Cybercriminals are taking over high-profile YouTube accounts to promote crypto scams, researchers have found.
Suspicious live streams on YouTube, often featuring Elon Musk and his electric car company Tesla, rebroadcast legitimate content while including malicious QR codes or links in the video or comments section, directing users to cryptocurrency scam websites.
Cybersecurity firm Bitdefender, which investigated the campaign, called the technique "stream-jacking."
According to the researchers, the scammers used phishing kits to automate the attacks. The identity of the person behind the kit remains unknown.
Many of the YouTube channels broadcasting these scams were hijacked or stolen, with their original videos either made private or deleted. The channel descriptions were edited to resemble the official Tesla channel.
A screenshot of a scam video discovered by researchers. Credit: Bitdefender
To take control of these channels, hackers sent phishing emails to their owners, which likely posed as offers of collaboration or sponsorship, or as fake copyright notices from YouTube.
A malicious file in the email installed Redline Infostealer malware, which collected important data from victims’ computers, including session tokens and cookies, even if two-factor authentication was activated.
In most of the analyzed cases, YouTube deleted the channels when it identified suspicious activity. This means that the genuine channel owner could lose all their videos, playlists, views, subscribers, and monetization. A few of these channels had millions of subscribers and billions of total views.
The comment sections of all the suspicious live streams were either turned off or limited to users who had been subscribed for 10 or 15 years, making it difficult for viewers who recognized the scam to warn others, according to Bitdefender.
Malicious links spread through compromised YouTube channels promoted a common scam: the fraudsters typically ask individuals to send any amount of cryptocurrency with the promise of doubling the amount sent.
The researchers also found videos with deepfakes of Elon Musk, advocating for the importance of cryptocurrencies. These deepfakes were so well-made that they could appear genuine to the average viewer, according to the report.
Researchers also found a Telegram channel in Russian that appears to be selling the phishing kit. As of July, it only had 11 subscribers.
In all, Bitdefender discovered 1,300 videos promoting crypto scams on malicious websites that probably came from the same phishing kit.
All of the promoted scam websites were protected by Cloudflare, making it more difficult to analyze them automatically.
“YouTube channels with a sizable subscriber count are highly desirable to cybercriminals who can monetize them by either demanding ransom from the legitimate owner or distributing scams and malware to the accounts’ audience,” Bitdefender said.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.