Hackers Using Cookie Stealing Malware to Hijack High-Profile YouTube Accounts

Google has recently reported that its Threat Analysis Group (TAG) has tracked hackers implicated in disinformation campaigns, government-backed hacking, and financially motivated abuse. Using nothing more than cookie-stealing malware, the attackers managed to hijack thousands of high-profile YouTube channels.

Google has since disrupted the campaign, which it attributes to "Russian-speaking hackers" and which targeted thousands of YouTube creators.

In this attack, the threat actors lured their targets with fake collaboration opportunities and, soon after, hijacked their channels.

Once the hijacking is complete, the threat actors either sell the channel to the highest bidder or use it to broadcast cryptocurrency scams.


Here are the tactics, techniques, and procedures (TTPs) the hackers used to compromise thousands of high-profile YouTube channels:-

  • Social engineering YouTubers with advertisement offers
  • Fake software landing pages and social media accounts
  • Delivering cookie theft malware
  • Cryptocurrency scams and channel selling

Channels Hacked in pass-the-cookie Attacks

The malware detected by Google's Threat Analysis Group includes a number of commodity stealers such as:-

  • RedLine
  • Vidar
  • Predator The Thief
  • Nexus stealer
  • Azorult
  • Raccoon
  • Grand Stealer
  • Vikro Stealer
  • Masad
  • Kantar

Open-source ones like:-

  • AdamantiumThief
  • Sorano

The malware operates very efficiently: as soon as the threat actor gets it onto a target's system, it simply starts the stealing process.

It begins with the essential items, credentials and browser cookies, because the cookies allow the threat actors to hijack the victims' accounts in pass-the-cookie attacks, replaying an already-authenticated session without needing the password.
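To show what a pass-the-cookie hijack looks like from the server side, and what a defender can look for, here is an added example that is not from this article or from Google's TAG report: it flags a session cookie that is later used from a different IP address or browser than the one that logged in. The log format, field names and every value in it are constructed assumptions.

```python
# Added example, not from the article or Google's TAG report: detect pass-the-cookie
# style session reuse in constructed web-server logs. A stolen session cookie replays an
# already-authenticated session, so no password or second factor is requested; the
# server-side trace is the same session id suddenly arriving from a different client.
# Log format, field names and all values below are assumptions.
from collections import namedtuple

Event = namedtuple("Event", "ts sid user ip ua action")

# Actions an attacker typically performs after hijacking a channel (the article mentions
# renaming and live-streaming scams); alerts on these are ranked first. Assumed names.
HIGH_RISK_ACTIONS = {"rename_channel", "start_livestream", "change_password", "change_email"}

def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value' log line (no spaces inside values) into an Event."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Event(*(fields[name] for name in Event._fields))

def detect_session_reuse(lines):
    """Bind each session id to the (ip, ua) that first used it; flag any later use of
    the same session id from a different ip or user agent. Alerts are returned with
    high-risk post-hijack actions first, then in timestamp order."""
    bound = {}   # sid -> (ip, ua) at first sighting (normally the login)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.sid not in bound:
            bound[ev.sid] = (ev.ip, ev.ua)
            continue
        first_ip, first_ua = bound[ev.sid]
        changed = [f for f, old, new in (("ip", first_ip, ev.ip), ("ua", first_ua, ev.ua)) if old != new]
        if changed:
            alerts.append({"ts": ev.ts, "user": ev.user, "sid": ev.sid, "action": ev.action,
                           "changed": changed, "high_risk": ev.action in HIGH_RISK_ACTIONS})
    return sorted(alerts, key=lambda a: (not a["high_risk"], a["ts"]))

# Constructed sample: the creator logs in from one device; hours later the same cookie
# is replayed from another IP and browser and used to rebrand the channel.
SAMPLE_LOG = [
    "ts=2021-10-20T09:00:00Z sid=s1 user=creator ip=198.51.100.7 ua=Chrome/94 action=login",
    "ts=2021-10-20T09:05:00Z sid=s1 user=creator ip=198.51.100.7 ua=Chrome/94 action=upload_video",
    "ts=2021-10-20T11:40:00Z sid=s1 user=creator ip=203.0.113.9 ua=Firefox/93 action=view_dashboard",
    "ts=2021-10-20T11:42:00Z sid=s1 user=creator ip=203.0.113.9 ua=Firefox/93 action=rename_channel",
    "ts=2021-10-20T11:43:00Z sid=s1 user=creator ip=203.0.113.9 ua=Firefox/93 action=start_livestream",
    "ts=2021-10-20T12:00:00Z sid=s2 user=other ip=192.0.2.4 ua=Safari/15 action=login",
]

if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print(alert)
```

A real deployment would also compare coarser signals (ASN, country, TLS fingerprint) since a careful attacker can copy the victim's user agent, but an IP or client change on a high-risk action is still a strong trigger for re-authentication.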

On underground markets, channels were sold for up to $4,000

In this campaign a huge number of YouTube channels were hijacked; the compromised channels were rebranded to impersonate cryptocurrency exchange firms and used to live-stream cryptocurrency scams.

Some of the channels were put up for sale on account-trading markets, where a single account went for anywhere from $3 to $4,000, the exact price depending on the channel's subscriber count.

The campaigns were carried out with the help of hack-for-hire operators: the threat actors recruited them on several Russian-speaking forums by advertising two types of work:-

  • Light Advertising
  • Full-stack advertising


To protect users and their channels, Google's TAG has recommended a set of protective measures, which we list below:-

  • Always take Safe Browsing warnings seriously.
  • Scan software for viruses before running it.
  • Enable the "Enhanced Safe Browsing Protection" mode in your Chrome browser.
  • Be aware of the risks of encrypted archives, which can evade antivirus scanning.
  • Remember to protect your account with 2-Step Verification.

This type of attack can cause serious problems for users, which is why they need to stay alert to it. Google has also urged users to follow the protective measures above carefully, as doing so will help keep them protected from this kind of attack.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.