1. Introduction

Over the past few months, we identified an emerging online threat that combines fraud, social engineering, and genuine health risks. Scammers are now impersonating licensed physicians and medical clinics to promote counterfeit or unsafe medications, frequently leveraging AI and deepfake technology to generate convincing fake photos, videos, and endorsements.

The stakes extend beyond financial theft. Victims are persuaded to purchase and consume unapproved or potentially dangerous substances marketed as legitimate prescriptions. This convergence of digital deception and physical harm makes the threat particularly insidious – Criminals exploit the trust inherent in healthcare relationships to generate revenue while amplifying their reach through fraudulent social proof.

  1. What We Observed

Beginning in January 2025, Check Point Research tracked a coordinated wave of pharmaceutical scams targeting the healthcare sector, from major hospitals and telehealth platforms to independent clinics and individual practitioners. These operations primarily utilize artificial intelligence to create deepfakes: synthetic videos and voice recordings that appear to show real doctors endorsing specific treatments. Scammers construct fraudulent social media accounts and advertisements that replicate the visual language, tone, and branding of trusted medical organizations, lending their deceptions a veneer of professional legitimacy.

A representative case involved a fake Facebook page impersonating a credentialed U.S. physician. The account deployed stolen credentials and professional photography to advertise counterfeit GLP-1 weight-loss medications, directing victims toward unregulated online pharmacies selling dangerous products. While this serves as just one example, our analysis reveals an estimated 500+ similar fraudulent pages are being created daily across social media platforms, indicating the industrial scale of these operations.

Figure 1: Example of a fraudulent Facebook profile impersonating a real physician in the USA. The page uses fabricated credentials and professional imagery to promote counterfeit GLP-1 products and redirect users to fraudulent online stores.

One particularly aggressive counterfeit is PEAKA GLP-1 Slimming Pearls, marketed under various aliases including “Slimming Drops” and “Liquid Pearls.” The product falsely claims equivalence with FDA-approved prescription medications like Ozempic and Wegovy, which are indicated for blood sugar control and weight management. These claims lack scientific validation or regulatory approval.

Our investigations reveal systematic theft of intellectual property, including unauthorized use of medical association logos and fabricated testimonials attributed to physicians and patients. PEAKA represents just one example within a broader ecosystem of fraudulent campaigns promoting unverified “miracle” treatments for diabetes, weight loss, and aging. These operations share common characteristics: professionally designed advertisements, fabricated expert endorsements, and AI-generated content engineered to deceive consumers and extract payment.

Figure 2: Analysis of AI-generated testimonial deepfakes used in fraudulent weight-loss promotions. The images display clear signs of synthetic generation, including anatomical inconsistencies such as incorrect finger counts, irregular textures, and mismatched background elements, confirming the use of generative AI to fabricate “before-and-after” testimonials for counterfeit GLP-1 products.

  1. Modus Operandi

These operations follow a methodical playbook. The attack typically begins when a potential victim encounters a paid advertisement on social media or in search results. The ad appears to originate from a legitimate doctor or clinic and often features a fake video or “expert recommendation”. Many of these videos are deepfakes: AI-generated content that convincingly mimics real medical professionals endorsing a product.

Figure 3: Collection of fraudulent advertisements impersonating a physician in the USA. The ads use deepfake video content, fabricated endorsements, and cloned branding to promote counterfeit GLP-1 products such as “PEAKA.” These campaigns are distributed across multiple social media platforms through paid placements designed to mimic legitimate medical promotions.

Scammers have created deepfake advertisements featuring well-known endocrinologists and diabetes researchers. These synthetic ads appropriate the physician’s voice and likeness to promote counterfeit weight-loss drugs like PEAKA GLP-1 Slimming Pearls. Since October 2025 alone, we identified over 200 such fraudulent advertisements across multiple platforms. More than half (approximately 72%) utilize fake videos, voice cloning technology, or impersonated social media profiles.

Other prominent physicians from respected health institutions have been similarly targeted. The selection pattern focuses on specialists in diabetes, weight management, and metabolic medicine, capitalizing on public interest in medications like Ozempic and Wegovy.

Clicking these fraudulent advertisements redirects victims to spoofed websites that closely replicate legitimate clinic pages. These sites incorporate professional photography, authentic-looking logos, and fabricated contact information to establish credibility. The pages deploy manipulative design elements including countdown timers, “limited stock” warnings, and big discounts to create artificial urgency and pressure visitors into rapid purchasing decisions.


Figure 4. Example of a fraudulent e-commerce webpage promoting counterfeit GLP-1 products. The page displays typical persuasive design elements such as fabricated medical endorsements, false “Made in the USA” claims, deep discounts, and urgency cues like “limited-time offers” and bulk-purchase incentives, all intended to pressure victims into completing a transaction through unverified payment gateways.

