Creators have reported that their YouTube channels are being taken over and used to broadcast cryptocurrency giveaway streams that impersonate well-known figures and technology brands. In many cases, attackers rename the channel, change profile images and run “double-your-money” schemes that encourage viewers to send cryptocurrency with the promise of receiving more in return. YouTube has said that recovery tools are available and directs affected users to official support channels.

How the scams work

Prior investigations describe a typical pattern: attackers send fake sponsorship emails that install malware, which steals browser session cookies and lets the attackers bypass two-factor authentication, because a stolen cookie carries a session that has already been authenticated. Once inside, they launch YouTube Live broadcasts using deepfakes of figures like Elon Musk, sometimes limiting chat to long-time subscribers to mute warnings. High-profile cases have included media and creator channels taken over to stream crypto promotions. Researchers and cybersecurity firms say these campaigns have persisted for years despite periodic takedowns.

In March, Costa Rica’s presidential YouTube account was compromised and briefly populated with crypto-related content, according to an official statement. Australian broadcaster 7News reported its channel was hijacked in 2024 to run AI-generated Musk streams. Google India’s official YouTube channel was taken offline after appearing to stream crypto-related content, and YouTube said it took immediate action to secure and restore the account. TeamYouTube continues to direct creators to recovery resources after an account has been hacked.

The next step to avoid hacking

YouTube advises creators to secure their accounts immediately if a breach is suspected, run malware scans and use its hacked-account recovery system to regain access. Security experts recommend enabling hardware security keys, limiting the use of third-party browser extensions and treating unsolicited sponsorship emails or file downloads with caution. Google has previously reported that large-scale phishing operations have targeted creators through thousands of fake domains and accounts, prompting the company to make two-factor authentication mandatory for monetized channels. Creators are also advised to check device passkeys and account recovery information for unauthorized changes made during a takeover.

Many creators argue that faster account restoration and stronger safeguards around session cookies and recovery settings are needed to limit the damage from hijacked livestreams. YouTube has said it continues to update its enforcement and recovery processes, but public-facing events remain a target for attackers who seek maximum visibility.