- A phishing campaign uses fake copyright alerts to trick YouTube creators into revealing Google login details.
- Attackers take over entire accounts, including Gmail, Drive, and payment systems.
- Malicious domains like dmca-notification[.]info power a scalable phishing-as-a-service operation.
Cybercriminals have launched a sophisticated phishing campaign that targets YouTube creators by impersonating copyright strike notifications. Attackers use the scam to steal Google login credentials and then gain full control of victims’ accounts, including Gmail, Google Drive, and payment information.
The operation relies on a malicious site hosted on dmca-notification[.]info, which mimics YouTube’s interface with alarming accuracy. The page displays familiar elements such as the YouTube logo, search bar, and structured layout, making it appear legitimate at first glance. It prompts users to enter their channel name, handle, or video link to “check” their copyright status.
Attackers strengthen the illusion by embedding the victim’s channel handle directly into the phishing URL. This tactic makes the page feel personalized before the user even interacts with it. Behind the scenes, the system tracks activity using hidden parameters and may coordinate traffic through platforms like Telegram, indicating an organized and distributed campaign.
Attackers Exploit Creators’ Fear of Copyright Strikes
YouTube creators depend heavily on their channels for income and brand visibility. Many earn through ads, sponsorships, and merchandise, all tied to a single Google account. Attackers exploit this dependency by targeting creators’ biggest fear: losing their channel overnight.
Once criminals gain access, they act quickly. They often rebrand hijacked channels within minutes, impersonate cryptocurrency companies, and launch fraudulent livestreams to exploit existing audiences. Victims lose control while their followers become targets of scams.
The scale of credential theft is staggering. A global cybersecurity breach recently exposed 149 million passwords, fueling identity theft fears worldwide and demonstrating that stolen login credentials are a primary currency of the dark web economy, whether harvested through phishing campaigns like this one or through massive database breaches.
The phishing page creates urgency with a convincing warning. It encourages users to “check your YouTube copyright status immediately,” pushing them to act without verifying authenticity. Another message escalates the pressure by stating that deleting the video will not resolve the issue and warns of consequences if no action is taken.
The page further threatens users with enforcement actions, stating they must “respond within three days or risk penalties against the channel.” This sense of urgency drives victims toward the next step: logging in.
Personalized Data Makes the Scam Highly Convincing
After a user submits their channel details, the phishing system pulls real data directly from YouTube. It displays accurate information, including the creator’s profile picture, subscriber count, number of videos, and most recent upload.
The system then fabricates a copyright complaint tied to that specific video. It generates timestamps dynamically based on the video’s length, making each notice appear unique and credible. This level of personalization makes the scam resemble an official legal notice rather than a generic phishing attempt.
The page instructs users to verify ownership by signing in with Google, promising that the issue will be resolved within 24 hours. Every design element pushes users toward the login button before they question the situation.
Fake Login Pages and Rotating Domains Capture Credentials
When users click “Login via Google,” the phishing site connects to a backend system that retrieves an active credential-harvesting domain. In observed cases, the system redirected victims to blacklivesmattergood4[.]com, which loaded inside a full-screen overlay.
Attackers designed this interface as a Browser-in-the-Browser attack. It mimics a Chrome pop-up window with a fake title bar reading “Sign in – Google Accounts – Google Chrome,” along with a padlock icon and a realistic-looking URL. However, the entire window is only a visual imitation. The actual browser address still points to dmca-notification[.]info.
Inside the fake window, victims see a near-perfect replica of Google’s login page. When they enter their credentials, attackers capture every keystroke.
The infrastructure does not rely on a single domain. The system dynamically rotates phishing domains in real time, allowing attackers to evade detection. Additional domains linked to the operation include dopozj[.]net, ec40pr[.]net, and xddlov[.]net, which researchers observed returning temporary errors during analysis. These may serve as backup servers or credential relay points.
After victims submit their login details, the fake window disappears without confirmation. The page returns to the copyright notice, giving attackers time to access the account before the victim notices anything unusual.
The system also includes a filtering mechanism. If a targeted channel exceeds three million subscribers, the phishing process stops and displays a harmless message stating the account is in good standing. This tactic likely helps attackers avoid high-profile users who could quickly expose the scam.
Researchers also confirmed that the campaign operates as a coordinated network. Each phishing link contains a referral ID, allowing a central system to track which attacker generated each victim. This structure confirms a phishing-as-a-service model, where multiple actors use the same toolkit to run campaigns at scale.
Experts stress that legitimate copyright alerts only appear in YouTube Studio. Any warning outside that platform should be treated as suspicious. Users should avoid signing in through external links and always verify the browser’s address bar before entering credentials.
Anyone who has already entered their details should act immediately. They should change their Google password, revoke active sessions, and review their YouTube channel for unauthorized activity.
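Because the campaign rotates domains, a blocklist of the names reported above will go stale. The following triage sketch for mail or proxy logs is an added example, not code from the researchers or the article. It pairs the published domains with a domain-independent check for a copyright-themed hostname outside Google that carries a channel handle in the URL. The trusted suffixes, lure words, sample URLs and their paths and parameters are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as printed in the article (defanged); refanged at load time.
ARTICLE_IOCS = ["dmca-notification[.]info", "blacklivesmattergood4[.]com",
                "dopozj[.]net", "ec40pr[.]net", "xddlov[.]net"]
BLOCKLIST = {d.replace("[.]", ".") for d in ARTICLE_IOCS}
# Assumption: hosts where a Google sign-in or a YouTube copyright notice is legitimate.
TRUSTED = ("youtube.com", "google.com")
# Assumption: lure words worth flagging in a hostname; tune for your environment.
LURE_WORDS = re.compile(r"dmca|copyright|strike", re.I)
HANDLE = re.compile(r"@[A-Za-z0-9._-]{3,30}")  # YouTube-style channel handle


def under(host, domain):
    """True if host is domain or a subdomain of it (label-aligned, not substring)."""
    return host == domain or host.endswith("." + domain)


def triage(url):
    """Return (verdict, reasons) for one URL taken from mail or proxy logs."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if any(under(host, d) for d in BLOCKLIST):
        reasons.append("known-domain")
    if not any(under(host, d) for d in TRUSTED):
        if LURE_WORDS.search(host):
            reasons.append("lure-hostname")
        if HANDLE.search(parts.path + "?" + parts.query):
            reasons.append("handle-in-url")
    if "known-domain" in reasons:
        return "block", reasons
    if len(reasons) == 2:  # both heuristics fired on a host not yet on the list
        return "review", reasons
    return "allow", reasons


# Constructed sample URLs; paths and parameters are invented for the demo.
SAMPLES = [
    "https://dmca-notification.info/check/@examplecreator?ref=0000",
    "https://youtube.com.copyright-help.example/@examplecreator",
    "https://studio.youtube.com/channel/UC0000/copyright",
    "https://copyright-office.example/dmca/faq",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(triage(u)[0], u)
```

The second sample shows why the trusted-host test is label-aligned: a hostname that merely begins with youtube.com is not treated as Google-owned.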