Threat Actor Claims to Have 150 Million Indians’ COVID 19 Vaccination Records

A post on a cybercrime forum is selling the records of 150 million Indians, who have received the COVID 19 vaccination, for USD 800
Updated on
April 19, 2023
Published on
August 12, 2021
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
Category Adversary Intelligence
Affected Industries Healthcare, Government
Affected Region India
Data Fields Name, Mobile Number, Aadhaar ID, GPS, Location, State, etc.

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, selling the records of 150 million Indians, who have received the COVID 19 vaccination, for USD 800.
  • In India, all COVID vaccine registrations are managed through the COWIN portal, which was developed and managed by the Government of India.
  • The CloudSEK Threat Intelligence team is in the process of validating the claims made in the post.
[caption id="attachment_17663" align="aligncenter" width="632"]Threat actor’s post on the dark web forum Threat actor’s post on the dark web forum[/caption]

Analysis

A database of “Covid19 vaccinated people” was also advertised over a private Telegram channel on 27 May 2021. This post also claimed that the database contains 150 million records. However, it was being sold for USD 1000.  The Telegram handle that posted this is also the administrator of the private Telegram channel.  The administrator of the channel has a history of reselling databases, which have previously been leaked by ransomware groups. It is likely that “Dark Leak Market” and the Telegram channel are managed by the same entity, given that all the databases advertised over the Telegram channel have consistently been sold on the “Dark Leak Market” URL as well, within a short period of time. At the time of publishing of this report, the Dark Leak Market URL is not active. [caption id="attachment_17664" align="aligncenter" width="322"]Post on the private Telegram channel Post on the private Telegram channel[/caption] There has also been chatter in underground forums that “Dark Leak Market” is a scam. [caption id="attachment_17667" align="aligncenter" width="430"]Chatter on underground forums that “Dark Leak Market” is a scam Chatter on underground forums that “Dark Leak Market” is a scam[/caption] Soon after it was posted, the Tweet by Dark Tracer, was discussed on an underground forum, with many users alluding to the post being a scam.  [caption id="attachment_17668" align="aligncenter" width="586"]Underground discussions on the tweet Underground discussions on the tweet[/caption]

Impact & Mitigation

Impact Mitigation
The post claims that the database contains users' sensitive information such as Name, Mobile numbers, AADHAR ID, Geo-location etc,. of the 150 million affected users. If this information is authentic, it could be potentially used to to propagate social engineering attacks.  Preemptively,  the following measures can be taken to avoid data misuse:
  • Use strong passwords.
  • Enable multi-factor authentication for all online accounts.
  • Don’t share OTPs with third-parties.
  • Review online accounts and financial statements periodically.
Note: CloudSEK will continue to monitor the Onion link of “Dark Leak Market” and scour other underground forums for updates on this purported leak of a COVID 19 database. 

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations