Full Report
Threat actors are exploiting major Counter-Strike 2 (CS2) competitions, like IEM Katowice 2025 and PGL Cluj-Napoca 2025, to defraud gamers and steal their Steam accounts and cryptocurrency. [...]
Analysis Summary
# Tool/Technique: CS2 Streamjacking Campaign / Fake Giveaways
## Overview
This entry describes a "Streamjacking" campaign targeting the gaming community, specifically *Counter-Strike 2* (CS2) players. The attackers hijack legitimate YouTube accounts, rebrand them to impersonate popular professional CS2 players (such as s1mple, NiKo, and donk), and stream looped gameplay footage advertising fake cryptocurrency and CS2 skin giveaways. The goal is to direct viewers to malicious websites that steal Steam accounts and cryptocurrency.
## Technical Details
- Type: Campaign / Technique (Social Engineering/Phishing)
- Platform: YouTube (primarily), leading to malicious external websites.
- Capabilities: Account hijacking (YouTube), impersonation, social engineering through fake giveaways, phishing for Steam credentials, and outright cryptocurrency theft.
- First Seen: Not explicitly specified, but the campaign is actively targeting the CS2 community (i.e., after the release of CS2).
## MITRE ATT&CK Mapping
This activity is primarily focused on initial access and credential harvesting/impact.
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1566.002 - Spearphishing Link (Users clicking links provided in the stream description/chat)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores (Stealing stored Steam session/login cookies or direct credentials)
- **TA0009 - Collection**
  - T1560 - Archive Collected Data (Stealing valuable digital items like skins)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Using web traffic to deliver the phishing site)
## Functionality
### Core Capabilities
- **YouTube Channel Hijacking:** Taking over legitimate existing YouTube channels and rebranding them with professional player names and branding.
- **Impersonation:** Mimicking high-profile CS2 players for credibility.
- **Content Looping:** Displaying pre-recorded or old gameplay footage to simulate a live event.
- **Social Engineering Lures:** Promoting fake giveaways promising users crypto (e.g., "send crypto to receive double") or valuable in-game items (Skins).
- **Phishing:** Redirecting users via QR codes or links to malicious login pages masquerading as legitimate platforms (e.g., CS.MONEY) to harvest Steam credentials.
### Advanced Features
- **Asset Theft:** Once credentials are stolen, threat actors gain access to steal valuable CS2 skins from the compromised Steam accounts.
- **Cryptocurrency Fraud:** Direct requests for cryptocurrency transfers, which are immediately stolen upon sending.
- **Deceptive Branding:** Using names of legitimate esports sponsorships to enhance credibility.
## Indicators of Compromise
*Note: As this is a summary of a general scam campaign, specific hashes/IPs are not provided in the source, focusing instead on behavioral IOCs.*
- File Hashes: N/A in source
- File Names: N/A in source
- Registry Keys: N/A in source
- Network Indicators: Malicious websites hosting phishing forms. The exact URLs would be the primary indicator, but they are defanged or obfuscated by the threat actor and the platform and are not given in the source. Links directing users to submit Steam credentials or send cryptocurrency.
- Behavioral Indicators: Live streams on YouTube impersonating pro players offering unlikely crypto/skin doubling giveaways; links embedded in streams directing to external login prompts for Steam accounts.
## Associated Threat Actors
The article attributes the activity to unnamed "threat actors" investigated by Bitdefender Labs. The campaign itself is a type of organized fraud rather than being tied to a specific APT group.
## Detection Methods
- Signature-based detection: Low utility against the social engineering itself, but useful for detecting payload files if malware is subsequently dropped (not detailed in the source).
- Behavioral detection: Monitoring for rapid changes in YouTube channel branding, streams featuring looped content advertising giveaways, and user navigation from video descriptions/chat to external login pages, especially regarding Steam.
- YARA rules: N/A in source.
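The behavioral indicators and behavioral detection bullets above can be turned into a simple triage heuristic over live-stream metadata. The following is an added example written for this summary, not code from the report or from Bitdefender Labs. It scores a stream on the signals the report names: a channel name that borrows a pro player's handle, "send crypto to receive double" or skin-giveaway lure text, links to Steam lookalike hosts, a wallet address in the description, and a recent channel rename (the hijack-and-rebrand step). The point weights, the flag threshold, the `.example` lookalike host, the wallet-address regexes and the two sample streams are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Pro-player handles the report says the campaign impersonates.
IMPERSONATED_HANDLES = {"s1mple", "niko", "donk"}

# Lure phrasing typical of "send crypto, get double back" and skin-giveaway scams.
LURE_PATTERNS = [
    re.compile(r"\b(double|triple|2x|x2)\b.*\b(btc|eth|crypto|bitcoin|ethereum)\b", re.I),
    re.compile(r"\bsend\b.*\b(receive|get back|return(ed)?)\b", re.I),
    re.compile(r"\bskins?\b.*\bgiveaway\b|\bgiveaway\b.*\bskins?\b", re.I),
]

# Hosts where a Steam login prompt is expected; any other host containing
# "steam" is treated as a lookalike (assumption: this allowlist is sufficient).
STEAM_OWNED_HOSTS = {"steamcommunity.com", "steampowered.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Wallet-address shapes (assumption): Ethereum 0x+40 hex, Bitcoin bech32 and legacy base58.
WALLET_RE = re.compile(
    r"\b0x[0-9a-fA-F]{40}\b|\bbc1[a-z0-9]{25,59}\b|\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"
)

FLAG_THRESHOLD = 5  # Assumption: one weak signal alone is not enough; two or more are.


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def is_steam_owned(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in STEAM_OWNED_HOSTS)


def is_steam_lookalike(host: str) -> bool:
    """'steam' appears in the host name but it is not a Steam-owned domain."""
    return "steam" in host.lower() and not is_steam_owned(host)


def triage_stream(channel_name: str, title: str, description: str,
                  recently_renamed: bool) -> Verdict:
    """Score one live stream's metadata against the report's behavioral indicators."""
    v = Verdict()
    text = f"{title}\n{description}"

    # Impersonation: channel name carries a pro player's handle (weak signal on its own).
    name_norm = re.sub(r"[^a-z0-9]", "", channel_name.lower())
    for handle in IMPERSONATED_HANDLES:
        if handle in name_norm:
            v.add(2, f"channel name resembles pro player '{handle}'")
            break

    # Giveaway / doubling lure in the title or description.
    for pat in LURE_PATTERNS:
        if pat.search(text):
            v.add(3, f"lure phrase matched /{pat.pattern}/")
            break

    # Links pointing at Steam lookalike hosts (phishing login pages).
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if is_steam_lookalike(host):
            v.add(4, f"lookalike Steam host in link: {host}")

    # A wallet address in the stream text is the "send crypto first" ask.
    if WALLET_RE.search(text):
        v.add(3, "cryptocurrency wallet address in stream text")

    # Hijack-and-rebrand signal: the channel was renamed recently.
    if recently_renamed:
        v.add(2, "channel renamed recently (possible hijack and rebrand)")
    return v


# Constructed sample streams (not real channels or URLs).
SAMPLE_SCAM = dict(
    channel_name="s1mple LIVE",
    title="IEM Katowice 2025 FINALS - s1mple SKINS GIVEAWAY",
    description=("Send 0.1 BTC and receive 0.2 back! Claim your skins at "
                 "https://steamcommunity-login.example/claim  "
                 "wallet: 0x1111111111111111111111111111111111111111"),
    recently_renamed=True,
)
SAMPLE_LEGIT = dict(
    channel_name="ESL Counter-Strike",
    title="IEM Katowice 2025 - Grand Final",
    description=("Official broadcast. Watch on https://www.twitch.tv/esl_csgo "
                 "or get CS2 at https://store.steampowered.com/app/730"),
    recently_renamed=False,
)

if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        verdict = triage_stream(**sample)
        print(f"{name}: score={verdict.score} flagged={verdict.flagged}")
        for reason in verdict.reasons:
            print("  -", reason)
```

In practice the stream title, description and rename history would come from the platform's data API rather than hard-coded samples, and the allowlist of Steam-owned hosts would be maintained alongside any official sponsor domains, since the lookalike check is what catches the fake login pages the report describes.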
## Mitigation Strategies
- **User Education:** Users must be warned that offers to double or triple cryptocurrency in exchange for sending some first are universally scams.
- **Steam Account Security:** Enable multi-factor authentication (MFA) on the Steam account using the Steam Guard Mobile Authenticator.
- **Account Review:** Regularly review Steam login activity logs for suspicious sign-ins.
- **Verification:** Users must verify affiliations with official esports organizations before providing sensitive information or credentials.
- **YouTube Vigilance:** Only watch streams from officially subscribed pro player accounts; be highly suspicious of live streams on similarly named or untrusted channels, even if the content looks live.
## Related Tools/Techniques
- Phishing techniques involving cryptocurrency donation scams.
- Compromise of high-reputation social media accounts (YouTube hijacking).
- Credential harvesting targeting gaming platforms (Steam Phishing).