Svetoslav Vassilev
YouTubers Are Getting Hacked
Yesterday a prominent YouTube channel, "Linus Tech Tips" with 15.3 million subscribers, was hacked. After the hackers obtained control of the account, they renamed it and posted videos promoting an apparent crypto scam. One can hope that no one fell for the scam, since these "get rich fast" crypto videos were topically orthogonal to the channel's original content.
The details of how the attack unfolded are still a bit murky. Here is the official statement from Linus Sebastian himself:
"Regarding the YouTube channel hack, we are now on top of it with Google's team now. Everything should be locked down and we are getting to the bottom of the attack vector with the (hopeful) goal of hardening their security around YouTube accounts and preventing this sort of thing from happening to anyone in the future."
It almost seems like there is some blame thrown in YouTube's direction. Interesting ...
We may not know the details of this particular hack (actually, as of 03/24 we do; see the update at the bottom of this post), but there is plenty of information about other YouTube channels being taken over, so let's look at the common pattern. If you are curious about the details, here is an excellent video on the topic posted by the PC Security Channel.
The common pattern seems to be the following:
- YouTuber receives a phishing email about potential sponsorship on the channel. The email has a link for a "sponsorship contract document". In the video above the original email was written in suspiciously poor English. Well ... ChatGPT will take care of this little problem :).
- The YouTuber clicks on the link and downloads a ZIP archive.
- The ZIP archive contains one or more executable files (they may be disguised with double extensions).
- The executable files are usually padded to more than 700 MB so that legacy AV engines, which skip files above a size limit, never scan them.
- The YouTuber extracts the files from the archive and clicks on one of them.
- RedLine (or another) info-stealer executes and steals browser passwords, cookies, etc.
- The YouTube channel subscribers start "enjoying" crypto scam videos.
It is important to underline one more time: as of the time of this writing it is not clear how the "Linus Tech Tips" channel was hacked, but if I had to bet ... ^^^.
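The indicators in that pattern can be checked mechanically before anyone double-clicks the "contract". The script below is an added example, my own defensive triage code and not code from the original post or from UpSight; it inspects a ZIP attachment for executable entries, double extensions such as contract.pdf.exe, uncompressed sizes above the 700 MB figure cited above, and heavy padding (an executable that compresses to under 1% of its size). The extension lists, the sample file name and the 1 MB constructed archive are assumptions made for the demo.

```python
"""Triage a 'sponsorship contract' ZIP for the indicators in the attack pattern."""
import io
import zipfile

# Assumed extension lists for the demo; extend to taste.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".txt", ".xls", ".xlsx"}
SIZE_LIMIT = 700 * 1024 * 1024  # size threshold cited in the post


def triage_zip(data: bytes, size_limit: int = SIZE_LIMIT) -> dict:
    """Return {entry name: [indicator, ...]} for every suspicious entry.

    Only the central directory is read; nothing is extracted or executed.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in basename.split(".")[1:]]
            hits = []
            if exts and exts[-1] in EXEC_EXT:
                hits.append("executable")
                if len(exts) >= 2 and exts[-2] in DOC_EXT:
                    hits.append("double-extension")  # e.g. contract.pdf.exe
                if info.file_size > size_limit:
                    hits.append("oversized")
                # Padding with repetitive bytes compresses almost to nothing.
                if info.file_size and info.compress_size * 100 < info.file_size:
                    hits.append("padded")
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_zip(padding: int = 1024 * 1024) -> bytes:
    """Constructed sample archive mirroring the lure (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # 'MZ' header followed by zero padding stands in for a padded binary.
        zf.writestr("Sponsorship_Contract.pdf.exe", b"MZ" + b"\0" * padding)
        zf.writestr("README.txt", b"Please open the attached contract.")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in triage_zip(build_sample_zip()).items():
        print(entry, "->", ", ".join(hits))
```

Run against a real attachment by passing the file's bytes to `triage_zip`; the demo archive is only 1 MB, so its "oversized" hit appears only when `size_limit` is lowered.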
Call to Action
Are you a content creator? Do you own a thriving YouTube or other social media channel? Do you want to be protected against account takeovers? If you answered "yes" to any of the above, don't fall prey to the scammers:
Install UpSight Security
UpSight Security protects you by blocking unwanted programs from accessing your browser cookies, passwords and history. UpSight Security will terminate any info stealer malware that violates more than one of the UpSight account protection rules!
Update - 03/24/2023
Now we have concrete details on how the hack unfolded, and my bet turned out to be correct:
“Someone on our team downloaded what appeared to be a sponsorship offer from a potential partner. It was an innocent enough mistake for the most part. The email came from a legitimate-looking source and it didn’t raise any immediate red flags,” Linus said, noting that whatever ‘PDF’ was downloaded didn’t launch as it should have and was thus ignored. “What happened in the background took about 30 seconds. The malware accessed all user data from both of their installed browsers, Chrome and Edge, including everything from locally saved passwords, cookies, and browser preferences. Giving them effectively an exact copy of those browsers on the target machine that they could export including, that’s right, session tokens for every logged-in website.”