Jump to content

CryptoMining Via Youtube?

Recommended Posts

I've always been a subscriber and fans of Hak5 Youtube Channel.

This is the first time I've ever created a post here (I will just sign up minutes ago).

Lately I noticed that in the history of my watched video, there would sometimes be some video that I didn't watch, at first I though it was maybe some algorithm problem of youtube because I noticed most of these 'unwatched' video in the history are normally the video that appear in the suggestion list after the video that I 'truly watched' end. But then I realized this have been going on for quite a while, that's when I decided that this is really suspicious (not to mentioned that it wouldn't take very long for the Almighty Google to resolve something I suppose)

I guessed I have been hacked, in some way or another. Then actually the first place I went to, is google search 'how to open a support ticket or email Google/Youtube' but it is dead-end. So either I am bad at googling or google really is busy and has no time for this. (Well, that's how I end up here. Don't get mad at me fellas :mellow: )

Anyway, on a closer inspection, I guess I might have fall victim to a kind of crypto-mining bot/software because I think the name maybe give it away already? :


As I scroll down to browse the list of history, I came across this names 'CryptoSheldon' a few times. Anyone ever heard of this? I always read cybersecurity article, blog and watch Hak5 Video, but honestly I never heard of this.


Any hacker and cyber-security professional have any advice for I can do now? or perhaps anyone can tell me/have way to let Google knows about this? (If, it is ever within their power to help me). Really appreciate.


People are just getting more and more creative to steal CPU for crypto-mining purpose and I totally understand. I mean, if I were them I would've also think of whatever way, no matter how trivial it seems, to get CPU from laptop all over the world. So I can totally see this trick coming, but LOL, god I didn't expect I would fall victim for it.

Link to comment
Share on other sites

I don't see how adding extra videos to your watch list would help in crypto mining. I can see it being used to increase the viewer rate of certain videos. The attack would be to silently open a tab or use an iframe and auto play the video muted so that as far as youtube is concerned you've watched the video in a legit way. There is probably a minimum time that would be needed to count as a watch before the window could be closed.

Link to comment
Share on other sites

Hi digninja,


Hm....so I guess the fact that the username of the uploader contains the word 'Crypto' is just a coincidence?

Also, what you mean is, this is an attack, but not likely the attack that involve mining, but just a trick to 'boost' the like and view of a video right?


I guess there's only one question left, and the most important one: How did I even fall victim for this? It is not even a browser plugin kind of thing. And I believe I have practice good browsing hygiene (no same password on different site, don't click any link in email or pop-up window, always check that a website is HTTPS before continue etc.)

I am wondering if you have any good article or good read about this kind of attack? I would really be interested to learn more.

Link to comment
Share on other sites

You can call yourself whatever you want so yes, could be. Or they could have other bits to their bot that also do crypto mining and this is just the bit that you've noticed.


If it is this, you could have got caught in loads of different ways, have a look at this <link removed> for some ideas.

Edited by digininja
The link was for a proof of concept, it is no longer needed
  • Like 1
Link to comment
Share on other sites

If I'd redirected you to a page that had a bunch of youtube videos embedded in it then that would have achieved the same as you were describing at the start. You don't need to be "attacked" or to be vulnerable in some way, you just have to use the internet.

Link to comment
Share on other sites

Even if it was HTTPS not HTTP, it wouldn't matter as I have full control of the content you are viewing, the only difference is whether you are viewing it over an encrypted channel or not. The lesson, not meaning this in a bad way, is never to think that you are perfect and don't make mistakes or do things you really know that you shouldn't.

For anyone who doesn't believe me, read up on how Anonymous was taken down. One small slip by Sabu brought the whole thing down and regardless of what you think of them morally or ethically, they are/were a bunch of very intelligent people.

Back to your original question, as I said, there are loads of different ways they could have got you and, without a lot more info that could only really have been collected at the time, you'll probably never know. You could try keeping an eye on this history list, maybe daily, and if you notice any additions then check your browser history for that day. You can't rule anything out as even top corporate sites can include malicious adverts, but you might be able to spot a pattern and narrow things down.

Link to comment
Share on other sites

This is simply a legit YouTube video. well Maybe copyright content but thats it.


Possibly he has other videos with instructions to downloading software to hack your wifes cellphone.


The only harm a person could do with a YouTube page is post links to cpumining software or verbal instructions.


Monitor your cpu. this should be a habit for any puter neerd.


Link to comment
Share on other sites

On 3/5/2018 at 11:56 AM, CryptoEra-BestTimeForCyberCriminal said:

Guess I really need to be more careful and discipline with my internet browsing hygiene.

If you’re on a laptop/desktop, install uMatrix by Gorhill. I suggest then globally blacklisting everything and slowly whitelisting things that are needed. it can be a pain at times but know that the time spent refreshing certain websites a few extra times will be worth it.

If you’re on an iPhone I suggest the browser Brave, which is opensource (github here https://github.com/jcs/endless) and allows for some great global control such as script & xhr control, cookie wiping , built in https-everywhere and user agent control. plus it’s wicked quick.

Link to comment
Share on other sites

  • 5 months later...

Pretty straight forward. Sounds like something a teenager would do on public wifi like a at a library. Illegal, mostly pointless, and not very profitable.
Clone target webpage
Insert obfuscated coinhive hoplink in cloned page
do MITM attack with DNS spoofing and use cloned page to harvest credentials

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...