You Wouldn't Download a Thumb Tip

What I learned from pirating my own magic trick

March 2, 2021

If you're a "normal" person that hasn't owned a magic kit since you were 12, you might not be aware that magic shops, like everything else these days, have moved online. From the old school Penguin Magic (who recommend using Netscape Navigator for the best experience) to the more "hip" sites like Ellusionist and Theory11, the latest magic is only a few clicks away.

penguinmagic.com homepage
This is what Penguin's homepage looks like in 2021. Really.

So now, instead of driving 40 minutes to some cigarette-smoke-filled store on the third floor of an office building (or, heaven forbid, going to a library), you can just fire up a web browser and start learning "The World's Toughest Card Trick" without ever leaving your couch.

But maybe $10 (at time of writing) seems like a lot of money for one card trick. No worries, if you just Google the name, you'll find that it's available from other sites for considerably cheaper.

Screenshot of mind2mind showing a trick for $3.59

Wow, "mind2mind" has it for only $3.59, what a bargain!

Yarr!

If you saw that this post was about a "magic pirate" and were waiting for the spell-casting sailor to come into the story, then I'm sorry to disappoint you. Because yes, this site is selling stolen magic. How do I know? Two things:

Screenshot of mind2mind selling Unlisted for $8.95

Yup, my trick, which normally goes for $24.99, is for sale on some website I've never heard of for less than $9. There are several of them, actually.

Screenshot of Smith Magic selling Unlisted for $8.95
Screenshot of 68 Magic selling Unlisted for $8.45

Extended Warranty, How Can I Lose?

A normal person's thought after seeing this might be something like "how dare they!" My first thought was "Huh, I wonder what happens when I buy it?"

See, you might assume that it's just a scam, where they take your money through some un-recoverable means and then never send you anything. On closer inspection that doesn't make a lot of sense though. Firstly, these sites only sell downloadable products, not anything that would require shipping. If the whole thing is just a lie, they'd have no need to restrict the inventory that way since they wouldn't actually have to ship anything regardless.

Secondly, they generally don't accept the kinds of cash-equivalent payment methods (Western Union, iTunes Gift Cards, etc.) that scammers use. I have seen a few that take Bitcoin, but by far the most common method is PayPal.

Payment instructions for a website, explaining how to send money using PayPal

PayPal transactions can be hard to reverse in certain scenarios, but if you knew in advance that most of your customers would try to refund their purchase then it wouldn't be your first pick.

One Magic Please

I decided that the only way to satisfy my curiosity would be to actually put in an order for my own product, and see what (if anything) they would send me. To be clear: don't try this at home. I used burner contact and payment information, along with a VPN and some other safeguards. Even so, I'm sending money to criminals, which is generally a bad idea. But I had to know.

Buying something from these sites wasn't as easy as you'd think. The first one I tried, "Smith Magic", required an account but wouldn't let me create one. I then tried "Super Magic", which on reflection is pretty clearly the same website with a different name.

Screenshot of Smith Magic selling Unlisted for $8.95
Screenshot of Super Magic, which looks exactly the same as Smith Magic
Hmm...

This time it let me make an account and check out, but the payment instructions said they'd email me a link to pay, which they never did. My order number was apparently "2" though, so it's possible they've never actually had a customer before.

Payment instructions for Super Magic, saying to write your PayPal email address in the order comments
Email receipt from Super Magic

Having failed twice, I moved on to "68Magic", whose name I love because it suggests that they operate at least 67 more of these sites. The price there is actually 50 cents cheaper, at only $8.45. And they take normal credit/debit cards in addition to PayPal, although they seem to have a lot of rules regarding their use:

Payment instructions for 68 Magic, explaining that the billing address, phone number, and IP address must all match the credit card

In theory none of that should have mattered, since my burner credit card doesn't have a specific billing address, but for whatever reason it wouldn't go through:

An error message that says: Sorry, payment failure, the reason is: MerNo is not available! Please pay again!

Luckily, they actually have a PayPal business account (rather than the personal paypal.me link that a lot of these sites use) so I was able to use my same card through there, which worked fine.

A PayPal receipt for $8.45
Name blurred in case they're using a stolen account.
It was a regular first/last name in Chinese.

You've Got Mail

Around 8 hours later, I got an email.

An email message containing only a link

This must've been manually sent, since it took so long and came from an @qq.com email address (Tencent's webmail service). But there's no signature, no "thank you for your order", nothing but a Mega link. I guess if you change the name of your website every couple weeks then customer service isn't a priority. But hey, they did indeed send me something. And I was pretty shocked by what it was.

A comic featuring two birds. The first bird says 'Here's where things get weird'. The second bird replies'Things have been weird for a while'. The first bird says 'Here's where things continue in that direction'.
From Poorly Drawn Lines by Reza Farazmand

For context, Unlisted is an app that allows you to make someone else's phone ring and play a recorded message, without knowing their phone number. When you buy it legitimately, you receive a PDF explaining how to install it on your phone, as well as a product key that you use to create your account. Once you're signed in, the app has an instructions page that tells you how to actually perform with it.

Unlisted is available on its own website, as well as from Penguin and a few other legitimate third-party retailers. Looking at the knock-off sites, it's clear that the product descriptions are copied from Penguin, since that description is slightly different than the one on my own site. These knock-off sites have thousands of tricks on them, so I figured they'd probably found some sort of exploit for Penguin that allows them to download the tutorials en masse without paying for them. I think things like that have happened in the past, but it turns out that's not what happened to me.

