{"id":8615,"date":"2024-07-01T12:00:00","date_gmt":"2024-07-01T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8615"},"modified":"2026-06-14T19:39:40","modified_gmt":"2026-06-14T16:39:40","slug":"hijacked-how-hacked-youtube-channels-spread-scams-and-malware-2","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2024\/07\/01\/hijacked-how-hacked-youtube-channels-spread-scams-and-malware-2\/","title":{"rendered":"Hijacked: How hacked YouTube channels spread scams and malware"},"content":{"rendered":"

As one of today\u2019s most popular social media platforms<\/a>, YouTube is often in the crosshairs of cybercriminals who exploit it to peddle scams and distribute malware. The lures run the gamut, but often involve videos posing as tutorials about popular software or ads for crypto giveaways. In other scenarios, fraudsters embed links to malicious websites in video descriptions or comments, disguising them as genuine resources related to the video\u2019s content.<\/p>\n

Thefts of popular YouTube channels up the game further. By extending the reach of the fraudulent campaigns to untold numbers of regular YouTube users, they give the attackers the most bang for their buck. Cybercriminals have long been known to repurpose these channels<\/a> to spread crypto and other scams<\/a> and a variety of info-stealing malware<\/a>, often through links to pirated and malware-laden software, movies and game cheats.<\/p>\n

Meanwhile, YouTubers who have had their accounts stolen are in for a highly distressing experience, with the consequences ranging from loss of income to lasting reputational damage.<\/p>\n

How can cybercriminals take over YouTube channels?<\/h2>\n

More often than not, it all starts with good ol\u2019 phishing. Attackers create fake websites and send emails that look like they are from YouTube or Google and attempt to trick the targets into surrendering their \u201ckeys to the kingdom\u201d. In many cases, they also tout sponsorship or collaboration deals as the lure \u2013 the message includes an attachment or a link to a file where the terms and conditions are said to be detailed.<\/p>\n

Nothing could be further from the truth, however, with the threat becoming even more acute where the accounts were not protected by two-factor authentication<\/a> (2FA) or where attackers circumvented this extra safeguard. (Since late 2021, content creators need to use 2FA<\/a> on the Google account associated with their YouTube channel).<\/p>\n

In some cases (cue the breach of Linus Tech Tips<\/a>, a channel with 15 million subscribers at the time), attackers needed neither passwords nor 2FA codes to hijack the channels. Instead, they stole session cookies<\/a> from the victims\u2019 browsers that ultimately enabled them to bypass the additional security checks involved in the authentication process.<\/p>\n

In another tried-and-tested technique, attackers leverage lists of usernames and passwords from past data breaches<\/a> to break into existing accounts, relying on the fact that many people reuse passwords across different sites<\/a>. In brute-force attempts, meanwhile, attackers use automated tools to try numerous password combinations<\/a> until they find the correct one. This method yields fruits especially if people use weak or common passwords<\/a> and skimp on 2FA.<\/p>\n

\"Figure
Figure 1. Example of a phishing email sent to a YouTuber. It delivers malware that deletes the user\u2019s browser cookies, forcing them to re-enter their login credentials. Those are then sent to the attacker. (Source: The PC Security Channel<\/a>)<\/em><\/figcaption><\/figure>\n

Just weeks ago, the AhnLab Security Intelligence Center (ASEC) wrote about a growing number of cases<\/a> where cybercriminals hijack popular YouTube channels, including one with 800,000 subscribers, and exploit them to distribute malware such as RedLine Stealer<\/a>, Vidar and Lumma Stealer<\/a>.<\/p>\n

As described in the ESET Threat Report H2 2023<\/a>, Lumma Stealer made a splash particularly in the second half of last year. This infostealer-for-hire is known for targeting crypto wallets<\/a>, login credentials and 2FA browser extensions, as well as for exfiltrating information from compromised machines. As the ESET Threat Report H1 2024<\/a> shows, both tools remain a major menace and often pose as cheating software or video game cracks, including via YouTube.<\/p>\n

\"Figure
Figure 2. YouTube video offering a cracked version of Adobe After Effects and downloading RedLine<\/em><\/figcaption><\/figure>\n
\"Figure
Figure 3. Cracked \u2013 and malicious \u2013 version of Adobe After Effects<\/em><\/figcaption><\/figure>\n

In some scenarios, criminals hijack existing Google accounts and in the span of minutes create and post thousands of videos that distribute info-stealing malware. People who fall victim to the attacks may end up having their devices compromised with malware that also steals their accounts on other major platforms such as Instagram, Facebook, X, Twitch and Steam.<\/p>\n

Staying out of harm\u2019s way on YouTube<\/h2>\n

These tips will go a long way towards keeping you safe on the platform, including if you\u2019re a YouTuber yourself.<\/p>\n