Protect Yourself: Unveiling the $65M YouTube Scam Network
TL;DR
YouTube Ghost Network Scam
Security researchers have uncovered a large-scale YouTube scam that uses tutorial-style videos to spread malware. Check Point Research has dubbed it the YouTube Ghost Network; it involves over 3,000 videos, and the researchers describe it as "one of the largest malware campaigns seen on the platform." ZDNET notes that the network has likely been active since 2021, with a surge in videos in 2025. The420.in highlights that the campaign operated quietly for years before being documented.
Operation of the YouTube Ghost Network
The scam uses videos that promise cracked software and game cheats. Check Point Research notes that targets include software like Adobe Photoshop, FL Studio, and Microsoft Office, as well as game hacks for titles like Roblox. Each video guides viewers through "easy" steps and directs them to a password-protected archive on services like Google Drive or Dropbox. Check Point Research warns that users are instructed to disable Microsoft Defender before extracting the files. ZDNET explains that disabling security protections is framed as a workaround for "false positives" on pirated software.
Malware Distribution and Information Stealing
The downloaded archives contain malware, including information stealers like Rhadamanthys and Lumma. These stealers can extract browser passwords, cookies, session tokens, system fingerprints, and crypto wallet data. Check Point Research notes that multiple security labs, including Kaspersky and Recorded Future, have documented the monetization of stolen credentials through underground markets. The420.in warns that this malware can bypass multi-factor authentication (MFA) through stolen session cookies.
Network Structure and Tactics
The network uses fake and hijacked YouTube accounts to upload videos, post archive passwords, and create comments that make the content appear trustworthy. Check Point Research mentions that a compromised channel with approximately 129,000 subscribers promoted a "free Photoshop" video that received about 291,000 views. Fraudulent ad buys are also used to drive traffic to these videos. ZDNET emphasizes that operators use fake and compromised accounts to upload videos and post positive feedback.
Platform Resilience and Modularity
The Ghost Network is designed to be modular. Check Point Research explains that its roles (uploaders, commenters, link hosts) and its disposable domains can be rotated quickly. When a channel is banned, another emerges, and when a link is taken down, mirrors appear. ZDNET quotes Check Point: "This modular structure allows the operation to scale quickly and survive account bans, making takedowns more complex and continuous." Check Point Research notes that similar tactics have been observed on GitHub (the Stargazers Ghost Network) and on TikTok, where "ClickFix" lures trick users into running malicious commands themselves.
Red Flags
Users should be wary of the following red flags, as listed by Check Point Research:
- Requests to disable antivirus or SmartScreen.
- Prompts to download a password-protected archive.
- Instructions to run installers as administrator.
- Channels with sparse histories or sudden pivots to "free full version" content.
- Comment sections flooded with "works 100%" praise.
- Pinned passwords, shortened links, or Telegram invites.
- Mismatched file names.
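As an added illustration (not code from Check Point Research or from this page), the Python heuristic below checks a video's title, description and comment section for the red-flag phrases listed above and reports which categories fired. The phrase patterns, the "two or more flags" threshold, the praise ratio and the two sample videos are constructed assumptions, not a production detector.

```python
import re
from typing import Dict, List

# Constructed phrase patterns, one per red-flag category above (assumption: illustrative only).
RED_FLAG_PATTERNS: Dict[str, str] = {
    "disable_protection": r"(disable|turn off|switch off)\s+(windows\s+|microsoft\s+)?"
                          r"(defender|antivirus|anti-virus|smartscreen|real[- ]?time protection)",
    "password_archive": r"password\s*(is|:|=)\s*\S+|password[- ]protected",
    "run_as_admin": r"run\s+(it\s+)?as\s+(an\s+)?admin(istrator)?",
    "free_full_version": r"free\s+(full|cracked|pro)\s+(version|download)|\bcrack(ed)?\b",
    "shortened_link": r"https?://(bit\.ly|tinyurl\.com|t\.co|cutt\.ly|rb\.gy)/\S+",
    "telegram_invite": r"t\.me/\S+|telegram\s+(group|channel|invite)",
}
PRAISE_PATTERN = r"works?\s*100\s*%|100\s*%\s*work(s|ing)|worked for me"


def score_video(title: str, description: str, comments: List[str],
                praise_ratio: float = 0.5) -> Dict[str, object]:
    """Return the red-flag categories found in a video's text fields plus a simple verdict."""
    text = f"{title}\n{description}\n" + "\n".join(comments)
    hits = [name for name, pattern in RED_FLAG_PATTERNS.items()
            if re.search(pattern, text, re.IGNORECASE)]
    # "works 100%" praise only counts as a flag when it dominates the comment section.
    if comments:
        praise = sum(1 for c in comments if re.search(PRAISE_PATTERN, c, re.IGNORECASE))
        if praise / len(comments) >= praise_ratio:
            hits.append("praise_flood")
    # Threshold is an assumption: two independent red flags mark the video as suspicious.
    return {"flags": hits, "suspicious": len(hits) >= 2}


# Constructed samples modelled on the lure described above; neither is a real video.
BAIT = dict(
    title="Adobe Photoshop 2024 FREE FULL VERSION - easy install!",
    description="Download: https://bit.ly/EXAMPLE-LINK\nPassword: 1234\n"
                "Turn off Windows Defender before extracting (false positive) and run as administrator.",
    comments=["works 100% thanks!!", "Works 100% bro", "worked for me, legit", "where is the password?"],
)
BENIGN = dict(
    title="Photoshop tutorial: non-destructive dodge and burn",
    description="Official trial at adobe.com. Use a password manager for your Creative Cloud login.",
    comments=["Great explanation", "Helped with my portfolio", "Could you cover masks next?"],
)

if __name__ == "__main__":
    for name, video in (("bait", BAIT), ("benign", BENIGN)):
        print(name, score_video(**video))
```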
Protection Measures
To protect yourself from malware on YouTube, Check Point Research recommends these measures:
- Download apps from official sites or trusted stores.
- Keep Microsoft Defender and reputation-based protection enabled.
- Turn on Tamper Protection and apply updates promptly.
- Use a standard (non-admin) account for daily use.
- Consider application control features like Smart App Control on Windows or an allowlist approach for software installs.
- Scan files with a reputable service like VirusTotal before opening them.
- Verify a channel's authenticity.
- Test unknown files in a sandbox or virtual machine.
- Use password managers, passkeys, and 2FA.
Actions if You Clicked a Suspicious Link
If you suspect you've clicked a malicious link, Check Point Research advises the following steps:
- Disconnect from the internet.
- Run a full system scan with Microsoft Defender or another trusted endpoint tool.
- Remove suspicious startup items and browser extensions.
- Clear cookies and sessions.
- Change passwords for email, banking, and social accounts.
- Enable multi-factor authentication everywhere.
- Revoke active sessions in Google, Microsoft, and other key services.
- Migrate funds to new crypto wallets.
- Back up essential data and perform a clean OS reinstall.
Platform and Advertiser Responsibilities
According to Check Point Research, platforms and advertisers should:
- Throttle reach for new channels pushing executable downloads.
- Flag social-engineering phrases.
- Scan archive contents.
- Harden ad screening.
- Heed guidance from organizations such as Google's Threat Analysis Group and CISA.
YouTube Scambaiters Dismantle Fraud Ring
A $65 million multinational fraud ring targeting seniors has been dismantled with the help of YouTube scambaiters. The U.S. Department of Justice reports that 28 alleged members of a Chinese organized crime ring are charged in four federal grand jury indictments, and that 25 of the defendants have been arrested for conspiracy to commit mail and wire fraud and conspiracy to commit money laundering. The DOJ notes that the searches resulted in the seizure of more than $4.2 million from financial accounts as well as several luxury vehicles.
Scam Operation
The criminal network, composed primarily of Chinese nationals, worked with India-based scam call centers. The U.S. Department of Justice explains that fraudsters posed as technical support agents, government officials, or bank employees. Victims received unsolicited calls or emails directing them to call phone numbers that connected them to the scam call centers. The DOJ reports that the scammers used scripted lies and psychological manipulation to gain the victims' trust and, often, remote access to their computers.
YouTube's Role in Exposing Scammers
YouTuber Pierogi from "Scammer Payback" played a crucial role in documenting key evidence. The U.S. Department of Justice notes that Pierogi teamed up with two other YouTubers from "Trilogy Media" to publish videos on their respective YouTube channels. In coordinated sting operations, Scammer Payback and Trilogy Media baited fraudsters, confronted them on camera, and published those videos. The DOJ states that videos posted in 2020 and 2021 helped law enforcement identify Zhiyi Zhang, Dudu Chen, and Huajian Chen, all named in the indictments.
Multimodal Detection of YouTube Scam Videos
A study on detecting YouTube scam videos via multimodal signals and policy reasoning was conducted by Ummay Kulsum, Aafaq Sabir, Abhinaya S.B, and Anupam Das (arXiv). The study highlights that YouTube's accessibility has made it a target for scammers who upload deceptive content. Prior research has relied on textual or statistical metadata for detection, which can be easily evaded and may overlook visual cues. The paper notes that existing approaches often rely on traditional machine learning models that primarily output a probability score, with no explanation of why a video was flagged.
Research Questions
The study addresses the following research questions (arXiv):
- How effective is textual metadata in detecting scam videos on YouTube?
- Can visual-only models using frame-level features detect scam videos competitively without textual metadata?
- How can we jointly leverage textual and visual information to detect scam videos while generating interpretable reasoning criteria aligned with YouTube's policies?
Key Findings
The study's key findings include (arXiv):
- Text-only models using video titles and descriptions achieve moderate effectiveness (76.61% F1).
- Visual analysis using a fine-tuned LLaVA-Video model yields stronger results (79.61% F1).
- A multimodal framework that integrates titles, descriptions, and video frames achieves the highest performance (80.53% F1).
- The multimodal framework produces interpretable reasoning grounded in YouTube's content policies.
Dataset
The study utilized three publicly available YouTube scam video datasets covering monetary, giveaway, and cryptocurrency scams, drawn from Bouma-Sims and Reaves (2021), Tripathi et al. (2022), and Li et al. (2023a). The consolidated dataset was named VidScam. The authors used the Python library yt-dlp to obtain the corresponding videos (arXiv).