Pulse name: Finding Related Fake "DMCA Takedown" Domains with Validin
TLP: WHITE | Author: PetrP.73 | Created: 2025-11-08 | Modified: 2025-12-08
115 IOCs (high volume)
On November 5, 2025, several prominent YouTube content creators were targeted by an attack that used fake DMCA takedown notices to lure them into downloading malware. The domain most prominently associated with this scam was dmca-security[.]com, which served as the initial phishing site. Security analysts, including Tanner and John Hammond, investigated this domain to uncover related malicious infrastructure and collect indicators of compromise (IoCs). Analysis of the phishing domain revealed connections to additional domains and IP addresses; the investigation relied on pivoting through DNS history to trace the threat. In particular, the IP address 101.99.92[.]246 was identified as hosting the phishing domain shortly after the domain's registration. This suggests an organized effort by the threat actors to quickly stand up a network of malicious domains.
Indicators of Compromise (4 of 115 total shown)
Indicator types in this pulse: FileHash-MD5, URL, domain, hostname

TYPE          INDICATOR                          DESCRIPTION  CREATED
FileHash-MD5  1e69c76842689565c2c46580042f2e54                2025-11-08
FileHash-MD5  5dab1fa5f7d42e5eca2385ce3dad1f03                2025-11-08
FileHash-MD5  863a129608d053b67081c8243c72e9e1                2025-11-08
FileHash-MD5  a927b832d5f0baf0fea5a427588da6c5                2025-11-08