Spain’s LALIGA Piracy Blocks Knocked Out 500,000+ Innocent Websites
To shut down illegal football streams, Spain’s LALIGA has internet providers block shared IP addresses on match days. A six-month study by censorship watchdog OONI finds the tactic took down more than 500,000 legitimate sites, from Amnesty International to Greenpeace, and even exposed users to a network interception attack.
The Impact:
July 3, 2026 – 11:40 am
Image by: Pablo Blazquez Dominguez
For much of this year, Spanish internet users have lost access to huge parts of the web on match days. Not pirate streams, but human rights groups, climate charities, and business tools. A new report puts hard numbers on the damage, and they are staggering.
How It Works:
The culprit is Spain’s football league, LALIGA, and its court-backed war on illegal streams. To kill pirate broadcasts, it has internet providers block the IP addresses serving them. The catch is that modern websites share those addresses. Block one, and you can take thousands of innocent sites down with it.
OONI’s Findings:
The Open Observatory of Network Interference (OONI), a nonprofit that measures internet censorship, spent six months tracking the fallout. Its verdict: the blocks hit more than 500,000 legitimate domains between January and June.
- On a match day, blocking just 4 to 20 IP addresses knocked out more than 400,000 unrelated domains. The outage lasted as long as the game.
- Across the six months, the blocks touched 7,441 addresses across 36 hosting providers, including Cloudflare, Amazon, Akamai, Meta, and Microsoft.
- Cloudflare took by far the worst of it. OONI counted 501,305 affected domains on its network, more than 90% of the total. They sat on just 2,218 blocked addresses.
A Single Blocked Address:
A single blocked address on Squarespace accounted for 18,592 sites on its own. The outages switched on when matches kicked off and switched off when they ended, tied to the broadcasts.
Security Concerns:
OONI also detected a TLS man-in-the-middle interception attempt on one operator, Digi Mobil. This technique lets whoever runs it sit between users and the sites they visit. It affected 7,334 addresses and 10,759 domains, many hosted on Amazon and Cloudflare.
A Larger Issue:
None of this is new in kind, only in scale. Courts across Europe have long ordered providers to block pirate sites. Spain runs one of the continent’s most aggressive regimes. What has changed is the plumbing. The web now runs on shared infrastructure, so a crude IP block is a shotgun, not a scalpel.
Companies caught in the blast have started to push back. Vercel documented its own services going down, and European provider groups now argue that these blocks are counterproductive and infringe user privacy.