Ike.ninja

The hijacking of YouTube accounts to promote bogus cryptocurrency schemes is nothing new. At Netcraft, we’ve previously blogged about the scale of cryptocurrency scams, and we saw attacks on at least 2,000 distinct IP addresses every month in the past year. Cryptocurrency-themed attacks remain popular with cybercriminals, but yesterday we had the opportunity to observe the recent high-profile attack on LinusTechTips as it unfolded.

This blog post explains what we saw, and how we protected our users from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.

Timeline of the attack

On March 23rd, at approximately 10.30am, we noticed that LinusTechTips (LTT), a popular YouTube channel with over 15 million subscribers, had been compromised to promote a Tesla-themed cryptocurrency scam. Two of LTT’s related channels (Techquickie and TechLinked) were also compromised. The attack started in the middle of the night Vancouver time (where LTT is based), possibly to maximise the amount of time before the account holders noticed.

Three domains were used while the YouTube hack was active, which potential victims were directed to while the fake video was streaming (via the live chat and a QR code displayed on the screen). These domains were:

• tesla-online[.]net (site report)
• tesla-ltt[.]com (site report)
• teslaltt[.]com (site report)

All three of these domains were registered with the same registrar (NiceNIC) and registrant details. While the first domain was registered on March 18th (a few days before the attack), the other two were registered on March 23rd – that is, while the attack was ongoing. These two domains also include “ltt” to imply a relationship with LinusTechTips.

Shortly after the attack went live, Cloudflare placed a phishing warning on the first domain being used for the attack (tesla-online[.]net). In response, the attacker registered and deployed the other two domains (tesla-ltt[.]com and teslaltt[.]com), and updated the links being promoted on the compromised channels accordingly. This shows that the attacker behind this was actively “behind the wheel” and making reactive changes as the attack unfolded, unlike phishing attacks where a fraudster may deploy a phishing site and then passively harvest credentials over time.

Around 11:30am, the main LTT channel was completely terminated by YouTube for “violating YouTube’s Community Guidelines”. The other affected channels, TechLinked and Techquickie, were terminated by 1:30pm.

Netcraft blocked the initial domain used for the attack (tesla-online[.]net) 4 days before the YouTube hack, and we also blocked the two new domains (tesla-ltt[.]com and teslaltt[.]com) within two hours of them being registered and deployed. Even before YouTube noticed and took action against the live channels, users of Netcraft’s extensions and feeds were already protected.

Summary of the LTT attack observed by Netcraft (all times in GMT)

March 18th	23:09	Attacker registers tesla-online[.]net.
March 19th	01:06	Netcraft blocks tesla-online[.]net.
March 23rd	Shortly before 10:30	LTT YouTube channel and related channels (Techquickie and TechLinked) begin to promote the scam, initially using tesla-online[.]net.
	10:30	Netcraft notices the main LTT channel is hacked and begins monitoring. tesla-online[.]net was not displaying the Cloudflare warning at this point.
	Sometime after 10:30	Cloudflare adds warning to tesla-online[.]net.
	Around 11:30	LTT channel is terminated by YouTube, but the attack is still active on sub-channels.
	11:33	Attacker registers and deploys tesla-ltt[.]com.
	12:09	Attacker registers and deploys teslaltt[.]com.
	12:10	Netcraft notices new domains being promoted on related channels.
	12:17	Netcraft blocks tesla-ltt[.]com.
	13:08	Netcraft blocks teslaltt[.]com.
	13:30	All remaining affected channels terminated by YouTube.

Anatomy of the attack

In order to profit from hijacking a YouTube account to promote a cryptocurrency scam, the attacker aims to convey two things to their victim:

• it is the legitimate account of a well-known brand or person, such as Tesla or Elon Musk, promising them a sum of cryptocurrency.
• they should visit a linked scam URL being promoted to get this sum of money, which has the actual payload (i.e. the wallets the attacker wants victims to send their cryptocurrency to).

The compromised channel was renamed to teslaaliveonline1, with convincing-looking branding.

To promote the scam URL, the attacker started livestreams of a discussion between Elon Musk, Cathie Wood and Jack Dorsey about cryptocurrency. While the intention is to appear like a live discussion, it is a pre-recorded video stolen from an older livestream by the channel ARK Invest. ARK Invest state in a comment that it is aware of hacked third-party YouTube channels making use of the video in this manner.

Victims were directed to the scam URL(s) in two ways:

• In an overlay above the video, there was a picture of a spoofed tweet from Elon saying that “Your life will change within minutes if you scan the QR code”. The QR code goes to the scam URL.

• In the live chat, the hacked account was used to make claims that users can double their cryptocurrency and that some cryptocurrency had already been sent to stream viewers, along with a link to the scam URL.

The attacker actively restricted live posting from other accounts, to deter people from warning other users of the scam.

Additionally, the descriptions of previous recorded livestreams were renamed to include a link to the scam URL(s):

Once Cloudflare placed a warning page on tesla-online[.]net, the links from the QR code and in the livestream were updated while the stream was live, to point to the new domains (tesla-ltt[.]com and teslaltt[.]com).

The scam URLs claim Tesla is hosting a giveaway of $100,000,000 in cryptocurrency. On the page are addresses of the various cryptocurrency wallets that victims were instructed to send their cryptocurrency to, which allegedly return participants twice the amount of the currency sent:

When Netcraft visited the sites, the same wallet addresses were being advertised on tesla-online[.]net and teslaltt[.]net. In their haste to set up new sites for the scam, the attacker had broken wallet links on tesla-ltt[.]net (the corresponding QR codes are also broken and do not contain wallet addresses):

We also spotted the wallet addresses advertised on the sites being updated at least once over the course of the attack. Based on the transactions made to the wallet addresses we observed, the attacker managed to generate over $14,000 in BTC and ETH on March 23rd, despite the attack being live for only a small number of hours.

LinusTechTips explained how its YouTube account was compromised by the attacker in a video posted today.

How can Netcraft help?

Netcraft is the world leader in cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We analyze millions of suspected malicious sites each day, typically blocking an attack within minutes of discovery.

• Netcraft provides cybercrime detection, disruption and takedown services to organizations worldwide including 12 of the top 50 global banks and the biggest cryptocurrency exchange ranked by volume. We perform takedowns for around one third of the world’s phishing attacks and take down 90+ attack types at a rate of 1 attack every 15 seconds. We can help defend your organization against cryptocurrency scams leveraging your brand’s identity.

• The Netcraft browser extension and mobile apps block fraudulent sites, including the cryptocurrency scam sites that were used in this attack. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activities.