The 3 Year Hunt for the ‘Ghost No1’ Piracy Server

Pirated content is big business in China, but the authorities are taking an increasingly hard stand against its architects. Patrick von Sychowski traces the lengths they went to in catching the criminals masterminding a major piracy operation.


Somewhere in China, digital cinema projection server No. A15591 was letting pirates make pristine HD copies the very same day that new releases opened in cinemas. The piracy tracking team within China’s Central Propaganda Department’s Film Technology Quality Inspection Institute even had a nickname for the server: ‘Ghost No. 1’. It was their job to find it — and stop it. But the criminal gang had found a way to exploit a flaw in the server architecture that made it untraceable.

In June 2014, Mr Ma Mou registered to operate a drive-in cinema in Anshan City — a steel-town in northern China twinned with UK’s Sheffield — together with his former classmate, one Mr Ma Mosong. But situated as it was just west of North Korea, the northern climate, with its winds and dust, was not conducive to drive-in theatres. So Ma Mou and Ma Mosong dreamt up new business plans for their “Two Horses” criminal gang. (The surname “Ma” is also the Chinese character for horse.) They joined forces in 2015 with a local business partner and fixer, Huo Molei, to add on a screen to the drive-in that could show new release films.

First, get your hands on the content

Around this time private cinemas (a.k.a. “micro cinemas” or “on-demand cinemas”) were starting to take off throughout China, most of them legitimate, but many of them also lax in implementing regulations relating to IP protection. To obtain first-run releases a pirate high definition camera recording would be required, but this was a risky thing to do for each cinema release. So, in 2017 Ma Mou paid CNY ¥50,000 (USD $7,235) for a first-generation pre-DCI digital cinema server, a model built by GDC Technology with the serial number A15591, from a man named Huo Mou Lei.

This was the server that had been identified the year previously as the source of pirated films. As a result, it had been officially blacklisted on Trusted Device Lists (TDLs) for the creation of the security keys (KDMs) that unlock content legitimately on authorised cinema screens worldwide. Ma Mou purchased a server that was effectively useless. This is where Huo Mou Lei stepped in to help resolve the problem of how to get pirated copies from the server. He contacted a technician named Liu, who had knowledge of how to “clone” a server certificate. Liu gained entry to a cinema in Tang County, Hebei Province under the pretext of “equipment maintenance”. There he secretly copied the digital certificate of its server and downloaded the account and password for the KDM storage server.

Thus Ghost No. 1 was back in business with a newly cloned security certificate with serial number A03783. A watermark forensically extracted from a pirated video file would no longer be traced back to Ghost No. 1, since the invisible watermark in the image reveals the registered origin of the playback equipment based on the TDL. With the equipment issue resolved, it was time to get their hands on some content. The ‘Two Horses’ checked the Maoyan ticket app for the three upcoming releases with the highest audience scores. They then partnered with Wang Moufei, head of projection at a multiplex in Anshan City, who became their supplier of DCPs taken from hard drives sent legitimately by distributors. For this, Two Horses paid him CNY ¥500-1,000 (USD $75-$150) per month to borrow hard drives for up to 10 films. Back in Ma Mou’s studio the gang used professional HD cameras and sound cards to record the films and used video editing software to tweak, correct and sync the finished film file.

The pirate cinema network

Rather than selling physical copies (DVDs) or streaming them online, Ma Mou and Ma Mosong decided to target private cinemas. By the end of 2017, there were estimated to be over 8,000 such “on-demand cinemas” across China, many of which did not respect copyright when it came to competing for customers. The gang adopted the traditional marketing method of contacting the heads of shadowy private cinemas, introducing their business, then offering them a pirated sample to play. In reality, they “established a black industrial chain of pirate cinema film production, distribution and encryption management,” in the words of Zhang Zuoliang, deputy director of the Public Security Administration of the Ministry of Public Security.

Knowing that there is no honour among thieves, Ma Mou and Ma Mosong ensured that their pirated films did not get re-pirated by establishing a system similar to that of legitimately licensed cinemas to monitor offline use by adding watermarks, encryption, and transmission to the networked disk storage. “In two years, we’ve made a total of more than 200 HD pirated movies,” suspect No. 2, Ma Mosong, confessed. Advertising and communication were done over WeChat — reporters were shown an exchange between the pirate gang and a private cinema owner who complained about the cost of equipment for his 13-room private cinema. The Two Horses contact replied, “The monthly fee is ¥3,000 yuan (USD $434). The first time you have to buy an encrypted disk. Encrypted disks will be delivered by a courier, and the per-room cost is ¥500 yuan (USD $72), you can re-use it later. Then the usage fee is ¥100 yuan (USD $14.50) a month. No, the encrypted disk can be returned, with a refund of ¥300 yuan (USD $43).” Private cinemas that purchased these pirated HD films have in turn advertised them to customers with: “When you watch a movie, two people only need ¥98 yuan (USD $14.18),” thus working out cheaper than a cinema.

