March 26, 2020by Cybersixgill

How COVID-19 is driving sales, scams & disinformation on the dark web

Scammers play to hope and fear. With the global spread of the COVID-19 pandemic, there’s a lot of that to go around, this is especially true on the dark web.

Sixgill researchers recently conducted a review of dark web chatter about the novel coronavirus. The virus has upended daily life in dozens of countries, and we’ve seen a corresponding impact on activity on dark web forums and marketplaces.

The fact that criminals see opportunity in chaos, led us to anticipate early on an uptick in several categories of activity that might rise to prominence amid the confusion. What we aren’t seeing are the copycats that usually rise as a result of successful attacks. We take this to mean that threat actors are, at the moment, still (as of late March) testing the waters to determine which schemes have the most traction.

Our review of dark web chatter on the novel coronavirus found discussions falling into four major categories: general discussions, fraud, profiteering and scamming, and social engineering and malware.

Concern for Personal Safety

The denizens of the dark web are not immune to the coronavirus. In most of its corners, the threat actors see the pandemic as both a financial opportunity and a risk to their personal health. It’s likely no surprise then that the discussions of COVID-19 focus on information sharing.

The first mentions were in Chinese language forums, but then spread to other regions and languages as the virus spread to the West.

The chatter reflects the same concerns found in other parts of the world - fear for personal safety, and concerns over job loss - were common discussion topics. But dark web chatter also included a strong undercurrents of conspiracy theories, which is perhaps no surprise given the nature of its users. Many of the discussions focused on strategies to stockpile food or weapons in response to what these groups see as inadequate government strategies.


Disinformation has been a significant topic in global politics over the past several months. It appears that threat hackers may try to take advantage of the COVID-19 pandemic to amplify the confusion. In one dark web forum, we found a hacker offering backdoor access to a top-200 website focusing on U.S. politics at an auction that began at $20,000. The actor notes that purchase of this access is “great for raising panic about the coronavirus.”

This example shows that publishers need to pay close attention to cybersecurity in difficult times.


As governments propose increased expenditures to jump start economies shocked by weeks of social distancing, scammers are looking to divert cash their way. In several dark web forums, we found people trying to exchange advice on how to get their “slice.”

Profiteering and Scams

These discussions focus on counterfeit products, bogus listings, and products sold at markups that might be illegal.

We saw several listings for N95 masks that have been in short supply. Some forums had listings for ventilators needed by critically ill patients. There are several risks with regard to purchasing these items on the dark web. For one thing, the seller may not actually have masks and ventilators for sale. There’s little recourse for fraud on the dark web. Additionally, these products may not meet specifications for use in hospital or clinical settings. Purchasers may receive masks, but users should question whether they actually act as effective barriers.


Malware and Social Engineering

One of the clearest risks for security professionals and individuals stems from malware and social engineering, made easier with phishing scams. People are desperate for information about COVID-19. They may be more prone to click on suspect links, or spend time on fake web pages that promise bogus cures while injecting malware onto a computer.

Future Outlook

The dark web, like the rest of the world, is still adjusting to the effects of COVID-19. But over the next few weeks, it will be interesting to see if the criminal underground begins sharing tactics and strategies that underlie their larger success stories. The situation is one that should, of course, be monitored closely. If you are interested in a deeper discussion of these issues, download our Coronavirus Discourse Update Report.

You may also like

SANS Report Blog-Thumbnail

July 18, 2024

SANS CTI Survey 2024: Reports Rise to the Top for Communicating Critical Information

Read more
Analyst looking at multiple monitors

July 11, 2024

Chinese APT40 Hackers Hijack SOHO Routers: Unleashing Cyber Espionage Attacks

Read more
Abstract digital landscape with flowing lines of glowing binary code in blue and orange, representing data streams and modern technology.

July 08, 2024

CVE-204-6387 Poses Risk to Organizations Relying on OpenSSH’s Server (sshd)

Read more