Summary

In June 2024, scammers hijacked a verified YouTube channel with 420,000 subscribers, rebranded it as "Tesla," and ran a seven-hour livestream of a deepfake Elon Musk telling viewers he would "automatically double" any Bitcoin, Ethereum, or Dogecoin sent to a QR-coded wallet. The Atlantic Council’s Digital Forensic Research Lab (DFRLab) found that about $50,537 (Bitcoin + Ethereum + Dogecoin) was sent through blockchain transactions in just two hours, while the stream had around 81,000 live viewers at its peak.

That one fake Tesla livestream is just one example of a much bigger operation. In fact, around 90% of crypto deepfake scams follow this same pattern, and experts have described it as one of the largest deepfake scams ever.

According to Sumsub’s report, just one wallet linked to this campaign collected about $5 million between March 2024 and January 2025, showing how large and organized these scams have become.

Why it matters: Unlike the Hong Kong (US$25.6M) and Singapore (US$499K) deepfake CFO scams that targeted single corporate finance teams, this is industrial-scale retail fraud. A deepfake video costs $15 to $20, the audience is global, and crypto settlement is irreversible.

Incident Overview:

The Digital Forensic Research Lab (DFRLab) documented this incident, the most thoroughly forensically reconstructed instance of a campaign that has been running continuously since 2022.

  • Impersonated party: Tesla, Inc. (NASDAQ: TSLA) and CEO Elon Musk, the most-deepfaked business figure on record. Tesla's real verified channel is youtube.com/tesla.

  • Hijacked vehicle: @ChampsNetworkHD, a legitimate gaming channel with 420,000 subscribers and a YouTube Verification badge. During the scam, all 2,131 prior videos were de-listed, the handle became @Tesla_Event_Live24 and the channel was rebranded with Tesla's logo.

  • Victims: Cryptocurrency-curious retail viewers - those who sent BTC/ETH/DOGE directly, plus, in adjacent variants, retirees and self-directed investors funneled into fake "trading platforms" such as Magna-FX and Quantum AI. The Hong Kong SFC formally added Quantum AI to its Suspicious Virtual Asset Trading Platforms Alert List on May 8, 2024, determining the platform used Musk deepfakes to fabricate endorsement.

  • Payment methods: Bitcoin, Ethereum, and Dogecoin wallets linked off-platform via an in-video QR code on tesla-bitcoin.com (now non-functional).

My Personal Experience


I’d like to briefly share a personal experience. In March 2020, I almost fell victim to an Elon Musk crypto deepfake scam. It looked incredibly convincing - a professional-looking website featuring Elon Musk, along with what appeared to be live transaction activity.

What made it feel real was the conversation on Twitter and a few genuine-looking videos, which gave it a sense of legitimacy. At the time, I was simply curious and thought I’d try a small, hands-on investment in crypto.

The only reason I didn’t become a victim was timing. It took a couple of days to set up my crypto wallet, and in the meantime, I had a chance to take a closer look. When I did, I realized everything was fake. Even the “live transactions” on the website were just animations; there were no real backend systems or API calls behind them.

Now in 2026, it’s easy to imagine how much more realistic and convincing these deepfake setups have become, and how effectively they can be used to scam people.

Attack Timeline & Methodology

| Phase | Action |
|---|---|
| 1. Channel acquisition | High-subscriber, YouTube-verified channels obtained via credential theft, session-cookie hijack, or paid handover. |
| 2. Rebrand | Handle, name, logo, and banner swapped to Tesla's. All prior videos de-listed. The verification checkmark carries over because YouTube ties it to the channel, not the brand. |
| 3. Deepfake prep | A 200-second clip from a real Tesla mainstage event has audio/lip-sync replaced. The script reads like LLM output; the deepfake even vocalizes section headers like "Key Moments to Maximize Winning Potential." |
| 4. Live launch | Looped video goes live with comments disabled. A whitelisted "Elon Musk" account posts fake social proof. |
| 5. Algorithmic amplification | Concurrent viewers surge - DFRLab measured 81,000 peak, with step changes consistent with bot inflation, pushing the stream into YouTube's "Live Now" surface. |
| 6. Off-platform funnel | Viewers urged to scan an in-video QR code, moving them off desktop and onto a mobile browser at tesla-bitcoin.com. |
| 7. Wallet rotation | Deposit wallets rotated mid-stream to obscure the one-way nature of transfers. |
| 8. Pooling and laundering | Funds consolidated into secondary wallets, then split across many further addresses. |
| 9. Channel handoff | Stream ended and channel restored; the same imitation handle was observed migrating to another hijacked channel - DFRLab's "traveling circus" thesis. |

Key insight: The deepfake is not the most valuable component. The synthetic Musk is the bait; the platform-manipulation stack - hijacked verified channels, inflated viewer counts, disabled comments, fake-news-style landing pages, and irreversible crypto rails - is the trap.

Financial Impact Analysis

Direct on-chain take (blockchain transactions)

| Cryptocurrency | Amount Collected (USD) |
|---|---|
| Bitcoin (BTC) | $40,289.91 |
| Ethereum (ETH) | $3,825.22 |
| Dogecoin (DOGE) | $6,422.06 |
| Total | $50,537.19 |

Source: DFRLab forensic blockchain trace, wallet addresses publicly listed in the report.

Recovery rate after transaction:

In the Singapore CFO case, authorities like Singapore’s Anti-Scam Centre and Hong Kong’s ADCC were able to recover about 99% of the $499,000 within 48 hours through the banking system.

In contrast, recoveries in crypto-based scams like this are almost nonexistent. Crypto transactions are pseudonymous, irreversible, and often routed through mixers, making them extremely difficult to trace or reverse.

In one case, the victim received nothing back after the platform disappeared entirely - its website, phone lines, and email all went offline. In another, the victim ended up borrowing money from family, friends, and credit cards in an attempt to “unlock” supposed funds, which is a classic example of an advance-fee scam escalation.

Control Failure Analysis

Platform-level:

  • YouTube Verification is brand-agnostic: The checkmark stayed with the Champs Network channel after rebranding to "Tesla." Users associate the badge with brand authenticity, not channel-identity continuity.

  • Account-takeover defenses failed repeatedly: Channels of 420K, 631K, 700K, and 1.26M subscribers were hijacked across 2024.

  • Recommendation algorithms boosted the scam: With ~81K concurrent viewers, the stream was promoted into "Live Now."

  • Comments disabled, removing the only crowd-sourced fraud signal.

  • Meta's ad library showed hundreds of thousands of ads using identical scam language.

Individual / cognitive:

  • Trust in the Tesla logo, the verification checkmark, and Musk's familiar face overrode skepticism about a "double your crypto" promise that violates basic financial logic.

  • Inflated viewer counts created social proof.

  • QR-code redirects funneled victims onto mobile, away from desktop browser warnings.

Payment-rail:

  • Crypto exchanges required no transaction-purpose verification before sends to unknown wallets.

  • No platform-level wallet-reputation check warned users that destination addresses were freshly created with no Tesla/SpaceX/Musk transaction history.

  • Once funds were sent, no callback existed.
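The missing wallet-reputation check from the list above can be sketched as a pre-send warning; this is an added example, not code from DFRLab or any exchange. The `Tx` record, the 30-day threshold, and all addresses are assumptions, and the sample history is constructed to mirror the pattern described (fresh address, one-way deposits, a sweep to a pooling wallet).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Tx:
    ts: datetime   # confirmation time
    src: str       # sending address
    dst: str       # receiving address

def wallet_warnings(address, history, now, min_age=timedelta(days=30)):
    """Warnings to show before a send. `history` is every known transaction
    touching `address` (hypothetical input from the exchange's own indexer)."""
    if not history:
        return ["no history: address has never been used on-chain"]
    warnings = []
    age = now - min(t.ts for t in history)
    if age < min_age:
        warnings.append(f"fresh address: first seen {age.days} day(s) ago")
    depositors = {t.src for t in history if t.dst == address}
    payees = {t.dst for t in history if t.src == address}
    # A real "doubling" wallet would pay depositors back; a scam wallet never does.
    if depositors and not (payees & depositors):
        warnings.append(f"one-way flow: {len(depositors)} depositor(s), none paid back")
    # Pooling: many depositors, funds swept to one or two outside addresses.
    sinks = payees - depositors
    if len(depositors) >= 3 and 1 <= len(sinks) <= 2:
        warnings.append(f"pooling: deposits swept to {len(sinks)} address(es)")
    return warnings

# Constructed sample data; addresses and times are placeholders, not from the report.
NOW = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)
def _tx(minutes_ago, src, dst):
    return Tx(NOW - timedelta(minutes=minutes_ago), src, dst)

GIVEAWAY = [_tx(110, "viewer_a", "giveaway_wallet"),
            _tx(95, "viewer_b", "giveaway_wallet"),
            _tx(60, "viewer_c", "giveaway_wallet"),
            _tx(20, "giveaway_wallet", "pool_wallet")]
ESTABLISHED = [_tx(600_000, "customer_a", "merchant_wallet"),
               _tx(500_000, "merchant_wallet", "customer_a")]

if __name__ == "__main__":
    for w in wallet_warnings("giveaway_wallet", GIVEAWAY, NOW):
        print("WARN:", w)
    print(wallet_warnings("merchant_wallet", ESTABLISHED, NOW) or "no warnings")
```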

Red Flags & Warning Signs

A common mistake is taking “live transactions” as proof of legitimacy. The image below shows animated transaction hashes to crypto wallets, but these can be purely visual effects and do not necessarily indicate real or genuine activity.

| SN | Red flag | Why it matters |
|---|---|---|
| 1 | "Send X, get 2X back." No legitimate giveaway in finance, ever, requires you to send funds first. | FBI, FTC, and Hong Kong SFC all flag "too-good-to-be-true returns" as the defining marker of investment fraud. |
| 2 | Comments disabled on a "live" event. Real Tesla and SpaceX events allow chat. | DFRLab identified this as deliberate suppression of victim warnings. |
| 3 | Channel handle ≠ brand. @Tesla_Event_Live24 is not Tesla's real handle (@tesla). | Verification carries with channels, not names. |
| 4 | The "Community" tab still showed gaming content. A 30-second click would have exposed the impersonation. | Checking other tabs can help establish legitimacy. |
| 5 | A QR code that pulls you off-platform onto your phone. | Deliberate evasion of desktop security tools - also flagged in FBI's QR-code fraud PSA. |
| 6 | Stranger-than-usual cadence and lip-sync glitches. | DFRLab - the deepfake even vocalized script formatting. |
| 7 | Fake transaction tickers on the landing page. Real exchanges don't run live "winner" tickers. | DFRLab - SFC alert language on Quantum AI. |
| 8 | Time pressure ("valid only during this broadcast"). | A time boundary is a warning sign. |
| 9 | No corroborating post on the brand's owned channels. Real corporate giveaways are cross-posted. | Common-sense verification. |
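Several of the red flags above (1, 2, 3, 4, 5 and 8) can be checked mechanically from stream metadata. The following triage rule set is an added example, not DFRLab's or YouTube's tooling; the record schema, the regexes, and both sample records are assumptions constructed from the article's description.

```python
import re

# Official handle per brand. Only Tesla's @tesla is taken from the article;
# a deployment would maintain this allowlist itself.
OFFICIAL_HANDLES = {"tesla": "@tesla"}
DOUBLING = re.compile(r"\bdoubl(e|ed|ing)\b|\b2x\b", re.I)
URGENCY = re.compile(r"\b(valid )?only during (this|the) (broadcast|stream)\b", re.I)

def stream_red_flags(s):
    """Return {red-flag number: reason} for one livestream record.
    The dict keys of `s` are a hypothetical schema, not a YouTube API."""
    flags = {}
    text = f"{s['title']} {s['description']}"
    brand = next((b for b in OFFICIAL_HANDLES if b in s["channel_name"].lower()), None)
    if DOUBLING.search(text):
        flags[1] = "promises to multiply funds sent first"
    if s["is_live"] and not s["chat_enabled"]:
        flags[2] = "comments disabled on a live event"
    if brand and s["handle"].lower() != OFFICIAL_HANDLES[brand]:
        flags[3] = f"handle {s['handle']} is not {OFFICIAL_HANDLES[brand]}"
    if brand and s["community_topics"] and brand not in s["community_topics"]:
        flags[4] = f"community tab is about {s['community_topics']}, not {brand}"
    if s["has_qr_code"]:
        flags[5] = "QR code moves the viewer off-platform"
    if URGENCY.search(text):
        flags[8] = "offer limited to the broadcast window"
    return flags

# Constructed records modelled on the article's description, not captured data.
HIJACKED = {"channel_name": "Tesla", "handle": "@Tesla_Event_Live24",
            "title": "Tesla live event", "is_live": True, "chat_enabled": False,
            "description": "Send BTC, ETH or DOGE and we automatically double it. "
                           "Valid only during this broadcast.",
            "community_topics": ["gaming"], "has_qr_code": True}
OFFICIAL = {"channel_name": "Tesla", "handle": "@tesla",
            "title": "Tesla shareholder meeting", "is_live": True,
            "chat_enabled": True, "description": "Annual meeting webcast.",
            "community_topics": ["tesla"], "has_qr_code": False}

if __name__ == "__main__":
    for number, reason in sorted(stream_red_flags(HIJACKED).items()):
        print(f"red flag {number}: {reason}")
    print("official stream flags:", stream_red_flags(OFFICIAL))
```

The verification badge is deliberately not an input: as the table notes, it follows the channel rather than the brand, so it carries no signal here.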

Root Cause & What Can We Learn?

Root Cause:

The root cause comes down to three conditions happening at the same time:

(i) Creating a convincing Elon Musk deepfake is extremely cheap and fast, often costing less than $20 and taking only minutes to generate.

(ii) Major platforms like YouTube, Meta, and X were built before generative AI existed, so their identity verification, moderation, and recommendation systems are not designed to detect today’s highly realistic impersonations.

(iii) Cryptocurrency enables instant, global, and irreversible transfers with pseudonymous wallets, making it the perfect payment system for scammers with no easy way to reverse transactions or identify them.

Together, these three factors create an environment where large-scale deception can scale quickly and cheaply.

What can we learn?

For cybersecurity professionals, IT managers, and SMB leaders

  • Train employees that verified badges confirm accounts, not real-world identity or legitimacy. Always verify campaigns by going directly to the official brand website.

  • Treat any QR code or off-platform link as potentially malicious until independently verified. This has become a dominant scam pattern flagged in recent FBI advisories.

  • For finance or treasury teams, always use out-of-band verification (e.g., a known phone call or secondary confirmation channel) before approving any urgent or unusual payment request, no matter how convincing the video or message appears.

  • The Singapore and Hong Kong deepfake CFO cases show that video alone is no longer reliable for authentication.

  • Organizations with public executives should actively monitor for deepfake misuse using detection tools such as Sensity AI, Reality Defender, Pindrop, or DuckDuckGoose.

  • SMBs dealing with crypto should treat any “giveaway” or “doubling” offer as fraudulent by default; there are no legitimate cases.

  • Report incidents quickly. Agencies like the FBI IC3, FTC, Hong Kong SFC, and Singapore Anti-Scam Centre have shown that early reporting can lead to takedowns and, in some cases, partial recovery. FBI initiatives such as Operation Level Up have already prevented hundreds of millions in losses since 2024.

Conclusion

Generative AI did not invent a new scam category; it industrialized an old one. Celebrity-endorsement investment fraud has existed for decades. What's new is that the endorsement now costs a few dollars to fabricate, platform amplification is automated, and the payment trail is irreversible.

The trend is getting worse. From the DFRLab investigation in June 2024 (about $50K per session) to the Markham, Ontario case in January 2026 (Canadian $1.7M lost by a single victim), the same scam playbook has grown significantly in scale.

The operational takeaway: assume any video, any voice, and any verified-looking channel can be cheaply impersonated, and rebuild verification flows around that assumption. "Denise" lost C$1.7 million not because the deepfake was perfect, it wasn't, but because no process forced her to verify against an independent channel before wiring funds. That gap is closeable. Most of the controls explained above cost nothing. They just have to be policy.
