Resurrecting a dead torrent tracker and finding 3M peers

diggan

> Is this legal?

Why wouldn't it be? You're not actually hosting a tracker in this case, only looking at incoming connections. And even if you do run a tracker, hard to make the case that the tracker itself is illegal. Hosting something like opentrackr is like hosting a search engine, how they respond to legal takedown requests is where the crux is at, and whatever infra sits around the tracker, so police and courts can see/assume the intent. But trackers are pretty stupid coordination server software, would be crazy if they became illegal.

jekwoooooe

Is this legal isn’t a useful question. The better question is how likely are you to get sued? With civil lawsuits it doesn’t matter if it’s legal you can be sued and harassed by lawyers if you get on their radar.

bilekas

I’m not sure if that’s true actually, you might get a takedown notice, but to sue, and maybe I’m wrong but you have to claim damages, all op has to do is not announce out?

IE he can see the peer pool but they don’t announce the peer list.

dymk

The RIAA doesn't have to sue to make OP's life miserable. They have enough lawyers on the payroll to drown him in perfectly legal demand letters. Go one step further and assume the demand letters are harassment - what's OP going to do, sue the RIAA?

legohead

No need to sue. Send a cease and desist and your average hacker like OP will take it down in a hurry...

gpm

Because knowingly helping people commit crimes generally counts the same as committing the crime yourself. I.e. federally in the U.S. under 18 USC 2a https://www.law.cornell.edu/uscode/text/18/2 The software you're running being "simple" isn't a defence for doing illegal things with it - like aiding others commit crimes.

There are a few internet/copyright safe harbor provisions (in the US) that might maybe (probably not) make it not a crime, I don't know, I'm not a lawyer. But your general thought when you hear "helping someone else commit a crime" ought to be "that's probably a crime itself".

rockskon

Wouldn't particular knowledge be required? I'm sure Google devs know in the abstract that Google search is used by criminals to help them in committing crimes, but that clearly is not illegal in and of itself.

gpm

There's definitely a mens rea requirement here, that you know that a crime is being committed and that you intend to facilitate it. I doubt it requires particularized knowledge that "this specific request" is for a crime... I'm still not a lawyer.

Running a service primarily for legal purposes that some criminals can take advantage of is pretty different with regards to intent than reviving an old domain name that you know is primarily used by old illegal torrents as a tracker.

I spent a few minutes googling, and it seems like at least as of a decade ago the exact bounds here weren't well defined: https://www.scotusblog.com/2014/03/opinion-analysis-justice-...

> Finally, the possible liability for an “incidental facilitator” – such as a firearms dealer who knows that some customers will use their purchases for crime – is noted but not resolved. Thus, thankfully, there is still some fertile ground for hypotheticals with which we practicing law professors can bedevil our students.

rvnx

Well Google has knowledge about it, but once you reach a certain scale you become safe (e.g. OpenAI with copyright infringement)

awesome_dude

IANAL, but I would think that Google's customers are overwhelmingly using the service for "legitimate" activities, and Google makes attempts to limit use of their tools in the commission of a crime.

It's kind of like Kim Dotcom's defence of his systems where he was saying that he was making attempts to remove content from his systems in compliance with DMCA requests. That is, the claim is his systems were legal because even though people were using them for illegitimate purposes, he was actively working to prevent that from happening.

diggan

> knowingly helping people commit crimes generally

Right, that makes sense. Is running a tracker "knowingly helping people commit crimes"? I feel like that's a huge jump, there is a wide range of content coordinated by trackers and the DHT.

gpm

It's not like he just started a random new torrent tracker... he took over an old domain that was previously in use by people pirating stuff after observing that torrents were still pointing to the tracker and ran a tracker on that domain. That's a pretty direct line to "he knew this would be used for copyright infringement".

os2warpman

[flagged]

senko

But the OP states he was using the tracker for lawful purposes:

> So I was, uh, downloading some linux isos, like usual.

Nothing to see here, move along.

Seriously though, the OP makes the same argument and concludes that:

> I was spooked. [...] I shut down the VPS and deleted the domain quickly after confirming it works.

IANAL but this clearly shows the OP didn't intend to facilitate crime and shut it down after seeing that was what may have been happening.

gpm

I, and I think OP, were both addressing the hypothetical in which he continued to run the service, not the reality where he quickly shut it down.

> But the OP states he was using the tracker for lawful purposes:

That quote is a confession that he was committing copyright infringement. Courts and juries are not obliged to ignore the ", uh," part.

Probably (in the very unlikely event where he is charged) the best defence would be "this was a joke" not "I didn't literally confess to committing copyright infringement". Even then I'm pretty sure this quote would weigh against him substantially in just about any jury's mind.

KomoD

(IANAL) It can be both legal and illegal

If you don't respond to takedowns, that's probably leaning towards being illegal*

If you respond to takedowns and blacklist the hashes, you're most likely fine*

*obviously depends on the jurisdiction and on whether matching hashes to IP:PORT is considered distribution/facilitation/whatever (take TPB's case as an example)

I know someone who ran a pretty large tracker for years, when he received a takedown he just blacklisted the hashes and he's been fine so far.

leijurv

OP did actually host a tracker.

"I then started the tracker. After about an hour, it peaked at about 1.7 million distinct torrents across 3.1 million peers!"

numpad0

Because music & movie industries hate P2P in general? That basically killed P2P dead in 2000s as it was becoming the next generation of decentralized Web.

Maybe it's about time to revisit it? It's just the matter of how to enforce DRM. They shouldn't care in this day and age with plenty of ways to get licensing sorted out.

jedberg

Do you think the police understand this nuance? Especially since most of the traffic that will go through there is probably copyright infringement?

They'll just see tracker and assume it's illegal.

SXX

> Especially since most of the traffic that will go through there is probably copyright infringement?

Copyright infringing materials don't go "through" trackers. Trackers only keep torrent hashes and lists of peers.

jedberg

I'm well aware of how trackers and torrents work. But again, do you think law enforcement understands the nuance of that?

Also the government and private companies have argued in the past that the hashes and lists of peers is inducement and enablement for copyright infringement.

jeroenhd

So do torrent websites like the pirate bay. That doesn't protect pirates from getting sued to hell and back or even receiving prison sentences from the court.

hungryhobbit

Do you think the police are actually policing the internet?

Even if you didn't mean your local police, and meant a national body like the FBI, the truth is they focus on other crimes (eg. child abuse), and even then they are woefully unable to handle even most of those crimes.

The vast, vast majority of copyright enforcement comes from copyright holders ... not the internet copyright police.

jedberg

Of course not. But first a copyright holder tells the police, and then the police enforce it.

The police rarely find crimes on their own -- they are almost always acting on a request from someone else.

nneonneo

Now I'm wondering: with the wide range of bittorrent clients out there, and the fact that many are written in unsafe languages, could it be possible for some of them to be exploited through a malicious tracker? It would not surprise me if some of these clients misbehave if fed malformed data from a tracker.

treyd

Most torrent clients that people use (though not all) are actually wrappers around libtorrent, which is very well tested and has even been audited.

asa400

I've written hobby-quality clients and I think the answer is yes. First, you're dealing with input from a server you don't control, and second, you're doing quite a bit of interaction with the filesystem. It's hard enough to write a functional client in a memory safe language, getting it correct in C or C++ is bound to be pretty tough.
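
The concern raised in the comments above is a client trusting whatever a tracker sends back. As an added example (not code from the thread or from any client mentioned in it), this is a bounded parser for a compact announce response in Python; the size, nesting, peer-count and interval limits and the sample bytes are assumptions chosen for illustration.

```python
import ipaddress
import struct

MAX_RESPONSE, MAX_DEPTH, MAX_PEERS = 1 << 20, 8, 200  # assumed caps: bytes, nesting, peers
# Constructed sample: one usable peer, one loopback entry, one entry with port 0.
SAMPLE = (b"d8:intervali1800e5:peers18:" + bytes([203, 0, 113, 5]) + b"\x1a\xe1"
          + bytes([127, 0, 0, 1]) + b"\x00\x50" + bytes([198, 51, 100, 7]) + b"\x00\x00e")

def bdecode(data, pos=0, depth=0):
    """Decode one bencoded value at data[pos]; return (value, next_pos)."""
    if depth > MAX_DEPTH or pos >= len(data):
        raise ValueError("nesting too deep or truncated input")
    c = data[pos:pos + 1]
    if c == b"i":                                    # integer: i<digits>e
        end = data.index(b"e", pos)
        digits = data[pos + 1:end]
        if len(digits) > 20 or not digits.lstrip(b"-").isdigit():
            raise ValueError("bad integer")
        return int(digits), end + 1
    if c in (b"l", b"d"):                            # list or dictionary
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos, depth + 1)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        if len(items) % 2 or not all(isinstance(k, bytes) for k in items[::2]):
            raise ValueError("bad dictionary")
        return dict(zip(items[::2], items[1::2])), pos + 1
    colon = data.index(b":", pos)                    # string: <length>:<bytes>
    size = data[pos:colon]
    if not size.isdigit() or len(size) > 7 or colon + 1 + int(size) > len(data):
        raise ValueError("bad length, or string runs past end of response")
    end = colon + 1 + int(size)
    return data[colon + 1:end], end

def parse_announce(data):
    """Return (interval, peers) from a compact announce response, or raise ValueError."""
    reply, end = bdecode(data[:MAX_RESPONSE])        # oversize input fails the end check
    if not isinstance(reply, dict) or end != len(data) or b"failure reason" in reply:
        raise ValueError("not a usable announce response")
    interval, blob = reply.get(b"interval"), reply.get(b"peers")
    if not isinstance(interval, int) or not isinstance(blob, bytes) or len(blob) % 6:
        raise ValueError("bad interval or peers field")
    peers = []
    for ip, port in struct.iter_unpack("!4sH", blob[:6 * MAX_PEERS]):
        ip = ipaddress.IPv4Address(ip)
        if port and not (ip.is_loopback or ip.is_multicast or ip.is_unspecified):
            peers.append((str(ip), port))
    return max(60, min(interval, 86400)), peers      # clamp range is an assumption
```

Every malformed input ends in a `ValueError` the caller can treat as "tracker unusable"; the length check in the string branch is the one a hand-written C parser most easily gets wrong.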

fshafique

That's what I was hoping the author would explore.

jldugger

In other words, you can DDoS any ip for the cost of registering a domain and publishing a specific DNS record.

57473m3n7Fur7h3

Is it really going to be all that bad?

The BitTorrent clients I’ve used all seemed pretty polite, backing off for like 60s at least for each tracker they can’t connect to.

If you buy one of the dead tracker domains and point it at an IP of someone else, but their services aren’t even listening on the port client wants to connect to (and don’t speak BitTorrent even if the port happened to coincide), I can’t imagine that even with a million BitTorrent clients wanting to connect it would really be all that much of a problem.

Scoundreller

Could one just register one of these domains and point it at another active torrent tracker?

Did OP cause millions of unfinished torrents to finally connect to a peer and complete or is it likely they were already talking to “live” tracker anyway unless they were really unlucky?

ck45

My first thought is, how many BitTorrent clients have vulnerable parsing code? Could a malicious actor register the domain and infect clients?

EvanAnderson

I'm thinking of the Jon Evans novel "Invisible Armies" and the "bug" / backdoor in the P2P software that its author uses to pwn machines.

SSLy

utorrent v2.1 is still widely used by too many people, and it certainly is exploitable.

mystraline

That's easy. Register the domain in Russia, China, Iran, or similar country. Run the website in Alibaba.

Let them attempt to send legal toilet paper to Russia or China. I'm sure that will end well.

haunter

There is a tracker masterlist here updated daily so you can find other dead ones probably https://github.com/ngosang/trackerslist

jedberg

This is like when cloudflare picked up the IP address 1.1.1.1. They saw a ton of traffic to it as soon as it went hot, because a bunch of people had scripts pointing at it.

jauntywundrkind

I actually ran a very-short-lived private use tracker briefly, for some exploration doing p2p watch partying. But it was a toy, never got serious enough to look deeper at how the tracker worked (was using the rust Aquatic tracker, which kindly added webtorrent support on request! https://github.com/greatest-ape/aquatic )

Does the tracker know what it's tracking? Is there any attempt to make the tracker unaware of what peer rendezvous it's doing?

My gut is that it seems some kind of hash/magnet that folks are asking to peers on. And that the magnet itself is sufficient, and doesn't have to include anything identifying (although I believe many magnet links included some human readable description). The tracker could likely try to download this hash from the peer itself, to get the torrent info, but wouldn't really know what the torrent is or what's in it without doing the download itself.

Does that check out? How much of the magnet link is key to rendezvous? Could a tracker ignore human friendly fields, block them at ingress, to shield its eyes?
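
On what an HTTP tracker receives in an announce, and on the hash blocking mentioned earlier in the thread: the following is an added example, not code from the thread or from any tracker named in it. The magnet link, peer ID, addresses and blocked hash are constructed, and `announce_query`, `handle_announce` and `BLOCKED` are hypothetical names.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample values, not taken from the thread.
MAGNET = ("magnet:?xt=urn:btih:" + "ab" * 20
          + "&dn=some-display-name&tr=http%3A%2F%2Ftracker.example%2Fannounce")
BLOCKED = {bytes.fromhex("cd" * 20)}  # info-hashes a hypothetical operator has blocked

def announce_query(magnet, peer_id, port):
    """Client side: build the announce query string for a magnet link."""
    fields = parse_qs(magnet.partition("?")[2])
    info_hash = bytes.fromhex(fields["xt"][0].split(":")[-1])
    # Only the 20-byte hash is sent; the dn= display name stays on the client.
    return urlencode({"info_hash": info_hash, "peer_id": peer_id, "port": port,
                      "uploaded": 0, "downloaded": 0, "left": 1, "compact": 1})

def handle_announce(query, remote_ip, swarms):
    """Tracker side: validate one announce, record the peer, return a status string."""
    params = parse_qs(query, encoding="latin-1")   # latin-1 keeps the raw bytes intact
    info_hash = params.get("info_hash", [""])[0].encode("latin-1")
    port = params.get("port", [""])[0]
    if len(info_hash) != 20 or not (port.isdecimal() and len(port) <= 5
                                    and 0 < int(port) < 65536):
        return "malformed"
    if info_hash in BLOCKED:                       # blocklist is keyed on the hash alone
        return "blocked"
    swarms.setdefault(info_hash, set()).add((remote_ip, int(port)))
    return "ok"
```

The tracker's state ends up as a map from opaque 20-byte hashes to sets of IP:port pairs; nothing in the announce names the content.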

aidenn0

IANAL, but my understanding is that running a content-neutral tracker is legal in the US.

In other jurisdictions it most certainly is not, and the VPS may be in a different jurisdiction and the .si TLD definitely is.

jrochkind1

Googling, there's been at least one tracker shut down by US law enforcement, EliteTorrents [2005] https://www.latimes.com/archives/la-xpm-2005-may-26-fi-torre...

I think there have probably been more. There are definitely more that had civil suits with MPAA etc suing for damages.

It may be somewhat harder to make the case in the US, but a tracker where a great majority of what's listed is copyrighted, I'm pretty sure it can be shut down in the US.

NoMoreNicksLeft

Was that the actual tracker and tracker only, or was there a web front end that hosted all the torrent files and forums and so forth? Because the latter will make you a big target.

God I miss rarbg. And KAT.

lossolo

I remember the day they shut down ET. It was because they released some major blockbuster movie before its premiere.

ZYbCRq22HbJ2y7

VPS is from https://cockbox.org/ (as referenced in the article), which says it is based in Moldova?

rickcarlino

Why didn’t they use a protocol like Gnutella to serve as a non-centralized tracker? Or did they?

iaaan

I wonder if there are any known vulnerabilities in various torrent clients' handling of tracker responses, e.g. buffer overflows. One could potentially amass a pretty large botnet.

abigail95

interesting choice of hosting provider...