Prominent tech influencer Linus Sebastian’s three YouTube channels, “Linus Tech Tips,” “Techquickie,” and “TechLinked,” were hacked in the early hours of Friday, March 24th.
The Verge reported on that day that this incident is part of a string of high-profile breaches by crypto scammers targeting YouTube channels and that the channels, which have a combined subscriber base of over 21 million, were temporarily replaced with crypto scam videos instead of their regular tech hardware reviews.
The Verge article went on to say that the “Linus Tech Tips” channel (which currently has 15.3 million subscribers) was the first to be compromised, broadcasting several live videos before the hacker began publicizing old private videos. YouTube subsequently suspended the account while working to restore it. The other two channels, “Techquickie” and “TechLinked,” were also hacked and renamed with a focus on Tesla.
Around 12 hours later, after the three channels had been restored, the official Twitter account of “Linus Tech Tips” posted this update on the situation:
In the video embedded in their tweet, the channel’s owner first explained what the hackers had done:
“The fireworks started a little after three in the morning when the “Linus Tech Tips” account was renamed to Tesla and started streaming a podcast-style recording of self-proclaimed tech king Elon Musk discussing cryptocurrency. This in and of itself is not a scam, but the streams linked to a scam website that claimed that for every one bitcoin you sent, they would return double, complete with fake transaction records showing other users definitely getting huge payouts.
“Over the next couple of hours, then we sparred back and forth. First, I privated the streams, revoked the channel stream key, and attempted to reset the account credentials, only to realize as I was investigating the source of the breach that I had been completely out-maneuvered.
“They were back in, and the stream survived again. How? Okay, so I logged back in, nuked the stream again, and they’re up again. And now videos are being mass deleted from the channel. Over the next couple of hours playing login whack-a-mole, the “Linus Tech Tips,” “TechLinked,” and “Techquickie” accounts were each used to host these Elon Musk crypto streams until they were ultimately nuked by YouTube altogether for violating YouTube’s terms of service.“
And then he explained how the hackers had managed to do it:
“Someone on our team… downloaded what appeared to be a sponsorship offer from a potential partner. It was an innocent enough mistake. For the most part, the email came from a legitimate-looking source, and it didn’t raise any immediate red flags, like being full of grammatical errors.
“So they extracted the contents, launched what appeared to be a PDF containing the terms of the deal, then presumably when it didn’t work, went about the rest of their day. What happened in the background took place over the course of just 30 seconds. The malware accessed all user data from both of their installed browsers, Chrome and Edge, including everything from locally saved passwords to cookies to browser preferences giving them effectively an exact copy of those browsers on the target machine that they could export, including — that’s right — session tokens for every logged in website.“