LinusTechTips YouTube channels hacked to promote cryptoscams

The hijacking of YouTube accounts to beforehand bogus cryptocurrency schemes is thing new. At Netcraft, we’ve antecedently blogged astir nan scale of cryptocurrency scams, and we saw attacks connected astatine slightest 2,000 chopped IP addresses each period successful nan past year. Cryptocurrency-themed attacks stay celebrated pinch cybercriminals, but yesterday we had nan opportunity to observe nan caller high-profile onslaught connected LinusTechTips arsenic it unfolded.

This blog station explains what we saw, and really we protected our users from nan scam sites hours earlier nan compromised channels were taken down. All times successful this station are GMT.

Timeline of nan attack

On March 23rd, astatine astir 10.30am, we noticed that LinusTechTips (LTT), a celebrated YouTube transmission pinch complete 15 cardinal subscribers, had been compromised to beforehand a Tesla-themed cryptocurrency scam. Two of LTT’s related channels (Techquickie and TechLinked) were besides compromised. The onslaught started successful nan mediate of nan nighttime Vancouver clip (where LTT is based), perchance to maximise nan magnitude of clip earlier nan relationship holders noticed.

Three domains were utilized while nan YouTube hack was active, which imaginable victims were directed to while nan clone video was streaming (via nan unrecorded chat and a QR codification displayed connected nan screen). These domains were:

• tesla-online[.]net (site report)
• tesla-ltt[.]com (site report)
• teslaltt[.]com (site report)

All 3 of these domains were registered pinch nan aforesaid registrar (NiceNIC) and registrant details. While nan first domain was registered connected March 18th (a fewer days earlier nan attack), nan different 2 were registered connected March 23rd – that is, while nan onslaught was ongoing. These 2 domains besides see “ltt” to connote a narration pinch LinusTechTips.

Shortly aft nan onslaught went live, Cloudflare placed a phishing informing connected nan first domain being utilized for nan onslaught (tesla-online[.]net). In response, nan attacker registered and deployed nan different 2 domains (tesla-ltt[.]com and teslaltt[.]com), and updated nan links being promoted connected nan compromised channels accordingly. This shows that nan attacker down this was actively “behind nan wheel” and making reactive changes arsenic nan onslaught unfolded, dissimilar phishing attacks wherever a fraudster whitethorn deploy a phishing tract and past passively harvest credentials complete time.

Around 11:30am, nan main LTT transmission was wholly terminated by YouTube for “violating YouTube’s Community Guidelines”. The different affected channels, TechLinked and Techquickie, were terminated by 1:30pm.

Netcraft blocked nan first domain utilized for nan onslaught (tesla-online[.]net) 4 days earlier nan YouTube hack, and we besides blocked nan 2 caller domains (tesla-ltt[.]com and teslaltt[.]com) wrong 2 hours of them being registered and deployed. Even earlier YouTube noticed and took action against nan unrecorded channels, users of Netcraft’s extensions and feeds were already protected.

Summary of nan LTT onslaught observed by Netcraft (all times successful GMT)

March 18th	23:09	Attacker registers tesla-online[.]net.
March 19th	01:06	Netcraft blocks tesla-online[.]net.
March 23rd	Shortly earlier 10:30	LTT YouTube transmission and related channels (Techquickie and TechLinked) statesman to beforehand nan scam, initially utilizing tesla-online[.]net.
	10:30	Netcraft notices nan main LTT transmission is hacked and originates monitoring. tesla-online[.]net was not displaying nan Cloudflare informing astatine this point.
	Sometime aft 10:30	Cloudflare adds informing to tesla-online[.]net.
	Around 11:30	LTT transmission is terminated by YouTube, but nan onslaught is still progressive connected sub-channels.
	11:33	Attacker registers and deploys tesla-ltt[.]com.
	12:09	Attacker registers and deploys teslaltt[.]com.
	12:10	Netcraft notices caller domains being promoted connected related channels.
	12:17	Netcraft blocks tesla-ltt[.]com.
	13:08	Netcraft blocks teslaltt[.]com.
	13:30	All remaining affected channels terminated by YouTube.

