
ZDNET’s key takeaways
- The YouTube Ghost Network promoted thousands of scam videos.
- Videos offer game hacks or pirated software, but actually distribute malware.
- A web of fake accounts makes the scam videos look genuine.
A malicious network of videos hosted on YouTube has been discovered by researchers who branded it “one of the largest malware operations seen on YouTube.”
The researchers’ discovery
On Thursday, Check Point researchers published a report that revealed the scam, dubbed the YouTube Ghost Network, which they tracked for over a year. Over 3,000 malicious and fraudulent videos, hosted on YouTube’s platform, make up the core of the network.
The YouTube Ghost Network has likely been active since 2021, with videos posted consistently over the years — until 2025, when the number of videos tripled.
The YouTube Ghost Network, explained
Over 3,000 YouTube videos, described as part of a “sophisticated malware distribution network,” contained tutorial-style content that enticed viewers with promises of free or cracked software, game hacks, and game cheats. The most common lures were for free versions of Adobe Photoshop, FL Studio, and Microsoft Office, alongside hacks for games, including Roblox.
Easy-to-understand instructions accompanied each video, telling viewers to download a password-protected archive from sources including Google Drive and Dropbox. Once downloaded, users are told to temporarily disable Windows Defender before extracting and installing the file contained in the archive.
If you’re trying to use cracked software, you’d probably want to disable security protections, so the need to stop Windows Defender from catching a pirated file makes sense — even though it’s dangerous. However, once a malicious file is launched, users will realize they have actually executed malware on their PC.
The research team said this network is being used to spread information stealers, including Rhadamanthys and Lumma.
However, there is more to this network than just fraudulent videos. The operators of the scam are using fake and compromised YouTube accounts not only to upload videos, but also to post links and archive file passwords, and to interact with watchers — posting positive feedback that makes the cracks and tutorials appear genuine and safe.
For example, a compromised YouTube account with approximately 129,000 subscribers posted a video touting a cracked version of Adobe Photoshop, which reached 291,000 views.
Furthermore, fraudulent Google Ads campaigns have been driving traffic to these videos.
“This modular structure allows the operation to scale quickly and survive account bans, making takedowns more complex and continuous,” Check Point said.
Is this the only scam of its kind?
No. As a popular video hosting platform, YouTube has been abused since its inception to host videos that lead to malicious downloads.
Last year, the researchers revealed a similar scam on GitHub. In that operation, dubbed the Stargazers Ghost Network, malicious links and malware packages were distributed via GitHub repositories, with fake accounts starring, forking, and subscribing to make them appear genuine.
In recent months, TikTok, another video hosting platform, has also been abused for malicious purposes. Content is being posted that promises free software and hacks, along with instructions. However, in this case, scammers are employing ClickFix techniques to dupe users into triggering malicious commands on their own devices.
It takes no more than a quick Google search to find websites and videos offering game hacks, cheats, software cracks, and pirated software downloads — all of which were themes found in the latest network’s video content.
How to stay protected
Check Point has reported the network to Google, and the majority of the videos involved in the network have been taken down.
However, the disruption of this malware distribution network is only the tip of the iceberg. These kinds of scams will never go away, and so it is up to us to steer clear of them.
- Official sources: You should not download software from unofficial sources. While the lure of free software, gaming cheats, and hacks may be tempting, you never really know what the file you are installing will do to your system — and let’s not forget these practices are often illegal, too.
- Cybersecurity: If any software package or installer requires you to disable your antivirus software, this is a major red flag. If you do, you are opening yourself up to data theft, malware, and potentially account compromise.
- Stay suspicious: If something looks too good to be true, it probably is. You should maintain a high level of skepticism before downloading any new software or apps.
- Trust: As the example above highlights, even if a YouTube account has a large number of subscribers, that doesn’t mean the content it posts is safe. A high follower count doesn’t guarantee safety, and even the most popular channels could be taken over by threat actors. This applies to community posts, too.
- What to do next: If you have downloaded a file after watching one of these videos and you suspect you have executed malware on your system, you need to act fast. Generally speaking, the first thing you should do is cut yourself off from the internet, as this may stop your information from being extracted and transferred, and prevent malware from receiving instructions. Re-enable any cybersecurity software you disabled (if you can) and try to run a scan, though some malware may prevent it. If the file still exists, delete it. If you can’t clean your PC yourself, you may need to take it to an IT specialist. Don’t use a machine you think may be infected to access any of your accounts until it is clean, and don’t connect it to any other devices.
The post Don’t be fooled by this massive YouTube scam network – how to protect yourself first appeared on TechToday.