Stream-jacking attacks have gained significant traction on large streaming services in recent months, with cybercriminals targeting high-profile accounts (with a large follower count) to send their fraudulent ‘messages’ across to the masses.

Starting from the fact that various takeovers in the past resulted in channels morphing into impersonations of known public figures (e.g. Elon Musk, Changpeng Zhao) that promoted various scams (e.g. crypto doubling scam), we began a thorough analysis.

This writeup will focus on the takeovers and impersonations found on the YouTube platform.

Modus Operandi

YouTube channels with a sizable subscriber count are highly desirable to cybercriminals who can monetize them by either demanding ransom from the legitimate owner or distributing scams and malware to the accounts’ audience.

The lifecycle of YouTube scams proliferated via high-profile can differ, but no matter the case, hackers usually follow the same MO – attracting their prey by leveraging big brand names or personalities to defraud unwary viewers.

The first step of the attack
This scam, faced by more and more YouTube channels, often originates from targeted phishing attacks. The malicious actors send emails that present opportunities ranging from brand collaborations and sponsorship deals to fake copyright notices from YouTube.

The deception lies in the email’s authenticity. It’s presented as a legitimate business proposition. Cybercriminals, especially those targeting popular channels, mimic communications from trusted third-party vendors or use email addresses that don’t raise immediate suspicion.

The attacker’s main aim is to lead the recipient to download a malicious file. This file is presented as an integral component of the brand collaboration or an important document. While it looks like a regular PDF, it carries the Redline Infostealer malware. This malware is known in certain online circles and is traded in underground markets. Its large size, sometimes over 300MB, is designed to slip past many standard security checks.

When the recipient opens this file, it has no immediate visible effects. However, in just 30 seconds, it gathers vital data from the victim’s computer, focusing on session tokens, cookies, and other valuable information.

After this data is collected, even with two-factor authentication activated, the stolen session tokens grant the attacker direct access to the YouTube account, eliminating the need for passwords or other verification. As a result, the channel becomes compromised.

Red flags to look out for in emails

  • Unexpected emails or text messages that look like they’re from a company you know or trust
  • Emails that use broad greetings like “Dear User” instead of your name/channel.
  • Email addresses that look similar to legitimate ones but might have slight misspellings or different domain extensions.
  • Emails that prompt urgent action through links or documents attached.
  • Messages with noticeable spelling or grammar mistakes.
  • Promotions or offers that seem overly generous or implausible.
  • Unexpected email attachments, such as PDFs or .scv files (usually its malware disguised as a screenshot), especially if you didn’t request them.

Signs your YouTube channel has been hijacked

  • You can’t sign into your account
  • Your account settings have been altered
  • Your profile picture, description and handle have been changed
  • Videos you did not upload appear on your channel
  • You receive notifications about unfamiliar devices or locations that access your account

Tips to help protect your YouTube channel from hijackers

  • Ensure that your account is set up using a unique and strong password – never recycle passwords, you can opt for a dedicated password manager service to help generate and manage secure passwords across all your online accounts
  • Enable additional layers of security such as 2FA or MFA
  • Use caution when interacting with links you see in the comment section of your videos
  • nstall a security solution to protect against phishing and malicious attacks
  • Immediately contact the platform’s support team to report suspicious activity or if you have been logged out of your account
  • Periodically review the list of individuals who have access to your YouTube channel and ensure that only necessary users have access, and limit permissions based on roles and responsibilities.
  • Review the list of third-party applications connected to your account and remove any apps you don’t use, and only keep those that are trustworthy and essential for your channel.
  • Consider using digital identity protection services. These services monitor the web for any data breaches involving your information. If your data is compromised, promptly change the passwords of the affected accounts.
  • Practice good password hygiene by changing your YouTube password account every three months.

Internet users also need to be vigilant and learn how to spot compromised or suspicious accounts by:

  • Scrutinizing videos with click-bait titles that encourage you to invest in crypto or promise hefty returns in Bitcoin investments
  • If it sounds too good to be true, it probably is! Stop and think before you rashly click on links you see in the description of videos
  • Never scan QR codes you see in videos promoting free crypto giveaways
  • Closely inspect the channel for suspicious activity, such as missing or hidden videos
  • Pay close attention to the comment section in videos or livestreams – if the comment section is closed it could be a sign of compromise
  • Use a security solution with anti-phishing technology that detects and blocks phishing attempts before they can damage your finances and identity


If this information is helpful to you read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query. 

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.




Follow us to learn more


Let’s walk through the journey of digital transformation together.

By clicking on the SEND button you agree to the processing of personal data. In accordance with our Privacy Policy

6 + 9 =