< Back to Searchlight Blog

Covid-19 and the darknet: deceit, disinformation and disruption

Published on 06 Jan 2021 by Louise

Since the beginning of the coronavirus pandemic, darknet actors have exploited the heightened sense of fear and uncertainty for financial and even political gain. In tandem with the much-anticipated rollout of vaccines for the disease in multiple countries worldwide, actors have renewed efforts at Covid-related fraud, disinformation, and cyber-espionage.

Since China disclosed the spread of a new, potentially deadly respiratory disease in late December 2019, malicious online actors have sought to exploit the SARS-CoV-2 crisis for various reasons. This article explores the different groups attempting to extract value from the coronavirus pandemic, and how the global crisis has highlighted the growing ubiquity of cybersecurity concerns in modern daily life.

Actors aiming to exploit the Covid-19 pandemic can be divided roughly into three groups, with some cross-over between them: darknet fraudsters seeking financial gain, those wishing to sow chaos in an already unstable atmosphere, and state-sponsored actors - known as Advanced Persistent Threat (APT) groups - disrupting and spying on the vaccine development process to further their geopolitical interests.

The darknet has long been known as a hosting ground for scams and deceit, owing to its facilitation of relatively anonymous online trade. Whilst users often flock to darknet markets and forums to purchase products and discuss techniques for defrauding others, they can ironically fall prey to the same activity they seek to perpetrate. Therefore, it is no surprise that darknet scammers have consistently attempted to cash in on the heightened sense of fear and paranoia during the pandemic, with darknet intelligence tool Cerberus returning over 42,000 results for the search term "covid 19". Of these results, a large proportion were listings for various drugs touted as treatments for the disease. These included listings for chloroquine and hydroxychloroquine, the antibiotic azithromycin, anti-retroviral drugs used to treat HIV such as lopinavir and ritonavir, and Russian antiviral medication Arbidol, with prices ranging from 42 to 1500 USD.

Cerberus screenshot of a darknet market listing for chloroquine and hydroxychloroquine

Further dubious listings include various purported vaccines, "cures", and Covid-19 antibody tests. Coronavirus has also led to a significant rise in the promotion of PPE products, such as surgical N95 face masks, on darknet markets, as well as vendors proclaiming "Covid sales" and deals in an attempt to use the pandemic to drum up business for their standard offerings.

Cerberus screenshot of a darknet market listing for a purported vaccine

A second example of the intersection between the coronavirus pandemic and darknet spaces is the exploitation of the current climate of fear and disruption, both for financial gain and to enhance the atmosphere of uncertainty. In the early stages of the pandemic, when many governments worldwide enforced national lockdowns to halt the virus' spread, various conspiracies with origins on darknet forums became popularised on clearnet sites such as Facebook and Youtube. Theories ranged from links between coronavirus and the rollout of 5G mobile infrastructure, to efforts at engineering population control masterminded by Microsoft creator Bill Gates.

Cerberus screenshot of a darknet forum post regarding coronavirus and 5G

Cerberus screenshot of a darknet forum post regarding coronavirus and Bill Gates

It could be argued that the unprecedented nature of the global crisis has rendered many internet users more susceptible to these unsubstantiated claims, which are typically within the purview of darknet forum dwellers. The tangible benefits of spreading such disinformation are unclear, though the BBC notes that the forums which users may be directed to for further "research" can often act as a pipeline towards darknet markets by way of advertising. The disruption to employment for many has likely provided more immediate profitability for malicious actors, with phishing scams in the UK moving to imitate government departments issuing loans and furlough payments. Phishing kits of this nature can be found for sale on darknet markets, often with the aforementioned "Covid sale" discounts attached.

Cerberus screenshot of a darknet market listing for scam pages with coronavirus discount

The shift to remote working has been similarly fraught with risk, with hackers banking on the comparatively lower standard of cybersecurity present in most employees' homes as they seek to exploit vulnerabilities in online working software such as Zoom, Google Meets and document editing services.

