A scammer was found to be manually abusing YouTube’s automated copyright system in an effort to hold YouTube channels ransom.
By submitting multiple fake copyright “flags” on videos, the scammer was able to bring at least two YouTube accounts to the brink of automatic deactivation under YouTube’s “three strikes” policy, even getting past YouTube employees who double-checked the suspicious claim.
“We striked you. Our request is $150 PayPal or $75 [Bitcoin],” read one message received by ObbyRaidz, a small gaming channel with fewer than 8,000 subscribers. “Once we receive our payment we will cancel both strikes on your channel.”
The message, sent by someone calling themselves “VengefulFlame,” went on to threaten a third copyright strike if the victim did not comply, which would result in the victim’s channel being automatically deleted. VengefulFlame also sent a similar warning to Kenzo, another small gaming channel, demanding $200 in Bitcoin or $300 via PayPal—amounts that would double if they were “ignored.”
According to YouTube, anti-abuse teams initially identified the requests as suspicious and asked for more information. VengefulFlame complied with the company's request and YouTube wrongly took down the videos, YouTube told Motherboard.
YouTube confirmed with Motherboard that it has since reinstated the videos, removed the strikes, and terminated the accounts that made the requests from the site, but only after ObbyRaidz and Kenzo both tweeted about their issues.
Automatic scans and manual takedown requests on YouTube often demonetize videos that use a second or two of copyrighted content in compliance with fair use laws, meaning money a creator would've made on the video is taken away, or diverted to the claimant. Sometimes, the video in question might contain no copyrighted material at all. Worse, creators say trying to get in touch with an actual human at the company to reverse the decision can be a nightmare.
“I’m legitimately surprised it took this long” for scammers to start extorting channels, Katharine Trendacosta, a policy analyst at digital rights group the Electronic Frontier Foundation, told Motherboard. “The system is set up to incentivize false reports, and it is so bad at catching them and punishing people for making false reports.”
This has resulted in some truly bizarre scenarios, such as four different copyright holders filing claims against a professor’s video of white noise.
“It’s really preying on someone who’s in a very vulnerable position,” Trendacosta said.
Copyright in the United States is set up incredibly unevenly, on YouTube and off, Trendacosta said. Any company can file as many takedown notices as it wants under the Digital Millennium Copyright Act (DMCA), for example, but if creators dispute the claim on YouTube, they must provide all the information needed to file a lawsuit. From there, the company has a choice: it can drop the matter, or sue the creator.
The idea of going up against a multimillion-dollar company in court has led to a climate of fear, Trendacosta said, where creators—who often rely on ad revenue to make a living—are incentivized to give in rather than fight illegitimate requests.
“The way I look at it, YouTube basically just put a Band-Aid on a much bigger issue,” ObbyRaidz said in a video after the strikes were resolved. “This is something that can affect a lot more YouTube channels in the future.”
Another small gaming channel, Br0, said in an interview with ObbyRaidz that other content creators he knows have been hit with the extortion scam.
“Obviously it’s a flawed system. It needs to be changed,” Br0 said regarding YouTube’s content claim system.
VengefulFlame did not respond to an interview request sent to the email they used to issue the strike. ObbyRaidz and Kenzo also did not respond to interview requests.
Grifts are nothing new to YouTube. A January 30 report by cybersecurity company RiskIQ details a “fake reward” scam, ongoing since 2016, where profiles imitating online celebrities would send users a link, saying they’d won a prize for commenting on the real celeb’s video. In reality, it was a scam to gain users’ personal information and make money off referral links to fake surveys.
Report author Yonathan Klijnsma told Motherboard over the phone that YouTube’s main security problems right now are its scale and processes, which were both exploited in the copyright strike scam targeting ObbyRaidz and Kenzo. The scale of arbitrating copyright disputes on YouTube’s sprawling platform necessitates automated solutions, which allowed the strikes to go through. The security checkup by YouTube’s own employees—the processes—failed to catch the fraudster.
“If that guy, who’s obviously an extortionist, is able to convince the help desk for YouTube that something isn’t fraudulent when it is, you can only imagine what he can get done to those same people…[to] get them to give him certain information he should not have,” Klijnsma said.
The real issue is that people and companies who file false claims often don’t face serious consequences, Trendacosta said.
Claimants already sign a waiver saying their claim is real under penalty of perjury. Regular enforcement of that would be “a really big, substantial way of fixing this problem,” she said.
“Unless you are actually going to have consequences for bad takedown [notices], I don’t really know what else can be done to prevent them,” Trendacosta said.