A new wave of “Scam-Yourself” attacks has emerged, exploiting AI-generated deepfake videos and malicious scripts to target cryptocurrency enthusiasts and financial traders. Discovered by Gen Digital’s cybersecurity researchers, this campaign leverages synthetic personas and AI-crafted payloads to deceive individuals into compromising their own systems. The attacks, which saw a significant surge in the third quarter of 2024, combine cutting-edge deepfake technology with psychologically tailored lures to manipulate victims into executing harmful commands, marking a dangerous evolution in social engineering tactics.
The attack sequence begins with a deepfake video hosted on a compromised YouTube channel, which appears legitimate, with over 110,000 subscribers.
The deepfake videos features a synthetic persona, “Thomas Harris” or “Thomas Roberts,” created using advanced facial animation, voice synthesis, and body movement replication. Despite the channel’s seemingly authentic content, such as repurposed material from TradingView, the video promotes a fictitious “AI-powered developer mode” that allegedly predicts cryptocurrency trends with 97% accuracy. Victims are convinced to follow the instructions, unaware of the malicious intent behind the tutorial.
Once the video instructions are followed, victims are directed to execute a PowerShell command that fetches a malicious script from paste-sharing sites like Pastefy.com or Obin.net. This script connects to a command-and-control server and delivers payloads such as Lumma Stealer or NetSupport Remote Access Tool. These payloads allow attackers to steal cryptocurrency wallet and browser credentials or gain full control over the victim’s system. The deepfake video cleverly disguises its artificial nature, mimicking legitimate workflows and including procedural details like how to bypass Windows Defender through registry exclusions.
The attackers amplify the reach of their campaign through YouTube’s sponsored ad system, targeting users who are already watching legitimate financial content. Unlike traditional phishing, these attacks require active participation from the victims, who believe they are accessing exclusive tools. This makes it crucial for users to verify any digital instructions they receive, especially when dealing with financial information or tools. With cybercriminals automating the creation of synthetic personas and script refinement, security experts emphasize the importance of cross-checking digital interactions and exercising heightened caution to avoid falling victim to these sophisticated attacks.
