What the YouTube copyright strike scam looks like

The base email is short, on-brand, and built to bypass thinking. A YouTube-style header, a "Studio" wordmark, and a body opening with your channel name:

"Your channel has received a copyright strike from [Company]. Click here to dispute within 24 hours or your channel will be terminated."

The display name reads "YouTube Copyright Team." The actual sending domain is something like youtube-strikes.help or dmca-youtube.net. The button leads to a counter-notification form harvesting your Google password and 2FA code. From submission, the attacker has a 30-second window to log in, swap the recovery email, and revoke your sessions.

A second wave hits creators who do not click. A follow-up arrives from "[Brand Name] PR" with a sponsorship brief or "media kit" carrying an info-stealer (RedLine, Vidar, Lumma). These families target browser cookies storing your YouTube session token. Once exfiltrated, the attacker logs into Studio without your password or 2FA. Mandiant documented this chain in its 2023 reporting on creator-targeted info-stealer campaigns.

The 4 variants in active rotation

1. The fake counter-notification form

"Your channel has received a copyright strike from Sony Music for video [your real video title]. Complete the counter-notification within 24 hours." The video title is real because the attacker scraped your channel first. The link is a YouTube-lookalike form on a typosquat like youtubesupport-claim.com. Harvests your Google login. Highest-volume variant in 2026.

2. The "Trust & Safety" Google Drive document

"YouTube Trust & Safety has identified policy violations. Strike details attached as a Google Drive document." The link hosts a Windows executable disguised as a PDF (Strike_Details.pdf.exe with hidden extension). Opening it installs an info-stealer that exfiltrates browser cookies including YouTube and AdSense session tokens. Google TAG advisories describe this pattern.

3. The fake collaboration brief

"Hi [Creator], I am the Brand Partnerships Manager at [Company]. Please review the attached brief and media kit." Password-protected ZIP (password in the body to bypass scanners) containing the info-stealer. Cisco Talos tracked sustained 2024-2025 campaigns using this lure against gaming, crypto, and lifestyle creators.

4. The AdSense suspended notice

"Your AdSense account has been suspended due to invalid traffic. Resolve within 7 days to prevent termination and forfeiture of pending earnings." Highest click rate from mid-size creators with five-figure monthly balances because the threat is denominated in money already earned. The link leads to a fake AdSense login harvesting credentials and 2FA in real time.

Why creators are gold targets

Creators are not random phishing victims. A successful compromise compounds three ways at once.

  • Recurring AdSense revenue. A monetized channel is a recurring cash stream. The attacker swaps the AdSense payout destination and harvests the revenue tail.
  • Audience as a malware distribution platform. A 500K-sub channel is a trust amplifier. The hijacker swaps the avatar to a Tesla or SpaceX clone and runs a scam livestream with "Elon Musk" telling viewers to send crypto for "double back." Mandiant's 2023 analysis of the Linus Tech Tips compromise documented exactly this playbook.
  • Sponsorship crypto holdings. Many creators hold crypto from sponsor payments. Info-stealers exfiltrate browser wallet extensions (MetaMask, Phantom) and seed-phrase files alongside the YouTube cookie. Cisco Talos telemetry flags creator machines as oversampled in stolen-wallet recovery data.

Recent high-profile cases

Linus Tech Tips - August 2023 (Mandiant, BleepingComputer)

Linus Media Group lost control of three channels (Linus Tech Tips, TechLinked, Techquickie) after an employee opened a malicious "sponsorship brief" PDF that was an info-stealer. The malware exfiltrated browser session tokens, bypassing 2FA because token replay needs no password or code. Within an hour the channels were renamed to "Tesla" branding and ran crypto giveaway livestreams. Mandiant analysis showed the same playbook hitting dozens of additional creators per month.

The crypto-channel cluster (Cisco Talos, 2024-2025)

Cisco Talos tracked sustained campaigns hijacking dozens of crypto-focused channels per month via info-stealer payloads in fake collaboration briefs. Channels were rebranded as Ripple, Coinbase, or Ethereum Foundation and used for crypto-doubler livestreams, with victims losing tens of thousands of dollars per stream.

Google TAG North Korean activity (2024)

Google TAG reported in 2024 that North Korean actors impersonated YouTube and brand partnerships in targeted campaigns against creators and security researchers, using the same lure with payloads optimized for credential and cookie exfiltration.

The 7 red flags

  • Sender domain is not @youtube.com or @google.com. Real notifications come from noreply@youtube.com or noreply@google.com. Anything else (@youtube-support.help, @dmca-youtube.net) is a scam. Display name spoofing means "YouTube Copyright Team" in the From line is meaningless; only the actual domain matters.
  • 24-hour urgency. Real strikes appear in YouTube Studio immediately with no countdown, and the counter-notification window is 10 to 14 days, not 24 hours. Any email pushing action inside 24 hours is engineered for panic.
  • Attachment claiming to contain "strike details." Real YouTube never attaches files to copyright notifications. Strikes are linked inside YouTube Studio, never delivered as a PDF, ZIP, or DOCX. An attachment is near-certain malware.
  • Link not on youtube.com or studio.youtube.com. Hover before clicking. The destination must show youtube.com or studio.youtube.com as the actual domain (the last part of the hostname, immediately before the first single slash after https://). youtube.com.dispute-now.help is NOT YouTube; the real domain is dispute-now.help.
  • Generic "Dear Creator" greeting. Real YouTube emails use your channel name as it appears in Studio. "Dear Creator," "Hello Channel Owner," or "Hi YouTube Partner" suggests a bulk send.
  • Request to log in outside the normal flow. Legitimate notifications send you to Studio and authenticate through accounts.google.com. A counter-notification form on a third-party page asking for your Google password is not how Google authenticates anywhere.
  • Copyright claimant has no real online presence. Search the exact name. A real rights holder has a website, a registered legal entity, and a presence on the U.S. Copyright Office DMCA agent registry. A claimant with zero footprint is fictitious.
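
The sender-domain, link-domain, attachment, and 24-hour checks from the list above, run over one raw message. This is an added example, not SafeBrowz code: the function names, the flag labels, and the sample message (including the notice@ mailbox) are constructed for illustration, and the lookalike hostnames are the ones quoted in this article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# From the red flags above: real sender domains and real link destinations.
SENDER_DOMAINS = {"youtube.com", "google.com"}
LINK_DOMAINS = {"youtube.com"}  # suffix match also covers studio.youtube.com


def on_domain(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def red_flags(raw_email):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    flags = []
    # The display name is attacker-controlled; only the address domain counts.
    addr = parseaddr(msg.get("From", ""))[1]
    if not on_domain(addr.partition("@")[2], SENDER_DOMAINS):
        flags.append("sender-domain")
    for part in msg.walk():
        if part.get_filename():  # real strike notices carry no files
            flags.append("attachment")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", body):
                host = urlsplit(url).hostname or ""
                if not on_domain(host, LINK_DOMAINS):
                    flags.append("link:" + host)
            if re.search(r"\b24[- ]hours?\b", body, re.I):
                flags.append("24-hour-urgency")
    return flags


# Constructed sample message (not a captured email).
SAMPLE = """\
From: "YouTube Copyright Team" <notice@youtube-strikes.help>
Subject: Copyright strike

Your channel has received a copyright strike.
Dispute within 24 hours: https://youtube.com.dispute-now.help/form
Policy: https://studio.youtube.com/
"""

print(red_flags(SAMPLE))
```

The match is on the end of the hostname, so youtube.com.dispute-now.help fails even though it begins with youtube.com, while studio.youtube.com passes.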

The only verification that works

Every other check is secondary to one rule. Real copyright strikes only exist inside YouTube Studio. Verify in this order:

  1. Do not click the email button. Open a new tab and type studio.youtube.com manually. Do not search "YouTube Studio" because paid ads occasionally surface typosquats during peak phishing waves.
  2. Sign in normally. Inside Studio, click Content in the left nav, then the Copyright tab. Any real strike is listed here with the claimant, video, disputed section, and a built-in counter-notification flow. If no strike is listed, the email is fake.
  3. Cross-check Studio's Notifications panel. Real YouTube emails always have a matching entry in the bell icon at the top of Studio. No match means no real email.
  4. Look up the claimant. A real rights holder shows up in the U.S. Copyright Office DMCA agent registry, in Lumen Database takedown records, or with an active business presence. An invented company has none of these.

Recovery if your channel is already compromised

Speed matters. Once an attacker has your session token or password, the channel rename, payout swap, and scam livestream typically run inside one hour.

  1. Revoke all sessions. Open myaccount.google.com/security, scroll to "Your devices," and sign out of every session except the one you are using. This invalidates stolen cookies.
  2. Change your Google password. Long, unique, not reused. Password managers are non-optional for creators in 2026.
  3. Enable 2FA with a hardware security key, not SMS. SMS is defeated by SIM-swap attacks against high-value creators. A FIDO2 key (YubiKey, Google Titan, Feitian) cannot be phished or SIM-swapped. Set up at least two keys to avoid lockout.
  4. Check YouTube Studio Settings > Permissions. Attackers commonly add themselves as Manager or Owner to retain access after a password reset. Remove any user you do not recognize. Check Settings > Channel for unauthorized transfers.
  5. Revoke third-party app access at Google Account > Security > Third-party apps. Info-stealer payloads sometimes install OAuth grants that survive a password reset.
  6. Freeze AdSense payouts at AdSense > Payments > Settings while you investigate. Prevents the attacker from redirecting the next payment cycle.
  7. Contact Google Creator Support via the YouTube hijacked channel recovery form. Partner Program members get priority. Monetized channels recover faster because YouTube has a financial stake in returning the account.
  8. If crypto wallets were drained, file a report at Chainabuse and the FBI IC3 at ic3.gov. Chainabuse aggregates wallet reports across exchanges for asset-freezing requests; the IC3 complaint is required for later civil recovery.
  9. Run a full malware scan. If the compromise traced to an info-stealer payload, the machine is compromised and any new password set on it will be exfiltrated again. Scan with Malwarebytes or Microsoft Defender Offline, or reformat, before changing further credentials.

How browser-layer defense catches this earlier

Phishing emails increasingly clear SPF, DKIM, and DMARC because attackers register lookalike domains and authenticate them properly. The defense that works is at the destination: when you click the dispute button and land on the fake counter-notification page, a browser-layer scanner can block the page before any form loads.

SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. YouTube is in our 539-brand impersonation database, and the heuristics flag "YouTube logo plus Google login form on a non-youtube.com domain" as an instant block. Install SafeBrowz free for browser-layer defense on your channel, AdSense, and every other Google login.

Frequently asked questions

Does YouTube ever send copyright strike notifications by email?

Yes. YouTube sends a notification from noreply@youtube.com when a strike is issued, but it is informational only. No attachments, no 24-hour countdown, no third-party links. The real strike is always visible in YouTube Studio under Content > Copyright. If the strike is not there, the email is fake.

I clicked the link but did not enter any information. Am I still at risk?

If you just rendered the page and closed it, immediate credential risk is low. But fake counter-notification pages sometimes auto-download a "strike details" file or trigger a fake CAPTCHA that pastes a PowerShell command into your clipboard. Check Downloads, run a malware scan, and revoke all Google sessions as a precaution. See our guide on ClickFix attacks for the post-click variant.

How did the attacker get my real channel name and video titles?

Your channel name, recent videos, and subscriber count are public. Attackers scrape them via the YouTube API and personalize phishing emails for every creator above a subscriber threshold. A personalized email is proof you are above the targeting threshold, not proof of legitimacy.

If I have 2FA enabled, can my channel still be hijacked?

Yes. Info-stealers exfiltrate the browser session cookie, a token that already represents your authenticated session and bypasses 2FA on replay (this is how Linus Tech Tips was hijacked despite 2FA). Real-time AiTM kits also proxy your 2FA code as you enter it. The defense is a FIDO2 hardware key bound to the real domain. SMS 2FA is the weakest variant and is also broken by SIM-swap.

How long does YouTube take to recover a hijacked channel?

Recovery times vary. Partner Program members reporting inside the first hour have been recovered in 24 to 48 hours (Linus Tech Tips recovered in roughly 12 hours). Non-monetized channels can wait days or weeks. Use the official recovery form at support.google.com/youtube/contact/recover_hijacked_channel. Do not pay any third party claiming to recover faster, as recovery-scam fraud is a documented secondary attack.

Should I respond to a sponsorship email if I am not sure whether it is real?

Verify the sender outside the email. Real brand managers have LinkedIn presence, work email matching the company domain, and an established footprint. Never open a password-protected ZIP, never enable Word macros, never run any executable from a sponsorship contact. Real briefs come as PDFs or Google Docs links from a verified corporate Google account. Legitimate brands accept verification through a known company channel without offense.

Bottom line: The YouTube copyright strike scam runs on panic and platform trust. The single rule that beats it is to verify every strike inside YouTube Studio, never through an email link. Use a hardware security key, not SMS. Add a browser-layer scanner like SafeBrowz so the fake counter-notification page never loads.