Warning: Hackers Are Hijacking YouTube Channels to Run Crypto Scams

Google’s Threat Analysis Group (TAG) has been fending off hackers attacking the accounts of YouTubers to hijack and repurpose them to run ads for cryptocurrency scams.

According to an update from TAG, the team has been disrupting phishing campaigns targeting YouTubers with Cookie Theft malware since 2019. The team has recently shared details about these “financially motivated phishing campaigns” that are used to trick YouTubers in various ways to hijack their accounts and then “either sell [them] to the highest bidder or use [them] to broadcast cryptocurrency scams”.

A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming. On account-trading markets, hijacked channels ranged from US$3 to US$4,000 depending on the number of subscribers.

Ashley Shen, Threat Analysis Group (TAG)

The channels would be customised to look like those of large crypto firms or crypto exchanges where the attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

Google’s Steps to Protect Users

In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, TAG’s protective measures have “decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts”.

As a result, attackers are starting to move to non-Gmail providers, “mostly email.cz, seznam.cz, post.cz and aol.com”. Phishing emails can be remarkably deceptive, and once the wheels start turning on the process it can be very difficult to stop and recover an account. 

How Accounts Can Be Hacked

TAG had found that the perpetrators of the campaign were recruiting hackers from a “Russian-speaking forum”. The hackers would “lure their target(s) with fake collaboration opportunities”, usually in the form of a demo for anti-virus software, VPN, music players, photo editing or online games, and then gain access to their accounts through Cookie Theft, also known as “pass-the-cookie attack”.

Once the target agreed to the deal, a malware landing page disguised as a software download URL [would be] sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically.

Ashley Shen, Threat Analysis Group (TAG)

There have also been cases of malware that can copy information on your clipboard to get your crypto information.