Eventbrite Promoted Illegal Opioid Sales to People Searching for Addiction Recovery Help

This June, approximately 150 motorcycles will thunder down Route 9W in Saugerties, New York, for Ryan’s Ride for Recovery. Organized by Vince Kelder and his family, the barbecue and raffle will raise money to support their sober-living facility and honor their son who tragically died from a heroin overdose in 2015 after a years-long drug addiction.

The Kelders established Raising Your Awareness about Narcotics (RYAN) to help others struggling with substance-use disorder. For years, the organization has relied on Eventbrite, an event management and ticketing website, to arrange its events. This year, however, alongside listings for Ryan’s Ride and other addiction recovery events, Eventbrite surfaced listings peddling illegal sales of prescription drugs like Xanax, Valium, and oxycodone.

“It’s criminal,” Vince Kelder says. “They’re preying on people trying to get their lives back together.”

Eventbrite prohibits listings dedicated to selling illegal substances on its platform. It’s one of the 16 categories of content the company’s policies restrict its users from posting. But a WIRED investigation found more than 7,400 events published on the platform that appeared to violate one or more of these terms.

Among these listings were pages claiming to sell fentanyl powder “without a prescription,” accounts pushing the sale of Social Security numbers, and pages offering a “wild night with independent escorts” in India. Some linked to sites offering such wares as Gmail accounts, Google reviews (positive and negative), and TikTok and Instagram likes and followers, among other services.

At least 64 of the event listings advertising drugs included links to online pharmacies that the National Association of Boards of Pharmacy have flagged as untrustworthy or unsafe. Amanda Hils, a spokesperson for the US Food and Drug Administration, says the agency does not comment on individual cases without a thorough review, but broadly some online pharmacies that appear to look legitimate may be “operating illegally and selling medicines that can be dangerous or even deadly.”

Eventbrite didn’t just publish these user-generated event listings; its algorithms appeared to actively recommend them to people through simple search queries or in “related events”—a section at the bottom of an event’s page showing users similar events they might be interested in. As well as posts selling illegal prescription drugs in search results appearing next to the RYAN event, a search for “opioid” in the United States showed Eventbrite’s recommendation algorithm suggesting a conference for opioid treatment practitioners between two listings for ordering oxycodone.

Robin Pugh, the executive director of nonprofit cybercrime fighting organization Intelligence for Good, which first alerted WIRED to some of the listings, says it is quick and easy to identify the illicit posts on Eventbrite and that other websites that allow “user-generated content” are also plagued by scammers uploading posts in similar ways.

“I’m confident Eventbrite does not want to be hosting this on their platform—I’m pretty sure that that is not what they had in mind,” Pugh says. “It shows that a lot of the platforms that haven’t traditionally thought of themselves as being part of the threatscape have no idea how to monitor the content on their platform.”

Most PopularGearThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian ChokkattuCultureConfessions of a Hinge Power UserBy Jason ParhamSecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'FlahertyGearHow Do You Solve a Problem Like Polestar?By Carlton Reid

“Listings like these do not have a home on Eventbrite,” Chris Adams, the company’s head of platform product, tells WIRED in a statement. “This is a spam attack, coordinated by a few bad actors attempting to draw audiences to third-party sites.” Adams says Eventbrite is taking the issue “very seriously” and the “identified illegal and illicit activity has been removed.”

Eventbrite’s help center says it uses a “combination of tools and processes” to detect content that goes against its rules. These include, its pages say, using machine learning to proactively detect content, a “rules-based” system, responding to reports from users, and human reviews.

“Our investigation determined this is abnormal activity, a misuse of the Eventbrite platform, and based on our findings, Eventbrite did not profit from these listings, and there have been no finalized ticket purchases identified,” Adams says.

Eventbrite appears to have removed most, if not all, of the illicit listings that WIRED identified after we alerted the company to the issue. Because of the way WIRED collected the data, however, the thousands of listings found on Eventbrite are likely the tip of the iceberg. WIRED obtained the data used for its analysis by collecting listings Eventbrite deemed were “related” to hundreds of events found through simple keyword searches. These keyword searches and their related events likely do not capture the entirety of illicit events published on the platform.

