Criminals are blackmailing YouTube creators into adding malicious crypto-mining malware to their videos, according to research from cybersecurity firm Kaspersky.
The hackers have been taking advantage of the growth in Russia of Windows Packet Divert drivers, which enable internet users to circumvent geographic restrictions.
Kaspersky’s systems have detected these drivers on 2.4 million devices over the past six months, with each successive month since September witnessing an increase in downloads.
The popularity of these drivers has led to a growth in YouTube videos on how to download and install them. But the criminals have even found a way to insert links to the SilentCryptoMiner malware into the descriptions of such videos.
One increasingly common tactic is to submit a copyright strike against a video and then contact its creator, claiming to be the original developer of the driver it discusses.
According to Kaspersky, the criminals were able to reach one popular YouTuber with 60,000 subscribers, ultimately adding a malicious link to videos with over 400,000 views.
But instead of leading to a legitimate repository such as GitHub, the offending links took viewers to an infected archive, which has since racked up over 40,000 downloads.
Kaspersky estimates that, by threatening YouTube creators with copyright strikes and takedowns, the criminals responsible have been able to infect some 2,000 computers in Russia with crypto-mining malware.
However, the security company suggests that the total could be significantly higher if it included other campaigns that have been launched in Telegram channels.
While crypto-mining malware has been around for several years now, Leonid Bezvershenko—a Security Researcher at Kaspersky’s Global Research and Analysis Team—says that pressuring creators with false copyright complaints is a more aggressive and unique tactic.
“While certain threats—like miners and info stealers—regularly leverage social platforms for distribution, this tactic of coercing influencers shows how cybercriminals are evolving,” he tells Decrypt. “By capitalizing on the trust between YouTubers and their audiences, attackers create large-scale infection opportunities.”
The mining malware used by the attackers, SilentCryptoMiner, is based on the well-known open-source miner XMRig, and is used to mine such tokens as Ethereum, Ethereum Classic, Monero, and Ravencoin.
It injects itself into a computer’s system procedures via process hollowing, and can be controlled remotely by its originators, who can stop mining whenever the original system procedure is active.
“In this specific campaign, most of the victims we identified are in Russia, and the malware itself was primarily available to Russian IP addresses,” confirms Bezvershenko, who nonetheless affirms that attackers often go wherever they see an opportunity.
This latest campaign comes at a time when crypto-mining viruses have become widespread as a form of malware, with the Center for Internet Security finding that CoinMiner was its second-most observed malware of 2024, behind drive-by downloader SocGholish.
And in December of last year, cybersecurity researchers at ReversingLabs found that attackers are increasingly inserting crypto-mining malware in popular open source coding packages and tools, which can often attract hundreds of thousands of weekly downloads.
While it may be hard to avoid legitimate-yet-infected coding packages if you’re a developer, Kaspersky advises general web users to stay vigilant and verify the source of any download.
As Bezvershenko says, “If a YouTube creator or a guide asks you to disable your antivirus or claims a file is completely safe, treat it with caution and perform an additional security check.”
Edited by Stacy Elliott.