Hijacking of YouTube accounts to promote fake cryptocurrency schemes is nothing new. At Netcraft, we previously blogged about the scale of cryptocurrency scams and saw attacks on at least 2,000 different IP addresses every month for the past year. Cryptocurrency-themed attacks are still popular with cybercriminals, but yesterday we had the chance to take a look at the recent high-profile attack on LinusTechTips as it unfolded.
This blog post explains what we saw and how we protected our users from scam sites hours before the compromised channels were removed. All times in this publication are GMT.
Timeline of the attack
On March 23, at approximately 10:30am, we noticed that LinusTechTips (LTT), a popular YouTube channel with over 15 million subscribers, had been compromised to promote a Tesla-themed cryptocurrency scam. Two of LTT’s related channels (Techquickie and TechLinked) were also compromised. The attack began in the middle of the night Vancouver time (where LTT is located), possibly to maximize the amount of time before account holders were made aware of it.
Three domains were used while the YouTube hack was active, which potential victims were directed to while the fake video was being broadcast (via live chat and a QR code displayed on the screen). These domains were:
All three of these domains were registered with the same registrar (NiceNIC) and registrant details. While the first domain was registered on March 18 (a few days before the attack), the other two were registered on March 23, that is, while the attack was in progress. These two domains also include “ltt” to imply a relationship with LinusTechTips.
Shortly after the attack was activated, Cloudflare placed a phishing warning on the first domain used for the attack (tesla-online[.]net). In response, the attacker registered and deployed the other two domains (tesla-ltt[.]com and teslalt[.]com), and updated the links being promoted in the compromised channels accordingly. This shows that the attacker behind it was actively “behind the wheel” and making reactive changes as the attack unfolded, unlike phishing attacks where a fraudster can deploy a phishing site and then collect credentials passive over time.
Around 11:30am, YouTube completely shut down the main LTT channel for “violating the YouTube Community Guidelines.” The other affected channels, TechLinked and Techquickie, ended at 1:30 p.m.
Netcraft blocked the initial domain used for the attack (tesla-online[.]net) 4 days before the YouTube hack, and we also blocked the two new domains (tesla-ltt[.]com and teslalt[.]com) within two hours of its registration and implementation. Even before YouTube took notice and cracked down on live channels, users of Netcraft extensions and feeds were already protected.
Summary of the LTT attack observed by Netcraft (all times in GMT)
March 18 23:09 Attacker records tesla-online[.]net. March 19 01:06 Netcraft blocks tesla-online[.]net. March 23 Shortly before 10:30 LTT, the YouTube channel and related channels (Techquickie and TechLinked) start promoting the scam, initially using tesla-online[.]net. 10:30 Netcraft notices that the main LTT channel is hacked and starts monitoring. tesla online[.]net was not showing the Cloudflare warning at this time. Sometime after 10:30, Cloudflare adds a warning to tesla-online[.]net. Around 11:30am LTT, YouTube shuts down the channel, but the attack is still active on the sub-channels. 11:33 Attacker records and deploys tesla-ltt[.]com. 12:09 Attacker logs and displays teslaltt[.]com. 12:10 Netcraft warns that new domains are promoted in related channels. 12:17 Netcraft blocks tesla-ltt[.]com. 13:08 Netcraft blocks teslaltt[.]com. 13:30 All remaining affected channels canceled by YouTube.
In order to profit from a YouTube account hijacking to promote a cryptocurrency scam, the attacker intends to convey two things to his victim:
it is the legitimate account of a well-known brand or person, such as Tesla or Elon Musk, promising them a sum of cryptocurrencies. they must visit a promoted linked scam URL to get this sum of money, which has the actual payload (i.e., the wallets the attacker wants victims to send their cryptocurrency to).
The compromised channel was renamed teslaaliveonline1, with convincing-looking branding.
To promote the scam URL, the attacker started live streams of a discussion between Elon Musk, Cathie Wood, and Jack Dorsey about cryptocurrency. While it is intended to look like a live discussion, it is pre-recorded video stolen from a previous live stream on the ARK Invest channel. ARK Invest claims in a comment that it is aware of hacked third-party YouTube channels using video in this way.
Victims were directed to the scam URLs in two ways:
In an overlay over the video, there was an image of a faked tweet from Elon that read: “Your life will change in minutes if you scan the QR code.” The QR code goes to the URL of the scam.
In the live chat, the hacked account was used to claim that users can double their cryptocurrency and that some cryptocurrency had already been sent to viewers, along with a link to the scam URL.
The attacker actively restricted live posts from other accounts, to discourage people from warning other users about the scam.
Additionally, descriptions of previously recorded live streams have been renamed to include a link to the fraudulent URL(s):
Once Cloudflare posted a warning page on tesla-online[.]net, the links in the QR code and in the live stream were updated while the stream was live, to point to the new domains (tesla-ltt[.]com and teslalt[.]com).
The scam URLs claim that Tesla is hosting a giveaway of $100,000,000 worth of cryptocurrency. On the page are addresses of various cryptocurrency wallets that victims were instructed to send their cryptocurrency to, which allegedly return double the amount of the sent currency to participants:
When Netcraft visited the sites, the same wallet addresses were being advertised on tesla-online[.]net and teslalt[.]net. In his rush to set up new sites for the scam, the attacker had broken the wallet links on tesla-ltt[.]net (the corresponding QR codes are also broken and do not contain wallet addresses):
We also found that the wallet addresses advertised on the sites were updated at least once during the course of the attack. Based on transactions made on the wallet addresses we observed, the attacker managed to generate more than $14,000 worth of BTC and ETH on March 23, despite the fact that the attack lasted only a few hours.
LinusTechTips explained how the attacker compromised his YouTube account in a video posted today.
How can Netcraft help?
Netcraft is the world leader in cybercrime detection, disruption, and removal, and has been protecting businesses online since 1996. We scan millions of suspected malicious sites every day, typically blocking an attack within minutes of being launched. discovered.
Netcraft provides cybercrime detection, disruption, and suppression services to organizations around the world, including 12 of the top 50 global banks and the largest cryptocurrency exchange ranked by volume. We take down around a third of the world’s phishing attacks and take down over 90 types of attacks at a rate of 1 attack every 15 seconds. We can help defend your organization against cryptocurrency scams by leveraging your brand identity.
The Netcraft browser extension and mobile apps block fraudulent sites, including the cryptocurrency scam sites that were used in this attack. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activity.