Even within this limited dataset, our analysis found that, on average, 169 illicit events have been published daily.

The vast majority of the listings WIRED found used common tactics, whether they pushed drugs, escort services, or online account details. The spammy pages were often listed as online “events.” The events do not actually happen but rather act as a way for those posting them to publish their activities online. Most of them were free; however, some tried to charge people to “attend” through Eventbrite. It is not clear whether anyone has paid for any of the events.

Searching for various controlled substances, such as brand-name opioids, brought up results on Eventbrite. These “events” mostly pushed people away from the platform to online pharmacy websites, which say people can buy medicines without prescriptions.

John Hertig, an associate professor at Butler University College of Pharmacy and Health Sciences, says there are thousands of online pharmacies operating at any time and that the vast majority of them are illegal—with websites often selling drugs not approved by the FDA or failing to be licensed in the country where they are selling into.

“The other major issue that we see in terms of illegality is not requiring a prescription,” Hertig says. “You see a lot of this: ‘easy, hassle free, simple process, no doctor needed.’ That's illegal.” Typically accounts claiming to sell medicines through non-official platforms, such as those on Eventbrite, will not be doing so legitimately, Hertig says, and that brings risks around whether what they are selling is safe.

As well as websites, those claiming to sell illicit services on Eventbrite pushed people to chat privately on WhatsApp or Telegram. Our analysis identified as many as 60 unique Telegram accounts and 65 WhatsApp numbers in the dataset. WhatsApp spokesperson Joshua Breckman says the platform encourages users to report suspicious activity and that it will respond to valid law enforcement requests. Telegram did not respond to a request for comment.

Most PopularGearThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian ChokkattuCultureConfessions of a Hinge Power UserBy Jason ParhamSecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'FlahertyGearHow Do You Solve a Problem Like Polestar?By Carlton Reid

“I use Eventbrite to show people what services I sell,” the person behind one account, going by the username Usa Best Vcc, tells WIRED in a Telegram chat. “Eventbrite helps 100% in getting my services to people.” The account, which claims to sell social media accounts and banking accounts and lists more than a dozen apps, has had its Telegram handle listed on more than 200 Eventbrite pages, according to search engine results. It also has its own website, Gmail address, Skype, and WhatsApp accounts.

Similarly, one Indian WhatsApp number appeared on 123 almost identical listings on Eventbrite. The telephone number is linked to two other numbers and a website that appears to offer escort services. All three numbers replied to messages and asked what “area” or “location” a WIRED reporter was in. One number sent a series of photographs of women and a proposed list of prices for their services.

Those behind the accounts posting to Eventbrite likely have not just singled out the platform; many also have presences across other websites and services where people can upload their own content. They often include short summaries, which are filled with keywords that could help them appear higher in search results.

For instance, the Usa Best Vcc seller also has posts on Pinterest, Medium, Deviant Art, and more. The Indian WhatsApp number also appears on hiking website AllTrails, an open data website from Public Health Scotland, Medium, and others. Pinterest spokesperson Ivy Choi says the company deleted the account and works quickly to remove content that violates its policies when it detects them. AllTrails declined to comment, and other organizations did not respond to a request for comment.

“Any site that allows a user to upload their own content will find these cyber criminals advertising, scamming, or using the site for their personal gain,” says Rachel Tobac, the cofounder and CEO of SocialProof security. “Cybercriminals leverage the power of user-generated content (their own drug advertisement) to sell to folks who are searching for what they have to sell.”

Pugh, from Intelligence for Good, says those uploading the posts to multiple platforms may be using automated tools to do so, and they are not manually entering all their details time and time again. “You definitely can see a difference in some of the more sophisticated actors who have clearly used some SEO-manipulation tools,” Pugh says. Some, she says, will use emoji or slang terms to avoid automatic content moderation that platforms put in place.

“Any platform that is inviting their user community to host freely has to be aware that their platform can be used for reasons that were never intended,” Pugh adds. “If you're putting a platform out there and inviting the community to participate, you have a responsibility to keep it safe.”

About Matt Burgess,Dhruv Mehrotra

Check Also

Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

The week was dominated by news that thousands of pagers, walkie-talkies and other devices were …

Leave a Reply