This campaign employs sophisticated phishing tactics against YouTube creators by generating fake copyright strike notices that incorporate real channel details such as profile pictures, subscriber counts, and recent videos to increase credibility. Victims are then subjected to a Browser-in-the-Browser attack, which simulates a legitimate Google login prompt within the browser, capturing their Google credentials. The infrastructure is shared among multiple attackers who rotate domains to evade detection. Compromised accounts allow attackers to fully control the Google account, rebrand the YouTube channel, and conduct cryptocurrency scams via livestreams. The phishing kit excludes channels with more than three million subscribers to avoid attracting attention from security teams.

Successful exploitation results in complete Google account takeover of targeted YouTube creators. Attackers gain control over the victim's YouTube channel, enabling them to rebrand it and livestream fraudulent cryptocurrency scams to the channel's audience. This can lead to financial losses for viewers and reputational damage for the victims. The campaign's evasion techniques, including domain rotation and selective targeting, increase its persistence and effectiveness.

No official patch or fix is applicable as this is a phishing campaign rather than a software vulnerability. Defenders should educate YouTube creators about this phishing tactic, emphasizing caution with copyright strike notifications and verifying URLs before entering credentials. Use of multi-factor authentication (MFA) on Google accounts is strongly recommended to reduce the risk of account takeover. Monitoring for suspicious login activity and promptly reporting phishing domains to relevant authorities can help mitigate impact. Since the campaign uses rotating domains, blocking known malicious domains listed (e.g., blacklivesmattergood4.com, dmca-notification.info) can assist in detection and prevention.