
Kaspersky Exposes Hackers Blackmailing YouTubers to Spread Crypto Malware

15h ago

Cybersecurity firm Kaspersky revealed a YouTube crypto malware blackmail scheme in which attackers leverage the platform’s copyright strike system to coerce influencers into adding malicious links to their video descriptions.

These actions directed unsuspecting viewers to malware-infected downloads as YouTube content creators gave in to the blackmail.

Kaspersky Reveals SilentCryptoMiner

Kaspersky’s report reveals that hackers exploit the trust that YouTube influencers have built with their audiences, making this campaign particularly dangerous. It cites a malware campaign where cybercriminals distribute malware disguised as tools for bypassing digital restrictions.

Specifically, the hackers exploit copyright complaints, threatening and blackmailing YouTube content creators into promoting SilentCryptoMiner. SilentCryptoMiner is a sophisticated crypto-mining Trojan based on the popular open-source mining software XMRig.

According to the report, the malware mines cryptocurrencies such as Ethereum (ETH), Ethereum Classic (ETC), Monero (XMR), and Ravencoin (RVN). It also uses the Bitcoin blockchain to maintain control over botnets.

Over the past six months, Kaspersky has detected more than 2.4 million Windows Packet Divert driver instances. Reportedly, cybercriminals leverage these drivers to manipulate network traffic. Many of the tools are presented as legitimate software solutions but contain hidden malicious payloads.

Dynamics of Windows Packet Divert detections. Source: Kaspersky

Once installed, the malware persists on a victim’s system, bypassing security measures and modifying critical system files.

In the report, Kaspersky highlights a case in which a YouTuber with 60,000 subscribers unknowingly helped distribute the malware. The creator initially posted videos demonstrating how to bypass certain online restrictions and included a link to a supposed restriction bypass tool.

However, the file was infected with SilentCryptoMiner. Later, they edited the infected video description to remove the link, replacing it with a warning stating that the program “does not work.”

“Next, the attackers threatened the content creators under the pretext of copyright infringement, demanding that they post videos with malicious links or risk shutdown of their YouTube channels. This way, the scammers were able to manipulate the reputation of popular YouTubers to force them to post links to infected files,” read an excerpt in the report.

In a more insidious move, hackers have also filed false copyright claims against YouTubers who refuse to cooperate. By threatening content creators with channel takedowns, cybercriminals have forced them into distributing the malware.

Cybersecurity experts warn that YouTube and other social media platforms may not be the only targets of such blackmail schemes. Bad actors could soon deploy similar tactics on Telegram and other messaging platforms where influencers engage with their communities.

Therefore, users should remain cautious when downloading software from unverified sources. Seemingly helpful tools can serve as a gateway for malicious activities. Meanwhile, this discovery comes just a month after Kaspersky exposed another major cybersecurity threat.

“Our experts have discovered a new data-stealing Trojan, SparkCat, active in the App Store and Google Play since at least March 2024. SparkCat leverages machine learning to scan image galleries, stealing cryptocurrency wallet recovery phrases, passwords, and other sensitive data hidden in screenshots,” the firm claimed.

This highlights the growing risks that cryptocurrency investors face. As YouTube influencers become prime targets for cybercriminals, blockchain intelligence platform Arkham has begun tracking their portfolios.

The new feature, dubbed “Key Opinion Leader (KOL) Label,” tracks the wallets of influencers with over 100,000 followers on X. This means investors can monitor whether influencers genuinely back the tokens they promote or if their endorsements are merely paid advertising. This highlights how influencers’ role extends beyond social media.
