Linus Tech Tips main YouTube channel hacked

Well-known technology YouTube channel Linus Tech Tips has been hijacked by a malicious actor and is using it to promote a cryptocurrency scam.

Linus Tech Tips has over 15 million subscribers.

The attackers appear to have ripped a recording of a 2021 session from The ₿ Word conference that featured investor Cathie Wood, former Twitter CEO Jack Dorsey, and current Twitter CEO Elon Musk.

The malicious live stream on Linus Tech Tips’ channel is using keywords involving Tesla, artificial intelligence, GPT–4, and OpenAI to get viewers.

It is promoting a QR code and URL directing people to a Tesla-branded website claiming to give away crypto worth $100,000,000.

It’s a classic money-doubling scam promising to pay you back double any bitcoin, ether, dogecoin, or USD tether you send to a designated address.

A screenshot of the scam webpage.

The attacker appears to have gained access to the Linus Tech Tips channel and changed the channel handle from @LinusTechTips to @teslaliveonline1.

Navigating to the old LinusTechTips URL on YouTube gives the error message: “This page isn’t available. Sorry about that. Try searching for something else.”

At the time of publication, the channel handle had been changed again to @temporaryhandle, with the channel name changed to LinusTechTipsTemp.

All videos newer than seven years old have either been deleted or made private.

YouTuber Linus Sebastian created the Linus Tech Tips channel in November 2008. He went on to found Linus Media Group in January 2013 out of a garage.

The company is headquartered in Surrey, British Columbia, Canada.

Linus Tech Tips is not the only YouTube channel targeted in this way.

Several channels have either reported on the issue, like ThioJoe, or discussed how their accounts were hijacked, like Paul Hibbert. (Hat tip to the MyBroadband forum community for referencing these solid explanations.)

Joe explains that YouTubers are typically compromised in one of two ways:

1. Trojan Horse. A fake sponsorship deal culminates with the attacker sending a media pack or video game for the victim to download. The media pack may include a file named something like “Contract for {thing} on Youtube.com”. However, .com is a lesser-known Windows executable file extension. Double-clicking the file causes a malicious program to run and steal private data from the victim’s computer, including YouTube session data from their browser.
2. Malicious Google ads for software downloads. Attackers have started taking out Google ads targeting free and open-source software. Well-known apps like VLC, 7-Zip, OBS, Rufus, and Notepad++ have been targeted like this. Victims searching for a software download may click on the topmost sponsored link in Google and get taken to a fake site that downloads a virus rather than the actual software to their machine.

Hibbert explained that even though he had two-factor authentication enabled on his account, the attackers could easily bypass it.

“If a hacker is actually logged in as you using your cookies — which is what they did to me — they can use your existing login to go in and change all of your two-factor authentication without first providing a two-factor authentication key,” he said.

Although Google does offer an Advanced Protection Program that provides more stringent security controls on accounts, Hibbert said users aren’t told about it.

“Google offers something called an Advanced Protection Program that they just keep a secret,” he said. “They didn’t even tell me about it after I got hacked!”

However, enrolling for the programme will entail that you buy a Google Titan Security Key, or use any other FIDO-compliant hardware security key.

MyBroadband contacted Linus Media Group for comment, but it had not responded by publication, when it was just after 05:00 in British Colombia, Canada.

Update (14:30) — Channel taken down, more hijacked

YouTube appears to have taken down the hijacked channel.

It now shows the message “This account has been terminated for violating YouTube’s Community Guidelines” when trying to visit the channel’s old non-handle URL.

However, two other Linus Media Group channels have now also been hijacked: Techquickie and TechLinked.

Sebastian also confirmed on Twitter that he is aware of the issue.

Yes I know -_-

— Linus LinusMediaGroup (@linusgsebastian) March 23, 2023

Update (16:00) — Response from Linus Media Group

YouTube has taken down the Techquickie and TechLinked channels after they were also compromised.

Linus Media Group posted the following update to its paid-for subscribers-only channel on Floatplane:

“Regarding the YouTube channel hack, we are on top of it with Google’s team now,” the company said.

“Everything should be locked down and we are getting to the bottom of the attack vector with the (hopeful) goal of hardening their security around YouTube accounts and preventing this sort of thing from happening to anyone in the future.”

Now read: Hacking team exploits Tesla Model 3 zero-day — win R1.8 million and the car