A screenshot of Mega showing some video and pdf files

The Mega link contains four files. The first one is the PDF that I include with the trick giving some ideas on different ways to present it in a routine. The second file is the trailer video, which seems kind of pointless but whatever. The last two are where it gets interesting. Rather than the information about how to install it, you get a PDF capture of the performance instructions from inside the actual app. That means someone must have purchased my trick legitimately, created an account, then manually captured the instructions page. They even ripped the little video that shows which buttons to press.

And as it turns out, I know who it was.

See, there's a part of the instructions where it mentions a URL. That URL is unique for each user. Whoever made this PDF clearly knew that, because they drew a black rectangle over that part of the text.

A portion of the instructions from the app. The URL has been blacked out
Pixelation added by me, but the black bar was in the file.

If you remember the Snowden NSA leaks, then you know where this is going. PDFs aren't just images, they contain the actual text of the document along with information about fonts, formatting, etc. When you draw a black box over part of the document, the text underneath is still part of the file, and you can read it by copy/pasting somewhere else. So I was able to read the redacted URL, which told me which account the screenshot had come from.

Ironically, the black bar itself reveals the screenshotter's identity as well. It turns out that it's a PDF "annotation", made using MacOS's built in tool which adds the author's name to the annotation metadata by default.

The annotation metadata for the PDF, showing the blurred-out name of the person who made it
Lucky for them, I do know how to redact an image properly.

I won't share their name here, but it was actually someone I know. They're not a super close friend or anything, but we've talked online a few times. They purchased Unlisted legitimately, and as far as I know they're pretty strongly against piracy. They're also not in China, so clearly there's more to the story of how these files ended up where they did.

I reached out to them, and they said they didn't even remember having made the PDF, but they later found it in their backup files. From what they told me, it sounds like at some point they sent the PDF to a friend who was looking for information about the trick, and from there it ended up in some big collection of magic torrents. They could be lying of course, but I don't find that story entirely implausible, and in any case that's all the information they gave me.

I did try just asking 68Magic where they got the files, but you'll be shocked to hear that they weren't very helpful.

An email exchange. I asked where they got the PDF, they said it was from their supplier
Does your supplier rhyme with "Schmidt Norrent"?

Who Are You People

So who runs these websites? 68Magic's footer actually lists a physical address in Guangzhou, which appears to be some kind of giant office building, but I couldn't find much information about it. I suppose they could have some sort of office or P.O. box there, but it also seems like exactly the kind of place you'd pick if you were going to just make up an address.

A large office building
47 Baohua Road, Guangzhou, China

I did try looking up the name from the PayPal account, but it's not a very unique name and again I don't have any way to know if it's real, stolen, or just made up.

The site (and even the HTML source code underlying it) doesn't contain any obvious references to a specific CMS, but based on some of the CSS class names and URL formats I determined that they're using the open source Zen Cart e-commerce system.

The domain for 68magic.com is registered with eName, a Chinese registrar who are reasonably legit from what I can tell. The IP address points to WorldStream, an IaaS provider in The Netherlands who are apparently fairly popular for torrent seedboxes and the like.

WHOIS data for 68magic.com, showing that it is registered with ename
Screenshot of WorldStream's website

Not all of the sites are the same, though. Super Magic (the one that never sent me a payment form) also uses Zen Cart, but their domain is registered with GoDaddy. Their site uses CloudFlare's CDN, so the server's IP address isn't public, but GoDaddy told me they're just the registrar and not the host. Meanwhile "mind2mind" seems to be registered and hosted through Alibaba Cloud.

The differences in site design, payment method, and hosting suggest that the sites are run by different owners. It makes me wonder if somewhere on the internet there are people sharing tips for how to set up your own pirated magic store.

I didn't find anything exactly like that on the Zen Cart forums, but I did find this post, in which someone complains about problems with what appears to be that same payment processor that told me to "pay again".

Screenshot of a post on the Zen Cart forum asking about an issue with credit card processing

And what site are they using it on?

Screenshot of eStandards website selling IEEE Electrical Safety Code for $65

It's a website that sells PDFs of technical standards for suspiciously low prices (this one would cost around $200 if purchased from the IEEE directly). So basically the same thing as the magic sites, just a different industry. Fair enough.

No Need to Feel Down

Having done all the investigation I could (short of flying to China), I figured it was about time I sent out DMCA notices and moved on with my life. Apparently I'm not the first person to do so.

A list of people who have issued DMCA complaints about 68Magic
Google's record of DMCA takedown requests for 68Magic

To their credit, Google and WorldStream processed my reports very quickly. CloudFlare never wrote me back explicitly, but Unlisted seems to have been removed from the sites they were proxying so maybe they passed my message along to the right people. For now, the first page of search results for my trick is free of scams, at least until this person moves on to "69Magic" (although that domain might already be used for... something else).

I do wonder if there's more that could be done though. If the images/text are all being ripped from Penguin, maybe they could be helping their creators detect these knock-off sites, or even issuing DMCA notices on their behalf. And if Google has gotten hundreds of complaints about a certain domain, why do they continue to rank it so highly in search results? Stolen magic tricks aren't a big deal in the scheme of things, but for how much time and effort goes into detecting music in the background of livestreams with 10 viewers, you'd think this kind of obvious theft would be harder to pull off.

So Remember Kids

What's the takeaway from all this? Well first of all, if you want to buy my magic trick you should get it from somewhere that will actually give you a product key. But more broadly:

If you have any additional information about any of this, or you think I got something wrong, let me know.