COVID Vaccination-Related Fraud and Disinformation on the Darknet

In the year plus since the COVID-19 pandemic took hold, DarkOwl analysts have continued to observe widespread coronavirus-related scams on the darknet. From bootlegged PPE, to “COVID infected blood,” to fake vaccination cards, there appears to be no shortage of individuals willing to take advantage of this global crisis to pursue their goals, be it to spread disinformation or simply to make money.  

To gain insight into potential threat actors aiming to defraud individuals and corporations alike, DarkOwl turned to the darknet to take a closer look. In doing so, we identified scammers purportedly selling COVID-19 vaccines, vaccination passports and cardstock records of vaccination as issued by the Center for Disease Control (CDC). DarkOwl has also observed a number of disinformation campaigns related to the efficacy and legitimacy of the COVID-19 vaccine across major deep web and darknet discussion boards, creating additional conflict and polarization among forum users.

Vaccination Cards for Sale on the Darknet

In the past few months, DarkOwl has noted a number of scammers offering vaccination record cards for sale, priced around $150 USD on average.

Figure 1: Vaccination Cards/Passports for offer on the darknet (Source - DarkOwl Vision)

One vendor, known only as “darknetdeals,” also offers negative COVID-19 PCR tests for sale for those needing negative COVID-19 tests for travel and work.

Users on deep web discussion boards discuss their surprise regarding the nature of the vaccination record cards issued in the U.S. and the generic grey cardstock they are printed on, along with the handwritten name and dates of the first and second doses for vaccines with multi-dose administration. DarkOwl has not engaged the threat actor nor purchased a card to verify whether this is a legitimate offer or a scam, but the opportunity could appeal to anti-vaxxers who desire to travel and dine in restaurants without receiving the vaccine.

Other offers have also surfaced on Telegram with “coronavirus certificates” and vaccine passports available for purchase. The price was not disclosed on the channel.

 
Figure 2: Advertisement on Telegram for Vaccine Passport (Source - DarkOwl Vision)

Vaccinated individuals across the US have shared post-vaccine selfies on social media with the CDC-stamped paper card issued by their vaccination provider proudly in hand. Scammers could not only utilize the photo of the card to create fake cards for sale on the darknet, but also steal the personalized information, such as full name and date of birth, for identity theft and fraud.

 
Figure 3: Sample CDC Vaccination Cards Discussed and Circulated on the Darknet

Vaccine Doses Still for Sale on Darknet Markets

DarkOwl continues to see several COVID-19 vaccines offered for sale across darknet marketplaces and classified-like paste sites. In recent months, there has been a surge in vaccines on offer, including Russia’s Sputnik vaccine developed by Gamaleya. On one new darknet market alone, there are 5 different vendors offering vaccines ranging in price from $40 to $888 USD per dose. Pfizer vaccines tend to be more expensive than the other vaccines on offer.

DarkOwl had observed offers for COVID-19 vaccines on other darknet markets back in December, with prices ranging from $500 to $4000 USD. One vendor received feedback from a buyer stating that they had purchased five vials of the Pfizer vaccine for $2000 USD and that it was packaged in a shipping container the size of a pizza box, along with dry ice to maintain the significantly cold temperature requirement. It was unclear whether these were intended to be single doses or multiple doses spread out by 21 days, as suggested by the manufacturer.

Figure 4: Review of Vaccine Vendor on the Darknet, December 2020

Figure 5: Moderna COVID-19 Vaccine Advertisement on the Darknet

While these could theoretically be ‘stolen’ vaccines, it is more likely they are counterfeit vaccines with vials of unknown and possibly lethal substances. Last week, open sources reported that authorities had discovered that fake coronavirus vaccines containing distilled water were administered to at least 80 patients in a clinic in Mexico, while a darknet scammer was arrested in Poland for selling vaccines that actually contained an anti-wrinkle agent. Luckily, the Polish doses do not appear to have been administered to anyone.

Other offers for vaccines are clearly scams without any intention to deliver a single vial.

One vendor on a market known for its promotion of “rippers” (a.k.a. scammers) stated they had the “most-effective” “Pfitzer” vaccine for sale for $500 USD. The contact information associated with the vendor has only emerged on the darknet in recent weeks and is also connected with offers for various pharmaceuticals, including ecstasy and Adderall.

Some scammers have established darknet onion services with elaborate backstories about their access to COVID-19 vaccines and medicines. One domain is supposedly set up by Wuhan Institute of Virology lab scientists and doctors who claim to have medicine exclusive to China to treat COVID-19, as well as vaccines that the Chinese government is keeping secret from the rest of the world. They are not ‘selling’ the vaccines and medicines but shipping them after a Bitcoin donation is received. They also refuse to respond to ‘long emails’ and ‘investigative questions,’ and their written text, quoted below, includes a number of typos.

 

We are Wuhan Institute of Virology Lab Scientists and Doctors. We are a few scientists from the Wuhan Institute of Virology who have been working on viruses for human health, however after the corona virus (covid-19) has been leaked out of the facility and start infecting people we warned our government about making the covid-19 vaccines available for the public and start manufacturing the corona virus medicines asap. Unfortunately our warnings didn`t work and local infection turned out to a pandemi. Some of us are sworn doctors and others are honest scientists who only work for humanity. Being able to help people but not being allowed to is making us sick, some of us committed suicide already but we decided to use any and all ways to save lives.

As written on other pages we have been sending some covid-19 (corona virus) vaccines and corona virus (covid-19) medicines successfully to another country and we do not intend to sell any covid-19 vaccine but we are asking your help to let us save our lives and escape from China to a safe location in any part of the world and work with other scientists to save more lives.

