Researchers at Bitdefender Labs have been actively keeping tabs on stream-jacking attacks against high-profile YouTube accounts used to conduct myriad crypto-doubling scams.
Fast forward to 2024: their investigation into the fraudulent takeover and use of YouTube accounts has produced new findings, as financially motivated threat actors continue to refine their attacks.
Over the past couple of months, stream-jacking attacks have steadily evolved, and the research shows how cybercriminals advance their craft to maximise the reach and efficiency of their operations with carefully engineered content that closely mimics legitimate cryptocurrency-related news or announcements.
We know that malicious actors often stay on top of popular events in crypto, and during the last quarter they have made use of multiple announcements to potentially monetise fraudulent livestreams that disguise crypto-doubling scams under popular titles highlighted in mainstream media.
For example, attackers used the official “SpaceX Starship Integrated Flight Test 2” event to launch their own fake livestreams under the title “SpaceX Launch Starship Flight Test! Elon Musk gives an update on Starship!” on compromised ‘verified’ channels to add credibility to their ruse. Most of the livestreams analysed also showed signs of artificially boosted viewer counts, intended to further increase the trust of potential real viewers.
As previously stated, scammers use variants of the name of the impersonated entity on compromised accounts (instead of @SpaceX, @spacex1[..] is observed).
Other premeditated scams based on official and wide-known events we have found are the following:
1. Nov. 30 was an important date for the SEC-XRP trial in the world of cryptocurrencies. Before, during and after that date, we noticed multiple fake livestreams with the following titles:
2. The USSF-52 flight
3. Changpeng Zhao stepping down from the CEO position of Binance
4. The Cybertruck Launch
5. Bitcoin ETF:
It becomes more obvious that any high-profile news headline can be used for malicious activities. Over time, the scams evolved from the simple use of the names of famous entities to the coordination of scam campaigns based on real events of interest to online communities.
More importantly, we’ve noticed that at the start of these planned campaigns, a considerable number of the compromised channels have many subscribers (some with more than 1 million and one with as many as 12.5 million), which makes them an ideal vector for threat actors to spread their fraudulent schemes.
While the initial iterations of the scams reported in October 2023 used looped videos of famous conference talks or other popular recordings, fraudsters have recently started using deep fake technology to create fake videos of prominent figures in cryptocurrency, adding further credibility to the scams.
A common aspect of these skilfully engineered videos is that they encourage viewers to look for a QR code, scan it, and send an amount of crypto to be doubled.
Some of the observed deep fakes are of decent quality and could easily fool an untrained eye. To prevent any victims or wary community members from blowing the lid on the entire operation, the live chat section of the videos is disabled unless you are a selected member of the channel or have been a subscriber for an extended period of time.
Another new characteristic of these deepfakes is that they occasionally appear in YouTube ads rather than malicious livestreams, giving cybercriminals more freedom to spread the scams (fraudsters can easily pay for these phony ads until YouTube bans them).
While the videos are clearly crafted with deep generative models, the support chats that the malicious websites use do not seem to employ any large language models to answer.
Most of the time, these account takeovers are enabled by various infostealers that harvest YouTube access tokens. After obtaining the access tokens, the malicious actors proceed to redesign the channel to make it appear as though the entity they want to impersonate owns it. This process is most likely automated and consists of completely changing the original channel by:
In their research, they’ve observed some takeovers live. The name, handle, and avatar of the original channel were changed, but previously existing content was still available despite the start of the malicious broadcast. After a couple of minutes, videos were set to private and the banner was also changed, but the channel description and special videos were still displayed. After another couple of minutes, the channel was completely stripped of the original content. In this case, the definitive version of the compromised channel barely looked like the official SpaceX channel.
Sometimes, these transformative operations either take too long to happen (and the channel gets banned before they do) or do not happen at all.
Taking advantage of the heavy news coverage of the Bitcoin ETF, malicious actors started broadcasting scams with the same topic in late December 2023. These scams have MicroStrategy (a business intelligence company) and Michael Saylor as central figures and use titles that refer to the Bitcoin ETF potentially reaching high values to gain traction. Hundreds of malicious broadcasts were observed in the last couple of weeks, qualifying it as one of the most intensive scam campaigns we’ve seen so far.
Most of the broadcasts use looped deep fakes, in which MicroStrategy’s former CEO encourages the community to “participate in the giveaway” by scanning the QR code and following the instructions found on the website.
The compromised channels use variations of the official MicroStrategy logo as the avatar and the official banner, and some refer to the playlists of the official MicroStrategy channel to boost credibility. The thumbnails of the videos are also common between instances, with limited diversity. The most common name after the takeover is MicroStrategy US, and other discovered names are: MicroStrategy, Microstrategy, Microstrategy US, Microstrategy Live, and Micro Strategy. The names might include trailing spaces and parentheses (rounded or square) around the US and Live keywords.
The phoney websites are usually hosted on domains that resemble the name of the impersonated company or its former CEO, or on simpler domains that include the symbols of the cryptocurrencies used in the fake giveaways along with multipliers such as 2x or x2. These websites also host animations that give users the impression that multiple transactions are taking place live; while they may seem legitimate, these are in fact randomly generated.
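One way a defender could flag the naming patterns described above (takeover channel names with the US/Live suffixes and brackets, @spacex1-style handles, and domains pairing a coin symbol with a 2x/x2 multiplier), as an added Python example that is not the report's own tooling; the brand list, suffix set, coin symbols and sample inputs are assumptions:

```python
import re

# Constructed lookup tables: brands/people the report says are impersonated,
# suffix words appended to channel names, and coin symbols used in fake giveaways.
BRANDS = {"microstrategy": "MicroStrategy", "spacex": "SpaceX", "saylor": "Michael Saylor"}
SUFFIXES = {"us", "live"}
COINS = {"btc", "eth", "xrp", "bnb"}
MULTIPLIER = re.compile(r"[2-9]x|x[2-9]")  # "2x" / "x2" style doubling claims


def normalize_channel_name(name: str) -> str:
    """Lower-case, replace round/square brackets with spaces, drop the US/Live
    suffix words and join what is left, so 'Micro Strategy (US) ' -> 'microstrategy'."""
    cleaned = re.sub(r"[()\[\]]", " ", name.lower())
    tokens = [t for t in cleaned.split() if t not in SUFFIXES]
    return "".join(tokens)


def impersonated_brand(name: str):
    """Return the brand a channel display name collapses to, or None."""
    return BRANDS.get(normalize_channel_name(name))


def lookalike_handle(handle: str):
    """Flag handles that are a brand name plus extra characters (e.g. @spacex1)."""
    h = handle.lstrip("@").lower()
    for token, label in BRANDS.items():
        if h.startswith(token) and h != token:
            return label
    return None


def suspicious_domain(domain: str) -> bool:
    """Heuristic: the domain mentions a brand/person, or a coin symbol together
    with a multiplier. Tune before use; it is deliberately simple."""
    d = domain.lower()
    if any(token in d for token in BRANDS):
        return True
    return any(c in d for c in COINS) and MULTIPLIER.search(d) is not None


if __name__ == "__main__":
    # Constructed samples, not identifiers from the report.
    for n in ["MicroStrategy US", "Micro Strategy [Live] ", "Microstrategy (US)", "Cooking Channel"]:
        print(repr(n), "->", impersonated_brand(n))
    print(lookalike_handle("@spacex1"), suspicious_domain("btc2x-giveaway.example"))
```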
Here are some key insights about what a deep-fake Michael Saylor tells viewers in a looped video:
All metrics have grown since their last report on the topic, and some have come close to doubling. The alarming growth indicates that this phenomenon is far from eradicated.
A crucial question arises after observing the surge of these continuously evolving crypto scams: how much do cybercrooks earn that makes sustaining these scams so worthwhile?
The only possible financial gain is the actual amount of cryptocurrency that is received in the promoted crypto wallets. As such, we began an investigation of a subset of malicious domains (focusing on the latest trends—XRP, MicroStrategy, SpaceX, and Binance) that were promoted in livestreams to get an idea of the actual “profits.” After extracting the identifiers of the promoted crypto wallets, the associated transactions were analysed, with the following insights:
In total, potential earnings amount to between ~$528,200 and ~$600,500 (depending on the date on which the coins are valued), making these malicious operations highly profitable for threat actors. While the analysis relies solely on the transactions received, it is unclear whether these come from actual victims or from other wallets used in this kind of scam. Nonetheless, the numbers are alarming, and the need to raise awareness of such frauds is paramount.
Justin Lavadia is a content producer and editor at Public Spectrum with a diverse writing background spanning various niches and formats. With a wealth of experience, he brings clarity and concise communication to digital content. His expertise lies in crafting engaging content and delivering impactful narratives that resonate with readers.