200k+ YouTube Creators Targeted In Massive Brand Deal Scam
CloudSEK researchers have uncovered a large-scale phishing operation targeting YouTube creators through fake collaboration and promotional offers, with over 200,000 content creators affected by the campaign.
Cybercriminals deployed automated tools to send between 500 and 1,000 phishing emails from individual accounts, using subject lines like “Collaboration Proposal” and “Marketing Opportunity” to entice creators. The attackers customize their approaches based on channel size and content type, according to findings from CloudSEK’s Threat Intelligence Research Team.
Source: CloudSEK
The operation relies on malicious files hosted on trusted platforms like OneDrive, typically disguised as partnership agreements or promotional materials. These password-protected archives contain executables that, when opened, deploy malware designed to steal login credentials and session cookies or enable remote system access.
“This campaign is not just about stealing accounts; it’s about leveraging the trust and influence of YouTube creators to amplify scams on a massive scale,” Mayank Sahariya, Security Researcher at CloudSEK, wrote in a blog post. “Attackers are exploiting these accounts to push scams and fraudulent schemes, reaching millions of unsuspecting followers.”
The technical infrastructure behind the campaign includes more than 340 SMTP servers, 46 compromised Remote Desktop Protocols, and over 26 SOCKS5 proxies used to mask criminal activities. CloudSEK’s investigation has revealed extensive documentation of the attackers’ methods, including email templates and credential-harvesting tools.
Image: A template used by a threat actor to target brand; source: CloudSEK
In one documented case, attackers approached a YouTube creator with a substantial brand partnership offer. After downloading what appeared to be terms and conditions from a OneDrive link, embedded malware compromised the creator’s account. The attackers then used the compromised channel to promote fraudulent cryptocurrency giveaways.
CloudSEK security experts outline several key protective measures against these threats. They advise content creators to verify any brand offers by contacting companies through their official channels rather than relying solely on email communications. Two-factor authentication serves as a critical security layer for account protection. Creators and their teams should approach attachments from unknown sources with heightened scrutiny while monitoring their accounts for signs of unauthorized activity. Additionally, experts stress the importance of comprehensive phishing awareness training for all team members involved in account management.
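The lure traits described above (the quoted subject lines, a link to a file-hosting service, a password-protected archive) can be checked on an inbound message before anyone opens the download. The following Python is an added example, not code from CloudSEK or this article; the OneDrive hostnames, the password-in-body pattern and the hold rule are assumptions.

```python
import re
from email import message_from_string
from email.policy import default

LURE_SUBJECTS = ("collaboration proposal", "marketing opportunity")  # from the article
FILE_HOSTS = ("onedrive.live.com", "1drv.ms")  # assumption: OneDrive share hosts
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
# Assumption: the lure states the archive password in the message body.
PASSWORD_RE = re.compile(r"\bpass(?:word|code)\b\s*(?:[:=]|is)\s*\S+", re.I)

def triage(raw):
    """Return the list of lure traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    subject = (msg["Subject"] or "").lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    # Compare real hostnames: drop any userinfo ("user@") and port first.
    hosts = {h.rsplit("@", 1)[-1].split(":")[0].lower() for h in URL_RE.findall(body)}
    reasons = []
    if any(s in subject for s in LURE_SUBJECTS):
        reasons.append("lure-subject")
    if any(h == f or h.endswith("." + f) for h in hosts for f in FILE_HOSTS):
        reasons.append("file-host-link")
    if PASSWORD_RE.search(body):
        reasons.append("password-in-body")
    return reasons

def verdict(raw):
    """Hold for manual review when a file-host link comes with another trait."""
    reasons = triage(raw)
    return "hold" if "file-host-link" in reasons and len(reasons) >= 2 else "pass"

# Constructed sample messages (not taken from the campaign).
LURE = """From: Partnerships <deals@brand-example.test>
To: creator@example.test
Subject: Collaboration Proposal for your channel

Hi, we would like to sponsor your next video.
Agreement: https://1drv.ms/u/EXAMPLE-PLACEHOLDER
Archive password: 2024
"""
BENIGN = """From: Friend <friend@example.test>
Subject: Marketing Opportunity notes

Slides are at https://example.test/onedrive.live.com/slides.pdf
"""

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("BENIGN", BENIGN)):
        print(name, verdict(raw), triage(raw))
```

A "hold" result only routes the message to someone who can confirm the offer with the brand through its official channel; it is not a malware verdict.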
Aside from phishing, YouTube has also been a venue for other types of schemes. In November, Brazil's Sports Ministry requested federal intervention to combat fraudulent gambling advertisements on YouTube after identifying more than 53 channels promoting deceptive betting schemes to audiences exceeding 100,000 viewers per broadcast.