finished film file.

Police arresting the Two Horses and their dozens of piracy accomplices. (Photo: Police File)

The Pirate Cinema Network
Rather than selling physical copies (DVDs) or streaming them online, Ma Mou and Ma Mosong decided to target private cinemas. By the end of 2017 there were estimated to be over 8,000 such “on-demand cinemas” across China, many of which did not respect copyright when it came to competing for customers. The gang adopted the traditional marketing method of contacting the heads of shadowy private cinemas, introduced their business, then offered them a pirated sample to play. They “established a black industrial chain of pirate cinema film production, distribution and encryption management,” in the words of Zhang Zuoliang, deputy director of the Public Security Administration of the Ministry of Public Security.

Knowing that there is no honour among thieves, Ma Mou and Ma Mosong ensured that their pirated films did not get re-pirated by establishing a system similar to that of legitimately licensed cinemas to monitor offline use by adding watermarks, encryption, and transmission to the networked disk storage. “In two years, we have made a total of more than 200 HD pirated movies,” suspect No. 2 Ma Mosong confessed to the police. Advertising and communication was done over WeChat where reporters were shown an exchange between the pirate gang and a private cinema owner who complained about the cost of equipment for his 13-room private cinema. The Two Horses contact replied, “The monthly fee is ¥3,000 yuan (USD $434). The first time you have to buy an encrypted disk. Encrypted disks will be delivered by a courier, and the per-room cost is ¥500 yuan (USD $72), you can re-use it later. Then the usage fee is ¥100 yuan (USD $14.50) a month. No, the encrypted disk can be returned, with a refund of ¥300 yuan (USD $43).” Private cinemas that purchased these pirated HD films have in turn advertised them to customers with: “When you watch a movie, 2 people only need ¥98 yuan (USD $14.18),” thus working out cheaper than a cinema.

Between April and June 2017 Ma Mosong groomed Lu Mou and Wen Moujie as his second-tier lieutenants in the criminal group headed by Ma Mou. For the next 13 months, until July 2018, they built out their pirate network of private cinemas through WeChat groups. Once private cinemas had signed up and been connected, they authorized pirated films to be played via remote control software. According to Beijing News, “Two Horses colluded with a Shanghai technology company to encrypt their pirated movies. Liu Wei said that this company is a ‘one-person company’ and there is only one boss/employee.” It is no small irony that the head of this tech company even applied for a patent for his encryption technology. There was even an invisible watermark for each private cinema, to trace the source of any re-pirated pirate copy.

The private cinemas were thus unable to spread the films a second time and had no choice but to pay a monthly CNY ¥20,000 (USD $2,900) franchise fee. Though they got access to the film copies early, Ma Mou banned the private cinemas from screening the films before they had been released in legitimate multiplexes. If the film was first shown in a legitimate cinema in the morning, the pirate cinemas would have a copy ready to go around one or two o’clock that same afternoon. Customers just needed to enter the private cinema room or booth, order up the film and play it after the pirate’s own verification and decryption took place behind the scenes.

The sheer industrial scale of this piracy operation is as breathtaking as the finesse with which everything from sales, distribution, promotion and billing was handled. At its height the gang operated a distribution network that encompassed 330 private cinemas in 20 provinces. Each one of these had been equipped with HD film sources, playback devices and encryption technology, in addition to the mechanisms for collecting franchise fees, equipment service fees, per-film fees and more. Yet it was this very elaborate control system that became part of the pirate gang’s undoing.

Seized hard drives from the Two Horses piracy network. (Photo: Ministry of Public Security)

Hoisted By Their Own Decrypted Petard
With the biggest blockbusters slated for the Chinese New Year Festival the pressure was on for Two Horses to deliver. On 27 January Ma Mosong paid for three hard drives containing the latest films, including “The Wandering Earth,” sourced from Du Mou, a multiplex in Anshan, Liaoning Province. The Two Horses had simultaneously ramped up the publicity campaign for the New Year releases that would be made available in pristine HD copies. One of the private cinema operators who was lured in by the publicity campaign in mid-January was Xiao Mouping, who operated a private cinema in Hengdian, Zhejiang.

When Xiao Mouping loaded the encryption software he discovered a loophole that enabled the pirated film to be copied again. The software was not registered and lacked a patch, meaning that Xiao could use the vulnerability to download a new copy without encryption. As promised by the pirates, all eight of the big releases were delivered on the afternoon of New Year’s Eve to Xiao Mouping and all other franchisees. On February 4th and 5th, Xiao Mouping re-recorded the pirated films and sold them on to six other private cinemas. That’s when the spread became uncontrollable through an initial Baidu cloud sharing link. Having previously been contained to the closed and monetised Two Horses private cinema network, the very same pristine HD copies of pirated new releases were now being made available freely online. Why pay for a private cinema, let alone an actual multiplex, when you can watch the film for free on your smartphone?

