Hackers Blackmail YouTubers to Spread Crypto Malware

Generated by AI Agent Coin World
Wednesday, Mar 12, 2025 4:23 am ET

Cybersecurity firm Kaspersky has uncovered a sophisticated scheme where hackers are blackmailing YouTubers to spread crypto malware. The attackers exploit the platform’s copyright strike system to coerce influencers into adding malicious links to their video descriptions, directing unsuspecting viewers to malware-infected downloads.

Kaspersky’s report highlights that hackers are leveraging the trust that YouTubers have built with their audiences, making this campaign particularly dangerous. The malware campaign involves distributing malware disguised as tools for bypassing digital restrictions. Specifically, the hackers exploit copyright complaints, threatening and blackmailing YouTubers into promoting SilentCryptoMiner, a sophisticated crypto-mining Trojan based on the popular open-source mining software XMRig.

The malware mines cryptocurrencies such as Ethereum (ETH), Ethereum Classic (ETC), Monero (XMR), and Ravencoin (RVN). It also uses the Bitcoin blockchain to maintain control over botnets. Over the past six months, Kaspersky has detected more than 2.4 million Windows Packet Divert driver instances, which cybercriminals leverage to manipulate network traffic. These tools are presented as legitimate software solutions but contain hidden malicious payloads.

Once installed, the malware persists on a victim’s system, bypassing security measures and modifying critical system files. In one case, a YouTuber with 60,000 subscribers unknowingly helped distribute the malware. The creator initially posted videos demonstrating how to bypass certain online restrictions and included a link to a supposed restriction bypass tool. However, the file was infected with SilentCryptoMiner. Later, the creator edited the infected video description to remove the link, replacing it with a warning stating that the program “does not work.”

The attackers then threatened the content creators under the pretext of copyright infringement, demanding that they post videos with malicious links or risk shutdown of their YouTube channels. This way, the scammers were able to manipulate the reputation of popular YouTubers to force them to post links to infected files. In a more insidious move, hackers have also filed false copyright claims against YouTubers who refuse to cooperate. By threatening content creators with channel takedowns, cybercriminals have forced them into distributing the malware.

Cybersecurity experts warn that YouTube and other social media platforms may not be the only targets of such blackmail schemes. Bad actors could soon deploy similar tactics on Telegram and other messaging platforms where influencers engage with their communities. Therefore, users should remain cautious when downloading software from unverified sources. What appear to be helpful tools can serve as a gateway for malicious activity.

This discovery comes just a month after Kaspersky exposed another major cybersecurity threat. The firm claimed to have discovered a new data-stealing Trojan, SparkCat, active in the App Store and Google Play since at least March 2024. SparkCat leverages machine learning to scan image galleries, stealing cryptocurrency wallet recovery phrases, passwords, and other sensitive data hidden in screenshots. This highlights the growing risks that cryptocurrency investors face. As YouTube influencers become prime targets for cybercriminals, blockchain intelligence platform Arkham has begun tracking their portfolios. The new feature, dubbed “Key Opinion Leader (KOL) Label,” tracks the wallets of influencers with over 100,000 followers on X. This means investors can monitor whether influencers genuinely back the tokens they promote or if their endorsements are merely paid advertising. This highlights how influencers’ role extends beyond social media.
