In the year plus since the COVID-19 pandemic took hold, DarkOwl analysts have continued to observe widespread coronavirus-related scams on the darknet. From bootlegged PPE, to “COVID infected blood,” to fake vaccination cards, there appears to be no shortage of individuals willing to take advantage of this global crisis to pursue their goals, be it to spread disinformation or simply to make money.
To gain insight into potential threat actors aiming to defraud individuals and corporations alike, DarkOwl turned to the darknet to take a closer look. In doing so, we identified scammers purportedly selling COVID-19 vaccines, vaccination passports and cardstock records of vaccination as issued by the Center for Disease Control (CDC). DarkOwl has also observed a number of disinformation campaigns related to the efficacy and legitimacy of the COVID-19 vaccine across major deep web and darknet discussion boards, creating additional conflict and polarization among forum users.
In the past few months, DarkOwl has noted a number of scammers offering vaccination record cards for sale, priced around $150 USD on average.
One vendor, known only as “darknetdeals,” also offers negative COVID-19 PCR tests for sale for those needing negative COVID-19 tests for travel and work.
Users on deep web discussion boards discuss their surprise regarding the nature of the vaccination record cards issued in the U.S. and the generic grey cardstock they are printed on, along with the handwritten name and dates of the first and second doses, for vaccines with multi-dose administration. DarkOwl has not engaged the threat actor nor purchased a card to verify whether this is a legitimate offer or a scam, but the opportunity could appeal to anti-vaxxers who desire to travel and dine in restaurants without receiving the vaccine.
Other offers have also surfaced on Telegram with “coronavirus certificates” and vaccine passports available for purchase. The price was not disclosed on the channel.
Vaccinated individuals across the US have shared post-vaccine selfies across social media with the CDC-stamped paper card issued by their vaccination provider proudly in hand. Scammers could not only utilize the photo of the card to create fake cards for sale on the darknet, but also steal the personalized information, such as full name and date of birth, for identity theft and fraud.
DarkOwl continues to see several COVID-19 vaccines offered for sale across darknet marketplaces and classified-like paste sites. In recent months, there has been a surge in vaccines on offer, including Russia’s Sputnik vaccine developed by Gamaleya. On one new darknet market alone, there are 5 different vendors offering vaccines ranging in price from $40 to $888 USD per dose. Pfizer vaccines tend to be more expensive than the other vaccines on offer.
DarkOwl had observed offers for COVID-19 vaccines on other darknet markets back in December, with prices ranging from $500 to $4000 USD. One vendor received feedback stating that they purchased five vials of the Pfizer vaccine for $2000 USD and it was packaged in a shipping container the size of a pizza box along with dry ice to maintain the significantly cold temperature requirement. It was unclear whether these were intended to be single doses or multi-dose spread out by 21 days, as suggested by the manufacturer.
While these could theoretically be ‘stolen’ vaccines, it is more likely they are counterfeit vaccines with vials of unknown and possibly lethal substances. Last week, open sources reported that authorities had discovered fake coronavirus vaccines containing distilled water were administered to at least 80 patients in a clinic in Mexico, while a darknet scammer was arrested in Poland for selling vaccines that actually contained an anti-wrinkle agent. Luckily, the Polish doses do not appear to have been administered to anyone.
Other offers for vaccines are clearly scams without any intention to deliver a single vial.
One vendor on a market known for its promotion of “rippers” (a.k.a. scammers), stated they had the “most-effective” “Pfitzer” vaccine for sale for $500 USD. The contact information associated with the vendor has only emerged on the darknet in recent weeks and is also connected with offers for various pharmaceuticals including ecstasy and Adderall.
