Cybercriminals are using AI to create deepfakes of known figures and celebrities, hijack YouTube channels, and steal money from victims using classic “Double Your Crypto” scams.
After months of investigation, Bitdefender released its new Stream-Jacking 2.0 report on January 18, revealing sophisticated cybercriminal tactics, including using AI to create deepfakes in a new twist on classic ‘stream-jacking’ and crypto scams.
We asked Bitdefender to dig further into their findings with us.
Who is Behind the New Wave of Crypto Stream-Jacking Attacks?
Bitdefender tracked the crypto wallets in the latest scam campaigns and concluded that criminals have netted over $600,000 so far.
“It is unknown if there is only one threat actor behind these scams.
“The more plausible scenario is that there is a collaboration between multiple threat actors who specialize in distinct parts of the process: credential stealing, creating phishing/fraud templates and infrastructure for the malicious websites and distribution on online social networks.
“In our research, we found information about the group that is creating and selling the templates and infrastructure for the malicious websites.
“They present their “products” on various “official” Telegram groups in which they make announcements in the Russian language.
“Another common detail is that the actors use a Russian registrar to register the malicious domains before their use.”
Blueprint and Anatomy of the Doubling-Crypto Stream-Jacking Crime
Before we dive into the attack and its specifics, it’s worth mentioning that crypto-doubling scams are exactly what they sound like: criminals promise victims that they will double whatever amount of crypto the victims send to an unknown digital wallet.
Given the irreversible nature of blockchain transactions, once the allure of a quick double-up tempts you to send your funds, you will only realize too late that it is a one-way street.
What would make someone fall for an attempt? The answer lies in the sophistication of the malicious technology criminals use and in their mastery of social engineering techniques, a fancy way of saying running a con.
And with 2.7 billion active YouTube users, con artists can cast the net quite wide for unsuspecting targets.
So let’s dive into that and lay out a blueprint on how criminals play out this con to shine some necessary light on it.
How Stream-Jacking to Steal Crypto Works
1. Take over a Hot YouTube Account and Prepare it for Fraud
The first step in this hack involves taking over a YouTube account. But it’s not just any YouTube account that criminals are breaching.
Bitdefender explains that they target content makers from different countries, including the US, Brazil, India, Indonesia, Mexico, Vietnam, UK, France, Spain, and many others.
More importantly, the YouTube accounts these bad actors look for already have many subscribers — running from 1 million to 12.5 million. By hijacking these high-value YouTube accounts, they secure a large audience and a powerful attack vector.
To breach YouTube accounts, bad actors are using several versions of stealer malware that can access user tokens. They usually do this by illegally accessing a user’s browser data, where saved passwords, cookies, and the session tokens that keep a user signed in are stored. But the work for them does not end there.
Once they breach the YouTube account that meets their specific demands for this fraud, in just a matter of minutes, criminals will:
- Change the channel name and handle.
- Set all videos to private to hide previous existing content.
- Replace the channel avatar and banner with content designed to impersonate the entity they are pretending to be to conduct the fraud.
- Change or eliminate the channel’s description, links, featured channels, and anything that might lead to the identification of the original channel.
- Add a channel link to redirect users to a malicious website that promotes the crypto doubling scam.
- Turn off the Live chat section of videos to prevent someone from “blowing the lid” during a livestream.
- Restrict some videos so that they can only be seen by users signed in to YouTube.
Bitdefender says they witnessed how hackers did all this in just a matter of seconds to avoid being banned or shut down by YouTube.
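A platform’s account-security or trust-and-safety team can turn that checklist into a detection rule: a legitimate creator rarely renames the channel, swaps the avatar and banner, privatizes the back catalogue, adds an external link and disables live chat all inside a few minutes. The following is an added example, not code from the Bitdefender report or from YouTube. It assumes a simple audit-log format (timestamp, channel id, action name, optional detail) and action names chosen for illustration, and it flags any channel on which several distinct rebrand actions land inside a short window.

```python
"""Detect a takeover-then-rebrand burst in channel audit events.

Added example for illustration only. The log format ("ISO timestamp,
channel id, action, optional detail") and the action names are assumptions,
not a real platform's audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Account changes that, taken together, match the rebrand checklist above.
SENSITIVE_ACTIONS = {
    "channel_renamed", "handle_changed", "video_set_private",
    "avatar_changed", "banner_changed", "description_changed",
    "links_changed", "external_link_added", "live_chat_disabled",
}

# Constructed audit log. chan-B is rebranded end to end inside 30 seconds;
# chan-C makes two ordinary edits hours apart; chan-A only uploads a video.
SAMPLE_LOG = """\
2023-12-12T09:00:01Z chan-A video_uploaded
2023-12-12T09:14:05Z chan-B channel_renamed Tesla Live Event
2023-12-12T09:14:09Z chan-B handle_changed @tesla_live_event
2023-12-12T09:14:11Z chan-B video_set_private count=412
2023-12-12T09:14:15Z chan-B avatar_changed
2023-12-12T09:14:16Z chan-B banner_changed
2023-12-12T09:14:20Z chan-B description_changed
2023-12-12T09:14:24Z chan-B external_link_added https://giveaway.example/qr
2023-12-12T09:14:30Z chan-B live_chat_disabled
2023-12-12T10:02:00Z chan-C avatar_changed
2023-12-12T14:40:00Z chan-C description_changed
"""


def parse_log(text):
    """Parse log lines into (timestamp, channel, action, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        detail = parts[3] if len(parts) > 3 else ""
        events.append((ts, parts[1], parts[2], detail))
    return events


def find_rebrand_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Return {channel: set of distinct sensitive actions} for every channel
    on which at least `min_distinct` different sensitive actions occur
    within `window`. Ordinary channels rarely touch that many settings at once."""
    by_channel = defaultdict(list)
    for ts, chan, action, _detail in events:
        if action in SENSITIVE_ACTIONS:
            by_channel[chan].append((ts, action))

    alerts = {}
    for chan, acts in by_channel.items():
        acts.sort()
        start = 0
        best = set()
        # Sliding window over this channel's time-sorted sensitive actions.
        for end in range(len(acts)):
            while acts[end][0] - acts[start][0] > window:
                start += 1
            distinct = {a for _, a in acts[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_distinct:
            alerts[chan] = best
    return alerts


if __name__ == "__main__":
    for chan, actions in find_rebrand_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{chan}: {len(actions)} distinct rebrand actions -> {sorted(actions)}")
```

The threshold counts distinct action types rather than raw events, so a creator bulk-privatizing a hundred old videos (one action type, many events) does not trip it, while the full rebrand sequence does. In a real deployment the alert would also be weighted by whether the session originated from a new device or location, since the article notes the takeovers start with stolen browser tokens.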
Criminals will also sometimes create a malicious site with information on the fake crypto giveaway. Bizga told Techopedia that the bad actors could also gather personal data from those visiting the streams and malicious sites.
“Threat actors could also be collecting user traffic data generated by the individuals who visit their websites, including IP addresses, User Agents, and so on. It is also likely that they use analytic data offered by default on YouTube (for both ads and livestreams).”
As stream-jacking evolves, criminals leverage crypto, blockchain, and news of popular events to lure in potential victims, creating streams that align with these time-sensitive events.
Premeditated scams based on official and widely-known events discovered by Bitdefender since October 2023 include:
- The SEC-XRP trial
- SpaceX USSF-52 flight
- Changpeng Zhao stepping down as CEO of Binance
- BitCoin price predictions
- Elon Musk crypto, SpaceX, and Tesla news
- The Tesla Cyber Truck launch
- Michael Saylor, MicroStrategy news
The reasons why this technique is used are pretty obvious — it draws in a bigger crowd, creates a fake sense of trust, and instills a sense of urgency while clouding the minds of viewers.
Once criminals find the perfect news event, they develop and launch fake YouTube streams, along with malicious QR codes, fake YouTube ads, and the accompanying crypto-doubling scam websites.
3. You Will Never Get the Real Thing, So Deepfake It With AI
Up until a couple of months ago, in October 2023, criminals were merely using looped videos of famous conferences or celebrities of the crypto world talking.
On top of these loops, they would insert their malicious links, QRs, and other material to trick users into giving away their crypto with the illusionary hope of seeing it double.
But now things are really starting to heat up thanks to the progress of AI. Bitdefender explains that criminals are using deepfakes that impersonate known public figures.
An example includes a deepfake video of MicroStrategy’s former CEO where he can be seen “encouraging the community to participate in the giveaway (fraud) by scanning the QR code and following the instructions found on the website”. Bitdefender explains more.
“Some of the observed deepfakes are of decent quality and could easily fool an untrained eye. Another new commonality of these deepfakes is that they are sometimes used in YouTube ads instead of malicious livestreams, giving cybercriminals more leeway for spreading the scams (fraudsters can easily pay for these phony ads until they are banned by YouTube).”
We asked Bizga what AI software or app the criminals are using.
“The deepfakes were not thoroughly analyzed to infer the possible technologies that were used.
“However, there is plenty of free/open-source software that allows the creation of deepfakes, which can be seen all over the internet.
“While it is very common to see deepfakes that entertain social media audiences, nothing stops the users from creating malicious or misleading content with these technologies.”
Bizga added: “Given the fact that some of the observed deepfakes are of poor quality, it would be safe to say that the cybercriminals are not using bleeding edge technologies to generate fraudulent deepfakes.”
4. It’s a Hit and an Illegal Money-Maker! So Run It Again and Spam It
The success of this illegal crypto-scam stream show is mostly based on numbers.
Bitdefender identified that the top 3 hijacked accounts alone equate to over 31 million subscribers. According to Bitdefender’s conservative estimates, criminals have taken over $600,000 so far.
Another number that is key to the success of this criminal enterprise is the number of fake streams released into the wild. Cybercriminals are going for the big kill using spam techniques, as Bitdefender explains:
“Hundreds of malicious broadcasts were observed in the last couple of weeks (of December 2023), qualifying it as one of the most intensive scam campaigns we’ve seen so far.”
At this point, any user would wonder what role YouTube plays in all of this, as it is natural to assume that malicious content streamed over hijacked accounts should be fairly easy to identify and shut down by the giant streaming media platform owned by Google. We asked Bizga to enlighten us on that particular issue.
“YouTube manages to delete most of the malicious livestreams and channels relatively fast (although there are instances in which the livestreams stay up for more than 10 hours).
“However, it doesn’t seem like YouTube is taking any preventive measures to stop the proliferation of the scams, with cyber criminals posting hundreds of malicious livestreams daily, most of which share common details (same title, same description, same video thumbnail, and so on).”
As one part of the solution, Bizga said: “YouTube ads that contain deepfakes and flash QR codes should also be audited more thoroughly before they are shown to potentially millions of users worldwide.”
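The shared details Bizga lists (same title, same description, same thumbnail) are exactly what a defender can cluster on, and they separate a mass-produced campaign from one creator’s recurring show. The following is an added example, not code from the Bitdefender report or from any platform; the record fields and the sample streams are constructed. It fingerprints each stream’s normalized title, description and thumbnail hash, links streams that agree on at least two of the three, and flags only clusters that span several distinct channels.

```python
"""Cluster livestream metadata to spot mass-produced scam broadcasts.

Added example for illustration only. The record fields (stream_id, channel,
title, description, thumbnail_hash) and the sample streams are constructed,
not a real platform's API schema or real data.
"""
import hashlib
import re
from collections import defaultdict

# Constructed records. s1-s3 are one campaign re-posted from three hijacked
# channels with small cosmetic changes; s4-s6 are a legitimate recurring show
# on two channels (same title and text, fresh thumbnail each week).
SAMPLE_STREAMS = [
    {"stream_id": "s1", "channel": "chan-B",
     "title": "Tesla LIVE: Elon Musk on Crypto Future!",
     "description": "Scan the QR code on screen to take part in the giveaway",
     "thumbnail_hash": "aa11"},
    {"stream_id": "s2", "channel": "chan-D",
     "title": "tesla live elon musk on crypto future",
     "description": "Scan the QR code on screen to take part in the GIVEAWAY!!!",
     "thumbnail_hash": "aa11"},
    {"stream_id": "s3", "channel": "chan-E",
     "title": "Tesla LIVE: Elon Musk on Crypto Future!",
     "description": "Elon announces the biggest giveaway ever",
     "thumbnail_hash": "aa11"},
    {"stream_id": "s4", "channel": "chan-F", "title": "Weekly cooking stream",
     "description": "Pasta night", "thumbnail_hash": "cc33"},
    {"stream_id": "s5", "channel": "chan-F", "title": "Weekly cooking stream",
     "description": "Pasta night", "thumbnail_hash": "cc34"},
    {"stream_id": "s6", "channel": "chan-G", "title": "Weekly cooking stream",
     "description": "Pasta night", "thumbnail_hash": "cc35"},
]


def normalize(text):
    """Lower-case, strip punctuation and collapse whitespace so cosmetic
    edits (capital letters, extra exclamation marks) do not break a match."""
    return " ".join(re.sub(r"[^\w\s]", "", text.lower()).split())


def fingerprints(stream):
    """Per-field fingerprints; the thumbnail is already a content hash."""
    return {
        "title": hashlib.sha256(normalize(stream["title"]).encode()).hexdigest(),
        "description": hashlib.sha256(normalize(stream["description"]).encode()).hexdigest(),
        "thumbnail": stream["thumbnail_hash"],
    }


def find_campaigns(streams, min_shared_fields=2, min_channels=3):
    """Link streams that agree on at least `min_shared_fields` of the three
    fingerprints, then report clusters spanning `min_channels` or more
    distinct channels as sorted lists of stream ids."""
    fps = [fingerprints(s) for s in streams]
    parent = list(range(len(streams)))  # union-find forest over stream indexes

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Pairwise comparison is fine for a demo; at scale, index by fingerprint.
    for i in range(len(streams)):
        for j in range(i + 1, len(streams)):
            shared = sum(fps[i][f] == fps[j][f] for f in fps[i])
            if shared >= min_shared_fields:
                ri, rj = find(i), find(j)
                if ri != rj:
                    parent[rj] = ri

    clusters = defaultdict(list)
    for i in range(len(streams)):
        clusters[find(i)].append(i)

    campaigns = []
    for members in clusters.values():
        channels = {streams[i]["channel"] for i in members}
        if len(channels) >= min_channels:
            campaigns.append(sorted(streams[i]["stream_id"] for i in members))
    return campaigns


if __name__ == "__main__":
    for ids in find_campaigns(SAMPLE_STREAMS):
        print("likely campaign across channels:", ids)
```

Requiring two of three fields to match tolerates the small edits scammers make between re-posts (a new thumbnail, extra punctuation in the title) without linking unrelated streams, and the distinct-channel threshold is what keeps a genuine show that one creator streams weekly out of the alert queue.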
Keeping Safe, Spotting Deep Fakes and the Fool and His Crypto
While cybercriminals continue to use technological advancements and AI to create more legitimate-looking messages and videos to defraud internet users, steal personal data, and take over their digital lives, we also see new AI-powered scam detectors, AI deepfake identifiers, and new security solutions that will hopefully rise to the occasion.
Bizga expects stream-jacking to keep evolving.
“As the prevalence of these scams continues to increase, we expect that cybercrooks will continue to evolve them into more credible schemes. Stream-jacking alone will be possible as long as the credentials of the end users end up being compromised and sold on the dark web.”
Despite all of this, the truth is that however sophisticated the criminals’ technology and however skilled these gangs are at conning crypto enthusiasts, this scam still requires a high degree of human foolishness.
Bizga told Techopedia that users can also spot compromised or suspicious accounts by scrutinizing videos with click-bait titles that encourage you to invest in crypto or promise hefty returns in Bitcoin investments.
Naturally, Bizga adds that users should never scan QR codes seen in videos promoting free crypto giveaways. In the end, it all comes down to simple advice, as Bizga says:
“If it sounds too good to be true, it probably is! Stop and think before you rashly click on links you see in the description of videos.”
Crypto giveaways are common, but no legitimate company, organization, or person would ever seriously offer to double someone’s crypto. Therefore, the biggest protection that users have against this type of scam is merely common sense.
Additionally, good security hygiene practices like setting browsers to the highest security levels, using strong passwords and multi-factor authentication (including biometrics if possible), and exercising caution when interacting with livestreams, videos, websites, links, and downloads go a long way too.
It is also important for those who spot a scam like this to report it immediately. All it really takes is clicking on one button. Yes, that would be the one that says “Block and Report”.