CaptchaLa Blog

Appearance

Binge, Bot, Repeat: Unpacking the Ecosystem of Video Piracy on Telegram

Source: arXiv:2605.08418 · Published 2026-05-08 · By Sadikshya Gyawali, Jaishnoor Kaur, Taylor Graham, Josef Horacek, Nowshin Tabassum, Shirin Nilizadeh et al.

TL;DR

This paper presents the first comprehensive large-scale analysis of the video piracy ecosystem on Telegram, focusing on structural, operational, and behavioral patterns of 1,057 piracy-related channels that shared 209,000 posts over a 26-month period from December 2023 to January 2026. The authors develop a fine-grained, multi-layer taxonomy categorizing types of piracy activity on a per-post basis, including distribution strategies (direct uploads, multi-channel routing, external cloud/storage links, bots) and operational ecosystem signals (resilience, monetization, access facilitation). They find that Telegram piracy spans 19,033 unique copyrighted titles from 175 countries, accruing over 4.85 billion views and causing an estimated minimum financial loss of $17.49 billion. Importantly, the ecosystem is deliberately engineered for resilience against takedown by fragmenting content across interlinked channels and automated bots facilitating hosting, access control, and monetization. To translate their insights into practical tooling, the authors develop Anti-RIP, a real-time open-source detection framework leveraging their taxonomy to automatically identify emerging piracy communities and generate contextual triaging reports. Over a 61-day evaluation, Anti-RIP enabled the takedown of 524 previously unknown piracy channels and 71 bots, demonstrating its value in scaling and improving enforcement efforts.

Key findings

  • The ecosystem includes 1,057 piracy-related Telegram channels and 209,000 unique posts between Dec 2023–Jan 2026.
  • Channels distributed 19,033 unique copyrighted video titles across 175 countries.
  • Piracy posts accumulated over 4.85 billion unique views, with an estimated minimum financial loss of $17.49 billion to rights holders.
  • Direct file uploads within Telegram accounted for 579 posts, leveraging Telegram's 2GB file upload limit.
  • 642 posts used multi-channel distribution, redirecting users through intermediary channels or backup channels.
  • 728 unique external links were identified; 412 pointed to less mainstream cloud storage providers like TeraBox and Terashare, not popular platforms like Google Drive.
  • Fifty-two unique content delivery bots were found, including dynamic retrieval bots, channel promotion bots, and content ingestion bots.
  • Over a 61-day deployment, Anti-RIP facilitated the takedown of 524 piracy channels and 71 automated bots previously unknown to enforcement stakeholders.

Threat model

The adversary is an organized piracy operator or group leveraging Telegram channels and automated bots to distribute copyrighted video content illicitly. They possess the capability to create multiple channels, deploy bots with interactive workflows, fragment content across channels to evade detection, utilize less prominent cloud storage providers, and monetize through credit or payment systems integrated into the platform. They cannot fully prevent identification and takedown by large-scale monitoring but actively seek to complicate enforcement by decentralizing infrastructure, using multi-hop redirection, backup channels, and ephemeral bot response deletion.

Methodology — deep read

  1. Threat Model & Assumptions: The adversary consists of Telegram piracy channel operators who distribute copyrighted video content illicitly. They actively attempt to evade detection through multi-hop redirection, channel fragmentation, bot automation, and monetization obfuscation. The adversary can upload large files, control multiple channels and bots, use backups, and access external cloud storage or streaming sites. They cannot fully prevent identification by large-scale monitoring but aim to slow enforcement.

  2. Data: The authors collected data spanning 26 months (Dec 2023 - Jan 2026), covering 1,057 Telegram channels identified as piracy-related, which produced 209k unique posts. The initial seed of 74 channels was identified manually from a popular Telegram aggregator (Telemetrio) using qualitative analysis by two independent coders to confirm piracy activity based on post contents and links. This manual analysis coded post-level behaviors to develop the taxonomy. Subsequently, the taxonomy was applied to automate large-scale classification across nearly 1,000 channels and their posts. External links embedded in posts were manually visited and categorized by coders.

  3. Architecture/Algorithm: Central to the approach is a fine-grained hierarchical taxonomy capturing piracy behavior at the post level. The taxonomy builds from two primary layers: Distribution Strategies (direct Telegram uploads, multi-channel routing, external cloud storage, streaming, torrent links) and Operational Ecosystem Signals (resilience strategies like backup channels, monetization schemes, bot types, access facilitation through modded apps or stolen credentials). Four bot categories were identified: content delivery, dynamic retrieval, channel promotion, and content ingestion bots. The taxonomy supports automated classification and generates interpretable insights on channel activity.

  4. Training Regime: While not focused on standard model training, the study involved independent manual coding by two coders for seed data with reported Cohen’s Kappa = 0.82 to ensure annotation reliability. The automated classification methodology details were not fully transparent but informed by qualitative insights.

  5. Evaluation Protocol: The framework was evaluated through a 61-day deployment (Anti-RIP) that monitored newly emerging channels on Telegram, generating reports for rights holders and platforms. Effectiveness was quantified in terms of the number of previously unknown piracy channels and bots identified and takedown actions enabled (524 channels and 71 bots). There was no report of formal statistical testing or closed-loop adversarial evaluation. The evaluation focused on real-world operational impact.

  6. Reproducibility: The authors publicly released their dataset and Anti-RIP framework via GitHub, supporting further academic and operational research. Hardware infrastructure or seed choice details were not exhaustively detailed.

