Google’s Threat Analysis Group research: An ongoing phishing campaign against YouTube creators

According to Google’s Threat Analysis Group (TAG), the recent attacks were attributed to a group of hackers recruited in a Russian-speaking forum, who sold hacked YouTube channels to the highest bidder.

YouTube channels hacked and rebranded for live-streaming crypto scams

There is currently an ongoing phishing campaign targeting YouTube creators, which often leads to the compromise of their channels. After hijacking YouTube channels, this group of hackers either sells them to the highest bidder or uses them to broadcast cryptocurrency scams.


Example phishing email message

“A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming. On account-trading markets, hijacked channels ranged from $3 USD to $4,000 USD depending on the number of subscribers,” TAG stated.

YouTube accounts are said to have been hacked using cookie-stealing malware, a fake piece of software configured to run on victims’ computers undetected. TAG also reported that the hackers changed the names, profile pictures, and content of YouTube channels to impersonate major tech or cryptocurrency exchange companies.

The attacker’s live stream promises cryptocurrency in exchange for an initial donation. As a countermeasure, Google has invested in tools to detect and block phishing and social engineering emails, cookie theft, and crypto scam live streams. With constant efforts, Google has reduced the number of phishing emails in Gmail by 99.6% since May 2021.

“With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly,, and,” the company added.

Google has shared the above findings with the US Federal Bureau of Investigation (FBI) for further investigation. Recently, as AZCoin News reported, more than 3.1 million (3,117,548) users’ email addresses were leaked from CoinMarketCap. CoinMarketCap acknowledges the correlation of the leaked data with its user base but maintains that it has found no evidence of a hack on its internal servers.

Despite the confirmation, CoinMarketCap has yet to identify the exact cause of the hack:

“As no passwords are included in the data we have seen, we believe that it is most likely sourced from another platform where users may have reused passwords across multiple sites.”

The information came to light after the hacked email addresses were found to be traded and sold online on various hacking forums, and were revealed by Have I Been Pwned, a website dedicated to tracking hacks and compromised online accounts.