Once a purchase decision is made, payment is processed through obscured or offshore systems, despite the display of familiar payment brand logos to suggest security. The outcome typically follows one of two paths: the victim’s money is stolen with no product delivered, or they receive unlabeled or mislabeled pills and liquids of unknown composition and safety.

This fraud model transcends simple financial theft by introducing direct health risks. These counterfeit products frequently make medically implausible claims, such as “lose 20 kilograms in one month”, while incorporating stolen medical branding, fabricated reviews, and hidden recurring billing that charges victims repeatedly. The scale and coordination suggest these operations function less as opportunistic cons and more as sophisticated, organized cyber crime enterprises.

  1. Technical Analysis

Using Check Point’s External Risk Management (ERM) platform, we conducted infrastructure analysis that revealed these fraudulent medical campaigns operate as part of a coordinated system functioning like a criminal industry.

  • Shared Infrastructure: Many fraudulent medical websites are connected at the infrastructure level. They share common IP addresses and use the same web-hosting companies, often based in countries with weak online security rules. Domain names, SSL certificates, and registration dates frequently cluster together, with dozens of fraudulent sites launching simultaneously, likely through automated deployment systems.
  • Common Website Designs: Source code examination revealed that many sites were constructed using identical templates and scripts. Shared layouts, interface elements, and payment processing systems provide strong evidence that scammers are deploying pre-packaged website kits to rapidly establish fake clinic storefronts.
  • AI-Generated Imagery: The photographs featured on these pages, depicting doctors, clinics, and pharmaceutical packaging, often exhibit telltale signs of AI generation. Anomalies including inconsistent or “strange” lighting, unusual textures, and repetitive visual patterns suggest a common generative model was used to produce imagery across multiple scam operations.
  • Fraud Kits for Sale: On secret parts of the internet, underground marketplaces and attackers now offer complete “fraud kits” containing everything necessary to operate a fake medical website: templates, stock imagery, hosting automation scripts, and even multi-language translations. This commoditization enables individuals with minimal technical expertise to replicate and launch new scams globally.

These operations represent an automated, industrialized fraud ecosystem powered by shared technological infrastructure and AI-generated content, designed to make healthcare scams fast, inexpensive, and easily scalable.

Figure 5: Visualization from the ERM Forensic Canvas tool illustrating shared infrastructure among fraudulent pharmaceutical domains. The analysis reveals multiple websites hosting counterfeit GLP-1 campaigns connected through identical IP addresses and overlapping DNS records, confirming that the sites operate within a coordinated technical network.

  1. The Real-World Dangers

Simply put, these scams are much more dangerous than simple online lies, and they pose risks that extend far beyond digital deception. When consumers believe they are purchasing regulated pharmaceuticals, they may instead consume untested, contaminated, or inert substances. This can trigger serious health complications, exacerbate existing medical conditions, or delay access to legitimate treatment with potentially severe consequences.

The broader impact includes erosion of trust in telemedicine. When criminals successfully impersonate doctors and fabricate entire medical practices, public confidence in legitimate online healthcare diminishes, potentially limiting access to care for populations who depend on remote medical services.

Perhaps most concerning is how criminals weaponize AI to exploit emotional vulnerabilities, particularly health-related fear and anxiety. Rather than employing traditional threat-based tactics, these operations leverage fabricated empathy and false authority to bypass critical thinking. This evolution demonstrates how online fraud can produce direct physical harm, representing one of the clearest examples of digital crime crossing into real-world danger.

  1. Conclusion and Recommendations

These fraudulent pharmaceutical campaigns illustrate the evolution of cyber-crime in 2025. Scammers have moved beyond credential theft and financial fraud to replicate entire medical ecosystems, using AI to fabricate packaging, branding, and even shipping notifications. The convergence of cyber crime and physical threat requires a coordinated response.

Stopping these scams requires teamwork. Cyber security experts, health agencies, online shopping platforms, and payment companies all need to work together to track, expose, and shut down the networks behind them.

Consumer Protection Guidelines:

For consumers, awareness and criticism remains the strongest defense:

  • Verify pharmacy legitimacy: Confirm that medications come from licensed pharmacies accredited by the National Association of Boards of Pharmacy (NABP).
  • Question social media ads: Maintain skepticism toward pharmaceutical products advertised through social media or unsolicited online ads.
  • Verify endorsements: Independently confirm any medical endorsements before trusting “doctor recommendations” online.
  • Watch for red flags: Be alert to countdown timers, “limited stock” warnings, and steep discounts that create artificial urgency.

The barrier to creating a convincing fake doctor has collapsed to the cost of AI tools and computing time. In this environment, trust must be actively earned through verification rather than passively assumed. Protecting public health now requires the same vigilance we apply to defending critical systems: verifying information, maintaining awareness, and combating misinformation before it spreads.

You may also like