How Cybercriminals Are Blackmailing YouTube Influencers to Spread Crypto Mining Malware

In a troubling new trend, cybercriminals are targeting YouTube creators, coercing them into embedding malicious crypto mining malware in their videos. According to a recent investigation by cybersecurity firm Kaspersky, hackers are exploiting the growing popularity of Windows Packet Divert drivers in Russia. These drivers, designed to help internet users bypass geographic restrictions, have surged in demand, prompting a wave of instructional YouTube content. However, this has opened the door for criminals to manipulate creators and infect unsuspecting viewers.
Kaspersky’s research reveals that over the past six months, these drivers have appeared on 2.4 million devices, with downloads climbing steadily since September. As YouTubers produce videos explaining how to install these tools, hackers have seized the opportunity to slip links to SilentCryptoMiner, a dangerous piece of malware, into video descriptions.
Their methods are calculated and aggressive. In one common approach, attackers issue copyright strikes against a creator’s video, then pose as the driver’s original developer. They pressure the YouTuber to resolve the dispute by adding a malicious link, effectively turning a trusted channel into a distribution hub for malware.
One notable case involved a YouTube influencer with 60,000 subscribers. After receiving threats, the creator added harmful links to videos that collectively garnered over 400,000 views. These links directed viewers not to a legitimate source like GitHub, but to an infected archive that has since been downloaded more than 40,000 times. Kaspersky estimates that this campaign alone has compromised around 2,000 computers in Russia, though the true scope could be larger when factoring in similar efforts on platforms like Telegram.
A Sophisticated Evolution in Cybercrime
Leonid Bezvershenko, a security researcher at Kaspersky’s Global Research and Analysis Team, describes this as a significant shift in tactics. Unlike traditional malware distribution through social platforms, this approach weaponizes the trust between YouTubers and their audiences. By leveraging copyright strikes and takedown threats, attackers amplify their reach, transforming routine how-to videos into infection vectors.
SilentCryptoMiner, built on the open-source XMRig framework, mines cryptocurrencies like Ethereum and Monero. Once installed, it hides inside legitimate system processes through a technique called process hollowing. Its remote operators can also pause mining while the host system is in active use, which makes the infection harder to notice and detect.
While this campaign has primarily targeted Russian users—evidenced by the malware’s availability to Russian IP addresses—Bezvershenko cautions that cybercriminals are opportunistic. They adapt to wherever vulnerabilities emerge, suggesting this tactic could soon spread globally. The rise of crypto mining malware isn’t new; the Center for Internet Security ranked CoinMiner as the second-most prevalent malware in 2024, trailing only the SocGholish downloader. Late last year, ReversingLabs also uncovered crypto mining code hidden in widely used open-source programming tools, some boasting hundreds of thousands of weekly downloads.
For everyday internet users, avoiding these threats requires diligence. Kaspersky advises skepticism toward any download prompt that urges disabling antivirus software or insists a file is safe. Verifying the source of a link, even from a trusted creator, can mean the difference between security and compromise.