For the next 13 months, until July 2018, they built out their pirate network of private cinemas through WeChat groups. Once private cinemas had signed up and been connected, they authorised pirated films to be played via remote control software. According to Beijing News, “Two Horses colluded with a Shanghai technology company to encrypt their pirated movies.” It is no small irony that the head of this tech company even applied for a patent for his encryption technology. There was even an invisible watermark for each private cinema, to trace the source of any re-pirated pirate copy.

On screen on the day of release…

The private cinemas were thus unable to spread the films a second time and had no choice but to pay a monthly CNY ¥20,000 (USD $2,900) franchise fee. Though they got access to film copies early, Ma Mou banned private cinemas from screening films before they had been released in legitimate multiplexes. If the film was first shown in a legitimate cinema in the morning, pirate cinemas would have a copy ready to go around one or two o’clock that same afternoon. 

The industrial scale of this operation is as breathtaking as the finesse with which everything from sales, distribution, promotion and billing was handled. At its height the gang operated a distribution network that encompassed 330 private cinemas in 20 provinces. Each one of these had been equipped with HD film sources, playback devices and encryption technology, in addition to the mechanisms for collecting franchise fees, equipment service fees, per-film fees and more. Yet it was this highly elaborate control system that became part of the pirate gang’s undoing.


The gang that couldn’t pirate straight

With the biggest blockbusters slated for the Chinese New Year Festival the pressure was on for the Two Horses to deliver. On 27 January this year, Ma Mosong paid for three hard drives containing the latest films, including “The Wandering Earth,” from a multiplex in Anshan, Liaoning Province. At the same time, the Two Horses had ramped up their publicity campaign for the New Year releases that would be made available in pristine HD copies. One of the private cinema operators who was lured in by the publicity campaign in mid-January was Xiao Mouping, the operator of a private cinema in Hengdian, Zhejiang.


When Xiao Mouping loaded the encryption software, ironically he discovered a loophole that enabled the pirated film to be copied again. The software was not registered and it lacked a patch, meaning that Xiao could use this vulnerability to download a new copy without encryption. As promised by the pirates, all eight of the big releases were delivered on the afternoon of New Year’s Eve to Xiao Mouping and all other franchisees. On 4 and 5 February, Xiao Mouping re-recorded the pirated films and sold them on to six further private cinemas. That’s when the spread became quite uncontrollable through an initial Baidu cloud-sharing link.


Seeing their films spreading like wildfire online, the distributors of “Wandering Earth,” “Bonnie Bears: Blast into the Past” and “Integrity” issued a joint take-down letter on the evening of 12 February to a mobile site/app called Twist Film & TV, accused of hosting the films. By this time it is estimated that “Wandering Earth” had been watched 5.262 million times online, “Integrity” 738,000 times and “Bonnie Bears” 1,059,000 times. The app charged a micro-payment for access to the films, as well as placing adverts for gambling and pornography sites within the film image itself. Meanwhile, Ma Mou and Ma Mosong must have been watching the online re-pirated spread of their laboriously pirated films through gritted teeth. More importantly, they must also have realised that their entire criminal enterprise was about to crumble. On 13 March, the police started a series of raids on private cinemas and, among those investigated, the Zhongshan Public Security Bureau homed in on a private cinema called “Pony Pictures.” Zhou Xiaomou, the operator of Pony Pictures, then admitted that he ran an illegitimate cinema showing films from a pirate distribution network.


The two Ma’s distribution platform infrastructure and technology came from a Hong Kong, Macao and Taiwan-registered company in Suzhou, to the west of Shanghai. The company had agents across China and elaborate advertising websites. At the time of their arrests it had a presence in 200 cities across mainland China and comprised more than 800 private cinemas, which, between them, operated more than 10,000 screening rooms. On 19 March the order was given for the Zhongshan Task Force to go to Suzhou and Shanghai under the coordination of the Provincial Public Security Bureau. Taking down the criminal enterprise began the following day, culminating in the apprehension of Ma Mou and his top accomplices.


After the success of the operation, a press conference on 29 April brought together law enforcement and the affected film distributors. Li Jingsheng, director of the Public Security Bureau, told the assembled reporters about the pressure to smash China’s biggest-ever film piracy ring, “We had to solve the problem this time. To solve the problem from the root cause, the focus was on finding the source, so this time we proposed to chase the source, check the chain, fight the first evil, and destroy the network.”


However, for all the accomplishments of Chinese authorities in closing this piracy network, the larger question remains whether this could ever happen again. More specifically, could we see a Ghost No. 2 or even 3 or 4?


Pirating content from a DCI-compliant server is theoretically impossible. However, it wasn’t simply that server A15591 was not DCI-compliant that enabled an illicit content piracy ring to flourish. Somehow, the operational and logistical industry standards designed to distribute and play back content securely were manipulated. They were exploited in a fashion that was unforeseen and which took numerous resources to uncover. Unless lessons are learned from a case in which one digital cinema server led to copyright infringement on an industrial scale, many more “ghosts” may turn up to haunt the industry at some point in the future.



This is an edited version of an article that first appeared on