Seeing their films spread like wildfire online the distributors of “Wandering Earth,” “Bonnie Bears: Blast into the Past” and “Integrity” issued a joint take-down letter on the evening of 12 February to a mobile site/app called Twist Film & TV accused of hosting the films. By this time it is estimated that “Wandering Earth” had been watched 5.262 million times online, “Integrity” 738,000 times and “Bonnie Bears” 1,059,000 times. The app charged a micro-payment for access to the films, as well as placing adverts for gambling and pornography sites in the film image itself. Even the Great Firewall of China could not keep up with the full extent of this online criminal activity as China Copyright Association’s Copyright Monitoring Center estimates that 79.7% of the 585 pirated websites monitored for the eight films during the New Year Festival were located outside of China.

Meanwhile Ma Mou and Ma Mosong must have been watching the online re-pirated spread of their laboriously pirated films with gritted teeth. More importantly, they must have realised that their entire criminal enterprise was about to crumble. First to go in the 2.15 operation were the many online apps and websites that spread the films for free or for small payments. But the criminal masterminds who had managed to do what was supposed to be impossible – to clone a digital cinema server certificate – were not far behind. On 13 March the police started raiding private cinemas and, amongst those investigated, the Zhongshan Public Security Bureau (located just inland from Macau and the organization with geographic jurisdiction) homed in on a private cinema called “Pony Pictures.” Zhou Xiaomou, the operator of Pony Pictures, admitted that he ran an illegitimate cinema showing films from a pirate distribution network which did not respect copyright.

The two Ma’s distribution platform infrastructure and technology came from a Hong Kong, Macao and Taiwan-registered company in Suzhou, west of Shanghai. The company had agents across China and elaborate advertising websites. At the time of the arrests it had a presence in 200 cities across Mainland China and comprised more than 800 private cinemas, which between them operated more than 10,000 screening rooms. On 19 March the order was given for the Zhongshan Task Force to go to Suzhou and Shanghai under the coordination of the Provincial Public Security Bureau. Taking down the criminal enterprise began the following day. On 23 March the task force arrested representatives of the Taiwan-registered company in Suzhou: Chen Mouyu (a 30 year old female from Taiwan), marketing manager Zhang Mouxuan (a 25 year old man from Taiwan) and three accompanying interns. These individuals had allegedly sold the playback servers and platforms to the private theatres that enabled the showing of the pirated films. This, in turn, led to further arrests culminating in the apprehension of Ma Mou and his top accomplices.

The April 29th press conference held by the Ministry of Public Security to brief journalists about the “2.15” operation.

Unanswered Questions
After the resounding success of the 2.15 operation a press conference on April 29th brought together law enforcement and the film distributors whose releases had been stolen, re-sold and disseminated online. Li Jingsheng, director of the Public Security Bureau of the Ministry of Public Security, told the assembled reporters about the pressure to smash China’s biggest ever piracy ring, “We had to solve the problem this time. To solve the problem from the root cause, the focus was on finding the source, so this time we proposed to chase the source, check the chain, fight the first evil, and destroy the network.”

Wu Jing, director and star of “Wolf Warrior 2” as well as star of “The Wandering Earth” said, “I feel that to really solve this [piracy] problem, it is not enough to rely solely on the efforts of the public security organizations. This requires all of us to strengthen the awareness of protecting intellectual property rights and the entire society needs to work together,” before concluding that “China will surely get better and better in intellectual property protection.”

However, for all the accomplishments of Chinese authorities in closing this piracy network, the larger question remains whether this could ever happen again. More specifically, could we see a Ghost No. 2 or even three or four? Here is what Sohu has to say about it, presented below as translated by Google from the original article:

According to the police handling the case, the projection servers involved in the series were all Hong Kong-based GDC brands, and most required the maintenance technicians of the manufacturer to carry out cloning the server. According to the investigation, the brand’s digital cinema server currently has a market share of 67% on the Chinese mainland. In addition, the above-referenced technician Liu, one of the suspects arrested in the case, mentioned that this digital cinema server also has a vulnerability; the old version can change the time on the server. The pirate gang used this to allow them to copy movies in advance of their release, so that private cinemas could screen new films at the same time as regular theaters.

GDC was the first software-based digital cinema server to be released and there have been questions raised about how vulnerable such technology might be to attempts to compromise its security. When we contacted GDC we eventually got this response: “GDC is aware of the piracy matter in China. During the interviews on China TV with the suspects, it was confirmed they purchased decommissioned, second hand pre-DCI media servers. From the other information collected by authorities, we learned they altered the servers to carry out camcording in an illegal private, make-up cinema [sic]. GDC is actively working with the stakeholders in China and US to devise a viable solution to eradicate the second hand, pre-DCI/non-DCI compliant servers from the market.”

It is not known how many “pre-DCI/non-DCI compliant servers” exist in the market, or even how GDC defines and categorises them, but it could be anywhere from hundreds to thousands. GDC did not elaborate how it is working to “eradicate” this second-hand market.

Pirating content from a DCI compliant server, on the other hand, is theoretically impossible. However it wasn’t just that server A15591 was not DCI compliant which enabled an illicit content piracy ring to flourish. Somehow the operational and logistical industry standards designed to securely distribute and playback content were manipulated. They were exploited in a fashion that was unforeseen and which took numerous resources to uncover. Unless lessons are learned from a case in which one digital cinema server led to copyright infringement on an industrial scale, many more “ghosts” may turn up to haunt the industry at some point in the future.