The third cybersecurity threat magnified by the coronavirus pandemic pertains to the proliferating and intensifying activity of Advanced Persistent Threat (APT) groups. APT groups are usually state-sponsored, highly skilled actors who use sophisticated tools to infiltrate government or corporate entities for purposes of political espionage, data theft, and financial gain by holding data for ransom. Since the race to develop a Covid-19 vaccine began in Spring 2020, various instances of exfiltration, reconnaissance and disruption have been reported by government agencies, pharmaceutical companies and related parties. An early example is the March 2020 targeting of the World Health Organisation (WHO) allegedly by APT group DarkHotel, who launched a site impersonating the organisation's email system with the aim to extract staff credentials. In July, China was accused of sponsoring hackers to spy on the computer network of US biotech company Moderna - one of several firms involved in vaccine development research - though this was vehemently denied by the state. That same month, the UK National Cyber Security Centre and US Department of Homeland Security warned Western research corporations of suspicious activity carried out by Russian-backed group APT29, also known as The Dukes or Cozy Bear, aimed at stealing research related to the development of Covid-19 vaccines. This prediction was potentially vindicated in December, when a cyber-attack against the European Medicines Agency (EMA) resulted in BionTech - the firm working with pharmaceutical giant Pfizer to develop its vaccine - disclosing that a regulatory submission document had been accessed by unauthorised parties.

Western research is not the only target, with the manufacturers of Russia's “Sputnik V” vaccine being forced to shut down plants in October due to cyber-attacks. Even organisations with tangential links to vaccination efforts are at risk, with IBM identifying a campaign beginning in September to disrupt the supply chain of vaccine cold-storage and distribution via phishing attacks. Whilst not an exhaustive list, these examples illustrate the geopolitical importance of vaccine development and the lengths states will go to in securing their research and, in some cases, sabotaging that of their adversaries; for many societies, vaccination is now key to reopening economies and maintaining positional power on the world stage. Various biotech companies have also been targeted by ransomware groups - including the Mount Locker gang - and ordered to pay up so as to avoid their data being made public, once again exhibiting the lucrative potential of the current crisis.

Overall, the Covid-19 pandemic has exposed both threats and opportunities in the field of cybersecurity. As well as boosting potential for fraud, disinformation and the accumulation of darknet riches, the global crisis has accelerated most societies' increasing reliance on digitisation and thus laid bare multiple glaring vulnerabilities, from the individual level all the way up to that of intergovernmental organisations. With the stakes raised so high, it is likely that activity and interest in this sector will only continue to grow as the pandemic endures.

Try our Darknet Intelligence/Forensics tool for free, contact enquiries@slcyber.io

Latest News from Searchlight

20 May 2021

Is all press good press? DarkSide, Colonial Pipeline and Ransomware-as-a-Service

This article explores the darknet structures and relationships sustaining the ransomware ecosystem, and enquires whether the consequences of DarkSide's attack against Colonial Pipeline will affect the continued growth of this lucrative cybercriminal enterprise.


03 Mar 2021

Zero-day exploit in Accellion FTA leads to data compromise of multiple companies

This article evaluates the recent slew of data breaches suffered by a range of major organisations as a result of vulnerabilities in the soon-to-be-retired Accellion File Transfer Appliance, as well as the implications of suspected involvement by notorious ransomware gang Cl0p.


06 Jan 2021

Covid-19 and the darknet: deceit, disinformation and disruption

Since the beginning of the coronavirus pandemic, darknet actors have exploited the heightened sense of fear and uncertainty for financial and even political gain. In tandem with the much-anticipated rollout of vaccines for the disease in multiple countries worldwide, actors have renewed efforts at Covid-related fraud, disinformation, and cyber-espionage.


02 Dec 2020

The quest for Monero deanonymisation and potential impacts on darknet markets

Monero, often hailed by darknet users as the most private cryptocurrency available, has recently been the subject of efforts by security researchers to deanonymise and trace its transactions. How will Monero's potential traceability affect the illicit trade that occurs on darknet markets?