Sophos Cloud Optix
Crypto scammers hijacked three YouTube channels to impersonate Elon Musk’s SpaceX channel, offering bogus BTC giveaways that earned them nearly USD $150,000 over the course of two days.
The scamming channels were first reported on Hacker News. Bleeping Computer followed up with a full report.
According to Bleeping Computer and the reports filed in the BitcoinAbuse database, the scammers took over legitimate YouTube accounts and changed the branding to look like that of Elon Musk’s rocket company. They were caught live-streaming footage of the founder as he spoke at conferences and during interviews.
The hijacked YouTube channels – previously known as Juice TV, Right Human, and MaximSakulevich – were renamed Space X Live or SpaceX after crooks got control of them. Then, the channels were used to push scams that asked for a small amount of Bitcoin in exchange for double their money back.
The hijacked accounts came with sizable numbers of subscribers: one had 230,000 followers, while another had 131,000. The legitimate SpaceX YouTube channel has 4.33 million subscribers.
The ruse worked. As of Tuesday, there were 80,000 people watching the live stream. Since 8 June, the scam had generated close to $150,000 in bitcoins.
Before they got yanked for violating YouTube policy, the channels running these scams were asking people to send bitcoins to two addresses. One wallet recorded 85 transactions, receiving 11.25 BTC, while a second, with 37 transactions, took in 5.51 BTC.
The bitcoin addresses were reported to the BitcoinAbuse database – a good place to check on whether an address has been reported for milking people.
Musk is a tasty target
With a following as big as the legitimate SpaceX, it’s easy to see why this isn’t the first time that Musk and his rocket company have been used to promote a crypto scam.
In October 2018, we saw it happen on Twitter. In spite of only being up for 12 hours, 17 people fell for it. The scammers made 1.623 BTC, which at the time was worth over $10,000 USD.
Cryptocurrency giveaway scams are popular among fraudsters. They typically target users of Ethereum and Bitcoin, two of the most popular cryptocurrencies. They lure in victims by offering free coins online. All the victims have to do is first send a small amount of the cryptocurrency to the address before they receive a beaucoup return. Of course, victims get no beaucoup. Instead, they get bupkus: no double-your-money-back, no return of the money originally sent.
It’s a variant of the age-old 419 scams that have plagued email users. In 419 scams, the crooks claim to be high-ranking officials needing to get money overseas. They ask victims to send them a small amount of money in exchange for millions. Predictably enough, the money never comes.
How scammers hijack accounts
If you’re a scammer looking to fleece a crowd of loyal followers to pitch one of these scams to – as in, somebody else’s loyal followers – the easiest thing to do is take over an existing account. We don’t know how the SpaceX scammers got hold of the YouTube channels they hijacked, but one (unfortunately likely!) possibility is that the channel owners reused their credentials somewhere else.
If there was a breach at one of the other places where the rightful account holders used the same username/password, then automated tools could have made it a snap for crooks to take the breached credentials and plug them in to see what other accounts they’d unlock. It’s why password reuse=rotten idea!
Another possibility: the rightful account holders might have used flimsy passwords that were easy to guess. Don’t know how to pick a strong password? Here’s how.
Overwhelmed by your ever-swelling collection of passwords? By all means, use a password manager. They might not be perfect, but they’ve stood strong against flaws.
While you’re at it, turn on two-factor authentication (2FA) for any online accounts that support it – it’s a minor inconvenience for you, but a significant stick to poke between crooks’ spokes.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
I was rather disturbing to see the ‘Space X channel’ with this one as the top video when I logged into Youtube on my Xbox, pretty poor how long this stayed as a featured channel. I did take part in the live comments just repeating it is a scam but there are so many bot comments saying they got BTC back. It’s poor form on Youtube for not getting on top of this with any urgency whatsoever, I reported it but nowt happened. Big corps like Facebook and Google have a hard task with so much content out there but they also have vast reserves of money, easy to employ humans to monitor and remove this stuff. It will cost the if they don’t, Facebook ignore the Cambridge analytic scandal and look where it got them.
Can confirm, I also reported several channels, but they stayed online for at least further 30 minutes, until they were taken down. Many bitcoins (=dollars) were lost due to the slow reaction of youtube itself…
Where is YouTube’s accountability in this???? It’s July 7th and I just had an ad for one of these scams play on my YouTube – as an ad before legit content. YouTube is liable.
Part of the issue is that YouTube does not have an easy reporting system for scams like this – and no way to flag fraud ads (this came up as an ad not a channel)