Anatomy of nan attack

In bid to profit from hijacking a YouTube relationship to beforehand a cryptocurrency scam, nan attacker intends to convey 2 things to their victim:

• it is nan morganatic relationship of a well-known marque aliases person, specified arsenic Tesla aliases Elon Musk, promising them a sum of cryptocurrency.
• they should sojourn a linked scam URL being promoted to get this sum of money, which has nan existent payload (i.e. nan wallets nan attacker wants victims to nonstop their cryptocurrency to).

The compromised transmission was renamed to teslaaliveonline1, pinch convincing-looking branding.

Screenshot from Wayback Machine showing a seizure of nan renamed transmission arsenic of 10:21am connected March 23rd.

To beforehand nan scam URL, nan attacker started livestreams of a chat betwixt Elon Musk, Cathie Wood and Jack Dorsey astir cryptocurrency. While nan volition is to look for illustration a unrecorded discussion, it is simply a pre-recorded video stolen from an older livestream by nan transmission ARK Invest. ARK Invest authorities successful a remark that it is alert of hacked third-party YouTube channels making usage of nan video successful this manner.

Victims were directed to nan scam URL(s) successful 2 ways:

• In an overlay supra nan video, location was a image of a spoofed tweet from Elon saying that “Your life will alteration wrong minutes if you scan nan QR code”. The QR codification goes to nan scam URL.

• In nan unrecorded chat, nan hacked relationship was utilized to make claims that users tin double their cryptocurrency and that immoderate cryptocurrency had already been sent to watercourse viewers, on pinch a nexus to nan scam URL.

Screenshot while nan onslaught was progressive showing nan scam URL being promoted successful nan unrecorded chat and via QR code. At this point, nan transmission had been renamed to LinusTechTipsTemp.

The attacker actively restricted unrecorded posting from different accounts, to deter group from informing different users of nan scam.

Additionally, nan descriptions of erstwhile recorded livestreams were renamed to see a nexus to nan scam URL(s):

An older watercourse from LTT pinch an updated explanation containing nan scam URL.

Once Cloudflare placed a informing page connected tesla-online[.]net, nan links from nan QR codification and successful nan livestream were updated while nan watercourse was live, to constituent to nan caller domains (tesla-ltt[.]com and teslaltt[.]com).

The scam URLs declare Tesla is hosting a giveaway of $100,000,000 successful cryptocurrency. On nan page are addresses of nan various cryptocurrency wallets that victims were instructed to nonstop their cryptocurrency to, which allegedly return participants doubly nan magnitude of nan rate sent:

Screenshots of contented connected nan scam URLs being promoted.

When Netcraft visited nan sites, nan aforesaid wallet addresses were being advertised connected tesla-online[.]net and teslaltt[.]net. In their haste to group up caller sites for nan scam, nan attacker had surgery wallet links connected tesla-ltt[.]net (the corresponding QR codes are besides surgery and do not incorporate wallet addresses):

Broken links connected tesla-ltt[.]com, displaying placeholders wherever nan wallet links should be.

We besides spotted nan wallet addresses advertised connected nan sites being updated astatine slightest erstwhile complete nan people of nan attack. Based connected nan transactions made to nan wallet addresses we observed, nan attacker managed to make complete $14,000 successful BTC and ETH connected March 23rd, contempt nan onslaught being unrecorded for only a mini number of hours.

LinusTechTips explained really its YouTube relationship was compromised by nan attacker in a video posted today.

How tin Netcraft help?

Netcraft is nan world leader successful cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We analyse millions of suspected malicious sites each day, typically blocking an onslaught wrong minutes of discovery.

• Netcraft provides cybercrime detection, disruption and takedown services to organizations worldwide including 12 of nan apical 50 world banks and nan biggest cryptocurrency speech classed by volume. We execute takedowns for astir 1 3rd of nan world’s phishing attacks and return down 90+ onslaught types astatine a complaint of 1 onslaught each 15 seconds. We tin thief take sides your statement against cryptocurrency scams leveraging your brand’s identity.

• The Netcraft browser hold and mobile apps block fraudulent sites, including nan cryptocurrency scam sites that were utilized successful this attack. Our malicious tract feeds protect billions of group astir nan world from phishing, malware, and different cybercrime activities.