By: Kyle Fedorek

In the Penza region, police officers and the FSB of Russia detained another “hacker” group. This time it is the group “BlowMind”, which was engaged in stealing YouTube channels.

In July 2020, a criminal case was opened on the fact of the creation and distribution of malicious computer programs (Part 2 of Article 273 of the Criminal Code). Six residents of Penza aged 17 to 20 are suspected of committing the crime; they were detained on 16.07.2020.

The group was created in January 2020. The attackers agreed to write a “stealer” that would steal cookies and usernames/passwords from browsers.

The group included: the organizer and coordinator of the group (blackhatqq, bet1sh, estilmate), a Python developer (munqush), support (ParatrooperA), LOGER (SwedenOptimaTeen), and others.

User Bet1sh on shadow forums promoting blowfish and selling stolen YouTube accounts.

More than 200 so-called “workers” were then hired (for a percentage of the subsequent sale of stolen channels), whose task was to find the owners of YouTube channels and, through social engineering, get them to run the stealer. A special guide was even written for them (https://telegra.ph/BLOWMIND—Manual-05-11).

A translated screenshot from the BLOWMIND tutorial for spreading the stealer and hacking YouTube accounts.

“Workers” were recruited through numerous shadow forums. Interestingly, complaints about “BlowMind” later began to appear on these forums (fraud, small payments, etc.). Some accounts of group members were even banned for fraud.

Victims (owners of YouTube channels) were sent the stealer under the guise of legitimate software. Fake sites were created for this software, and channel owners were offered money to review it (to do so, they had to run a malicious EXE file). The size of the stealer executable was deliberately inflated to 550 MB so that it could not be uploaded to virustotal.com for checking.
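As an added example (not the article's or the group's code), here is a small Python heuristic a defender could use to spot the trick described above: an executable padded far beyond its real size so that it stays above the upload limit of online scanners. It assumes the inflation is a long run of one repeated byte (for example zeros) appended after the real program body; the sample file and the thresholds are constructed for illustration and scaled down so the script runs instantly.

```python
import math
import random
from collections import Counter

# Added example, not code from the article or the BLOWMIND group.
# Assumption: size inflation is a single repeated byte appended to the real body.


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the very end of the data."""
    if not data:
        return 0
    # rstrip with a one-byte argument removes exactly the trailing run of that byte
    return len(data) - len(data.rstrip(data[-1:]))


def assess_padding(data: bytes, min_size: int = 100 * 2**20,
                   min_padding_ratio: float = 0.5) -> dict:
    """Flag a file as suspicious when it is both large and mostly one trailing
    single-byte run. The defaults (100 MiB, 50 %) are illustrative, not tuned."""
    size = len(data)
    run = trailing_run_length(data)
    ratio = run / size if size else 0.0
    body = data[:size - run]
    return {
        "size": size,
        "trailing_run": run,
        "padding_ratio": round(ratio, 4),
        # entropy of (at most the first 1 MiB of) the non-padded part: real
        # compiled code usually scores well above 6 bits per byte
        "body_entropy": round(shannon_entropy(body[:2**20]), 2),
        "suspicious": size >= min_size and ratio >= min_padding_ratio,
    }


def assess_file(path: str, **thresholds) -> dict:
    """Run the heuristic over a file on disk."""
    with open(path, "rb") as f:
        return assess_padding(f.read(), **thresholds)


# Constructed sample: 4 KiB of pseudo-random non-zero bytes as the "program",
# followed by 1 MiB of zero bytes standing in for the inflation.
SAMPLE_BODY_SIZE = 4096
SAMPLE_PADDING_SIZE = 2**20


def build_sample() -> bytes:
    rng = random.Random(1)
    body = bytes(rng.randrange(1, 256) for _ in range(SAMPLE_BODY_SIZE))
    return body + b"\x00" * SAMPLE_PADDING_SIZE


def analyze_sample() -> dict:
    """Padded sample with thresholds lowered to match the scaled-down sizes."""
    return assess_padding(build_sample(), min_size=2**20, min_padding_ratio=0.5)


def analyze_unpadded_control() -> dict:
    """The same body without padding must not trip the heuristic."""
    body = build_sample()[:SAMPLE_BODY_SIZE]
    return assess_padding(body, min_size=2**20, min_padding_ratio=0.5)


if __name__ == "__main__":
    for label, result in (("padded sample", analyze_sample()),
                          ("unpadded control", analyze_unpadded_control())):
        print(label, result)
```

The heuristic is deliberately cheap: `bytes.rstrip` finds the trailing run at C speed, so it copes with a file of several hundred megabytes, and the entropy is computed only over the start of the non-padded body. A high padding ratio on a large file is a signal to hand the trimmed body (not the inflated file) to a scanner, not proof of malice on its own.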

In early versions, the stealer actually supported only the Chrome browser, from version 80 onwards (no data was stolen from Edge, Yandex Browser or Firefox), but support was later added for all popular browsers and even for less common ones (for example, Vivaldi).

As a result of the attackers’ actions, several hundred popular YouTube channels were hacked and stolen. Channels stolen in this way were then resold on popular underground forums such as the infamous OGUsers.