TorrentGuard: stopping scam and malware distribution in the BitTorrent ecosystem

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In this paper we conduct a large-scale measurement study to analyse the fake content publishing phenomenon in the BitTorrent ecosystem. Our results reveal that fake content represents an important portion (35%) of the files shared in BitTorrent, and that just a few tens of users are responsible for 90% of this content. Furthermore, more than 99% of the analysed fake files are linked to either malware or scam websites. This creates a serious threat for the BitTorrent ecosystem. To address this issue, we present a new tool named TorrentGuard for the early detection of fake content. Based on our evaluation, this tool may prevent the download of more than 35 million fake files per year. This could help to reduce the number of computer infections and scams suffered by BitTorrent users. TorrentGuard is already available and can be accessed through either a webpage or a Vuze plugin.


💡 Research Summary

The paper presents a comprehensive measurement study of fake content in the BitTorrent ecosystem and introduces a detection system called TorrentGuard to mitigate the problem. By crawling The Pirate Bay over a 14‑day period in 2011, the authors collected 29,330 torrents, of which 10,206 (35 %) were identified as fake. These fake torrents account for roughly 25 % of all download events, meaning that one in four downloads delivers content that does not match its title. A striking concentration was observed: only 71 IP addresses were responsible for the initial seeding of 4,779 fake torrents, and the top 10 IPs contributed about 75 % of all fake content, while the top 20 IPs accounted for 90 %. The authors classified fake publishers into three groups, but more than 99 % of the fake files belong to two malicious categories: (i) distributors of malware and (ii) operators of scam sites that lure users for financial gain. A small minority of publishers are anti‑piracy agencies uploading decoy files, which have negligible impact. Existing BitTorrent portals rely on user‑reporting and account bans, but fake publishers can create unlimited accounts and continue to operate from the same IP, rendering current defenses ineffective.

TorrentGuard addresses this gap by using the IP address of the initial seeder as the unique identifier of a fake publisher. The system continuously monitors the Pirate Bay RSS feed, extracts the .torrent (or magnet) infohash, contacts the associated tracker, and determines the IP of the first seeder. When a publisher’s account is removed from the portal, TorrentGuard flags the corresponding IP as malicious. From that moment, any torrent uploaded from the flagged IP is automatically labeled as fake, preventing further downloads. The authors evaluated the system and estimate that it could block more than 35 million fake‑content downloads per year, thereby protecting hundreds of thousands of users from malware infections and scam incidents. TorrentGuard is made publicly available through a web interface and a Vuze plugin, allowing easy adoption by end‑users. The paper also discusses the geographic distribution of fake publishers, their resource investment (rented high‑capacity servers), and potential counter‑measures such as ISP cooperation and enhanced tracker verification. Overall, the study quantifies the scale of the fake‑content threat, reveals its highly centralized nature, and demonstrates that an IP‑based early‑warning system can dramatically reduce the risk to the BitTorrent community.
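
The flagging rule described above, replayed over a short event stream, as an added example that is not TorrentGuard's own code. The class, function and event names are hypothetical, the infohashes and documentation-range IPs are constructed, and the first-seeder IP is assumed to have been resolved from the tracker already.

```python
from dataclasses import dataclass, field

@dataclass
class FakePublisherTracker:
    """Flags first-seeder IPs once the portal removes the account that used them."""
    ips_by_account: dict = field(default_factory=dict)  # username -> set of seeder IPs
    flagged_ips: set = field(default_factory=set)

    def observe_torrent(self, infohash, username, seeder_ip):
        """Record a new torrent; label it 'fake' if its first seeder is flagged."""
        self.ips_by_account.setdefault(username, set()).add(seeder_ip)
        return "fake" if seeder_ip in self.flagged_ips else "unknown"

    def account_removed(self, username):
        """Portal removed an account: flag every IP that seeded its torrents."""
        newly_flagged = self.ips_by_account.get(username, set()) - self.flagged_ips
        self.flagged_ips |= newly_flagged
        return newly_flagged

def replay(events):
    """Run a feed of torrent/removal events; return per-torrent labels and flagged IPs."""
    tracker = FakePublisherTracker()
    verdicts = {}
    for event in events:
        if event[0] == "torrent":
            _, infohash, username, seeder_ip = event
            verdicts[infohash] = tracker.observe_torrent(infohash, username, seeder_ip)
        elif event[0] == "removed":
            tracker.account_removed(event[1])
    return verdicts, tracker.flagged_ips

# Constructed sample feed (hypothetical accounts, placeholder infohashes).
EVENTS = [
    ("torrent", "aa01", "uploader_a", "192.0.2.10"),
    ("torrent", "bb02", "uploader_b", "198.51.100.7"),
    ("removed", "uploader_a"),                        # portal bans the account
    ("torrent", "cc03", "uploader_c", "192.0.2.10"),  # new account, same seeder IP
    ("torrent", "dd04", "uploader_b", "198.51.100.7"),
]

if __name__ == "__main__":
    labels, flagged = replay(EVENTS)
    print(labels, flagged)
```

Torrent `cc03` is labeled fake even though it comes from a fresh account, which is the case account bans alone miss. Flags in this sketch never expire.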

