Cybercriminals are hijacking popular YouTube accounts and using them to spread deepfake videos promoting phony crypto-doubling schemes, according to Bitdefender.
In a report on Jan. 18, Bitdefender said its researchers have been monitoring stream-jacking attacks on YouTube since Oct. 2023. This year, they’ve observed cybercriminals changing their tactics by capitalizing on crypto news and other high-profile events to push crypto scams.
“Over the past couple of months, stream-jacking attacks have steadily evolved, and our research shows how cybercriminals advance their craft to maximize the reach and efficiency of their actions with carefully engineered content that closely mimics legitimate cryptocurrency-related news or announcement,” the report said.
According to Bitdefender, the scam starts with an account takeover. Cybercriminals use info-stealing malware to hijack verified YouTube channels with many subscribers. They then change the channel’s details to impersonate reputable organizations like Tesla and MicroStrategy.
While cybercriminals previously used looped videos from conferences to promote fraudulent crypto schemes, they’re now using deepfake videos showing reputable figures like MicroStrategy’s former CEO Michael Saylor endorsing the scam, Bitdefender said.
Victims are directed to scan a QR code in the video and deposit cryptocurrency into a wallet to have it doubled. While tracking the crypto wallets used in the scam, Bitdefender found that they’ve received Bitcoin (BTC) and Ethereum (ETH) cryptocurrencies worth about $600,000 since Jan. 1. It’s unclear if these transfers are from victims or other accounts used in the scam.
An Elaborate Scam
Cybercriminals are hijacking high-profile YouTube accounts for this scam, ostensibly to reach more victims. One compromised channel had over 12.5 million subscribers, and another had up to three billion views, Bitdefender revealed.
While stream-jacking attacks are not uncommon, the use of coordinated campaigns that exploit real-world events sets these attacks apart. Cybercriminals are creating fake YouTube livestreams “that disguise crypto-doubling scams under popular titles highlighted in mainstream media,” Bitdefender said.
In one instance, the researchers found a fake livestream of SpaceX’s Starship launch on a compromised verified YouTube channel. “Most of the livestreams we analyzed were also showing signs of artificial boosting of viewers to further increase the trust of potential real viewers,” the report said.
Some other major news events that cybercriminals have exploited to promote crypto scams include the SEC vs. Ripple (XRP) case, the launch of Tesla’s Cybertruck, Changpeng Zhao stepping down as CEO of Binance, and the launch of SpaceX’s USSF-52 flight.
In some instances, cybercriminals even purchased YouTube ads to spread their deepfake videos and reach more victims, Bitdefender said, explaining that these attacks have a global reach. Popular YouTube channels across multiple countries — including the U.S., Brazil, India, and Indonesia — have been hijacked for this scam, the report said.
While it’s unclear how these threat actors hijacked YouTube channels, in a report published in March 2023, CloudSEK said cybercriminals are using AI-generated videos on YouTube to spread info-stealing malware.
Deepfake Videos of MicroStrategy’s Saylor
Amid the excitement about the Bitcoin exchange-traded fund (ETF) in recent weeks, Bitdefender said there have been “hundreds of malicious broadcasts” featuring MicroStrategy’s Saylor. These videos, which usually include “Bitcoin ETF” in their titles, are published on accounts that impersonate MicroStrategy’s official YouTube channel.
“Most of the broadcasts use looped deep fakes in which MicroStrategy’s former CEO encourages the community to ‘participate in the giveaway’ by scanning the QR code and following the instructions found on the website,” Bitdefender said.
Some of these deepfake videos direct users to external sites with domains that impersonate MicroStrategy and other companies/individuals. Some of these domains also “include the symbols of the cryptocurrencies used in the fake giveaways, along with multipliers such as 2x or x2,” Bitdefender said.
“These websites host animations that give users the impression that multiple transactions are taking place live. While it may seem legitimate, these are in fact randomly generated,” the report reads.
How to Avoid Crypto Scams
Bitdefender recommends being wary of YouTube channels with “unexpected characters or misspellings” in their names and videos with suspect messages. The cybersecurity company also warns against scanning QR codes from dubious sources. And, if you encounter an enticing giveaway online from a well-known company, double-check their official website and ensure it’s legitimate.
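The two warning signs described above, lookalike channel or domain names and giveaway wording that pairs a crypto ticker with a 2x/x2 multiplier, can be turned into a simple triage check. The following is an added example written for this article, not Bitdefender’s tooling; the brand list and the sample names are constructed, and the similarity threshold is an assumption you should tune.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Brands the report says were impersonated (constructed list; extend as needed).
BRANDS = ["microstrategy", "tesla", "spacex"]

# Giveaway indicators from the report: a crypto ticker plus a 2x / x2 style multiplier.
TICKER_RE = re.compile(r"\b(btc|eth|xrp|bitcoin|ethereum)\b", re.I)
MULTIPLIER_RE = re.compile(r"\b\d+x\b|\bx\d+\b", re.I)

def normalize(name: str) -> str:
    """Fold accented letters to plain ASCII and lowercase (NFKD drops combining accents)."""
    folded = unicodedata.normalize("NFKD", name)
    return "".join(c for c in folded if not unicodedata.combining(c)).lower()

def has_unexpected_chars(name: str) -> bool:
    """True if the name contains non-ASCII characters (e.g. a Cyrillic letter standing in for Latin)."""
    return any(ord(c) > 127 for c in name)

def tokens(name: str) -> list:
    return [t for t in re.split(r"[^a-z0-9]+", normalize(name)) if t]

def closest_brand(name: str) -> tuple:
    """Return (brand, similarity) for the brand most similar to any token of the name."""
    best = ("", 0.0)
    for tok in tokens(name):
        for brand in BRANDS:
            ratio = SequenceMatcher(None, tok, brand).ratio()
            if ratio > best[1]:
                best = (brand, ratio)
    return best

def assess(name: str, threshold: float = 0.8) -> dict:
    """Flag a channel/domain name that imitates a brand or carries crypto-doubling wording."""
    brand, sim = closest_brand(name)
    exact = bool(brand) and brand in tokens(name)
    # Near-match to a brand that is not spelled exactly, or exact but with lookalike characters.
    lookalike = sim >= threshold and (not exact or has_unexpected_chars(name))
    giveaway = bool(TICKER_RE.search(name)) and bool(MULTIPLIER_RE.search(name))
    return {"brand": brand, "lookalike": lookalike, "giveaway": giveaway,
            "suspicious": lookalike or giveaway}

if __name__ == "__main__":
    # Constructed sample names, not real channels or domains.
    for sample in ["MicroStrategy", "Micr0Strategy", "microstrategy-btc-2x.example"]:
        print(sample, assess(sample))
```

A real pipeline would feed this from channel metadata or passive DNS rather than a hand-typed list, and treat a hit as a lead for review, not a verdict.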
Bitdefender also stressed the importance of proper cyber hygiene and community vigilance, urging the public to report suspicious activities to Google and stay informed through reliable sources.
We recommend using a solid antivirus tool to block malware and defend your system from other cyber threats.
