“StreamJacking” is the latest evolution of a crypto scam that has been circulating for several years, this time as a complex campaign in which hundreds of YouTube channels are hijacked each day, pushing fake streams and scam pages that siphon millions of USD worth of crypto funds into a pro-level crypto laundering operation. In this write-up, we shine a light on YouTube channel hijacking as a service, carried out without any significant response from YouTube, and on a lifetime of work by high-profile YouTubers with millions of followers lost for good. We will explore how Elon Musk’s brand is once again exploited by threat actors, and follow the money trail to try and find out the source of this fearless and sophisticated campaign.
Our research team at Guardio Labs witnessed a threatening rise in this never-ending Crypto Giveaway scam. We encounter hundreds of YouTube channels hijacked and abused to steal hundreds of thousands of dollars from crypto owners around the world, each day! The scope of this scam is alarming: it starts with malware that steals your private information and accounts, later targets your crypto wallets, and has the potential to do even more damage in the future.
Digging deeper into this scam flow revealed some interesting techniques and operational concepts, shining light on how those scammers got their hands on so many YouTube channels, abusing yet again one of Google’s biggest distribution channels, and how they exploit the blockchain to cash out and disappear with potentially millions of not-so-well-earned dollars.
The Guardio Labs team deep-dived into this campaign to make sure it won’t harm our users at any point along the attack chain, leveraging detection of malicious ads and search results, malevolent packages of popular software, and of course phishing pages and abused crypto wallet addresses.
Ok, so to make sure Elon won’t show up at Guardio’s offices holding a sink, let’s start by making it clear: this scam has nothing to do with Elon Musk or any of his companies. Elon Musk is yet another brand illegally abused by scammers to gain trust in this social engineering crypto scam plot. He is not the only one, yet indeed the most popular of all.
The end goal here is to make victims believe there is a once-in-a-lifetime opportunity funded by a crypto-related persona (and Elon Musk is the best possible figure to choose). Just send X bitcoins to this address, and you will immediately get double the amount back to your wallet. We’ve seen this before in other variants, like Twitter accounts of high-profile users hijacked to spread those kinds of messages (dating back to 2018):
In this current variation, the propagation method abuses hijacked YouTube channels with large follower counts, changing the entire channel to a “Tesla”, “SpaceX” or other crypto-related theme. The channel is thus transformed into a powerful propagation tool in the hands of threat actors, allowing them to reach directly into the pockets of millions of followers in a single click:
Once this live stream is activated on a hijacked channel (with a recorded and quite old conference video of Elon Musk), it notifies all subscribers of the original channel with a direct push notification, another bonus for the threat actor, “sponsored” by YouTube. In the live stream chat, the scammers advertise this new “campaign” to double your crypto deposit in the name of cryptocurrency’s future. The chat is of course locked, giving only the admins permission to send messages and publish the URL of yet another variant of the phishing page.
A quick search on YouTube reveals all current live streams, just by searching for “Elon Musk” and filtering for live streams. There are tens of live streams at any given minute, and the volume just keeps rising:
From here, users are directed to scam pages and the plot continues. But first things first: hijacking those YouTube channels doesn’t seem like an easy task, especially at this scale, not to mention 2FA! This operation actually started months ago, laying the groundwork for this blitz of “StreamJacking” attacks.
We’ve noticed in the past few months a massive rise in the propagation of stealers, whose sole purpose is to steal any credentials and personal data they can find on victims’ computers. Those stealers are advanced pieces of software, bought on the dark market and distributed as part of malicious packages, game mods, cracked software, and even fake software installers that bring you the authentic software you wanted with a twist: a silently installed stealer.
As an example, the RedLine stealer is a full-blown package with everything needed to steal data en masse, including YouTube credentials and session cookies taken directly from the Chrome browser. It comes with a ready-to-deploy, small-footprint agent, a C2 server, and even a nice UI, all at a comfortable price:
This brings us back to the MasquerAds campaign we covered a month ago, which is still ongoing and does exactly that: it distributes malevolent installers of authentic software incorporating RedLine/Vidar stealers, propagated through malicious promoted Google search results. Moreover, one of the key bad actors, Vermux, also focused their malicious ads on malevolent variants of software commonly used by gamers and content creators (OBS, MSI, Nvidia, Grammarly, etc.). Among those targeted are also owners of some of the most followed channels on YouTube.
Adding to that, a stealer called “YTStealer” is propagated as a “bonus” on top of those malevolent software packages, dedicated solely to hijacking YouTube accounts with live bypassing of 2FA. A dedicated stealer, just for YouTube channels!
Following is an example of such a stealer’s output, showing all the details needed to select the most valuable target and achieve full access to its channel:
After months of propagation and numerous accounts hijacked, the attackers are rolling out the plot and start taking over, one by one, as many channels as they can, spreading this operation over weeks and months. And indeed, we see them picking up the pace lately.
Here is an example we witnessed in real time. Cobus, a famous drummer with more than 1M followers on his channel, got hacked on 17/01/2023. 15 years of videos, reputation, and hard work were lost and are probably gone for good!
As of today, almost a week later, the channel is still down with no salvation from YouTube. It was active as the malicious “Tesla” page, propagating endless live streams of Elon for at least 3 days and sending victims to the phishing page teslanext[.]com, until finally taken down by YouTube:
The actual scam page is quite simple and is duplicated using the same template and the same simple static code, changing colors and the main brand/character from Elon Musk (in different poses) to other presenters:
In the past weeks, some simple hacks and tweaks were introduced by the threat actor to make the page look a bit more reliable and trustworthy, starting with a “Support Chat” popup on the bottom right (which doesn’t answer anything) and a “Live Feed” of transactions purporting to show blockchain activity to the relevant address (as if the funds were being doubled and transferred back). That feed is completely generated with random values in this simple JS code extracted from the page:
// Fake "Live Feed" generator extracted from the scam page. The helpers
// randomString(), lerp() and randomNumber() are defined elsewhere on the page
// and were not extracted; wallet_btc, min_btc, max_btc and multiplier come
// from the window.cdata object shown further down.
if (coin === 'BTC') {
    wallet_from = '1' + randomString(11) + "...";      // fabricated, truncated "sender" address
    wallet_to = wallet_btc;                            // the scammers' real payout wallet
    const max_lerp = lerp(min_btc, max_btc, 0.05);     // fake deposits capped at 5% of the advertised range
    send_amount = randomNumber(min_btc, max_lerp);
    get_amount = send_amount * multiplier;             // the promised "doubled" return
    fee = (send_amount / 100000).toFixed(8);
    send_amount = send_amount.toFixed(8);
    get_amount = get_amount.toFixed(8);
    txhash = randomString(10) + '...';                 // fabricated, truncated transaction id
}
The most important part is where the wallets you are asked to send your crypto funds to are defined: those are set using simple static variables in a short JS snippet:
<script>
window.cdata = {
    wallet_btc: '1DXLTwQWbdUXCN2erk*****************',
    wallet_eth: '0x0B1DA27d7de**************************',
    min_btc: +'0.1',
    max_btc: +'30',
    min_eth: +'0.5',
    max_eth: +'500',
    multiplier: +'2',
}
</script>
Just change the addresses, apply some tweaks to the CSS, and you have a brand new phishing page variant.
Because of the simplicity of this page, it was easy for automated security web crawlers to fingerprint it. Thus, in the past few days we see another evolution of this page: an anti-bot landing page provided as a service by Cloudflare, making it much harder for automated crawlers to actually see the content of the page and block it.
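The static window.cdata block is exactly the kind of thing a crawler can fingerprint. The following is an added example of such a check (our own illustration, not Guardio’s crawler code): it locates the inline window.cdata object in fetched HTML, extracts the payout wallets and the “multiplier” promise, validates the address formats, and returns the wallets as indicators. The sample HTML is constructed for the example; the BTC and ETH addresses in it are taken from the IOC lists later in this write-up. It only works on pages the crawler can actually render, which is precisely why the anti-bot landing page was introduced.

```javascript
// Added example, not code from the page or from Guardio.
// Constructed sample page; addresses copied from this write-up's IOC list.
const SAMPLE_HTML = `<html><body>
<script>
window.cdata = {
wallet_btc: '1DXLTwQWbdUXCN2erkxTjPw921PiPQRzoQ',
wallet_eth: '0xE0Fa757d6b9cFE7d476b2d565e97437c9c55a528',
min_btc: +'0.1',
max_btc: +'30',
min_eth: +'0.5',
max_eth: +'500',
multiplier: +'2',
}
</script></body></html>`;

const CDATA_RE = /window\.cdata\s*=\s*\{([\s\S]*?)\}/;
const FIELD_RE = /(\w+)\s*:\s*(\+?)'([^']*)'/g;      // key: '...' or key: +'...'
const BTC_RE = /^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$/;
const ETH_RE = /^0x[0-9a-fA-F]{40}$/;

// Pull the inline config object out of the HTML into a plain object.
function extractScamConfig(html) {
  const m = CDATA_RE.exec(html);
  if (!m) return null;
  const cfg = {};
  for (const f of m[1].matchAll(FIELD_RE)) {
    const [, key, unaryPlus, raw] = f;
    cfg[key] = unaryPlus ? Number(raw) : raw;        // "+'0.1'" is the page's way of coercing to a number
  }
  return cfg;
}

// Fingerprint: at least one syntactically valid payout wallet plus a
// "multiplier" promise greater than 1 marks the doubling-scam template.
function fingerprintScamPage(html) {
  const cfg = extractScamConfig(html);
  if (!cfg) return { match: false, reason: 'no window.cdata block', wallets: [] };
  const wallets = [];
  if (BTC_RE.test(cfg.wallet_btc || '')) wallets.push({ chain: 'BTC', address: cfg.wallet_btc });
  if (ETH_RE.test(cfg.wallet_eth || '')) wallets.push({ chain: 'ETH', address: cfg.wallet_eth });
  const match = wallets.length > 0 && typeof cfg.multiplier === 'number' && cfg.multiplier > 1;
  return { match, multiplier: cfg.multiplier, wallets };
}

module.exports = { SAMPLE_HTML, extractScamConfig, fingerprintScamPage };
```

The extracted wallet addresses are the most durable indicator here: the domains and colors change between variants, but the same payout wallets tend to be reused across many of them.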
Where are those pages coming from? Well, this surely seems like a well-organized operation by a specific threat actor. The pages are all almost identical, all hijacked channels share the same messages, and it seems like an automated script prepares the hijacked channels and publishes the live streams, again and again. The main clue we can use here for the origin is where those scam pages are hosted, and here it becomes interesting!
There are several variants of these pages hosted in the US under Cloudflare, Fastly, and other hosting services. Yet the vast majority of scam pages (hundreds of variants in the past weeks alone) come from a specific group of ASNs located in Russia:
- 185.149.120.127 (AS57724 DDOS-GUARD, RU)
- 185.149.120.107 (AS57724 DDOS-GUARD, RU)
- 185.149.120.95 (AS57724 DDOS-GUARD, RU)
- 185.149.120.89 (AS57724 DDOS-GUARD, RU)
- 185.149.120.87 (AS57724 DDOS-GUARD, RU)
- 185.149.120.75 (AS57724 DDOS-GUARD, RU)
- 185.149.120.73 (AS57724 DDOS-GUARD, RU)
- 185.149.120.69 (AS57724 DDOS-GUARD, RU)
- 185.149.120.67 (AS57724 DDOS-GUARD, RU)
- 185.149.120.47 (AS57724 DDOS-GUARD, RU)
- 185.149.120.19 (AS57724 DDOS-GUARD, RU)
- 185.149.120.15 (AS57724 DDOS-GUARD, RU)
- 185.149.120.7 (AS57724 DDOS-GUARD, RU)
- 186.2.171.28 (AS262254 DDOS-GUARD CORP, RU)
- 186.2.171.6 (AS262254 DDOS-GUARD CORP, RU)
- 79.137.192.228 (AS204603 PARTNER-AS, RU)
- 79.137.192.33 (AS204603 PARTNER-AS, RU)
- 79.137.192.1 (AS204603 PARTNER-AS, RU)
Most noteworthy of the above is the first subnet, 185.149.120.X, to which belongs another infamous IP address (185.149.120.9) used solely by Vermux. The latter is a threat actor we met in late 2022, responsible for many of the stealers infecting those same YouTube channel owners who have fallen to the MasquerAds scam. There are other ASNs, as well as other geo-locations, serving the same phishing pages; copycats are surely trying to grab a piece of the cake, yet the suggested completeness of the attack chain here is just too obvious to miss!
So now to the real magical part: the blockchain. We are already well aware that crypto transactions, although fully public, are hard to nearly impossible to trace back to their real owners. Yet more and more security firms, as well as governmental organizations, are now trying to fill the gap and doing their fair share to stop the abuse of this growing currency market. As an example, and yet again abusing Google Ads, we heard lately about a seizure of almost 1.4M USD in Ethereum at gate.io depositor, detected and blocked by FORDEFI.
Going back to the hijacked YouTube channel of Cobus, we had a deeper look at the specific BTC wallet address that was pushed to victims from the phishing page at teslanext[.]com:
1DXLTwQWbdUXCN2erkxTjPw921PiPQRzoQ
The following is just one partial example, yet we observed similar patterns in all other crypto wallets used on other variants. The initial process to set up the scam page includes:
From this point on, funds go through different transaction paths; the more complex, the better for scammers to launder their funds and hide their identity. Some repeated concepts we’ve observed include:
Altogether, we are witnessing here the full glory (as well as the obscurity) of the blockchain. Once funds leave the scam page’s wallet address (the Entry Point), they are practically lost. Yet we do see patterns at the Entry Point that can easily be observed by anyone, prior to making any transaction to an unknown target. This is good practice in general, and finally a secure and useful feature we have only on the blockchain.
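One Entry Point check anyone can run before sending funds follows directly from the scam’s own promise: if every deposit really were returned doubled, the wallet’s public history would show payouts back to the depositors. The example below is added here as an illustration (our own code, not the analysis from the write-up), run over a constructed transaction list shaped like a simple explorer export; the entry-point address is the one quoted above, and the depositor and sweep labels are placeholders, not real addresses.

```javascript
// Added example, not the write-up's own analysis. Transaction data is constructed.
const ENTRY_POINT = '1DXLTwQWbdUXCN2erkxTjPw921PiPQRzoQ';

// Constructed sample history (amounts in BTC); counterparties are placeholders.
const SAMPLE_TXS = [
  { txid: 'tx01', from: 'depositor_A', to: ENTRY_POINT, amount: 0.5 },
  { txid: 'tx02', from: 'depositor_B', to: ENTRY_POINT, amount: 1.2 },
  { txid: 'tx03', from: 'depositor_C', to: ENTRY_POINT, amount: 0.3 },
  { txid: 'tx04', from: ENTRY_POINT, to: 'sweep_wallet_1', amount: 1.99 },
  { txid: 'tx05', from: 'depositor_D', to: ENTRY_POINT, amount: 2.0 },
  { txid: 'tx06', from: ENTRY_POINT, to: 'sweep_wallet_2', amount: 2.0 },
];

// Compare what the wallet received from each depositor with what it ever sent
// back to that depositor, and how much of the total simply left elsewhere.
function assessEntryPoint(address, txs, multiplier = 2) {
  const inbound = txs.filter(t => t.to === address);
  const outbound = txs.filter(t => t.from === address);

  const depositors = new Map();                       // depositor -> total sent in
  for (const t of inbound) depositors.set(t.from, (depositors.get(t.from) || 0) + t.amount);

  let paidBack = 0;                                   // depositors who got the promised multiple
  for (const [dep, sent] of depositors) {
    const returned = outbound.filter(t => t.to === dep).reduce((s, t) => s + t.amount, 0);
    if (returned >= sent * multiplier) paidBack++;
  }

  const received = inbound.reduce((s, t) => s + t.amount, 0);
  const forwarded = outbound.reduce((s, t) => s + t.amount, 0);
  const outboundTargets = new Set(outbound.map(t => t.to)).size;

  return {
    depositors: depositors.size,
    paidBack,
    forwardedShare: received ? forwarded / received : 0,  // fraction of deposits swept elsewhere
    outboundTargets,
    verdict: depositors.size > 0 && paidBack === 0 ? 'promise never honoured' : 'needs review',
  };
}

module.exports = { ENTRY_POINT, SAMPLE_TXS, assessEntryPoint };
```

On the constructed history the wallet has four depositors, none of whom ever received anything back, and almost 100% of the incoming value left for two unrelated addresses. The same question can be asked of a real address on a public explorer such as blockchain.com before a single satoshi is sent.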
There are plenty of checkpoints that need more robust and secure handling in this “StreamJacking” campaign. That includes us, the potential victims, who need to be much more aware of the risks and of the simple checks we should do before downloading software or transferring funds to an unknown address. Yet much of the responsibility is again set aside by the big names here, who allow malicious ads and promoted search results, mishandle hijacked channels, and take their time removing those obvious scams from their biggest distribution channels.
Our advice here is even simpler: there are no free gifts! Especially with crypto. Use its power to validate the services and people you do business with, use services like blockchain.com to review wallet activity, double-check that you downloaded your software from the right place, and don’t, just don’t, click on the first search result you get…
More robust and unbiased security measures are needed today, more than ever before. This is why here at Guardio we never blindly trust anyone: Google Ads can redirect to malware and phishing sites, YouTube channels can suddenly change skin and intentions, and we are already on the lookout for what’s next.
Following is a partial list of the most active IOCs in the past few weeks.
Active IP Addresses dedicated to StreamJacking scam pages:
185.149.120.127
185.149.120.107
185.149.120.95
185.149.120.89
185.149.120.87
185.149.120.75
185.149.120.73
185.149.120.69
185.149.120.67
185.149.120.47
185.149.120.19
185.149.120.15
185.149.120.7
186.2.171.28
186.2.171.6
79.137.192.228
79.137.192.33
79.137.192.1
Example list of scammers’ crypto wallets used in the past week:
BTC:
1DXLTwQWbdUXCN2erkxTjPw921PiPQRzoQ
1Nn7TNxbV8d2CHm81Endokq1ChEy57bE2R
19PaPp5YpPdQvwotooi3dR2WBdGRfA427J
6nNwE5N4EetPPBb3wsAgvux7ZbBBqw1UG
1HAxpac6rswyMS1RLK8ueujFNRKWaZXsBe
1JeX6RTysJSkfbbwEf7X95Xfdo7SFoXPED
1PGwcT2RLDS15vw52fcrAGLKtvCU97F2x8
16GAGfSG9MXq12te6Bt7NM9PUAFc39Gufc
1Jd7dRxHjM1HRKgBYJHQHdif6wYFMfzJNN
18UgJ7sa1USxWWjQiFkQYfghRPaCRQun3B
19Bs9WefvtSqCBQTs5M9Tk76qHVNp8CRLK
14BUo3DMAmw7z1NNrG3rLZBXdpw28oJCR3
1JWxXQCRWSav2qi29wSiE7W1JTFerKB7mN
1EGL5Jmpdu99sdyuDUyYQMyzBjHYiZEsvK
1KxGCZByhj1mqexTjXvkuD7mksqv8aKtu
1E5F5CrxQkoQWzAFzfnTdpGVdHLhQj1QYZ
1D3NLa3pPnjKmo2Kbuvw95xnEemV9fmwUX
bc1q4r7naze9yhd0qmngdxq4r54xn228eh5tgv3rhu
1JYEoYeAg6JLY8PhTKC2UfVcwKUqWnXwH2
1GFaeZBshU2A8ph9NcXUUU5QHAVCqJmgQU
ETH:
0xE0Fa757d6b9cFE7d476b2d565e97437c9c55a528
0x5e3C51C3a243C805CBF8FCc4030140d0fE2B8B58
0x90D8AD44e01b94F8E18f578942c63d76702D851d
0x5508588241137752340eD99cF5A958A0beF05552
0x3aCfa34F66Bd9D6B9046d03A6F98b2b3d22cdFcb
0x66B6cC702B18377D45D763a7019606ff7315F11E
0xB0a0b74DcB7912b12FDa4d33Acbe9439b8c63ab5
0x9dfFe33B36f9021a1b23df173988d879700Be76a
0x6881D06DEec5575485cb437E669a904420ACE2C6
0x93E576f195Cbc5b977D8E7155b4D0206d9ce7321
0x03e89f0540645FFFFdF295Cf59d75d6C76e836c5
0x20dD0BbDB0C005f48022C9104a622C5D257aF339
0x9855173FC288785D34C7e9D3D570AE99767d22B3
0x37C78b068FB102a2d499F06E589b34779a17bb06
0x0C68F5C87dC4dC1501d6CEd1d4162d3ba2ade5a2
0x64668E1e4328790eBD5b5Ca39828363987bf321f
0x591F197Fbd1D013a6A691853da59e98A5BEbbda1
0x766AE03BFd9d4548d17FD9cE1b66F2114336E055
0xdd849D70A509d7489dF6eB37b3C14d9D2F00b774
SHIB:
0x3aCfa34F66Bd9D6B9046d03A6F98b2b3d22cdFcb
0x03e89f0540645FFFFdF295Cf59d75d6C76e836c5
Domains used for scam pages following the above IP list:
2023musk[.]com
20ethereum[.]org
23tesla[.]com
23tesla[.]net
23tesla[.]org
2xark[.]pro
2xspacex[.]com
arkace[.]pro
arkjust[.]io
arkrage[.]pro
binance[.]us[.]cryptox2[.]org
bonustesla[.]io
btcrise[.]org
btcvolume[.]net
btcvolumes[.]net
ceotesla[.]io
claim-x2[.]livea
coinlistx2[.]com
coinlistx2[.]net
crypto2x[.]ltd
cryptopromo[.]org
dotesla[.]io
elon2btc[.]net
elon2finance[.]com
elon2x[.]net
elonusdt[.]com
elonx2[.]com
ether2x[.]pro
ethstake[.]pro
ethtesla[.]io
ethupdate[.]pro
events-x2[.]net
futuremusk[.]net
gift-musk[.]net
givetsla[.]io
infotesla[.]io
infotesla[.]pro
livetesla[.]io
mergeark[.]com
mergex2[.]com
microstrategy-gift[.]net
musk4u[.]com
musketh[.]io
muskstocks[.]com
muskx2[.]net
muskx2[.]org
newtesla[.]io
newtesla23[.]pro
promo-x2[.]com
riseeth[.]tech
shiba-now[.]com
shibaelon22[.]net
space-x23[.]net
space2tesla[.]com
stakedub[.]com
take-tesla[.]com
tesla-2xbtc[.]com
tesla-crypto[.]site
tesla-cryptos[.]site
tesla-foundation[.]top
tesla-pump[.]site
tesla-rich[.]info
tesla2023[.]net
tesla2023[.]pro
tesla2024[.]top
tesla23[.]io
tesla23[.]org
tesla23[.]pro
tesla23new[.]pro
tesla2space[.]com
teslabull[.]io
teslaceo[.]io
teslado[.]io
teslagives[.]io
teslahigh[.]io
teslalive23[.]io
teslanext[.]com
teslapump[.]io
teslarep[.]com
teslarich[.]io
teslatake[.]io
teslaup[.]io
teslause[.]net
teslax2[.]site
teslayear[.]com
timetesla[.]io
tsladoge[.]io
tslaeth[.]io
tslatake[.]net
tslausdt[.]com
tslausdt[.]io
twittertake[.]com
uptesla[.]io
usdmusk[.]org
vechain2x[.]top
vitalikusdt[.]com
waytesla[.]com
waytesla[.]io
x2-cryptocurrency[.]com
x2-invest[.]net
x2ether[.]io
x2merge[.]com
x2pal[.]com
x2safu[.]com
x2space[.]com
x2spacex[.]io
x2tate[.]net
x2tesla[.]com
xrp-hold[.]org
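To make the lists above directly usable, here is an added example (our own code, not part of the original write-up) that refangs the defanged indicators (“[.]” back to “.”), builds a lookup set, and scans constructed proxy-style log lines for hosts that equal a listed domain, are a subdomain of one, or are a listed IP. Walking up the label chain also catches entries like binance[.]us[.]cryptox2[.]org, where a trusted-looking prefix sits in front of the scam domain. Only a subset of the domains and IPs above is embedded; the log lines are constructed for the example.

```javascript
// Added example, not the write-up's own tooling. Indicators are a subset copied from above.
const DEFANGED_DOMAINS = [
  'teslanext[.]com',
  'binance[.]us[.]cryptox2[.]org',
  '2xspacex[.]com',
  'x2tesla[.]com',
];
const IOC_IPS = ['185.149.120.127', '185.149.120.7', '79.137.192.1'];

// "[.]" -> "." and lower-case, so indicators and log hosts compare cleanly.
function refang(indicator) { return indicator.replace(/\[\.\]/g, '.').toLowerCase(); }

function buildIocSet(domains, ips) {
  return { domains: new Set(domains.map(refang)), ips: new Set(ips) };
}

// Returns the listed domain a hostname matches (exact or as a subdomain), or null.
function matchHostname(hostname, iocs) {
  const labels = refang(hostname).replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (iocs.domains.has(candidate)) return candidate;
  }
  return null;
}

function matchIp(ip, iocs) { return iocs.ips.has(ip.trim()); }

// Constructed proxy log lines: "<client> <destination host or IP> <url>"
const SAMPLE_LOG = `
10.0.0.5 www.teslanext.com https://www.teslanext.com/
10.0.0.7 example.org https://example.org/
10.0.0.9 cdn.binance.us.cryptox2.org https://cdn.binance.us.cryptox2.org/
10.0.0.9 185.149.120.7 http://185.149.120.7/
`;

// One hit per log line whose destination matches a domain or IP indicator.
function scanLog(log, iocs) {
  const hits = [];
  for (const line of log.split('\n').map(l => l.trim()).filter(Boolean)) {
    const [client, dst] = line.split(/\s+/);
    const d = matchHostname(dst, iocs);
    if (d) hits.push({ client, indicator: d, kind: 'domain' });
    else if (matchIp(dst, iocs)) hits.push({ client, indicator: dst, kind: 'ip' });
  }
  return hits;
}

module.exports = { DEFANGED_DOMAINS, IOC_IPS, SAMPLE_LOG, refang, buildIocSet, matchHostname, matchIp, scanLog };
```

Wallet addresses from the list above can be added to the same structure as exact-match strings; they are worth keeping longer than domains, since the domains rotate far faster than the payout wallets.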