Cybercriminals are taking over high-profile YouTube accounts to promote crypto scams, researchers have found.
Suspicious live streams on YouTube, often featuring Elon Musk and his electric car maker Tesla, repost legitimate content while including QR codes or malicious links in the video or comments section, directing users to fraudulent websites linked to cryptocurrencies.
Cybersecurity company Bitdefender, which investigated the campaign, called the technique “stream-jacking.”
According to the researchers, the scammers used phishing kits to automate the attacks. The identity of the person behind the kit remains unknown.
Many YouTube channels running these scams have been hijacked or stolen, and their original videos made private or deleted. Channel descriptions have been changed to resemble the official Tesla channel.
A screenshot of a fraudulent video discovered by researchers. Credit: Bitdefender
To gain control of these channels, hackers sent phishing emails to their owners, which likely offered collaboration opportunities, sponsorships, or fake copyright notices from YouTube.
A malicious file attached to the email installed Redline Infostealer malware, which collected sensitive data from victims’ computers, including session tokens and cookies. Because these tokens represent an already-authenticated session, they let the attackers log in as the victim even when two-factor authentication was enabled.
In most cases analyzed, YouTube removed channels when it identified suspicious activity. This means that the real owner of the channel could lose all their videos, playlists, views, subscribers and monetization. A few of these channels had millions of subscribers and billions of total views.
The comments sections of all suspicious live streams have either been disabled or restricted to accounts that have been subscribed for 10 or 15 years, making it difficult for users who recognize the scam to warn others, according to Bitdefender.
Malicious links distributed via compromised YouTube channels have enabled a common scam: fraudsters typically ask individuals to send any amount of cryptocurrency with the promise of doubling the amount sent.
Researchers also found videos containing deepfakes of Elon Musk touting the importance of cryptocurrencies. These deepfakes were so well done that they could appear authentic to the average viewer, according to the report.
Researchers also discovered a Russian-language Telegram channel that appears to be selling the phishing kit. As of July, it had only 11 subscribers.
In total, Bitdefender discovered 1,300 videos promoting crypto scams on malicious websites, likely originating from the same phishing kit.
All promoted fraudulent websites were protected by Cloudflare, making it more difficult to analyze them automatically.
“YouTube channels with a significant number of subscribers are highly sought after by cybercriminals who can monetize them either by demanding a ransom from the rightful owner or by distributing scams and malware to the accounts’ audience,” Bitdefender said.
Daryna Antoniuk
Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.