UpGuard links pirate football streams to offshore betting

UpGuard has published research linking exposed customer data to illegal streaming and offshore gambling operations tied to football viewing. The findings focus on systems associated with activity around the 2026 FIFA World Cup.

Researchers found publicly accessible Elasticsearch and Graylog servers containing large volumes of logs from both types of operation. In one streaming system, a single 1.2GB log file held 5.5 million documents. Gambling backend logs ranged from 7GB to 10GB per index, with between 31 million and 38 million records each.

According to the research, the two operations were directly connected. Logs tied to gambling sites included references to illegal streaming URLs, showing how pirate streams can direct viewers to offshore betting services.

Pirate streams

UpGuard sampled 1,000 documents from the streaming index and found the records covered just 56 seconds of activity. Of those documents, 84% exposed usernames and passwords in plain text, and 18% included users' IP addresses.

The data also showed what devices viewers were using. A significant share of traffic came from MAG200 set-top box user agents, while 21 records showed Python scripts accessing the streaming endpoints, suggesting automated activity alongside normal user traffic.

UpGuard described the streaming market as layered, with platform software sold to operators who run servers on their own infrastructure and lease access to resellers. Those resellers then sell subscriptions to end users, often with payments handled through crypto transactions arranged over private messaging channels rather than through the streaming platform itself.

One index identified by researchers was dedicated to resellers and included usernames and possible identity information. That suggests the exposed data was not limited to viewers, but also covered parts of the commercial network behind the streams.

The broader backdrop is the scale of sports piracy during major tournaments. UpGuard cited a report on the UEFA Champions League Final that found 16.2 million illegal stream views, compared with 7 million legal viewers, underscoring the size of the audience available to criminal operators.

Law enforcement agencies have tried to disrupt that trade. A multinational operation led by Europol and Bulgaria's General Directorate Combating Organised Crime dismantled nine organised criminal groups and shut down more than 27,000 illegal streaming URLs across 13 countries. Other national authorities have also targeted regional piracy networks.

Betting link

The gambling logs raised a different set of privacy concerns. UpGuard found the exposed records included account IDs, bet amounts and crypto wallet references, which could allow a user's betting history to be reconstructed if the account could be linked to an identity.

That matters because the World Cup is expected to generate huge betting volumes across both regulated and unregulated markets. Analysts estimate legal wagering on the tournament will reach about USD $60 billion, while industry groups and law enforcement have warned that illegal betting is also growing quickly.

In Germany, the domestic sports betting association DSWV estimates more than €1 billion will be wagered on the tournament, with €300 million to €400 million expected to go to illegal offshore sites. Such platforms often attract customers by offering anonymous betting with fewer checks than licensed operators.

Yet the research argues that this lack of regulation leaves users exposed rather than protected. The concern is not only financial loss or fraud, but also the possibility that personal credentials, device information and transaction records are collected and left visible through poorly secured systems.

UpGuard also pointed to the commercial relationship between streaming piracy and black-market gambling. It found that 89% of adverts shown on illegal football streams belonged to unlicensed offshore gambling operators, making the free stream effectively a customer acquisition route.

Enforcement agencies have noted that link for years, but the exposed logs provide a clearer view of how closely the two markets can overlap in practice. A user seeking a free match stream may end up entering credentials into one service, then being pushed towards another that stores detailed betting records.

The findings come as cyber security concerns around the tournament extend beyond stadium systems and official digital platforms. They suggest ordinary viewers can also become part of the risk landscape through common online behaviour tied to major sporting events.

"No ID checks don't mean no risk - it means no protection," said Kai Cantwell, Chief Executive Officer, Responsible Wagering Australia.