If you have suffered with the Corona virus (covid-19) and hopefully recovered we are sure of that you don`t want that suffer for anybody else. So even if you don`t need the covid-19 vaccine or corona virus medicine please donate to the address below so you can save more lives.

— Authors of Tor Onion Service titled ‘We Are Wuhan Institute of Virology Lab Scientists and Doctors’, captured March 21, 2021
 

Disinformation Persistent Across Boards and Chans

If fake vaccines filled with unknown substances do not undermine the public’s confidence in vaccine distribution, there is plenty of disinformation rampant across the political threads on darknet and deep web discussion boards to stoke collective fears and personal anxieties. A recent thread on one discussion board included links to the original Moderna patent with skepticism and a link to a controversial article suggesting the mRNA vaccines cause cancer.

 
Figure 6: User on darknet board discusses fertility issues and vaccine (Source - DarkOwl Vision)

Others suggest the vaccine impacts fertility, stating that they have had lowered sperm counts since taking the vaccine. Some users call out other users for “shilling,” a term from the urban dictionary that in conspiracy terms refers to a person who intentionally circulates false information or acts totally insane in an effort to discredit a conspiracy, revealing that an active information war is at play on the boards.

 
Figure 7: Controversial Discussion on a Deep Web Discussion Board

Figure 8: Controversial Discussion on a Deep Web Discussion Board

The fabricated conspiracies on such forums are particularly imaginative and controversial. For example, another post on a forum insinuated that the entire narrative around the dangers of mRNA vaccines was intentionally developed to shift people to prefer vaccines that are indeed gene therapy experiments instead.

Based on our observations, vaccine resistance is not limited to the United States. One user on Telegram expressed outrage over how a certificate of vaccination was required to receive services from a hair salon in Denmark as of April 2021. The post was written with a tone of desperation, including the sentence “We need help” at the end, signaling this is becoming a global issue of controversy and potential social uprising.

 

Guys in Denmark you now have to show a corona passport (vaccine/negative test) to get service in hair salon from April 6th!!! Before that it was only for traveling. Now it’s hair salon. They are slowly grooming us into accepting this stupd passport. Soon it will be for restaurants and other cultural activities. This is fucking madness. I am so angry about this and so is many other danish citizens. This will soon happen all over the world. They say there will be a expired date for the passport but I dont believe that cus they lied about the 14 days to flatten the curve. We really need fucking help. Soon it will be restaurants too and does that mean I need to show a fucking certification to pick up food from restaurant and to the customers adress as a food courier!? I am at this stage where I may risk losing my fucking job in two months unless my job is exempted from it. Even if I may be exempted from it, many citizens will lose their job and have their freedom taken away because of this stupid passport. We need help.

— Post from Telegram User, March 23rd, 2021
 

Vaccine Data on the Darknet

Critics point to the CDC’s vaccination records being issued on easily obtainable grey cardstock, and the ease with which they are counterfeited, as justification for a digital vaccine passport program. Developers have not delayed, as there are now numerous vaccine passport apps available across the widely used mobile app stores. Even New York has announced a new vaccine status program for mobile phones after partnering with IBM to develop a scannable barcode, similar to the QR codes used by airlines for boarding.

Since last year, the International Air Transport Association (IATA) has been working on an app called Travel Pass for use across its 290 airline participants, through which laboratories and healthcare providers can send PCR test results and vaccination records for flyers to present for compliant air travel.

The U.S. CDC’s website emphasizes the importance of its centralized Immunization Information System (IIS), which includes a repository of all vaccination records for each state. According to the website, COVID-19 vaccine providers are required to report detailed information about each vaccination given at the county and state level. Personal information for vaccination recipients includes full name, date of birth, residential address, sex, race and ethnicity, in addition to the vaccine’s production information from the manufacturer, such as expiration date, dose and lot numbers, for tracing which vaccination was administered.

The CDC’s COVID-19 specific IIS includes a number of different digital information systems for tracking and managing COVID-19 vaccine data:

  • VAMS: vaccination administration management system available for vaccination providers’ use, contracted by the CDC for development by Deloitte Consulting.

  • IZ Gateway: the immunization gateway, a central cloud storage system to enable IISs, federal agencies, and private partners to connect and share immunization information.

  • VaxText: second dose reminder system that vaccine recipients can enroll with to receive SMS text message reminders for their next vaccination date based on the vaccine they received.

  • VTrckS: vaccine ordering system which includes vaccines for each provider along with associated shipping information.

  • VaccineFinder: vaccine provider lookup system to provide the contact information for vaccine providers, hours of operation, and types of vaccines available.

Many COVID vaccine clinics have decided against the CDC-endorsed VAMS administration system and instead procured commercial application alternatives such as PrepMod for mass vaccine scheduling and data administration. DarkOwl has observed some darknet users complaining about having issues using PrepMod’s system effectively, and some states are considering abandoning the PrepMod product for systemic design issues and persistent bugs.

 
Figure 9 Source: https://www.cdc.gov/vaccines/programs/iis/downloads/basics-immun-info-sys-iis-508.pdf

Given the frequency and ease with which cybercriminals are compromising commercial database systems and regularly selling or leaking millions of records of customer authentication data and financial information on the darknet, vaccination record data sets are at risk of compromise.

Large-scale databases of personally identifiable data associated with the vaccine distribution, like the CDC’s IZ Gateway and VaxText systems or any number of commercial and government vaccine passport apps in circulation, will be a prominent target for darknet cyber exploitation enthusiasts in the coming months, if they are not already attempting to gain unauthorized access to such systems around the globe.

