Last week, hackers took control of several popular YouTube channels to broadcast a scam, asking people to send in Bitcoin with the empty promise of sending more cryptocurrency back.
The hackers hijacked at least eight popular channels, such as FrontPageTech and PapaFearRaiser—a channel with 1.8 million subscribers—and started live streaming clips of Elon Musk. For example, in the video title for a channel called “Live News,” the hackers used popular terms such as NASA, SpaceX, and Tesla to improve the chances that YouTube users would stumble upon their live streams when searching for those terms. The videos were surrounded by a message asking viewers to send Bitcoin or Ethereum, with a link to a custom-made scam website, SpaceXBitcoin.org, which is now down.
“It’s a nightmare,” Jon Prosser, the host of FrontPageTech, told Motherboard in an online chat.
After hackers deleted his original channel, Prosser has been forced to use an alternative YouTube account to broadcast his show, where he’s been discussing the incident.
Prosser said in a video that a friend of his noticed the channel was hacked and alerted him. The hackers took control of everything associated with the FrontPageTech account, including Gmail, Google Drive, and AdSense, according to Prosser. On Twitter, Prosser said the hackers bypassed two-factor authentication on the account. This could mean that the criminals took control of the cellphone number and then reset the password in what’s commonly known as a SIM swapping hack.
According to Prosser, the hackers made around $10,000 in Bitcoin after two hours of livestream.
Prosser said he got in touch with YouTube in an attempt to regain control of his channel. YouTube told him they would investigate and asked him to fill out a form, according to a screenshot of the direct message YouTube sent him on Twitter.
“They just let it happen even after I established contact with YouTube employees,” Prosser said in a video. “They didn’t even stop the stream.”
At this point, it’s unclear if the same hackers are behind all these hacks.
A YouTube spokesperson declined to comment on the FrontPageTech hack and the other seemingly related hijackings. Instead, the spokesperson shared some generic statistics on removals of videos that violated the platform’s spam, scams, and deceptive practices policies.
“We take account security very seriously by automatically protecting users and notifying them when we detect suspicious activity,” Alex Joseph, the YouTube spokesperson, said in an email. “We also encourage users to enable two-factor authentication as part of Google's Account Security Checkup, which decreases the risk of hacking. If a user has reason to believe their account was compromised, they can notify us to secure the account and regain control.”
Five days after the hack, Prosser has yet to regain control of his YouTube account, according to his latest video, where he said he “hasn’t heard anything yet” from the company.
“Nah, it’s ok, it’s fine. YouTube, don’t worry about it, it’s fine just take your time. Take your time,” Prosser said. “It’s not like our livelihood or anything like that.”
This series of YouTube channel hijackings comes just a couple of weeks after hackers took control of several high-profile Twitter accounts—including those of Tesla and Elon Musk—in an attempt to promote a similar Bitcoin scam. In that case, hackers convinced a Twitter employee to help them gain access to an internal Twitter tool that gave them control of more than 100 accounts.