An Elaborate Cryptocurrency Scam
The Verge recently revisited “The Great Twitter Hack”, where high profile Twitter accounts were made to tweet a Bitcoin scam.
However, a quick online search revealed that these scam messages were not restricted to Twitter, and were prevalent on Facebook posts, Medium articles, and Quora answers.
Recently, there have been more and more sightings of YouTube LIVE videos pushing out these scam messages. Bitcoin.com reported seeing videos that used the names of Chamath Palihapitiya and Elon Musk to entice viewers to send their bitcoins.
These LIVE videos have high viewership (>10k views) and were posted from channels with large subscriber counts (>100k). I was curious how these videos could obtain such high traction.
The Great T̶w̶i̶t̶t̶e̶r̶ YouTube Hack?
Using two approaches, I realized that these were actually legit YouTube channels that were hacked, taken over and made to post these scam videos.
Approach 1: Finding remnants of original YouTube channel
Approach 2: Observing takeover of YouTube Channel, as it happens
What I find most alarming is that the original channel owners may be unaware that their accounts were taken over. These two channels are still active today.
Scam Tactics
So let’s see what happens when unsuspecting viewers click into the website in the YouTube video…
They will be asked to send some bitcoins to a BTC address and, in return, they will receive a 5x bonus. There is also a table that shows past transactions, i.e. many people have already sent in some BTC and got their 5x bonus.
But a look at the source code revealed that these entries are hardcoded to spoof legitimate transactions. Senders’ addresses and BTC values are randomly generated and refreshed periodically to give the illusion that many others have successfully sent BTC and received their bonuses.
Although most scams were unsuccessful in getting any cryptocurrency, there were some that received BTC.
As the Bitcoin Ledger is public, we can trace the transactions. The diagram below shows the simplified partial transaction network. We can see that the Red Geminidrop.fund’s address sent all the 1.237 BTC to another address (Black bc1qz). This Black address also received 0.855 BTC from another address (Green 1WoodNZh).
A search of the Green 1WoodNZh address showed that it is from another scam YouTube video that was using an interview with Cathie Wood.
Hence, it is likely that the Black bc1qz address is collating the earnings from several YouTube scams, and it has received more than 10 BTC.
Challenging to Identify Scammer
WHOIS information is often unreliable for pinpointing the origin of the scammer. Although the domain information points to locations in Belize and Russia, it is important to note that registrants may not provide accurate information.
Let’s look at the source code of the webpage to see if we can find where they come from. Here, we took a phrase from the JavaScript snippet, “Hurry up, not much more BTC left!”, and ran a Google Search on it.
This led to a task posting on a Russian freelancer site (https://freelance.habr.com/), with a sample JavaScript snippet that is eerily similar to the code on the scam site.
The diagram on the left shows the poster’s profile on https://freelance.habr.com/, and a reverse image search of his portfolio revealed another profile on another Russian freelancer site (https://www.weblancer.net/) with the same portfolio.
How common is this YouTube Hack + Scam?
As Bitcoin keeps breaking all-time-high records, interest in Bitcoin is reigniting, and some of the growing pool of new cryptocurrency holders may fall for such scams. It doesn’t help when YouTube ranks these scam videos at the top (possibly because they a̶r̶e̶ were really legit channels).
The scammers also rode on high-profile events for higher click-through rates on their videos.
It is also easy for the scammers to spin up scam webpages. On the scam websites, one can sometimes find code comments that were automatically added by website copier programs, which download a webpage wholesale for re-upload to another domain later on.
Ending Statement
Google indexes these scam websites. As these websites often use the same structure and keywords, identifying them and then downgrading them on the Search Engine Results Page seems feasible for Google.
To identify hacked channels and scam videos, YouTube could possibly apply a series of rule-based filters based on the following:
- Did the channel and profile picture change suddenly?
- Did all the past videos get delisted except for the newly published LIVE video?
- Did the video OCR content or description match any keywords that usually suggest a high probability of a scam?
- Did the language of the content posted or the comments change?
- Did the viewership demographic of the LIVE video differ drastically from past videos?
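As an added illustration (not code from the original post, and not a YouTube API), the five heuristics above can be scored over before/after channel snapshots; the `Snapshot` fields, the keyword list and the constructed sample channels are assumptions.

```python
from dataclasses import dataclass

# Keywords that usually suggest a scam; this list is an assumption.
SCAM_KEYWORDS = ("giveaway", "send btc", "double your", "5x", "bonus")

@dataclass
class Snapshot:
    """Constructed channel state; fields are assumptions, not YouTube's API."""
    name: str
    avatar_hash: str
    videos: list            # (video_id, is_live, is_listed) tuples
    description: str
    language: str           # dominant language of recent titles/comments
    top_region: str         # region contributing the most views

def channel_signals(before: Snapshot, after: Snapshot) -> dict:
    """Evaluate the five heuristics for a before/after channel transition."""
    listed_before = {v[0] for v in before.videos if v[2]}
    listed_after = [v for v in after.videos if v[2]]
    # Only one listed video remains, it is LIVE, and it did not exist before.
    live_only = (len(listed_after) == 1 and listed_after[0][1]
                 and listed_after[0][0] not in listed_before
                 and len(listed_before) >= 2)
    text = after.description.lower()
    return {
        "identity_changed": before.name != after.name
                            or before.avatar_hash != after.avatar_hash,
        "old_videos_delisted": live_only,
        "scam_keywords": any(k in text for k in SCAM_KEYWORDS),
        "language_changed": before.language != after.language,
        "audience_shifted": before.top_region != after.top_region,
    }

def hijack_score(before: Snapshot, after: Snapshot) -> int:
    """Number of heuristics that fire; a review threshold (e.g. >= 3) is assumed."""
    return sum(channel_signals(before, after).values())

# Constructed sample data: a hijacked transition and a benign one.
BEFORE = Snapshot("Ana's Kitchen", "a1f3", [("v1", False, True), ("v2", False, True)],
                  "Weekly home cooking videos", "es", "MX")
HIJACKED = Snapshot("Tesla Official LIVE", "9c0e",
                    [("v1", False, False), ("v2", False, False), ("live9", True, True)],
                    "Elon Musk giveaway: send BTC and get a 5x bonus back!", "en", "US")
BENIGN = Snapshot("Ana's Kitchen", "a1f3",
                  [("v1", False, True), ("v2", False, True), ("v3", False, True)],
                  "Weekly home cooking videos", "es", "MX")

if __name__ == "__main__":
    print(hijack_score(BEFORE, HIJACKED), hijack_score(BEFORE, BENIGN))  # 5 0
```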
Lastly, it is critical to investigate how these scammers gain access to YouTube channels.
Thank you for reading.