Crypto investors are being lured into Ethereum draining malware campaigns through what appear to be legitimate trading bot tutorials on YouTube, a new investigation from SentinelLABS reveals. The malware, hidden inside smart contracts written in Solidity, has already drained over $900,000 from unsuspecting victims.
At the heart of the scheme is a series of YouTube videos promoting fraudulent “MEV bots” or arbitrage tools that claim to offer automated trading profits. The catch? These bots are nothing more than traps, malicious contracts that reroute user funds straight into attacker-controlled wallets.
“This is one of the most polished Ethereum draining malware campaigns we’ve seen,” said Tom Hegel, Senior Threat Researcher at SentinelLABS. “They’re leveraging old YouTube accounts and AI-generated content to build fake credibility and bypass detection.”
AI-generated videos, recycled accounts fuel the illusion
The scammers behind these campaigns aren’t just using any YouTube account. They’re leveraging dormant or repurposed accounts—some years old—that previously uploaded pop culture videos or news content. These accounts are cleaned up, rebranded, and used to publish tutorial-style content walking viewers through smart contract deployment.
One standout example is the account @Jazz_Braze, which built a reputation by posting nearly 100 unrelated videos between 2022 and 2024 before pivoting to a now-infamous “MEV Bot tutorial.” That single video generated 244.9 ETH, worth approximately $902,000.
“The use of aged accounts gives these scams a veneer of trust,” said Helen Yu, Blockchain Analyst at Chainalysis. “It’s difficult for users to distinguish between legitimate creators and those fronting Ethereum draining malware.”
Many videos exhibit signs of AI generation: robotic narration, unnatural facial movements, and single-angle shots without side profiles. These shortcuts cut costs and scale distribution. Yet, ironically, the most profitable videos did not use AI, underscoring that visual polish is less persuasive than perceived credibility.
Obfuscated smart contracts drain Ethereum undetected
Victims are not tricked by phishing links or fake wallets. They actively copy and deploy the malicious smart contracts themselves, believing they’re about to run arbitrage bots. These contracts appear to monitor and exploit price differences across decentralized exchanges, an appealing promise for profit-hungry traders.
What these users don’t realize is that the contracts are embedded with complex obfuscation techniques to mask attacker wallet addresses. Techniques include string concatenation, XOR operations, and large decimal conversions—all aimed at avoiding detection even under code review.
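A reviewer's check for the three disguises named above, added here as an example; it is not SentinelLABS' tooling or code from the campaign. The Solidity fragment and the address in it are constructed placeholders, and the check only covers constants written on a single line.

```python
import re

# Constructed placeholder address; not a real wallet and not taken from the report.
PLACEHOLDER = "0x" + "deadbeef" + "0" * 26 + "c0ffee"
_n, _key, _h = int(PLACEHOLDER, 16), int("5a" * 20, 16), PLACEHOLDER[2:]

# Constructed Solidity fragment showing the three disguises the article names.
SAMPLE = f'''
contract Bot {{
    uint256 private a = {_n};
    uint256 private b = 0x{_n ^ _key:x} ^ 0x{_key:x};
    string private c = string.concat("0x", "{_h[:13]}", "{_h[13:]}");
    uint256 private gasLimit = 300000;
}}
'''

DEC = re.compile(r"\b\d{30,}\b")                           # very long decimal literal
XOR = re.compile(r"(0x[0-9a-fA-F]+)\s*\^\s*(0x[0-9a-fA-F]+)")  # hex constant ^ hex constant
STR = re.compile(r'"([^"]*)"')                             # string literal fragments
ADDR = re.compile(r"(?:0x)?([0-9a-fA-F]{40})")             # 20 bytes of hex

def to_address(n):
    """Format n as a 20-byte address if it is address-sized, else None."""
    return "0x" + format(n, "040x") if (1 << 96) <= n < (1 << 160) else None

def scan(source):
    """Return (line_no, technique, address) for each constant that resolves to an address."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in DEC.finditer(line):
            hits.append((no, "large decimal", to_address(int(m.group()))))
        for m in XOR.finditer(line):
            hits.append((no, "xor", to_address(int(m.group(1), 16) ^ int(m.group(2), 16))))
        frags = STR.findall(line)
        m = ADDR.fullmatch("".join(frags)) if len(frags) > 1 else None
        if m:
            hits.append((no, "string concat", "0x" + m.group(1).lower()))
    return [h for h in hits if h[2]]  # drop constants that are not address-sized

if __name__ == "__main__":
    for no, technique, addr in scan(SAMPLE):
        print(f"line {no}: {technique} resolves to {addr}")
```

Any address this surfaces that the tutorial never mentions is a reason not to deploy the contract.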
One notorious YouTube channel, @todd_tutorials, uploaded step-by-step deployment guides, complete with fake success stories and manipulated comment sections. After SentinelLABS initiated its research, several of these videos were set to private.
“Most users don’t read the code they deploy, and even if they do, the obfuscation makes it nearly impossible to identify the trap,” said Hegel. “By the time users realize what’s happened, the funds are long gone.”
Over $900,000 laundered across multiple Ethereum addresses
Since early 2024, the Ethereum draining malware campaign has operated in waves, each involving slightly tweaked contracts and new YouTube videos. Some campaigns raked in a few thousand dollars; others, like the Jazz_Braze video, cleared nearly a million.
In one April 2025 scam linked to @SolidityTutorials, attackers stole 7.59 ETH (approx. $28,000). Another siphoned 4.19 ETH ($15,000). But in every case, stolen funds were withdrawn quickly and split across dozens of new wallets, 24 in the largest case, to evade tracing.
This laundering pattern, according to blockchain analysts, is indicative of organized threat actors with experience in obfuscation, smart contract design, and social engineering.
To further maintain the illusion, scammers heavily moderate YouTube comment sections, removing or filtering out negative reviews while promoting fabricated testimonials. With YouTube comments censored, many confused victims turn to platforms like Reddit or crypto forums in search of answers, usually too late.
What investors should do now
With Ethereum draining malware still active and evolving, experts warn users to avoid blindly trusting YouTube trading tutorials, even from seemingly reputable accounts. Key red flags include:
- Lack of external verification or project transparency
- Tutorials requiring smart contract deployment without audits
- Comment sections that seem too positive or curated
- Videos without side angles or natural narration
“Trust has become a weapon in the hands of attackers,” said Yu. “The smarter they get at social engineering, the more vigilant the community must become.”
YouTube has not publicly addressed the findings, though some of the flagged videos have since been made private or removed. SentinelLABS continues monitoring related campaigns and urges the platform to adopt stricter scrutiny of crypto-related uploads.
For now, the best defense is skepticism: if a trading bot sounds too good to be true, it probably is, and it likely hides a smart contract designed to steal your Ethereum.