Cowin data leak claim and CloudSEK analysis

The CloudSEK team has identified a malicious actor promoting a Telegram bot that provided access to the personal information of Indian individuals who had reportedly registered for vaccines through the Cowin Portal. The bot claimed to offer personally identifiable information (PII).
Updated on: June 12, 2023

Published on: June 12, 2023

Category:  Adversary Intelligence

Industry:  Government

Motivation: Reputation

Country: India

Executive Summary

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a Telegram bot that offered personally identifiable information (PII) of Indian citizens who had allegedly registered for vaccines through the Cowin Portal.
  • Note: CloudSEK's analysis concludes that the threat actors have access to neither the entire Cowin portal nor the backend database. Based on matching fields between the Telegram data and previously reported incidents affecting health workers of a region, we assume the information was scraped through compromised health worker credentials. The claims need to be verified individually.
  • On March 13, 2022, a threat actor on a Russian cybercrime forum advertised compromised access to the Cowin Portal of the Tamil Nadu region and claimed to have compromised the Cowin database. Upon analysis, we discovered that the breach was that of a health worker and not of the infrastructure. The fields displayed in the screenshot match those of the Telegram bot mentioned in the media:
      • Name of individual
      • Mobile number
      • Identity proof
      • Identification number
      • Number of doses completed

Furthermore, there are numerous healthcare worker credentials accessible on the dark web for the Cowin portal. However, this issue primarily stems from the inadequate endpoint security measures implemented for healthcare workers, rather than any inherent weaknesses in Cowin's infrastructure security.
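One way a portal operator could spot bulk scraping through a single compromised health worker login, as an added example that is not part of CloudSEK's report or of Cowin's code. The audit-log format, account names, window and threshold are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed audit lines: '<ISO time> <account> <source IP> <phone looked up>'.
    hw_clinic behaves normally; hw_stolen is driven by a scraper."""
    start = datetime(2023, 6, 1, 9, 0, 0)
    lines = []
    for i in range(5):   # one lookup every 10 minutes
        when = start + timedelta(minutes=10 * i)
        lines.append(f"{when.isoformat()} hw_clinic 10.0.0.5 90000000{i:02d}")
    for i in range(40):  # one lookup every 3 seconds
        when = start + timedelta(seconds=3 * i)
        lines.append(f"{when.isoformat()} hw_stolen 203.0.113.9 91000000{i:02d}")
    return sorted(lines)  # ISO timestamps sort chronologically


def find_bulk_lookups(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return {account: peak distinct phone numbers looked up within `window`}
    for every account that exceeds `max_distinct` (hypothetical threshold)."""
    recent = defaultdict(deque)  # account -> (time, phone) pairs still in window
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed audit lines
        ts, account, _source_ip, phone = parts
        when = datetime.fromisoformat(ts)
        queue = recent[account]
        queue.append((when, phone))
        # Drop lookups that have aged out of the sliding window.
        while when - queue[0][0] > window:
            queue.popleft()
        distinct = len({p for _, p in queue})
        if distinct > max_distinct:
            flagged[account] = max(flagged.get(account, 0), distinct)
    return flagged


if __name__ == "__main__":
    for account, peak in find_bulk_lookups(build_sample_log()).items():
        print(f"review {account}: {peak} distinct beneficiaries in 5 minutes")
```
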








Image 1: Threat actor’s post on Telegram channels advertising the CoWin database in 2022

Exclusive HUMINT analysis revealed that the data belonged to the Tamil Nadu region, and the actor claimed access to this single region’s center at that moment.

Analysis and Attribution

Information from the Telegram Channel

  • The Covid data bot was offered by a channel called hak4learn, which frequently shared hacking tutorials, resources, and bots for individuals to access and buy. Initially, the bot was available for everyone to use, but it was later upgraded to be exclusive to subscribers. 
  • The upgraded version of the bot provided PII, including Aadhaar card numbers, PAN card, Voter ID, gender, and the name of the vaccination center, based on the inputted phone number.
  • The real source of the Telegram bot is unknown. It is important to note that Version 1 of the bot only displayed personal information based on a phone number, while Version 2 claimed to be a Truecaller bot that also contained personal information of the individuals.
  • The bot is currently down and might come up later as mentioned by the admin of the channel.
Snapshot of the Telegram Group hak4learn

  • The channel, established on December 11, 2021, provides a variety of Telegram bots, such as a Truecaller bot for retrieving location information based on phone numbers, an OTP bot, a UPI Recon bot, a Phishing page bot, and many others.
  • The advertised post contains screenshots of the admin portal revealing the PII of people who have registered for COVID-19 vaccination drives.

Threat Actor Activity and Rating

Based on an Instagram post made in 2022, an account likely associated with the threat actor offered various scripts exploiting UPI payment gateways such as SBI, PayTM, Google Pay etc.  

Figure: Threat actor posting scripts to scan for different UPI systems operational in India

Threat Actor Profiling

Active since



Moderate with frequent posts to monetize from methods and data

Current Status: Active, popular


The actor has been sharing scripts, database, bot details, and deals in INR, indicating a non-Russian origin. 


E4 (E: Unreliable, 4: Doubtfully True)

Impact & Mitigation



  • The exposed Personally Identifiable Information (PII) could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft.

  • Include 2FA for Cowin portal.

  • Monitor cybercrime forums for the latest tactics employed by threat actors. 

