IP-Filtered Multi-Domain IPTV Cloaking Funnel
The IP-Filtered Multi-Domain Funnel is a sophisticated segmentation-based cloaking technique. It uses a dedicated "Bridge Server" to perform real-time IP reputation checks before routing users to either a compliant payment page or a manual payment flow.
📝 Summary
- Technique: IP Reputation Filtering & Multi-Domain Routing.
- Goal: Segregate traffic so PSP/Compliance bots never see the payment page linked to the high-risk product, while real users get a seamless experience.
- Risk Score: Medium–High.
The system splits users based on their digital fingerprint. Residential users (potential customers) are routed to a "Clean SaaS" checkout, while Corporate/Bot IPs (risk analysts) are routed to a manual or dead-end flow.
🏢 Business Behavior
The merchant operates a constellation of three distinct domains:
Site A (High-Risk Landing Page):
- Publicly advertises IPTV packages, channel lists, and "unlocked" streaming.
- Optimized for SEO and Ads.
- No payment processing happens here.
Site B (Bridge Server / Traffic Filter):
- An invisible middleware server.
- Performs deep inspection of the incoming request:
  - IP Reputation Check (Residential vs. Datacenter).
  - ASN/ISP Identification.
  - Known PSP/Bank IP Blocklists.
  - Proxy/VPN Detection.
Site C (Low-Risk SaaS App Store):
- The actual Merchant of Record (MOR).
- Sells a generic "Premium Media Player" or "Cross-Platform App License" (Low Risk Digital Goods).
- Conditional Fulfillment: Only users routed from Site B with a valid signature receive the IPTV credentials. Direct visitors get just the empty player app.
🚦 Traffic Segmentation Table
| Visitor Type | Resulting Experience |
|---|---|
| Residential IP (Real Customer) | Routed to Site C with a special token. Purchases "Player License" but receives IPTV credentials + activation key. |
| Corporate / Datacenter IP (PSP Crawler) | Blocked from Site C. Redirected to a Manual Payment page (or a 404). |
| Direct Visitor (Auditor) | Visits Site C directly. Purchases "Player License" and receives only the empty player. No illegal content is delivered. |
🏗 Technical Architecture
```mermaid
flowchart LR
    User((Buyer)) --> A[Site A<br/>IPTV Landing]
    A -->|Click Buy| B[Bridge Server B<br/>IP Reputation Engine]
    B -->|Residential IP| C[Site C<br/>Player SaaS Checkout]
    B -->|Bank/PSP IP| Manual[Manual Payment Page]
    C --> PSP[Payment Gateway]
    PSP --> C
    C -->|Activation Key| PlayerApp[Cross-Platform Player]
    PlayerApp -->|Unlocks IPTV| IPTV[IPTV Service]
    Manual -->|Offline Payment| ManualFlow[Manual Verification]
```
Backend Logic (Pseudocode)
Routing Logic — Bridge Server B
```javascript
function handleTraffic(req, res) {
  const ip = req.ip;
  // Check if IP belongs to a known crawler, datacenter, or PSP
  if (isBankIP(ip) || isPSP(ip) || isDatacenter(ip)) {
    // Divert risk to offline/manual channels
    return res.redirect("https://siteA.com/manual-payment-instructions");
  } else {
    // Sign the request for the safe site
    const signature = hmacSign(ip, SECRET_KEY);
    return res.redirect(`https://siteC.com/checkout?source=A&sig=${signature}`);
  }
}
```
Activation Logic — Site C
```javascript
// req is the checkout request that carried the bridge's query parameters
function fulfillOrder(req, order, user) {
  // Check if the user came from the approved Bridge
  if (req.query.source === "A" && verifyHMAC(req.query.sig)) {
    // Grant the cover product AND the high-risk service
    grantPlayerLicense(user);
    emailIPTVCredentials(user);
  } else {
    // Grant ONLY the cover product (Safe)
    grantPlayerLicenseOnly(user);
  }
}
```
🕵️‍♂️ Why PSP Detection Struggles
- Blindness: The PSP only holds the account for Site C. Their crawlers see a compliant SaaS business selling a media player.
- Pre-Emptive Blocking: The Bridge Server (Site B) blocks known PSP IP ranges before they ever reach the checkout.
- Post-Transaction Fulfillment: The illegal component (IPTV subscription) is delivered after the payment is successful, via email or app activation, which is invisible to the payment gateway.
- Plausible Deniability: Site C sells a functional media player. If a test shopper buys it without the specific referrer token, they get exactly what is advertised—a legal player.
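A defender-side counter to the pre-emptive blocking described above, as an added example that is not code from the original page: replay the same "Buy" link from datacenter and residential vantage points and flag entry URLs whose final destinations diverge. The observation records, hostnames and field names (`vantage`, `entry`, `chain`) are constructed assumptions.

```javascript
// Added example. Crawl observations are constructed; hosts are placeholders.
const observations = [
  { vantage: "datacenter", entry: "https://landing.example/buy",
    chain: ["https://bridge.example/go", "https://landing.example/manual-payment-instructions"] },
  { vantage: "residential", entry: "https://landing.example/buy",
    chain: ["https://bridge.example/go", "https://store.example/checkout?source=A&sig=3f9ab2c41d77e05a8c6b"] },
  { vantage: "datacenter", entry: "https://shop.example/buy",
    chain: ["https://shop.example/checkout"] },
  { vantage: "residential", entry: "https://shop.example/buy",
    chain: ["https://shop.example/checkout"] },
];

// Heuristic (assumption): long opaque values are treated as signed routing tokens.
const looksLikeToken = (v) => /^[A-Za-z0-9_-]{16,}$/.test(v);

// Reduce one redirect chain to its final destination and token-like params.
function summarize(obs) {
  const final = new URL(obs.chain[obs.chain.length - 1]);
  const tokens = [...final.searchParams]
    .filter(([, v]) => looksLikeToken(v)).map(([k]) => k);
  return { dest: final.host + final.pathname, tokens };
}

// Flag entry URLs where residential visitors reach a destination datacenter visitors never see.
function detectSplitRouting(obsList) {
  const byEntry = new Map();
  for (const obs of obsList) {
    const g = byEntry.get(obs.entry) || { datacenter: [], residential: [] };
    if (g[obs.vantage]) g[obs.vantage].push(summarize(obs));
    byEntry.set(obs.entry, g);
  }
  const findings = [];
  for (const [entry, g] of byEntry) {
    if (!g.datacenter.length || !g.residential.length) continue; // need both classes
    const dcDests = new Set(g.datacenter.map((s) => s.dest));
    const hidden = g.residential.filter((s) => !dcDests.has(s.dest));
    if (!hidden.length) continue;
    findings.push({
      entry,
      datacenterDests: [...dcDests],
      residentialOnlyDests: [...new Set(hidden.map((s) => s.dest))],
      tokenParams: [...new Set(hidden.flatMap((s) => s.tokens))],
    });
  }
  return findings;
}
console.log(JSON.stringify(detectSplitRouting(observations), null, 2));
```

A finding that pairs a residential-only checkout host with a token-like parameter matches the signed hand-off from Site B to Site C and is worth a manual review of both domains.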
💰 Crypto & Manual Payment Pattern
For restricted IPs (users detected as "Risky" or "Corporate"), the system degrades to manual methods to avoid burning the Site C merchant account.
- PayPal Manual Invoice: "Service Fee".
- Stripe Invoice: Manually generated link.
- Bank Transfer: Direct IBAN/SEPA details.
- Digital Banks: Revolut / Wise / N26 tags.
- Crypto: USDT / BTC / ETH direct wallet addresses.
🏦 PSP Detection Probability
| PSP | Probability | Detection Analysis |
|---|---|---|
| Stripe | 35% | Weak. Stripe primarily scans the Merchant URL (Site C). If Site C looks legit and sells a working player, it passes. |
| PayPal | 40% | Weak/Medium. Relies on disputes. If "Item Not Described" claims rise, manual review might spot the pattern. |
| Adyen | 55% | Medium. Uses stronger residential proxy networks for crawling, which might pass the Bridge Server's filter. |
| Checkout.com | 45% | Medium. Behavioral detection only. If chargebacks are low, the technical setup is hard to spot. |
| Shopify Payments | 60% | Strong. If Site C is on Shopify, they scan the catalog and metadata deeply. |
| Crypto Processors | 10% | None. Binance Pay / Coinbase Commerce are fully blind to the upstream funnel. |
| Manual (Bank/F&F) | 20% | Very Weak. Only exposed if customers explicitly mention "IPTV" in the transfer description. |
⚠️ Risk Score
Medium–High.
While this method is technically robust against automated crawling, behavioral correlation (e.g., users complaining about "channels buffering" on a "Player App" merchant account) can eventually expose the funnel.
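The behavioral correlation described above can be run over dispute and support text, shown here as an added example that is not code from the original page. Merchant names, dispute notes, the term list, the category names and the thresholds are all constructed assumptions.

```javascript
// Added example. All records, terms and thresholds below are constructed.
const STREAMING_TERMS = /\b(iptv|channels?|buffering|live\s+tv|streams?)\b/i;
const LOW_RISK_CATEGORIES = new Set(["software license", "digital goods"]);

const disputes = [
  { merchant: "player-store", category: "software license", note: "Channels keep buffering, refund please" },
  { merchant: "player-store", category: "software license", note: "IPTV login stopped working after a week" },
  { merchant: "player-store", category: "software license", note: "Item not as described" },
  { merchant: "player-store", category: "software license", note: "Half the channels are missing" },
  { merchant: "codec-tools", category: "software license", note: "License key rejected on install" },
  { merchant: "codec-tools", category: "software license", note: "Charged twice" },
  { merchant: "codec-tools", category: "software license", note: "App crashes on launch" },
  { merchant: "tv-provider", category: "streaming service", note: "Channels buffering all evening" },
  { merchant: "new-shop", category: "digital goods", note: "iptv not working" },
];

// Flag merchants whose declared low-risk category does not match what
// their customers complain about.
function flagCategoryMismatch(records, { minDisputes = 3, threshold = 0.5 } = {}) {
  const stats = new Map();
  for (const r of records) {
    // Streaming complaints are expected for a declared streaming merchant.
    if (!LOW_RISK_CATEGORIES.has(r.category)) continue;
    const s = stats.get(r.merchant) || { total: 0, hits: 0, samples: [] };
    s.total += 1;
    if (STREAMING_TERMS.test(r.note)) { s.hits += 1; s.samples.push(r.note); }
    stats.set(r.merchant, s);
  }
  const flagged = [];
  for (const [merchant, s] of stats) {
    if (s.total < minDisputes) continue; // too few disputes to judge
    const rate = s.hits / s.total;
    if (rate >= threshold) flagged.push({ merchant, rate, samples: s.samples });
  }
  return flagged.sort((a, b) => b.rate - a.rate);
}
console.log(flagCategoryMismatch(disputes));
```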
