I Bought a Fake COVID-19 Vaccine Card on Etsy

The ease of purchasing or fabricating vaccine cards may complicate the roll-out of vaccine verification efforts.
Fake vaccination card
Image: Motherboard
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

I received my first dose of the Moderna vaccine in Los Angeles on March 18, and the second dose at the same place a few weeks later, according to the "COVID-19 Vaccination Record Card" in my pocket.

The information printed on it is fake, however. I bought this card from a seller using the online retailer Etsy. The Etsy shop said it offered the card as a way to get your vaccination details on a more long-lasting, convenient sheet of wallet-sized metal rather than the thin cardboard copies health care facilities give out. But the seller printed the incorrect information I provided without asking any questions.


The purchase highlights the difficulties states and businesses may face when reopening and verifying whether people have been vaccinated or not before granting entry or providing certain services, especially if they rely on the CDC-stamped vaccination cards. This summer, for example, the hacking conference DEF CON plans to run in-person in Las Vegas, and said attendees must be vaccinated. The prospect of easy to source fake vaccination cards may complicate those and other verification efforts. On Thursday, NBC News reported that pro-Trump forums have dug up templates for COVID-19 vaccination cards and are trading tips on how to forge them.

"Please keep this duplicate record card. It contains your supplied medical information regarding the Covid-19 vaccines that you received," the card reads.

Do you know anything else about fake vaccination cards? Are you making or selling them? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on, or email


I ordered the card on April 16 and received the item around two weeks later. The listing said that the seller required a photograph of my real vaccination card to process the order, but I just sent the seller a message with the information I wanted on the card instead. It cost $15 plus shipping.

I provided my name, a fake date of birth, but the real vaccination details such as dose, healthcare site, and dose batch number of someone else with their consent. Now, I had a card that contained details on a real vaccination but with my own name, letting me try to pass off as fully vaccinated against COVID-19.


An Esty spokesperson wrote in a statement that "Fraudulent Covid-19 vaccine documents are strictly prohibited on Etsy. We actively monitor our marketplace for these types of listings and use both manual and automatic controls to monitor our site, and we also look to our community of users to report problematic listings via our site-wide flagging tool." Etsy said the listing was removed within an hour of it being created, and that the company uses manual and automated methods for monitoring the site for violating content.

"If You Make or Buy a Fake COVID-19 Vaccination Record Card, You Endanger Yourself and Those Around You, and You Are Breaking the Law," the title of a March public service announcement from the FBI reads.

"The unauthorized use of an official government agency's seal (such as HHS or the Centers for Disease Control and Prevention (CDC)) is a crime," the announcement continues. In this case, the card doesn't include the CDC seal itself.

Of course, the card itself is not as convincing a fake as one that tries to mimic the cardboard cards handed out by health facilities after an actual vaccination—the card, although bearing similarities, is not identical to a genuine one and is made of another material. But it still raises questions about how entities hope to verify attendees or customers' vaccination status when it is relatively easy to purchase a knock-off card.

A spokesperson for DEF CON previously told Motherboard that "we're still working through those details, but we likely won't be doing it ourselves," referring to the verification effort.

Subscribe to our cybersecurity podcast CYBER, here.