A Concrete Example: The authors initially examined 74 channels manually, extracting various post metadata such as title, resolution versions (480p, 720p, 1080p, 4K), subtitles, language localization, and access methods. They observed direct Telegram uploads and complex redirection chains through multi-stage channel links and bots. For instance, a post might advertise a US TV show with multiple file quality options and links redirecting the user through several intermediary channels before finally delivering a download link hosted on a cloud storage platform like TeraBox. Parallel qualitative and quantitative coding of thousands of such posts led to the formulation of the taxonomy. This taxonomy then powered the Anti-RIP system which automatically parses newly created channels and posts to flag suspicious activity, enabling focused takedown interventions.

Technical innovations

  • Development of a novel fine-grained behavioral taxonomy of piracy activity on Telegram capturing post-level distribution, resilience, monetization, and access facilitation strategies.
  • Identification and categorization of multi-hop, multi-channel redirection and backup channel strategies as a deliberate design for takedown resilience.
  • Discovery and classification of automated bots (content delivery, dynamic retrieval, channel promotion, content ingestion) as integral infrastructure sustaining piracy at scale.
  • Design and deployment of Anti-RIP, an open-source, real-time detection framework leveraging the taxonomy to generate actionable, interpretable reports to facilitate efficient triaging and takedown of piracy channels and bots.

Datasets

  • Telegram piracy channels dataset — 1,057 channels and 209k posts — Collected from December 2023 to January 2026, shared publicly via GitHub.

Baselines vs proposed

  • Prior work by Roy et al. analyzed 360 posts from 36 Telegram piracy channels focusing only on direct-download models versus this work analyzing 209k posts from 1,057 channels revealing multi-hop routing and bot-based infrastructure.
  • Anti-RIP detection over a 61-day period: enabled takedown of 524 previously unknown piracy channels and 71 bots; compared to prior reactive, ad-hoc manual detection approaches without automation.

Figures from the paper

Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2605.08418.

Fig 1

Fig 1: (A) A post sharing a link to download a popular US-

Fig 2

Fig 2: (Left) A channel with an alphabetical index, where

Fig 3

Fig 3: (Left) A channel providing a title from Japan with

Fig 4

Fig 4: in the Appendix illustrates one such example, where

Fig 5

Fig 5: (Top) A channel promotion bot which provides the

Fig 6

Fig 6 (page 4).

Fig 6

Fig 6: Taxonomy of piracy-related posts on Telegram derived from our insights in Section III.

Fig 7

Fig 7: Prompt used to classify posts using Taxonomy.

Limitations

  • The manual coding and taxonomy development focused initially on highly visible, large piracy channels indexed by Telemetrio, potentially missing smaller, emerging, or less public channels.
  • Automated classification and detection details are lightly specified; the robustness of the taxonomy-based system to adversarial evasion or novel strategies is untested.
  • No explicit adversarial evaluation or analysis of ecosystem evolution in response to enforcement and takedown actions was conducted.
  • Unclear treatment of temporally dynamic content—the dataset spans over 2 years, but shifts over time in behavior or operator tactics are not deeply analyzed.
  • Monetization and payment flows analysis are preliminary; detailed forensic tracing of financial transactions was outside scope.
  • External links were categorized manually; large-scale, automated crawling and analysis of off-platform infrastructure remains a challenge.

Open questions / follow-ons

  • How will piracy operators adapt or evolve tactics in response to sustained deployment of taxonomy- and bot-driven detection frameworks like Anti-RIP?
  • Can machine learning or automated interaction techniques be developed to reliably detect and analyze dynamic bot workflows to scale detection?
  • What is the full scope and structure of the payment and monetization pipelines within Telegram piracy ecosystems, and can they be disrupted effectively?
  • How do temporal patterns and shifts in piracy content types, regions of origin, and distribution channels evolve over longer periods?

Why it matters for bot defense

For bot-defense and CAPTCHA practitioners, this work highlights how modern illicit content ecosystems dynamically leverage multi-layered automation and multi-channel redirection to resist enforcement. The extensive use of interactive Telegram bots requiring user interaction, dynamic retrieval workflows, and ephemeral content responses presents challenges analogous to detecting malicious bot activities hidden behind seemingly legitimate or interactive interfaces. Developing detection methods that incorporate detailed behavioral taxonomies and interaction-based monitoring—as demonstrated by Anti-RIP—can inform the design of more robust defenses against sophisticated automated abuse in messaging and social platforms. Moreover, the paper underscores that relying solely on static content analysis or first-hop observations is insufficient; multi-hop, multi-entity ecosystem models and contextual, fine-grained behavior classification are required to scale intervention. Finally, monetization-obscuring mechanisms via platform-native payment APIs exemplify challenges in operational attribution that CAPTCHAs and bot defenses alone cannot solve but must integrate with broader ecosystem analysis.

Cite

bibtex
@article{arxiv2605_08418,
  title={ Binge, Bot, Repeat: Unpacking the Ecosystem of Video Piracy on Telegram },
  author={ Sadikshya Gyawali and Jaishnoor Kaur and Taylor Graham and Josef Horacek and Nowshin Tabassum and Shirin Nilizadeh and Sayak Saha Roy },
  journal={arXiv preprint arXiv:2605.08418},
  year={ 2026 },
  url={https://arxiv.org/abs/2605.08418}
}

Read the full paper

Articles are CC BY 4.0 — feel free to quote with attribution

© 2026 CaptchaLa