Google Uncovers 1.6M Phishing Emails and a Cryptocurrency Scam

Google also displayed around 62K 'Safe Browsing' phishing page warnings, so here's your reminder to pay attention to those.

Google has identified and blocked 1.6 million phishing emails between May 2021 and now. The scams were all part of a big malware campaign with a goal of stealing YouTube accounts and using them to promote cryptocurrency schemes.

The news comes from Google’s Threat Analysis Group (TAG), and they seem to have the issue in hand: That 1.6 million emails represents a 99.6% decrease in the volume of related phishing emails in Gmail.

It’s another peek into the security threats we all face over the internet. The scams aren’t always trying to sell you bad cryptocurrencies, but they’re always trying to steal your personal data.

How the Scam Works

The short story here is that you’re likely safe: Its phishing emails are customized and aimed at YouTubers. As long as you don’t have an urge to collaborate on a project, you won’t be tempted to download the malware, which is often made to look like a VPN or Steam game.

Here’s how Google explains it in their blog post on the topic.

“The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.”

TAG has kept an eye on this type of phishing campaign since late 2019. In addition to blocking the 1.6 million messages to targets, TAG also says it “displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts.”

Like a horror movie villain, though, the scammers are living to attack another day: TAG notes that it has detected attackers are shifting to more profitable email providers —,, and are all mentioned.

Avoid Those Downloads

The specific malware involved is called “Cookie Theft,” or a “pass-the-cookie attack.” It’s a session hijacking attack that gives the bad actor access to the user’s accounts through the session cookies stored in the victim’s website browser.

The trick is decades old, but TAG speculates scammers are being forced into trying more social engineering due to the effective rise of multi-factor authentication. Sometimes that means getting really creative, TAG notes, like when they invented an entire fake Instagram account:

“In one case, we observed a fake social media page copying content from an existing software company.”

Google’s updating its products with “additional heuristic rules” to better detect these emails, and YouTube has “hardened channel transfer workflows.” Regular users, though, will just have to stay on guard whenever anyone emails and wants them to download anything.

Staying Safe

You can do a few things to put yourself in the best position to avoid getting scammed and downloading a malware service that spies on your account logins. Try considering these tips:

  • Enable multi-factor authentication
  • Pay attention to Chrome’s “Safe Browsing” warnings
  • Try an online virus scanning tool like VirusTotal to catch malware
  • Try a password manager tool — we’ve rounded up the best deals over here
  • Enable Chrome’s “Enhanced Safe Browsing Protection” mode for the most security warnings
  • Keep an eye out for encrypted archives online — they can be a sneaky way to avoid antivirus detection scans

You could also try a secure VPN. It won’t stop social engineering scams, but it’s one more layer of protection. Google might catch a lot, but we definitely can’t depend on them for everything.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Adam is a writer at and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals