- Police Crackdown: European authorities have dismantled nine illegal-streaming crime groups and arrested 29 suspects in Operation KRATOS 2.
- Infrastructure Target: Investigators pursued domains, IP addresses, payment routes, and server infrastructure across several jurisdictions.
- User Risk: Illegal IPTV services can expose viewers to malware, spyware, data theft, and unstable replacement domains.
- Legal Follow-Up: The case now includes 59 referrals and 72 ongoing criminal investigations beyond the first arrests.
From September 2025 to April 2026, Europol and Bulgarian authorities coordinated Operation KRATOS 2, a seven-month action that dismantled nine illegal-streaming crime groups, produced 29 arrests, and removed more than 27,000 piracy URLs, authorities said.
URL removals were the clearest public part of a case that investigators treated as more than a simple access problem. Illegal streaming networks sold or distributed unauthorized online access to premium sports, film, and television content, then moved sites and technical systems across borders when investigators or rights holders intervened.
Europol, the European Union law enforcement agency, supported the operation and warned that illegal streaming services can expose users to malware, spyware, and data theft. User risk gives the case a security dimension beyond the loss of licensed sports, film, and television revenue.
How the Operation Hit the Streaming Networks
Operation KRATOS 2 ran from September 2025 to April 2026. Authorities were summarizing months of police, judicial, and technical work when they released the results. Investigators pursued networks that made money from illegal access to live sport, films, and television channels.
Public URL removals sat beside a broader effort to identify operators and technical managers. Operation KRATOS 2 brought together authorities from 13 countries, including European enforcement teams and partners in the United Kingdom and the United States.
Cross-border participation mattered because subscribers, sales pages, hosting infrastructure, and operators could sit in different legal systems. Officers identified 86 suspects, conducted 148 house searches, referred 59 cases to prosecutors or courts, and kept 72 other criminal investigations open.
Searches, referrals, domain work, and continuing cases each move through different legal or technical channels, which makes the operation more substantial than a website-blocking exercise. Private-sector intelligence helped investigators identify 4,370 piracy-linked domains, 18,331 IP addresses associated with illegal services, 397,384 URLs for suspension or removal, and 126,979 additional infringing objects.
Infringing objects usually include files, streams, or related digital items tied to unauthorized distribution, so the count captures more than public web addresses. Investigators received both public-facing targets and backend identifiers that can be matched against hosting, payment, and subscriber records.
The investigators targeted the wider criminal ecosystem behind the services rather than only removing public websites. Mapping payment channels, hosting systems, operators, and replacement sites gives police more durable evidence than a URL list alone. Public domains can disappear while the same audience keeps receiving streams through new entry points.
Why Illegal IPTV Infrastructure Is Hard to Police
Criminal streaming services can separate customer-facing websites from servers, spreading the sales page and the actual video infrastructure across borders. For investigators, that split turns a piracy case into a jurisdictional problem: one country may see the customer portal, another may host the streams, and a third may hold evidence tied to payment or management.
Illegal IPTV, short for internet-delivered television, can look like ordinary streaming access to a viewer even when the distribution chain is unauthorized. Operators can move the sales site, content server, payment route, and customer list separately, forcing investigators to coordinate technical analysis with local searches and judicial referrals.
User exposure also extends beyond copyright: illegal services can expose viewers to malware, spyware, and data theft. A seized domain does not necessarily remove servers, payment accounts, reseller lists, or subscriber relationships, which gives operators more ways to recover after a takedown.
Targeted networks were tied to premium sports broadcasts, film, and television channels, including soccer content in a World Cup year. Live sport gives illegal access a commercial edge because fans want real-time viewing, replacement domains can appear quickly, and rights holders lose value when high-demand events are redistributed outside authorized channels.
Rights owners also face a short enforcement window because an unauthorized live stream loses much of its commercial value once the match or event ends.
What Comes Next for the Cases
A prior AI music streaming fraud prosecution shows how fraud can build around digital distribution systems. A 2024 cross-border takedown of the LockBit ransomware network shows why investigators often try to identify operators, payment routes, and technical systems rather than only seize public-facing web pages.
The operation’s legal follow-up now includes 59 referrals and 72 ongoing criminal investigations, built on technical mapping, domain work, and suspect identification. Legal handoffs will determine whether the police action produces convictions, asset recoveries, or further disruption of replacement services.
Remaining investigations also give authorities a path to pursue operators who were identified during searches but were not part of the initial 29 arrests.