Some scammers have established darknet onion services with elaborate backstories about their access to COVID-19 vaccines and medicines. One domain is supposedly set up by Wuhan Institute of Virology Lab Scientists and Doctors who have medicine exclusive to China to treat COVID-19 and vaccines that the Chinese government is keeping secret from the rest of the world. They are not ‘selling’ the vaccines and medicines but shipping them after a Bitcoin donation is received. They also refuse to respond to ‘long emails’ and ‘investigative questions,’ and their written text includes a number of typos. (Quoted below)
If fake vaccines filled with unknown substances do not undermine the public’s confidence in vaccine distribution, there is plenty of disinformation rampant across the political threads on darknet and deep web discussion boards to stoke collective fears and personal anxieties. A recent thread on one discussion board included links to the original Moderna patent with skepticism and a link to a controversial article suggesting the mRNA vaccines cause cancer.
Others suggest the vaccine impacts fertility, stating how they now have lowered sperm counts since taking the vaccine. Some users call out other users for “shilling,” a term from the urban dictionary that in conspiracy terms refers to a person who is intentionally circulating false information or acts totally insane in an effort to discredit a conspiracy, revealing that an active information war is at play on the boards.
The fabricated conspiracies on such forums are particularly imaginative and controversial. For example, another post on a forum insinuated that the entire narrative around the dangers of mRNA vaccines was intentionally developed to shift people to prefer vaccines that are indeed gene therapy experiments instead.
Based on our observations, vaccine resistance is not limited to the United States. One user on Telegram expressed outrage over how a certificate of vaccination was required to receive services from a hair salon in Denmark as of April 2021. The post was written with a tone of desperation, including the sentence “We need help” at the end, signaling this is becoming a global issue of controversy and potential social uprising.
Critics cite the CDC’s vaccination records being printed on easily obtainable grey cardstock, and the ease with which they are counterfeited, as justification for a digital vaccine passport program. Developers have not delayed, as there are now numerous vaccine passport apps available across the widely used mobile app stores. Even New York has announced a new vaccine status program for mobile phones after partnering with IBM to develop a scannable barcode, similar to the QR codes used by airlines for boarding.
Since last year, the International Air Transport Association (IATA) has been working on an app called Travel Pass for use across their 290 airline participants for laboratories and healthcare providers to send PCR test results and vaccination records for flyers to present for compliant air travel. (Source)
The U.S. CDC’s website emphasizes the importance of their centralized Immunization Information System (IIS), which includes a repository of all vaccination records for each state. According to their website, COVID-19 vaccine providers are required to report detailed information about each vaccination given at the county and state level. Personal information for vaccination recipients includes full name, date of birth, residential address, sex, race and ethnicity, in addition to the vaccine’s production information from the manufacturer, such as expiration date, dose and lot numbers for tracing which vaccination was administered.
The CDC’s COVID-19 specific IIS includes a number of different digital information systems for tracking and managing COVID-19 vaccine data:
VAMS: vaccination administration management system available for vaccination providers use – contracted by the CDC for development by Deloitte Consulting.
IZ Gateway: the immunization gateway, a central cloud storage system to enable IISs, federal agencies, and private partners to connect and share immunization information.
VaxText: second dose reminder system that vaccine recipients can enroll with to receive SMS text message reminders for their next vaccination date based on the vaccine they received.
VTrckS: vaccine ordering system which includes vaccines for each provider along with associated shipping information.
VaccineFinder: vaccine provider lookup system to provide the contact information for vaccine providers, hours of operation, and types of vaccines available.
Many COVID vaccine clinics have decided against the CDC-endorsed VAMS administration system and instead procured commercial application alternatives such as PrepMod for mass vaccine scheduling and data administration. DarkOwl has observed some darknet users complaining about having issues using PrepMod’s system effectively, and some states are considering abandoning the PrepMod product for systemic design issues and persistent bugs.
Given the frequency and ease with which cybercriminals are compromising commercial database systems and regularly selling or leaking millions of records of customer authentication data and financial information on the darknet, vaccination record data sets are at risk of compromise.
Large-scale databases of personally identifiable data associated with the vaccine distribution, like the CDC’s IZ Gateway and VaxText systems or any number of commercial and government vaccine passport apps in circulation, will be a prominent target for darknet cyber exploitation enthusiasts in the coming months, if they are not already attempting to gain unauthorized access to such systems around the globe.