YouTube creators should be concerned since new spyware YTStealer is currently targeting their accounts to take them over by stealing their authentication cookies.

How does the attack work?

The malware containing malicious YTStealer installers lures users by impersonating software that edits videos or acts as content for new videos.
  • Prior to running on the host, the YTStealer malware performs various anti-sandbox checks utilizing the free Chacal utility.
  • The malware carefully examines the browser SQL database files to look for YouTube authentication tokens.
  • After adding the stolen cookie to its store, it launches the web browser in headless mode to validate them.
  • If it’s valid, YTStealer also collects additional information, such as YouTube channel name, subscriber count, creation date, monetization status, and official artist channel status.

Who buys these compromised accounts?

According to the autonomous security operations platform, stolen YouTube accounts are sold on the dark web.
  • The buyers of the compromised accounts typically use these stolen authentication cookies to hijack YouTube channels for various scams or demand a ransom from the actual owners.
  • The prices depend on the channel size - the larger and more influential a YouTube channel, the more expensive it will be to purchase.


Despite the fact that YouTube content creators' accounts are protected by multi-factor authentication, hackers can still bypass MFA and access their accounts. YouTube creators can consider logging out of their accounts on a regular basis to invalidate any authentication tokens that may have previously been created or stolen.
Cyware Publisher