How hackers hijacked thousands of high-profile YouTube accounts

How hackers hijacked thousands of high-profile YouTube accounts

Future Publishing | Getty Images

reader comments

50 with 36 posters participating

Since at least 2019, hackers have been hijacking high-profile YouTube channels. Sometimes they broadcast cryptocurrency scams, sometimes they simply auction off access to the account. Now, Google has detailed the technique that hackers-for-hire used to compromise thousands of YouTube creators in just the past couple of years.

Cryptocurrency scams and account takeovers themselves aren’t a rarity; look no further than last fall’s Twitter hack for an example of that chaos at scale. But the sustained assault against YouTube accounts stands out both for its breadth and for the methods the hackers used, and an old maneuver that’s nonetheless incredibly tricky to defend against.

It all starts with a phish. Attackers send YouTube creators an email that appears to be from a real service—like a VPN, photo editing app, or antivirus offering—and offer to collaborate. They propose a standard promotional arrangement: Show our product to your viewers and we’ll pay you a fee. It’s the kind of transaction that happens every day for YouTube’s luminaries, a bustling industry of influencer payouts.

Clicking the link to download the product, though, takes the creator to a malware landing site instead of the real deal. In some cases the hackers impersonated known quantities like Cisco VPN and Steam games, or pretended to be media outlets focused on COVID-19. Google says it has found over 1,000 domains to date that were purpose-built for infecting unwitting YouTubers. And that only hints at the scale. The company also found 15,000 email accounts associated with the attackers behind the scheme. The attacks don’t appear to have been the work of a single entity; rather, Google says, various hackers advertised account takeover services on Russian-language forums.

August 2020, when hackers hijacked multiple accounts with hundreds of thousands of followers and changed the channel names to variations on “Elon Musk” or “Space X,” then livestreamed bitcoin giveaway scams. It’s unclear how much revenue any of them generated, but presumably these attacks have been at least moderately successful given how pervasive they became.

blog post. “The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.”

Though two-factor authentication can’t stop these malware-based cookie thefts, it’s an important protection for other types of scams and phishing. Beginning on November 1, Google will require YouTube creators who monetize their channels to turn on two-factor for the Google account associated with their YouTube Studio or YouTube Studio Content Manager. It’s also important to heed Google’s “Safe Browsing” warnings about potentially malicious pages. And as always, be careful what you click and which attachments you download from your email.

The advice for YouTube viewers is even simpler: If your favorite channel is pushing a cryptocurrency deal that seems too good to be true, give it some Dramatic Chipmunk side eye and move on.

This story originally appeared on

Article Tags:
Article Categories: