DarkPath scam group loses 134 domains impersonating the WHO

United Nations security experts and security firm Group-IB said they worked together to take down 134 websites operated by a cybercrime group known as DarkPath.

The domains have been used earlier this month to impersonate the World Health Organization (WHO), the UN and Group-IB said today.

"Scammers had created a distributed network of 134 rogue websites impersonating the World Health Organization (WHO) on its health awareness day, encouraging users to take a fake survey with the promise of funds in return," Group-IB said.

The scammers promised users €200 to fill out the survey and share a link with their WhatsApp contacts. However, the prizes never materialized, and the scheme generated a sprawling spam campaign that fed new traffic to the scam sites.

Group-IB said the scheme targeted millions of users worldwide.

The company told The Record that after notifying the UN's International Computing Centre, they worked with "a wide network of regulators and service suppliers - domain name registrars, hosting providers, associations, including FIRST, TRUSTED Introducer, APWG, Scamadviser and many others" to take down the 134 sites.

Group-IB said the 134 scam sites were managed by a known threat actor going by the name of DarkPath.

"After our blocking efforts, the scammers stopped using the WHO branding across their entire network," a Group-IB spokesperson told The Record today.

Still, despite the WHO-centered takedown, the group is still active. Group-IB says the threat actor still operates around 500 other sites impersonating other brands.

The security firm estimates the reach of these sites in the millions, with around 200,000 users landing on the scam sites each day.