Fraudulent Covid Vaccination Certificates and Stolen Vaccines on Darknet Markets


Below are selected materials and findings from an investigation undertaken by Coinfirm into the trading of Covid-19 vaccination certificates, vaccines and tests in darknet markets.

The investigation found 1) scammers offering vaccines on the darknet, 2) probable health sector corruption and further proof that blockchain services with no KYC are used as criminal gateways.

Coinfirm has identified blockchain addresses related to vendors selling these products for numerous different crypto-assets including; BTC, ETH, DASH, LTC, TRX, XMR and ZEC, asset classes common to DNM trading, either due to their ubiquitousness in global crypto trade or their anonymity properties as so-called ‘privacy coins’.

Scammers Selling Vaccines

Many operate on the darknet owing to the focus of the platforms on anonymity, which many fraudsters take advantage of – purchasing a substance from darknet markets may lead to a very different one being delivered, if at all (criminals also even use DNMs to trade bioweapons, heightening the risks of ‘mix ups’).

The risk of being defrauded is demonstrated by the fact that the BTC address: 132P7fT5qCXa3WE9PhRPaHRUh5EcF7Ut15, which is being used as a payment acceptance address for Covid-19 vaccines found on the darknet market shop ‘COVID-19 vaccine’, belongs to a cluster of 145 addresses with other payment acceptance addresses used by various darknet services: mixers, stolen/cloned credit card vendors, drug traders, and scams – specifically bitcoin “doublers”.

The individuals selling customers a Covid-19 vaccine, are the same group or entity identified by Coinfirm’s analysis as soliciting frauds. The ‘COVID-19 vaccine’ shop is unique as it appears to be selling the various vaccines – AstraZeneca, Pfizer-BionTech, Johnson & Johnson, Moderna and Sputnik V – in bulk.

Screenshot of the ‘COVID-19 vaccine’ shop

Health Sector Corruption

Darknet market vendors based in the Russian Federation, the United States of America and a number of other countries claim to be able to not just sell proof of receiving the vaccine certificates but also, more worryingly, to have their unscrupulous customer’s details entered into national health systems, in some cases with doctor’s signatures. This is clear health sector corruption during the Covid-19 pandemic that has since killed just under 4 million people and caused disruption to the lives of billions. The obvious dangers of having rogue agents within the medical profession, whether in the public or private sector are self-evident during a pandemic.

A U.S.-based vendor on the Liberty Market darknet market (DNM) catering to U.S. residents, claims to be able to input client details into the system. The vendor gives instructions that “When you send me your address, I put the lot numbers from your area on the cards. You can either choose to put your name and birthday on the cards yourself for privacy reasons or I can put them so that the handwriting don’t [sic] be different and you will be in the system. In the data base [sic], the only thing that comes up is the lot numbers. Your name will not show up in the system because it is not needed for getting the vaccine.”

A screenshot of a vendor on the Liberty Market DNM selling fraudulent vaccines certificates

No KYC: Criminal Gateways

A BTC address found receiving funds for fraudulent vaccine certificates Coinfirm has analyzed, 1MEPCZZkXSf5n3FEZBb3WiyDzRv6ytxFWt, demonstrates the issue that crypto exchanges with limited to no KYC (Know Your Customer) present to stemming the tide of illicit funds by offering an easy fiat on/off ramp for criminals to cash out their trade. The address belonged to a cluster of addresses with activity on a Hong Kong-registered exchange that caters strongly to Eastern European clientele.

This address has had a total input of 40,800 USD in BTC in less than a year, one of the highest incomes from the illicit addresses analyzed. It is for these reasons that every obliged entity should institute rigorous KYC policies.

Hydra Darknet Market

When analyzing DNMs, it is difficult not to mention the largest, Hydra, that caters exclusively to Russian speakers and accounts for 75% of all global darknet market trade. Hydra took in $1.37 billion in 2020 – making the platform one of Russia’s top ten internet platforms by revenue. Operating since 2015, Hydra has seemingly been able to act with impunity whilst all other competitors have closed down and/or been apprehended by police in the Russian Federation.

Coinfirm’s data of the total value of crypto crime found that in 2020, DNM trade accounted for 18.4%, with DNMs used by customers and vendors for the trade of illicit goods owing to their utilization of numerous anonymity techniques. Hydra has, however, also revolutionized DNM trade in a few ways, including cash-out options for illicit crypto-assets and anonymous ‘drops’ of illicit goods.

Vaccine certifications are currently sold on Hydra for 30,000 RUB, 15,000 RUB and 3,500 RUB, showing a vast price discrepancy, despite all claiming to input details into the national Russian system. Despite being around 1/10th of the price of the most expensive vendor, the latter apparently still includes “certification of the completion of a full course of vaccinations from COVID-19, the dates of the vaccine and the series, the doctor’s signature and the seal of the medical organization.”

A screenshot of a vendor on the Hydra DNM selling fraudulent vaccine certificates

Also sold on the Hydra DNM are test results that show a negative result of coronavirus, offered for between 4,000 RUB and 3,000 RUB.

Stolen Vaccines

In addition, it has also been possible to purchase a supposedly real vaccine. This is shown in the image below of a site on the dark web – the ‘Vaccine Shop’ – dedicated to delivering different “stolen” vaccines to a plethora of countries.

This shop is especially saddening to see as many of those in a high-risk category in the developing world have not yet been vaccinated against Covid-19.

A screenshot of the ‘Vaccine Shop’

Interested in collaborating with Coinfirm on crypto-asset investigations into fraud, hacks and other forms of crypto crime? Get in touch with us today.