Report of Targeted Cyber Intrusion and Data Destruction
By pagetelegram  ·  Created May 9, 2026 at 12:29am  ·  Updated May 9, 2026
Tags: attack cisa covid hack

I am writing to formally report a confirmed cyber intrusion and deliberate, multi-wave destruction of a privately maintained archive of Vaccine Adverse Event Reporting System (VAERS) public data. The intrusion involved unauthorized remote access to a personal server, and the resulting data destruction was systematic, scripted, and targeted specifically at VAERS records spanning the 2021–2023 COVID-19 vaccine adverse event reporting period. The attack was confirmed through forensic analysis completed on May 8, 2026.


1. Reporting Party

Name: Jason Page
Organization: VAERS Data Group
Contact: pagetelegram@proton.me
Role: Independent researcher maintaining a longitudinal archive of all public VAERS weekly and monthly data drops for analysis and public reference


2. Summary of Incident

Between approximately February 2023 and December 2025, an unauthorized actor gained remote access to a personal Linux server and executed a series of scripted operations that permanently destroyed 65 of 342 VAERS ZIP archives. The destruction used a wiper-class technique — overwriting file contents with 0xFF bytes followed by pseudo-random data — that leaves no recoverable data. All ZIP structural signatures (PK headers) were eliminated from every affected file, confirmed by full binary scan.

The attack was not ransomware. No ransom demand was made, no encryption key was offered, and no data was exfiltrated in a manner that would indicate a financial motive. The sole effect was permanent destruction of public health surveillance records.


3. Known or Suspected Intrusion Vector

An unauthorized TeamViewer daemon was discovered running on the affected server (pagetelegram@10.0.0.92, a private Linux server on a local network). TeamViewer was not knowingly installed or authorized by me on this system. Upon discovery, the daemon was removed. However, forensic evidence demonstrates that destructive activity continued after its removal, through at least May 12, 2025, indicating either a secondary persistence mechanism was installed during the TeamViewer session, or the download pipeline on the server was modified to corrupt incoming files automatically.


4. Forensic Evidence — Attack Timeline

A full forensic examination of 342 ZIP archives was conducted on May 8, 2026. Modification timestamps (mtime) on the 65 destroyed files reveal a minimum of four distinct attack waves:

Wave | Date(s) | Activity | Files Affected
---- | ------- | -------- | --------------
Wave 0 | 2012 | Three early annual archives destroyed at or near original download; may predate primary intrusion | 3
Wave 1 | February 2023 | First three weekly drops of 2023 arrived destroyed; download process was compromised by this date | 3
Wave 2 | April 27, 2025 | Primary mass destruction event — actor executed a scripted batch operation over two sessions (11:11–16:37 and 22:46–23:03 local time), destroying approximately 40 files totaling over 19 GB of archive data | ~40
Wave 3 | May 3–12, 2025 | Mop-up operation targeting three older files (2010, 2016, and April 2025 drops) not covered by Wave 2; confirms active attacker presence through May 12, 2025 | 3
Wave 4 | April 2024 – December 2025 | Persistent compromise of the download pipeline; every new VAERS monthly drop from March 2024 onwards was saved in a destroyed state at time of download | ~20

The April 27, 2025 mass event is evidenced by 40 files bearing modification timestamps advancing sequentially by one to several minutes across a 12-hour window — a pattern consistent only with a scripted batch process executed by a live actor on the server.


5. Technical Characteristics of the Destruction

  • Method: File contents overwritten with 0xFF (all-bits-set) for the first 4,096–8,192 bytes (one to two storage blocks), followed by pseudo-random or single-repeated-byte fill for the remainder of each file
  • Result: Zero ZIP structural signatures (50 4B 03 04, 50 4B 01 02, 50 4B 05 06) found anywhere in any destroyed file across the entire collection; confirmed by full binary scan of a 485 MB representative file
  • Pattern: Consistent with documented wiper-class malware techniques including Dustman (APT34-linked, 2019) and IsaacWiper (Ukraine, 2022), both of which use sector-aligned 0xFF overwrite followed by PRNG fill
  • Scope: Destruction is total and irreversible from the surviving files; re-download from CDC is the only recovery path
  • Dual-location confirmation: Both the primary server and a separately maintained USB thumb drive show identical corruption across identical files, confirming the destruction occurred at the source (server) before the thumb drive was populated

6. Data Targeted and Its Significance

The archive targeted was a complete collection of every public VAERS weekly and monthly data drop from 2003 through December 2025 — downloaded directly from the CDC VAERS public data portal. Of the 65 destroyed files, approximately 60 cover the period February 2023 through November 2025, which spans the ongoing COVID-19 vaccine adverse event reporting period.

This is publicly available government data. However, maintaining a continuous, timestamped historical archive creates a longitudinal record that cannot be reconstructed once destroyed, as the CDC provides only the current cumulative release and does not maintain public access to historical weekly drops after they are superseded. The destruction of weekly incremental snapshots from the peak reporting period eliminates the ability to compare data across time and identify changes in reported adverse event counts between release cycles.


7. Additional Indicators of Compromise

Indicator | Description
--------- | -----------
Unauthorized TeamViewer daemon | Found running on server without authorization; initial access vector
April 27, 2025 timestamp cluster | ~40 files modified within a 12-hour window in a sequential scripted pattern
Confirmed access through May 12, 2025 | mtime of VAERS2016-02-14.zip = 2025-05-12 16:00; a 2016 archive would not have a 2025 modification date unless deliberately targeted
Compromised download pipeline | Monthly VAERS drops arriving pre-destroyed from approximately April 2024 onward indicates persistent modification to the download process
Identical file sizes across consecutive months | VAERS archives for Aug, Sep, and Oct 2025 are identical in byte count (558,166,466) — implausible for real data and consistent with a substituted corrupted payload being saved repeatedly
Partial overwrites with interrupted pattern | Two files show incomplete 0xFF overwrites (3,077 and 7,168 bytes respectively), indicating the wipe tool was terminated mid-execution — the actor was working under time constraint or was interrupted

8. Current System Status

  • The unauthorized TeamViewer daemon has been removed
  • The server and local workstation remain operational
  • The destroyed archive files have been preserved in their corrupted state for forensic examination
  • No additional active malicious processes have been identified in the current process list
  • A full forensic report has been prepared and is available upon request

9. Request

I respectfully request that CISA:

  1. Accept this report as an official incident filing under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and related voluntary reporting programs
  2. Provide guidance on whether the indicators documented here — particularly the TeamViewer deployment pattern and the wiper technique — match known active threat actor tooling
  3. Advise on steps to harden the server against re-intrusion given that a persistent pipeline compromise appears to have survived the initial TeamViewer removal
  4. Share any threat intelligence relevant to attacks targeting public health surveillance data archives, including VAERS-related infrastructure

I am prepared to provide the full forensic report, binary samples from the destroyed files, and any other technical artifacts useful to an investigation.


Respectfully submitted,
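
The binary checks described in section 5 (length of the leading 0xFF run, presence of the three ZIP signatures, character of the fill) can be run as a single streaming pass per file. This is an added example, not part of the original report and not the author's forensic tooling; the names `triage` and `demo` and both sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
import zipfile
from collections import Counter

# ZIP signatures listed in section 5 of the report.
ZIP_SIGS = {"local": b"PK\x03\x04", "central": b"PK\x01\x02", "eocd": b"PK\x05\x06"}

def triage(path, chunk_size=1 << 20):
    """Stream one file; report leading 0xFF run, ZIP signature counts, fill entropy."""
    ff_run, in_prefix, tail = 0, True, b""
    sigs, hist = dict.fromkeys(ZIP_SIGS, 0), Counter()
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            if in_prefix:
                rest = chunk.lstrip(b"\xff")
                ff_run += len(chunk) - len(rest)
                in_prefix = not rest          # still inside the 0xFF prefix
            hist.update(chunk)
            window = tail + chunk             # 3-byte overlap catches split signatures
            for name, sig in ZIP_SIGS.items():
                sigs[name] += window.count(sig)
            tail = window[-3:]
    hist[0xFF] -= ff_run                      # measure only the fill after the prefix
    body = sum(hist.values())
    entropy = -sum(n / body * math.log2(n / body) for n in hist.values() if n) if body else 0.0
    return {"size": os.path.getsize(path), "ff_prefix": ff_run, "signatures": sigs,
            "fill_entropy_bits": round(entropy, 2),
            "zip_structure_present": sigs["local"] > 0 and sigs["eocd"] > 0}

def demo():
    """Run triage on two constructed files: a real ZIP and a simulated wiped file."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "intact.zip"), os.path.join(d, "wiped.zip")
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("sample.csv", "VAERS_ID,RECVDATE\n1,01/01/2021\n")
        # Constructed stand-in for the described pattern: 4,096 bytes of 0xFF, then
        # a deterministic non-0xFF fill (not real wiper output).
        fill = bytes((i * 197 + 13) % 251 for i in range(251 * 40))
        with open(bad, "wb") as fh:
            fh.write(b"\xff" * 4096 + fill)
        return triage(good), triage(bad)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Fill entropy near 8 bits per byte is also what valid compressed ZIP data looks like, so the absence of signatures together with the 0xFF prefix is the discriminating result; a fill entropy near 0 corresponds to the single-repeated-byte case.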
