Stream-jacking attacks have gained significant traction on large streaming services in recent months, with cybercriminals targeting high-profile accounts (with a large follower count) to send their fraudulent ‘messages’ across to the masses.
Starting from the fact that various takeovers in the past resulted in channels morphing into impersonations of known public figures (e.g. Elon Musk, Changpeng Zhao) that promoted various scams (e.g. crypto doubling scam), we began a thorough analysis.
This writeup will focus on the takeovers and impersonations found on the YouTube platform.
Lately, there have been many instances of suspicious YouTube livestream pop-ups in the feeds of the end-users that promote the same content. Although distinct, these channels seem to have a lot in common:
A) The names of the channels try to portray them as Tesla, with variations that include: Tesla Official, Tesla US, Tesla News, Tesla (Inc), or look-alike spellings in which the lowercase l is replaced with a capital I: TesIa, TesIa Factory, TesIa Motors, etc.
B) The handles of the channels are also variations of Tesla. Some of them include noise characters like
C) The titles are the same and are relatively limited in diversity:
Upon discovering these similarities, it would be rather clear to say that something malicious is happening in the distribution of such generic and misleading content.
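A defender triaging channels at scale needs a name check that survives the tricks listed above: plain brand variants, the lowercase-l-to-capital-I swap, and noise characters in handles. The Python below is an added example written for this writeup, not the authors' tooling; the confusables table, the verified-channel allowlist ID and the sample channel records are constructed assumptions.

```python
"""Flag channel names and handles that impersonate a brand, including
look-alike spellings in which glyphs are swapped (e.g. lowercase l -> capital I).

Added illustration, not the original writeup's tooling. The confusables table,
the allowlist and the sample channel records are constructed assumptions.
"""
import re
import unicodedata

BRAND = "tesla"

# Assumption: a small hand-picked confusables table, not the full Unicode
# confusables list. Keys are glyphs that visually mimic the value letter.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "\u04cf": "l",   # capital I, one, pipe, Cyrillic palochka
    "0": "o", "3": "e", "5": "s", "$": "s",
    "4": "a", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u0455": "s", "\u043e": "o",  # Cyrillic a, ie, dze, o
}

# Assumption: placeholder channel IDs the defender has verified as genuine.
ALLOWLIST = {"UC_PLACEHOLDER_VERIFIED_BRAND"}


def skeleton(text):
    """Fold a name into a comparison skeleton: compatibility-normalize, drop
    combining marks, replace confusable glyphs, then lowercase. Replacement
    runs before lowercasing so a capital I (look-alike for l) maps to l while
    a genuine lowercase i is left alone; the cost is that a real word such as
    'Inc' folds to 'lnc', which is harmless for brand comparison."""
    s = unicodedata.normalize("NFKC", text)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = "".join(CONFUSABLES.get(c, c) for c in s)
    return s.lower()


def letter_tokens(text):
    """Runs of ASCII letters; digits and noise characters act as separators."""
    return re.findall(r"[a-z]+", text)


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(text, brand=BRAND):
    """Return (verdict, token). Verdicts:
    'brand-name' - brand spelled with its real letters (e.g. 'Tesla Official')
    'homoglyph'  - brand appears only after folding look-alike glyphs ('TesIa')
    'near-miss'  - one edit away from the brand ('Teslaa')
    'none'       - no match
    """
    text = text.lstrip("@")  # handle sigil is not part of the name
    raw_tokens = set(letter_tokens(text.lower()))
    folded = letter_tokens(skeleton(text))
    for tok in folded:
        if tok == brand:
            return ("brand-name" if brand in raw_tokens else "homoglyph", tok)
    for tok in folded:
        if len(tok) >= 4 and levenshtein(tok, brand) == 1:
            return ("near-miss", tok)
    return ("none", None)


def scan(channels, brand=BRAND):
    """Flag channel records {id, name, handle}; verified IDs are skipped.
    Returns a list of (channel id, field, verdict, matched token)."""
    findings = []
    for ch in channels:
        if ch["id"] in ALLOWLIST:
            continue
        for field in ("name", "handle"):
            verdict, tok = classify(ch.get(field, ""), brand)
            if verdict != "none":
                findings.append((ch["id"], field, verdict, tok))
    return findings


# Constructed sample records modelled on the patterns described above.
SAMPLE_CHANNELS = [
    {"id": "UC_PLACEHOLDER_VERIFIED_BRAND", "name": "Tesla", "handle": "@tesla"},
    {"id": "UC_sample_1", "name": "Tesla Official", "handle": "@tesla_official"},
    {"id": "UC_sample_2", "name": "TesIa Motors", "handle": "@tes1a.motors"},
    {"id": "UC_sample_3", "name": "Teslaa News", "handle": "@news_daily"},
    {"id": "UC_sample_4", "name": "Cooking With Maria", "handle": "@maria_cooks"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CHANNELS):
        print(finding)
```

The check flags both a plainly spelled "Tesla Official" and a folded "TesIa Motors"; the verdict tells the analyst which trick was used, and the allowlist keeps the genuine, verified channel out of the queue. Pairing it with other signals from this writeup (subscriber-only comments with multi-year thresholds, a looped shareholder-meeting video, a sudden handle change) turns it into a useful triage filter rather than a verdict on its own.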
On manual inspection, it seems that the content of the livestreams is usually a looped video that’s proprietary to Tesla or that includes Elon Musk (for example, 2023 Annual Shareholder Meeting)
The titles of these livestreams seem to be inspired by official Tesla streams.
These, however, are not ordinary re-broadcasts/re-uploads by fan channels, but rather re-broadcasts that embed a scam. The comment sections of all detected malicious livestreams are either disabled or enabled, but with a catch: when enabled, only subscribers of 10 or 15 years can comment (a period long enough that most of the community cannot reply). This prevents users who are aware of the scam from commenting and alerting others.
Observing such a “large-scale operation” made us wonder about the channels behind these scams and, upon closer inspection, we noticed that most of the YouTube channels were in fact hijacked/stolen.
The bulk of these “malicious” channels have no other content than the livestream scams themselves – it is assumed that all the original videos were either set to private or deleted because they are not discoverable by any means. The channel description also seems to have been edited to resemble the official Tesla channel, and other relevant contents such as playlists are also presumably deleted.
The process is very likely automated, as conducting an operation on such a large scale would be time-consuming and could potentially give the actual owner of the channel enough time to spot suspicious behavior.
Furthermore, some of the hijacked channels list official Tesla playlists for an air of legitimacy. But this also means the attackers sometimes leave evidence behind.
In some instances, the channel name or handle was not changed (thankfully YouTube limits changes to two in two weeks), and in others playlists, community posts or even channel videos are still present. Sadly, in most of the cases analyzed, it seems that if the malicious activity is detected by YouTube, the channels are deleted altogether. This means that the legitimate owner loses everything (videos, playlists, views, subscribers, monetization, and everything related to the channel beyond YouTube itself) unless they enter talks with YouTube.
In the cases in which the comment section is subscriber-only, either the channel hosting the livestream or specific moderators selected by the channel leave comments that lead users to crypto scam websites promising life-changing gains with limited availability. These moderators also use channel avatars portraying Elon Musk.
One other detail common to livestreams with both enabled and disabled comments is that attackers embed a QR code in portions of the video that leads to a phishing/fraudulent website. If the comment section is enabled, the moderators post the same link that can be found in the QR code.
Links propagated via hijacked YouTube channels promote a similar and well-known scam. The ruse involves sending any amount of cryptocurrency (Bitcoin, Ethereum, USDT, Dogecoin, BNB, Shiba Inu, etc.) and promises to send double the amount back to the scammed person. In rare cases, phishing links are written directly in the video.
We’ve also spotted some instances in which the audio and the video looped in the livestream are deep fakes of Elon Musk, through which the hackers try to promote the importance of cryptocurrencies and any event promoted in the referenced links (the crypto doubling scam). The audio deep fakes are of high quality and might seem genuine to the average viewer. During our analysis, we also concluded that some of the livestreams are view-boosted at the beginning of the broadcast, making it look more trustworthy to the public. However, as soon as the view-boosting stops, we see numerous fraudulent livestreams with only 1 or 2 viewers.
The same applies to the number of subscribers: even though there are plenty of channels with a low subscriber count, the median value seen in our analysis is close to 2,300. This indicates potential subscriber boosting.
We have also deduced that all of the pages we investigated were created using automated software (phishing kits).
Another interesting detail is that these websites try to prevent saving the content of the page to disk or opening developer tools by keyboard shortcuts. Doing so redirects (either intentionally or by mistake) to a page that gives details about the potential actor behind the creation of the phishing kits:
Furthermore, a Telegram channel is suggested and generic details of the kit are mentioned (number of templates, ease of installation and configuration etc.).
Upon searching for the mentioned Telegram group, another one of interest is found, in which the threat actor promotes the phishing kits:
The kits promoted on the Telegram group are identical to those found on the hijacked YouTube channels. The websites usually portray Elon Musk as a central figure and are designed to be visually attractive. Moreover, these websites seem to have live chat plugins that would allow the end user to communicate with a so-called “support team.”
Receiving replies is not that common, but when it occurs, they usually try to lead you to send an amount of cryptocurrency to the indicated addresses while also giving reassurances with regard to the legitimacy of the procedure.
It is unclear whether real people are responding on the live chats, or if the procedure is automated using Large Language Models.
Using both automated and manual procedures, we have found more than 1300 videos that promoted crypto scams on similar websites that likely came from the same phishing kit. It is rather common for videos to point to the same website, but more than 150 distinct websites have been found so far.
All of the promoted scam websites have Cloudflare protection, which increases the difficulty of automatically analyzing them.
A safe assumption would be that lots of videos that also fall in the same category as the aforementioned ones were missed, for various reasons:
The impact of such fraudulent schemes can be seen in the community of the channels that were recovered. While some channels recover in multiple steps by stopping the livestreams and setting videos back to public status, the channel name set by the hijackers sometimes remains in place, even though the handle was successfully reverted to the original.
Other channels don’t recover immediately, with significant evidence of getting banned or completely removed due to breaches of YouTube’s terms of service. The specifics of recovering an account after it has been officially removed by YouTube aren’t widely known, but it seems possible.
Having an account completely removed from YouTube for several days could result in both emotional and financial losses (SocialBlade reports indicate that channels with a large number of views, for example in the hundreds of millions, might end up losing tens of thousands of dollars).
Accounts that do not have huge amounts of subscribers or views might never end up recovering the data.
The phenomenon – in numbers
Note: data was collected between 27.07.2023 and 28.09.2023
Further analysis of the obtained data leads to the following interesting measurements:
Top 10 most subscribed hijacked channels
|Channel name when discovered
Top 10 most viewed hijacked channels (total channel views)
|Channel name when discovered
Note: [Unchanged Name] in the hijacked channel tables means that the original channel name was not changed following the account takeover.
Top 10 most common channel names after hijack
|**Channel name**
YouTube channels with a sizable subscriber count are highly desirable to cybercriminals who can monetize them by either demanding ransom from the legitimate owner or distributing scams and malware to the accounts’ audience.
The lifecycle of YouTube scams proliferated via high-profile channels can differ, but in every case the attackers usually follow the same MO: luring their prey by leveraging big brand names or personalities to defraud unwary viewers.
The first step of the attack
This scam, faced by more and more YouTube channels, often originates from targeted phishing attacks. The malicious actors send emails that present opportunities ranging from brand collaborations and sponsorship deals to fake copyright notices from YouTube.
The deception lies in the email’s authenticity. It’s presented as a legitimate business proposition. Cybercriminals, especially those targeting popular channels, mimic communications from trusted third-party vendors or use email addresses that don’t raise immediate suspicion.
The attacker’s main aim is to lead the recipient to download a malicious file. This file is presented as an integral component of the brand collaboration or an important document. While it looks like a regular PDF, it carries the Redline Infostealer malware. This malware is known in certain online circles and is traded in underground markets. Its large size, sometimes over 300MB, is designed to slip past many standard security checks.
When the recipient opens this file, it has no immediate visible effects. However, in just 30 seconds, it gathers vital data from the victim’s computer, focusing on session tokens, cookies, and other valuable information.
After this data is collected, even with two-factor authentication activated, the stolen session tokens grant the attacker direct access to the YouTube account, eliminating the need for passwords or other verification. As a result, the channel becomes compromised.
Red flags to look out for in emails
Signs your YouTube channel has been hijacked
Tips to help protect your YouTube channel from hijackers
Internet users also need to be vigilant and learn how to spot compromised or suspicious accounts by: