Threat Intel: Attacker makes off with $1.58 million in Space-X Elon Deepfake Crypto Heist

Aug. 25, 2025 | Categories: Threats

Attacker makes off with $1.5 million in Bitcoin after scamming viewers of an edited SpaceX livestream.

Threat Intelligence Report: SpaceX Livestream Crypto Scam

Date: August 25, 2025 · Author: Karma-X Threat Intelligence Team

Reference: Karma-X: Deepfake Investment Scams (background) · Bitdefender advisory on SpaceX/Tesla giveaway scams

Executive Summary

On the evening of August 24, 2025, an attacker rebroadcast the SpaceX Starship Flight Test on YouTube using a channel that appeared to be titled “Starbase” (approx. 309K subscribers). At peak—right before the actual launch—over 63,000 concurrent viewers were exposed to an inserted deepfake video of Elon Musk and an on-screen QR code directing victims to spacexjoin[bad].com. The site presented multiple crypto deposit addresses and was shielded behind Cloudflare to mask the origin infrastructure. The Bitcoin address bc1q6py83dvn8gwqu2cvy7p7urmcp0s6lu4r2hpnlu received 14.25 BTC (nearly $1.6M USD at the time). YouTube appears to have terminated the fraudulent stream within minutes, but by then the damage was done.

Attack Timeline

  1. Aug 22, 2025: Domain spacexjoin[bad].com registered by an unrelated party in Hong Kong (based on domain records).
  2. Aug 24, 2025 (Evening): Adversary rebroadcasts the SpaceX livestream on a channel labeled Starbase.
  3. Pre-Launch Peak: 63,000+ viewers; a deepfake Elon Musk clip and a QR code are inserted urging a “special crypto giveaway.”
  4. Malicious Redirect: QR leads to spacexjoin[bad].com (fronted by Cloudflare), which lists several crypto addresses.
  5. Funds Collected: The Bitcoin address bc1q6py83dvn8gwqu2cvy7p7urmcp0s6lu4r2hpnlu accumulates 14.25 BTC.
  6. Platform Response: YouTube cuts the feed shortly thereafter; losses already realized.

Indicators

| Type | Indicator | Notes |
|---|---|---|
| Domain | spacexjoin[bad].com | Registered Aug 22, 2025; registrant appears unrelated; Hong Kong. |
| Hosting/Protection | Cloudflare | Origin IP obscured behind CDN/edge protection. |
| Bitcoin Address | bc1q6py83dvn8gwqu2cvy7p7urmcp0s6lu4r2hpnlu | Received 14.25 BTC (~$1.6M USD at attack time). |
| Scam Video (X/Twitter) | Link available | WARNING: may contain malicious links. For safety, we have not embedded the URL here. Contact Karma-X for the preserved reference. |

Technical Analysis

  • Live Deepfake Injection: The adversary overlaid an AI-generated Elon Musk video at the pre-launch viewership peak of the stream to maximize credibility and conversion.
  • Trust Hijack via Livestream: Rebroadcasting a legitimate event primed viewers to accept visual prompts and time-limited calls-to-action.
  • QR as a Social-Engineering Accelerator: QR codes bypass typing friction and reduce user skepticism, pushing victims to the phishing domain quickly.
  • Crypto Payout Obfuscation: Single or multiple addresses presented; proceeds amassed at the cited address, potentially consolidated later across mixers or exchanges.
  • Infrastructure Shielding: Cloudflare fronting hid the origin server, complicating immediate takedown and origin tracing.

Financial Impact

The tracked Bitcoin address collected 14.25 BTC. Based on contemporaneous pricing, that equates to approximately $1.6 million USD in victim losses.

Mitigation & Recommendations

For Users

  • Assume all “crypto giveaway” or “double your Bitcoin” offers are fraudulent.
  • Verify you are watching the official SpaceX YouTube channel (check the URL and channel verification).
  • Do not scan QR codes presented in livestreams unless they are from a verified, official source.
  • Use reputable crypto wallet software that supports address-blocklist warnings and transaction review.

For Platforms & Providers

  • Enhance near-real-time detection for deepfake overlays and sudden on-screen QR prompts during high-profile streams.
  • Automate takedown workflows for lookalike domains and branded giveaway pages reported in-stream.
  • Implement friction (e.g., interstitial warnings) when outbound links/QRs appear on live broadcasts of verified brands.
  • Collaborate with registrars/CDNs to fast-track deconfliction when brand abuse is detected.
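One way a platform or registrar could triage newly observed domains for the brand-plus-lure pattern seen in this incident (a brand token such as "spacex" fused with a giveaway keyword), as an added Python example that is not Karma-X's or the page's own tooling; it assumes spacex.com as the brand's official domain, and the sample domains in the test are constructed.

```python
import unicodedata

# Constructed example: brand allowlist assumed, not taken from the report.
PROTECTED_BRANDS = {"spacex": {"spacex.com"}}
# Lure words typically paired with a brand name in giveaway-scam domains.
GIVEAWAY_TERMS = ("join", "giveaway", "bonus", "double", "live", "event", "airdrop")
# Digit-for-letter substitutions used to slip past exact-match brand filters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host):
    """Naive last-two-label registrable domain; production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_label(label):
    """Fold accented characters to ASCII, undo digit substitutions, drop hyphens.
    Punycode (xn--) labels should be IDNA-decoded before calling this."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.translate(HOMOGLYPHS).replace("-", "")


def triage_domain(host):
    """Return a finding dict when a domain looks like brand abuse, else None."""
    reg = registrable_domain(host)
    if any(reg in official for official in PROTECTED_BRANDS.values()):
        return None  # official property: never flag
    # Inspect every label except the public suffix so subdomain abuse is caught too.
    labels = host.lower().strip(".").split(".")[:-1]
    for brand in PROTECTED_BRANDS:
        for label in labels:
            norm = normalize_label(label)
            if brand in norm:
                leftover = norm.replace(brand, "", 1)
                lures = [t for t in GIVEAWAY_TERMS if t in leftover]
                # Base score for brand token present, bumped for each lure word (capped).
                return {"domain": reg, "brand": brand, "label": label,
                        "lure_terms": lures, "score": 70 + 10 * min(len(lures), 3)}
    return None
```

Findings with a high score can feed the automated takedown workflow described above; lower scores warrant analyst review.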

Attribution Note

While domain records indicate registration in Hong Kong by an unrelated party, no definitive attribution can be made at this time. On-chain tracing and infrastructure correlation are ongoing. We will update this post if new, reliable evidence emerges.

Safety Notice

Warning: Do not visit domains or scan QR codes referenced by scammers. If you believe you were impacted, contact your exchange/wallet provider and local authorities immediately. Provide them the on-chain address and transaction IDs.
