On January 23, 2022, multiple crypto influencers had their YouTube accounts hacked and used to promote a fake crypto giveaway scam. Dozens of accounts were hacked, including @IvanOnTech, @boxmining, @CoinMarketCap, and others.

How Did the Hack Happen?

Several of the crypto YouTubers targeted by the attack are known for their strong focus on security, meaning that their YouTube accounts likely have two-factor authentication (2FA) enabled. To pull off the hack, the attacker would have needed to bypass or overcome YouTube’s 2FA.

An early theory was that the attacker used SIM swapping, which would cause 2FA codes to be sent to a phone controlled by the attacker rather than the account owner. However, as Michael Gu of Boxmining pointed out, doing so would have redirected all of a person’s text messages to the attacker’s phone, which didn’t happen.

Additionally, the attack targeted his Boxmining brand account, which lacks an independent login and can only be accessed via a personal YouTube account. Accessing it would have required a login to his personal Gmail account, which didn’t happen.

A more likely explanation is that YouTube suffered a breach or that the attack was carried out by a malicious insider. An attacker or rogue employee with access to YouTube’s systems would have had the access necessary to perform the attack and to do so at this scale. In contrast, SIM swapping against multiple accounts would have been much harder to carry out.

Lessons Learned from the Hack

This attack likely involved an authentication and 2FA bypass for the affected crypto creators’ YouTube accounts, meaning that there is probably nothing that they could have done to prevent it. It underscores the importance of considering whether something feels fishy or sounds too good to be true when operating in the crypto space.

Rob Behnke
01.25.2022