A wave of hijacked or fake livestreams on YouTube and other platforms uses AI deepfakes of public figures and on-screen QR codes or links to funnel viewers to phishing pages. Those pages trigger “wallet drainer” kits that request malicious approvals or signatures and then siphon assets almost instantly. Security firms and media have documented both the livestream tactic and the drainer tech behind it.
What the “livestream stealing cryptos” trend looks like
Scammers run pop-up or hijacked livestreams featuring deepfaked executives or celebrities that promise airdrops or “double your crypto” giveaways. Viewers are asked to scan a QR code or visit a short link displayed on the live video. Recent examples include deepfake Elon Musk streams on YouTube Live and a series of Ripple/XRP impersonation streams YouTube users reported in July 2025.
Why livestreams?
Livestreams feel urgent and “official,” especially when a deepfake appears to speak in real time. Researchers have shown campaigns that spin up aged or compromised channels to boost credibility, then run long live broadcasts that funnel clicks to scam sites.
How the theft happens in four steps
1) The lure on video
A deepfake or replayed clip claims a limited-time giveaway or token claim. QR codes or URLs appear directly on the stream. Reports and threat-intel show QR codes are now a standard bridge from video to phishing.
2) The fake “connect wallet” page
Victims land on look-alike pages for exchanges, wallets, TON or project sites and are prompted to connect via WalletConnect or to scan another QR. Security teams at Group-IB, Cisco Talos and PCRisk have documented these flows.
3) The drainer request
Once connected, the site triggers transaction or approval prompts that look routine but actually grant unlimited spend or execute a malicious transfer. Research on kits like Inferno Drainer shows how they pick the most valuable assets and move them within seconds.
4) Funds are emptied
Losses from drainer attacks surged in 2024 and continued into 2025, with multiple firms recording hundreds of millions stolen as kit operators iterate and return under new names.
Recent highlights and alerts you should know
- YouTube Live streams using a deepfake of Elon Musk ran for hours and directed viewers to crypto “giveaways.”
- A September 2024 investigation detailed a pop-up Musk deepfake stream that raised tens of thousands of dollars within two hours.
- In July 2025, Ripple’s leadership warned about a surge of YouTube deepfakes pushing fake XRP giveaways.
- Policymakers have begun pressing for tighter oversight of YouTube ads after waves of deepfake investment scams.
Under the hood: what wallet drainers do
Drainer kits are phishing-delivered malware stacks that automate theft. They commonly ask for ERC-20 approvals or signatures via mobile/QR to seize transfer rights, sometimes posing as trading bots or claim portals. Reports from Kaspersky, SentinelOne, Group-IB, SlowMist and others describe the kits’ growth, QR-based flows, and constant rebrands.
Why it’s exploding now
Two forces converged: much better deepfakes and a thriving drainer-as-a-service market. From mid-2024 to spring 2025, reports of gen-AI-enabled scams jumped roughly 456%, and dark-web chatter around drainer kits spiked. Livestreams are the perfect distribution surface for this pair.
How to spot and stop a livestream drainer scam
- Treat all “send crypto to receive more” or “claim live bonus” streams as scams, even if the channel looks official. Independent analyses and newsroom reports repeatedly show these are fraudulent.
- Never scan a QR code from a livestream to connect your wallet. Financial regulators and security teams flag QR-to-wallet flows as a common trap.
- Don’t sign blind approvals. If a site asks for unlimited spend or odd permissions, cancel. Drainers rely on deceptive approvals that look harmless.
- Verify announcements on official sites or verified handles before acting; many companies publicly warn they never run “send one, get two” promos.
- Keep a small, separate hot wallet for experimenting; hold savings in a hardware wallet and revoke stale approvals regularly. General security advisories recommend minimizing exposure.
If you clicked or signed, act immediately
- Disconnect the wallet site session and revoke token approvals; then move remaining assets to a fresh address.
- If you sent funds to a deposit QR at a physical crypto ATM or scanned a code someone messaged you, stop further transfers and file a report right away. Guidance from consumer-protection agencies emphasizes QR-based ATM fraud awareness.
- Report the livestream/video and phishing site so platforms and registrars can respond faster; many campaigns rely on speed before takedowns.
A quick checklist for creators and platforms
- Enforce strong account security and recovery to prevent channel hijacks; stream-jacking has been used to run fake “live” events at scale.
- Pre-screen and auto-flag streams that overlay QR codes or wallet addresses alongside giveaway language.
- Provide clear “crypto scam” reporting categories and faster turnaround on live content complaints. Policymakers are pushing for stronger guardrails here.
FAQs
Are these livestreams ever real giveaways?
Legitimate projects don’t ask viewers to send crypto to “unlock” more or to scan a QR for surprise claims during a live event. Deepfake-driven “double your coins” promos on YouTube and elsewhere have been repeatedly exposed as scams.
How fast can drainers empty a wallet?
In seconds. Once you grant the malicious approval or sign the wrong transaction, automated scripts transfer tokens and NFTs immediately. Security write-ups detail this rapid, automated behavior.
Which projects are being impersonated?
Everything from Tesla/Elon Musk to Ripple/XRP, TON and popular wallets. The names change, but the mechanics—livestream lure, QR/URL, wallet connect, malicious approval—are consistent.
