40Nix Feb/19/2025 13:35

[Misc] The details of the hijacking incident

Introduction: Sorry for the inconvenience

As I wrote in this article, my Google account was hijacked and has been restored.
I apologize for the inconvenience and concern I have caused you...
This article describes the details and causes of the incident. Chapter 1 describes the specific process from the hijacking to the resolution, Chapter 2 describes the reasons why I trusted the fake account, and Chapter 3 describes the points that should have made me realize that it was a fake account.
If you have come to this page because your Google account has been hijacked, please see [1-4. Recovery].

I hope this will be helpful for your security measures.

Overview of the takeover and resolution

  • Received a collaboration invitation
    → downloaded and ran “software required to agree to the contract”
    → 💥infected💥
    → Google account illegally logged in and hijacked
    → contacted YouTube support team, somehow managed to recover

1. History: How were 40Nix accounts hacked?

I will explain the specific circumstances.

1-1. Before infection: Contact from a suspicious person

On February 1, 2025, I received a DM on Twitter from someone claiming to be a marketing manager for a certain beverage manufacturer.

Hey 40Nix, I’m a manager at *** and we’re open to a collaboration with you. We’re launching a new energy drink flavor and would love to discuss how we can work together.

On 2/2, I replied, “I'm interested, so please tell me more details. Also, please let me know where you heard about me,” and received the following reply:

I saw that you do original remixes and beats, maybe you would be interested in doing something with us? We could provide you with payment or some materials to work with.
I saw your Windows song :) by this way i come to u

(Windows song↓)
https://x.com/40nixM/status/1876584984859025658

And they sent a link:

I'll provide u NDA, review and sign it as u can!
There is code for it: xxxx-xxxx-....
zoho-esign.com
Review it carefully and sigh it if you agree to its terms. Let me know once you've finished!

On February 5th, I clicked on the link, entered the code, and checked the agreement. To sign the document, I was told that I needed to install a special app, so I followed the instructions on the screen to download the installer.

Ran it.

1-2. 💥Infection💥: Unauthorized login

When I ran the installer, nothing was displayed and nothing happened.
I thought it was strange and waited, and then Windows Defender detected a lot of "serious"-level threats such as Trojans. I was surprised, but relieved because it seemed to have been dealt with for the time being... or so I thought. But when I looked closely, I saw the following message.

Threat found - action needed.
Status: Active
Active threats have not been remediated and are running on your device.

Hey hey hey hey hey hey Yet Hey hey The virus Hey hey
Does that mean the virus is still "cheerful"?? HEEEYYY

I googled how to deal with it and performed an offline scan. After rebooting, it seemed to have been dealt with for the time being.
But it was too late. My phone wouldn't stop vibrating. I received notifications of a suspicious login, of my Gmail password being changed, of my two-step verification methods (backup codes, phone number, security key) being deleted and replaced, and of a new recovery email address and phone number being set.
I immediately tried to log in to reset the settings, but it said "your password is wrong."
I tried a different method... "A verification code has been sent to phone number xxx-xx-xx-xx." That's not my number!

It's been completely taken over.

Actual notification emails. I received a lot of these.

1-3. Immediately after the hijack

I tried everything I could find on the Google Help page.
Google Account Help - Tips to complete account recovery steps

Answer as many questions as possible
Try not to skip questions. If you're unsure of an answer, take your best guess rather than moving on to another question. Wrong guesses won’t kick you out of the process.

The "questions" are the password and the two-step verification (a verification code sent to a phone number). The attacker had already changed all of this information, so there was nothing I could do. The page above says "take your best guess," but there was no way I could guess it.
I could have had the verification code sent to the "previously set recovery email address," but after authenticating with it, I was asked to verify with the phone number (which had already been changed), so I couldn't log in after all.

At this point, I gave up on recovering my account and was completely hopeless. The passwords stored in the password manager must have been compromised too, so I changed the addresses, IDs, and passwords for everything that could still be changed.
I forced myself to start afresh and opened a new Google account and YouTube channel.
I went to bed with a pounding heart. Of course, I couldn't sleep.

A FEW HOURS LATER...

The next morning, when I looked at the hijacked 40Nix channel, I saw a strange live broadcast about Bitcoin.
(I was going to post a screenshot of the broadcast here, but it brought back some really disgusting memories, so I'll skip it.)
It was so disappointing. Even now, when I think about it, it makes me feel disappointed.

1-4. Recovery

I was hoping to at least have my YouTube channel suspended, and while I was researching, I came across this YouTube help page:
Recover a hacked YouTube channel

Get additional help from YouTube
If your channel is eligible (for example, if you’re in the YouTube Partner Program), once you recover your Google Account, you can get in touch with the YouTube Creator Support team for help.
If you’re not eligible for Creator Support, you can get help from @TeamYouTube on Twitter.

To contact the YouTube Creator Support Team, I needed to log in to YouTube. Since I couldn't do that, I contacted the Twitter account as a last resort. I was connected to a DM, and then to a member of the YouTube Creator Support Team via email.
(During this time, it seems that the YouTube broadcast had received multiple spam reports from viewers, and the YouTube channel had been suspended (a.k.a. banned). Thank you to the person who reported it.)
The support team's investigation confirmed that the account had been hijacked, and they then carried out the recovery process.

Too vicious

After that, I followed the instructions of the person in charge to carry out the necessary operations, and the recovery was successfully completed (2/8).
It was hijacked on 2/5, and fully restored on 2/8, three days later. During that time, I was so nervous, I couldn't sleep well, and my body and mind were so weak. I still get a little scared when my smartphone vibrates, thinking it might be a notification of unauthorized login. The malware seems to have been dealt with, but it still feels like it's smoldering. I really haaaate it. I want someone to buy me a meal.

2. Why did I trust it?

Looking back at it now, the fact that he said "We would like to collaborate with you on the launch of a new product" seems pretty suspicious... But this person's disguise was quite elaborate, so I didn't notice until getting infected.

  • The first message I received was polite (although it may have just seemed that way because I'm not used to English).
  • The account had over 10,000 followers.
  • It frequently retweeted tweets from the beverage manufacturer's official account.
  • The profile had a link to LinkedIn (a business-focused social networking site), and details about his career were written there. He had just under 300 followers on LinkedIn.
  • I got proper replies to my message via DM.
  • The site page, which was disguised as the electronic signature service "Zoho," was extremely elaborately designed.
    I didn't know "Zoho" before the incident. It appears to be a company that develops and operates various business applications similar to Microsoft Office. Among them is an electronic signature service called "Zoho Sign," and the site I was directed to this time was a fake site that was carefully made to imitate it.

    At first glance I didn't notice it's a fake


    The "authentication code" and URL that were actually sent. The link destination had disappeared at the time of writing this article.

After entering the code and proceeding, a proper contract-formatted document (pdf) was downloaded, and a button was displayed saying "Click here for electronic signatures: first-time users/those who have signed before." Clicking "first-time users" downloaded malware disguised as an installer called "ZohoApp."
Those familiar with Zoho may have noticed something was wrong, but the site's design was very authentic, and the logo at the top of the page was linked to the real Zoho homepage, so it was difficult to notice that it was a fake site.

Furthermore, this is a personal reason, but unfortunately, just when I was starting to think about applying for music jobs, the DM arrived.
"I, 40Nix, let's give it a go for our major debut!"
I was so excited that I got caught up in it. It's so pathetic... I'm so frustrated!!

3. Points you may have noticed here

After falling victim to the scam and realizing that it was malware, I took a closer look at the person and the fake site and found many elements that made me think, "You could have noticed this by now."

  • Twitter icon image
     ... a copy of another person's Facebook photo (found through image search)
     ... clearly a different person from the person in the LinkedIn icon
  • Past posts on Twitter
     ... If you go far enough back, the posts are just an ordinary user's tweets. From a certain point on, the account only retweeted official accounts
     (all past posts were in Spanish. According to the login history, all unauthorized operations were carried out from Spain).
  • When searching for the account's ID on Twitter, a tweet came up warning people to be careful because "it's a fake."
  • Properties of the downloaded software "ZohoApp.exe"
     ... "Product name" and "Publisher" were "Starcraft2" and "Blizzard Entertainment" (the name of a game and its developer, neither of which has anything to do with "Zoho")
  • Even when I tried to ask about the details of the "collaboration" via DM, I was put off by being told "First the signature, then the details"
     ...is there an order to it?
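The "Product name"/"Publisher" mismatch on ZohoApp.exe is the kind of thing that can be checked before double-clicking an installer. The following PowerShell function is an added example, not something from the original post or from Zoho: it reads the file's version resource, its Authenticode signature, and the Mark-of-the-Web stream the browser writes on download, and reports anything that does not match the publisher the download site claims to be. The file path and the expected publisher name are assumptions passed in by the caller.

```powershell
# Added example (not from the original post): inspect a downloaded installer
# before running it. $Path and $ExpectedPublisher are caller-supplied assumptions.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. 'Zoho' for a Zoho Sign client
    )
    $item     = Get-Item -LiteralPath $Path
    $vi       = $item.VersionInfo
    $findings = @()

    # 1. Version resource: CompanyName / ProductName should name the vendor the site claims to be.
    #    In the incident above these read "Blizzard Entertainment" / "Starcraft2" on a "Zoho" installer.
    if (-not $vi.CompanyName -or $vi.CompanyName -notlike "*$ExpectedPublisher*") {
        $findings += "CompanyName '$($vi.CompanyName)' does not mention '$ExpectedPublisher'"
    }
    if ($vi.ProductName -and $vi.ProductName -notlike "*$ExpectedPublisher*") {
        $findings += "ProductName '$($vi.ProductName)' does not mention '$ExpectedPublisher'"
    }

    # 2. Authenticode signature: a real vendor installer is signed, the status is Valid,
    #    and the signer certificate subject belongs to that vendor.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is '$($sig.Status)' (expected Valid)"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        $findings += "Signed, but signer subject '$($sig.SignerCertificate.Subject)' is not '$ExpectedPublisher'"
    }

    # 3. Mark-of-the-Web: the Zone.Identifier alternate data stream records where the
    #    browser downloaded the file from, so the real source domain can be compared
    #    with the vendor's real domain (here, a look-alike such as zoho-esign.com).
    $motw    = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
    if ($hostUrl) {
        $findings += "Downloaded from: $hostUrl (compare with the vendor's real domain)"
    }

    [pscustomobject]@{
        Path            = $item.FullName
        ProductName     = $vi.ProductName
        CompanyName     = $vi.CompanyName
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Findings        = $findings
        Suspicious      = ($findings.Count -gt 0)
    }
}

# Usage (path is an assumption):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\ZohoApp.exe" -ExpectedPublisher 'Zoho'
```

A clean result here is not proof that a file is safe (version strings are trivially forged and signed malware exists), but any finding is a strong reason to stop, and the combination of an unsigned binary, a version resource naming an unrelated company, and a download host that is not the vendor's own domain is exactly the pattern described above.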

I've prided myself on being an Internet kid since I was a child, so I feel embarrassed that I fell for such an easy trap. Damn it.

Conclusion

As soon as I tweeted that my account had been hacked, I received malicious replies and quote retweets from various unknown accounts saying, "Contact this person (an account pretending to be an account recovery expert) immediately!", and I was furious at the time.
Also, setting aside the premise that hijacking should not be done in the first place: you hijack a YouTube channel just to advertise Bitcoin?! If you're going to go to that much trouble, why not at least do something more outrageous and make a big fuss?!
Furthermore, right after this incident settled, I received a similar DM from someone claiming to be a public relations officer for the online course "Udemy". I'm fed up with this. (This person's disguise was very sloppy.)

In my correspondence with the YouTube support team, I was asked, "Have you been approached for a collaboration?" so I guess this kind of scam is pretty common. Stop it!

Finally, I would like to apologize again to anyone who was offended.
Thank you for reading this far.
Everyone, please be careful.

We look forward to your continued support of 40Nix and 三香白茶館 (Sankō Hakuchakan).

By the way

I made a new YouTube channel in a hurry and plan to use it as a sub-channel to post time-lapse videos of illustrations. If you are interested, please check it out.
▶40Nix - Resort
https://youtu.be/gr7hfIwrOh8
