There is light at the end of the coronavirus tunnel: Countries are now beginning a gradual return to normalcy thanks to vaccination programs. Many people—cybercriminals included—are looking forward to post-vaccination vacations and to catching up on all the travel they’ve missed over the past year. Countries are opening up their borders to foreign visitors, albeit with restrictions or requirements such as proof of vaccination or a negative coronavirus test. We’ve seen before how COVID has had a particularly significant impact on the dark web travel market, with dark web travel agencies offering cut-price airline tickets and hotel reservations.

With that in mind, our team at Photon wanted to examine the dark web response to COVID vaccinations. In this blog, we traverse the deep and dark web to investigate how the beginning of the end of the pandemic is impacting the microeconomy of cybercriminal marketplaces and forums.

How are dark web document services faring?

Our research revealed that the so-called “renderers”—dark web document service vendors who have traditionally supplied fake drivers’ licenses, passports, and bank statements—have pivoted to producing coronavirus-related documentation in response to enquiries from other threat actors. 

At the start of the pandemic, negative test certificates were highly sought-after, often requested by buyers looking to get out of a country. For example, one cybercriminal forum user requested a COVID-19 “certificate” for “escaping from Mexico.” A threat actor on a different platform requested a “rendering of an international COVID certificate.” We found similar requests for certification of a negative test across multiple sites, with buyers typically expressing their need to leave or enter a foreign country.

Figure 1. Cybercriminal forum user urgently requests COVID-19 test for leaving Mexico

Dark web graphic design services have also been in demand since the start of the pandemic. An 18GB folder of “Covid-19 Graphics, Photos, Videos & More” that was shared on an English-language cybercriminal forum in July 2020 was still being downloaded in March 2021, likely for use in coronavirus-related targeted phishing campaigns.

Document vendors responded quickly to this demand, with many established sellers updating their dedicated threads to advertise “Covid” document services. One established document vendor posted in their dedicated forum thread in March 2020 that they would provide a “coronavirus fake.” Another offered a “covid quarantine passport” alongside their other document services. One particularly sinister offering came from a vendor who advertised fake death certificates with “COVID” listed as the cause of death. The mind boggles thinking of the many potential malicious schemes that could benefit from such a document. 

From October 2020, we even saw document service vendors who only sell fake medical documentation, thus forgoing the more established practice of offering such documents alongside passports, drivers’ licenses and utilities.

Figure 2. Cybercriminal forum medical documents vendor

It wasn’t just fakes created from scratch either. A seller of stolen medical documents announced in the title of their thread that their haul included 300,000 negative “COVID tests.” We found many such databases on English language forums in particular. Vendors usually stated the number of available COVID-19 test records in the titles of their thread—a clear indicator of what they believe their target market desires. 

Figure 3. Cybercriminal forum vendor advertises US database containing 14,000 COVID test records

How has vaccination disrupted the market?

Negative test certificates were “all the rage” in 2020 and are still highly sought after. However, nowadays we’re seeing many more vaccination-related requests, with users across multiple platforms seeking “Covid vaccine certificates.” For example, one threat actor requested “a high quality replica/scan of COVID vaccine certificate” that must be “authentic, and re-created properly,” adding that it “need[s] to be able to be modified for personal use.”

Figure 4. Cybercriminal forum user requests COVID Vaccine Certificate

Similar to the start of the pandemic, document service providers are responding to the shift in demand by offering up these fake COVID-19 vaccine certificates. For instance, one seller on a Russian-language forum advertised an “inoculation certificate for Covid” for “those who don’t want to get vaccinated” for the asking price of RUB 10,000 (USD 132.25). They remarked in a later post that it would also be possible to get “an official one” through “government services,” which was priced at RUB 35,000 (USD 462.88). The availability of such documents is not limited to a particular geography; a vendor on one English-language forum advertised a “COVID-19 (SARS-CoV-2) Vaccination Paper/Card” and remarked, “I’m not responsible for anything you do with this card.”

