The Most Elaborate YouTube Credential Stealing Phishing Attack I’ve Ever Seen

I’ve been on YouTube for over a decade now, and with that comes a steady stream of emails—some from viewers, some from brands, and quite a few from scammers. Most of the scam attempts are easy to spot, but every so often, one comes through that’s far more convincing than the rest.

This most recent example caught my attention for how elaborate and well-executed it was, and I think it’s worth sharing as a cautionary tale.

These attacks attempt to get YouTube creators to download malware that steals their login credentials. You’ve probably seen this happen to other creators—big names like Linus Tech Tips have dealt with it. These attackers use social engineering tactics, many times impersonating an ad agency or brand, and send over the malware disguised as a contract.

I get messages daily that are easy to dismiss. One claimed to be from Nvidia offering an RTX 5000, but the email came from a random address in Slovakia. Another one, supposedly from Black Desert, had similar red flags. But others look much more legitimate. One scam I looked into a few weeks ago appeared to be from Corsair. The sender impersonated a real employee and used graphics and assets from Corsair’s actual website. But there were giveaways—like an email that, on reply, went to a random Gmail account and an SMTP server tied to a school in India. That one was fake, but you could spot it with a little digging.

Then came the Sony campaign email, which was on a whole different level. It started with a message from someone at “creatorpulse.org,” presenting themselves as an agency. I hadn’t heard of them before, so I checked out their website. It redirected to another agency, which looked like a social media marketing company. That wasn’t necessarily suspicious, since agencies often operate under different names for different industry verticals.

I responded, just to see where it would go. The sender said this was a major opportunity with Sony and directed me to watch a video on YouTube for more information. The video featured a very professional-looking and professional-sounding host who walked the creator through a set of instructions for participating in the campaign. Creators were promised sizable compensation for this campaign along with up-front payments.

The YouTube channel where this video lived, “Sony Partnership”, looked authentic. It had a verified badge and 139,000 subscribers along with a lot of content going back years. The video had been posted as unlisted and had over 4,600 views. Other creators were clearly being targeted.

But when I dug deeper, I saw that the content on the channel wasn’t original. It was made up entirely of playlists featuring official Sony videos. The channel itself hadn’t uploaded any public content—it was just borrowing legitimacy by curating the official Sony channel’s content.

I followed the link provided and logged into the associated website using a VPN and a dummy account. The site asked for access to a YouTube channel, displayed some generic YouTube stats, and then prompted users to download a password-protected archive that was supposedly an encrypted spreadsheet of products to request.

But the archive only worked on Windows, which was the biggest red flag. These types of files typically contain malware. If opened, they execute a script designed to steal Google and YouTube credentials. Once that happens, scammers can take over the channel, replace all content with crypto scam livestreams, and impersonate the original creator.

That’s likely what happened to the “Sony Partnership” channel. It was probably a legitimate account at one point—maybe even a verified one with a decent subscriber count—before it was compromised and repurposed for this phishing scheme.

The video in the scam featured a professional-looking host. Curious about who he was, I grabbed a frame and ran an image search. That led me to the portfolio of a video editor and, eventually, to a Fiverr spokesperson named Radostin Radev. He’s not involved in the scam; he was hired through Fiverr, likely thinking he was working for Sony, a past client of his. When I contacted him, he was shocked to find out how his video was being used. He hadn’t known about it until I reached out.

Others have reported receiving similar emails from different fake agencies, all linking to the same video and site. Despite these reports, the scam site is still up and running, protected by Cloudflare, and the hijacked YouTube channel remains active and has been for at least a week.

The motivation here is financial. These fake crypto livestreams actually pull in money. One report from Bank Info Security detailed a scam that netted $1.6 million. The tactic is to ask viewers to send a small amount of Bitcoin in exchange for an investment opportunity or giveaway. With a hijacked, verified channel, scammers can use YouTube’s algorithm to amplify reach—sometimes with the help of fake viewers—to pull in real victims.

Bitdefender published a good deep dive last year explaining how these attacks work. It’s worth a read if you want to understand the mechanics behind it. But the bottom line is this: scammers are evolving. They’re spending money, crafting believable narratives, and using stolen or compromised infrastructure to increase their odds of success.

Staying safe means being skeptical, even when everything seems to check out on the surface. Always double-check domains and email headers, and don’t download files you weren’t expecting—especially if they’re password protected and only work on one operating system.
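To make that header check concrete, here is an added example (my own illustration, not code from the original post) that parses a constructed message and flags the two giveaways from the Corsair lure described earlier: a Reply-To at a free-mail provider that does not match the From domain, and a last-hop SMTP server outside the sender's domain. All domain names and IDs in the sample are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free-mail providers a brand's partnership team would not use for replies.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()

def last_hop_host(msg) -> str:
    """Host named in the topmost Received header, i.e. the server that handed
    the message to our MX. Lower Received lines can be forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"from\s+([\w.-]+)", received[0])
    return m.group(1).lower() if m else ""

def check_headers(raw: str) -> list:
    """Return human-readable findings for the sender-consistency checks."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    hop = last_hop_host(msg)
    findings = []
    if reply_dom and reply_dom != from_dom:
        note = "Reply-To domain %r differs from From domain %r" % (reply_dom, from_dom)
        if reply_dom in FREEMAIL:
            note += " (free-mail provider)"
        findings.append(note)
    if hop and from_dom and hop != from_dom and not hop.endswith("." + from_dom):
        findings.append("last-hop SMTP server %r is not under %r" % (hop, from_dom))
    return findings

# Constructed sample (not a real message): brand-looking From, free-mail
# Reply-To, and a last hop from an unrelated domain.
SUSPICIOUS = """\
Received: from mail.unrelated-school.example (mail.unrelated-school.example [203.0.113.7])
 by mx.inbox.example (Postfix) with ESMTPS id PLACEHOLDER
 for <creator@inbox.example>; Mon, 3 Mar 2025 10:15:22 +0000
From: "Partnerships Team" <partnerships@brand.example>
Reply-To: brand.partnerships2025@gmail.com
Subject: Sponsorship opportunity

body omitted
"""

if __name__ == "__main__":
    for finding in check_headers(SUSPICIOUS):
        print("WARNING:", finding)
```

Brands often relay mail through third-party providers, so a last-hop mismatch is a prompt to read the SPF and DKIM results in the Authentication-Results header rather than proof of spoofing.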