How hackers are hijacking YouTube accounts to run ads for cryptocurrency scams

Google’s Threat Analysis Group has shared details about a long-running phishing campaign targeting YouTubers. The campaign, apparently being carried out by hackers recruited in a Russian-speaking forum, uses “fake collaboration opportunities” to attract YouTubers, then hijacks their channel using a “pass-the-cookie attack,” with the goal of either selling it off or using it to broadcast—of course—cryptocurrency scams.

The attacks begin with a phishing email offering a promotional collaboration. Once the deal is agreed, the YouTuber is sent a link to a malware page disguised to look like a download URL. This is where the real action begins: When the target runs the software, it pulls cookies from their PCs and uploads them to “command and control servers” operated by the hackers.