Figure 5. Cybercriminal forum vendor advertises COVID-19 Vaccination cards

However, it appears that supply has not entirely caught up with demand: Not all vendors have made the switch from negative tests to vaccination certificates. This is reflected in the high number of users requesting these certificates and the high price charged by those selling them. It’s possible that this is simply because vaccination was not a valid option until recently, especially for those under a certain age. It would raise a few eyebrows if you arrived at a hotel with an inoculation certificate before vaccines were even available. The nascent demand for this new documentation is there, though, and it is surely only a matter of time before supply catches up.

What is driving the demand for vaccination certificates? 

In short, work and travel. Our research uncovered some unusual drivers for the supply chain in vaccination certificates. For instance, one forum user wrote, “Work has asked that I get vaccinated, but for various reasons I don’t want to.” They expressed interest in “a medical form, certificate for antibodies presence etc.”

Figure 6. Cybercriminal forum user asks how they can avoid needing to get vaccinated

Yet most vaccine certificates bought on cybercriminal platforms are highly likely intended to help get around travel restrictions. One forum user explicitly asked if such a certificate would allow them to travel abroad. In March 2021 a vendor on an English-language platform addressed this specifically, advertising a COVID-19 “vaccine passport” to buyers who “want to travel freely without being jabbed.”

Figure 7. Forum user advertises “Proof of Covid-19 vaccination card”

How are dark web travel vendors faring?

Our last blog on travel vendors reported that they had been forced to adapt to the restricted landscape of international travel. These vendors offer heavily discounted flight tickets and hotel rooms, either stolen or purchased with airline points or stolen credit cards. While some greatly reduced their services or shut up shop, many sellers simply switched the destinations they offered depending on what travel was available to them at the time. One vendor explained that they couldn’t offer hotels in Russia or Bali at the time, though “we’re still doing all other countries.”

Figure 8. Cybercriminal forum travel vendor advises currently-unavailable travel destinations

Several prominent travel vendors we mentioned in previous blogs, such as “serggik00” and “Patriarh”, have resumed regularly updating their dedicated threads, posting reviews from those using their service. serggik00 even uploaded a post to their dedicated thread in April 2021 to celebrate the anniversary of their sixth year in business – and business is good. For various reasons, including those unrelated to the coronavirus, others have failed to weather the storm. “Rapesec”, for instance, shut up shop after law enforcement took down the cybercriminal marketplace Dark Market in January 2021.

Figure 9. Cybercriminal forum travel vendor serggik00 celebrates their sixth year in business

While some travel vendors have taken a “not my problem” approach to the possibility that their customers won’t be able to realize their bookings due to a lack of medical documentation, others have recognized the restrictions and passed on this warning to their customers. One travel vendor announced on their dedicated thread: “!!! Warning !!! If you are planning to holiday in Krasnodar Krai in the near future, then understand that hotels require a negative Covid test certificate. The certificate must be obtained no earlier than 48 hours before checking in.”

Figure 10. Cybercriminal forum travel vendor warns client of the need to present a negative test upon check-in

We had wondered if any travel vendors would have moved into the document service scene in order to provide a sort of “package deal” that would include travel documents such as airline tickets and hotel bookings, as well as vaccination and test certificates, but this does not appear to be the case. Similarly, we did not find any evidence that travel vendors were forming partnerships with or recommending document vendors in their dedicated threads. It is up to travelers to sort out all the documents they need on their own. Perhaps the skills needed to organize fraudulent hotel bookings and airline travel have little cross-over with medical document forgery. Best leave that up to the traditional document renderers.

How can you stay ahead of threat actors with Dark Web Intelligence?

Just like they’ve always done, users of dark web forums and marketplaces are responding to real-life events. They’re taking full advantage of the prospect of international travel resuming once again. As travel restrictions are lifted, we can expect to see more and more document “renderers” offering COVID vaccination certificates or travel papers.

If you’d like to keep up to date with this and similar trends on the dark web and in the cybercriminal underworld, get a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight across open, deep, and dark web sources on COVID-19 related intelligence and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Get a free, seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.