Russian crooks are stealing YouTube accounts — what to do

A content creator with camera, microphone and laptop accessing YouTube on a smartphone.
(Image credit: Sutipond Somnam/Shutterstock)

Google has busted a Russian gang that was dedicated to swindling YouTube content creators out of their accounts.

The gang's tactic was to befriend successful YouTube "creators" or "YouTubers" — those YouTube uploaders of original content such as PewDiePie who have enough followers to earn a lot of money through ads, merchandising and affiliate links — and propose partnerships or other types of financial or promotional agreements.

According to a post yesterday (Oct. 20) by Google Threat Analysis Group's Ashley Shen, the gang would then send poisoned files to the creators to steal passwords and session cookies, enabling the crooks to take over the creators' accounts.

"The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum," Shen wrote, "lure their target with fake collaboration opportunities (typically a demo for antivirus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams."

The stolen accounts, Shen said, could be resold for up to $4,000 each.

How to protect your YouTube account

To protect your YouTube and other social-media accounts from hackers and hijackers, Google recommends:

  • Paying attention when your browser warns you that a website might not be safe to access
  • Scanning all downloaded files with some of the best antivirus software before opening them
  • Turning on Enhanced Safe Browsing Protection  in your Chrome security settings
  • Using two-factor authentication (2FA) to protect your accounts from hackers who might have your passwords

Tom's Guide would also recommend using one of the best password managers as well, because storing passwords in a browser makes them ripe targets for information-stealing malware.

Promoting poisoned products

Shen provided an example of an email message sent to a YouTube creator proposing to pay the YouTuber to promote a brand of antivirus software. The message said the YouTuber would need to install and demonstrate the antivirus software on video. 

If the YouTuber agreed, the crooks would then send the creator an instant message, email message, PDF or document with links to a website where the creator could download the software. 

Shen said more than 1,000 malicious websites and social-media accounts were created for this purpose, many of which mimicked legitimate brands such as Cisco or Steam.

But the software the YouTuber would download and install contained malware that stole passwords and session cookies, those tiny bits of data that keep you logged into online accounts for long periods of time. Armed with those stolen items, the crooks could take over the YouTube accounts.

The masterminds behind this scheme used Russian-language online forums to recruit lower-level crooks to do the dirty work, promising between 25% and 70% of the revenue from the hijacked channel depending on the amount of evil deeds they'd be willing to do.

Shen said that beginning Nov. 1, YouTube content creators whose channels earn money will need to have 2FA enabled on their Google accounts to access certain YouTube tools.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.