Hidden in Plain Sight: A Pharmaceutical Fraud Network

  • April 17, 2026
  • ITS

Over the weekend of April 12, our webmaster was searching Google for something unrelated when he noticed healthcare websites ranking for pharmaceutical terms they had no business ranking for. A dental practice selling modafinil. An optical retailer offering Xanax. A sleep clinic advertising Lyrica.

He clicked one of the dental practice results. It did not take him to a dental practice. It took him to a rogue online pharmacy selling prescription drugs without a script.

He went back and typed the dental practice’s URL directly into his browser. The site looked completely normal. No pharmacy. No pills. Nothing out of place.

That mismatch is the entire trick. And it is how one dental practice in California turned into the thread that unraveled an 18-year pharmaceutical fraud network spanning five jurisdictions, 140-plus compromised websites, and a Russian bulletproof hosting provider.

The Invisible Hack

The attackers inject rules into a site’s .htaccess file that check every request:

RewriteEngine On
# Only match visitors whose Referer names a search engine (case-insensitive)
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
# Send every such request to the pharmacy gateway with a temporary redirect
RewriteRule ^(.*)$ https://driveeee.net/top/go.php?q=modafinil [R=302,L]

This fires at the Apache level, before WordPress even loads, before any security plugin runs. If you arrived from a search engine, you get the pharmacy. If you typed the URL yourself, you get the dental practice.

That is why a children’s dental clinic can host “Buy Xanax Online” for two and a half years without anyone noticing. The owner never sees it. Their hosting provider never sees it. Google Safe Browsing never sees it. The only people who see it are the patients searching for medications.
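The mismatch between a search-referred visit and a direct one is something a site owner can test for themselves. The script below is an added example, not code from the original post: it requests a page twice, with and without a Google Referer, refuses to follow redirects, and reports when only the referred visit is sent to another host. The hostname example-dental.invalid in the tests is a constructed placeholder.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# A Referer a search-engine visitor carries; the injected RewriteCond in the
# post matches "(google|bing|yahoo)" in HTTP_REFERER, so this is what trips it.
SEARCH_REFERER = "https://www.google.com/"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 302 and its Location stay observable."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, referer=None, timeout=10):
    """One request. Returns (status, Location header or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here because we refused it
        return err.code, err.headers.get("Location")

def classify(site_url, direct, referred):
    """Compare a direct visit with a search-referred one.

    Returns ("cloaked", offsite_host) when only the referred visit is redirected
    to a different host, else ("consistent", None). A redirect both visits share
    (http->https, canonical www) is not cloaking."""
    site_host = urlparse(site_url).hostname
    _, direct_loc = direct
    ref_status, ref_loc = referred
    ref_host = urlparse(ref_loc).hostname if ref_loc else None
    direct_host = urlparse(direct_loc).hostname if direct_loc else None
    if 300 <= ref_status < 400 and ref_host and ref_host != site_host and ref_host != direct_host:
        return "cloaked", ref_host
    return "consistent", None

def probe(site_url):
    """Fetch the site both ways and classify: the check the post's webmaster
    did by hand (search-result click versus typing the URL directly)."""
    return classify(site_url, fetch(site_url), fetch(site_url, referer=SEARCH_REFERER))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it against several inner pages as well as the home page, since the injected rule matches every path but a site may legitimately redirect its root.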

The National Mental Health Innovation Center at the University of Colorado had seven controlled substance pages injected into its navigation menu. A children’s health charity had sixteen. Boulevard Dental Group in California took it further: a full WooCommerce storefront with pharmaceutical products and a working shopping cart has been running on the dental practice’s own site since February 2024, according to Wayback Machine archives.

Who Gets Hit

Of 140-plus confirmed compromised sites we documented, dental practices are the largest victim category. But the campaign goes well beyond dentistry:

| Victim Category | Count | Examples |
|---|---|---|
| Dental practices | 42+ | General, pediatric, orthodontic |
| Medical / primary care | 18+ | Dermatology, neurosurgery, internal medicine |
| Nonprofits | 8+ | charity: water, Children’s Lyme Disease Network |
| Universities (.edu) | 6 | UT Austin, UC Santa Barbara, Ramapo College |
| Hospitals | 3 | Chestnut Hill Hospital (Philadelphia), Summit Healthcare |
| Government (.gov) | 1+ | Brazilian National Transport Agency |
| Artists | 1 | Bon Iver |

Of the 26 compromised sites we fingerprinted in detail, zero had any security plugin installed. Not one.

The targeting is deliberate. Healthcare domains have high search authority for medical terms, existing Google trust signals, and usually run outdated WordPress managed by an office manager with no IT backup. The entry vectors are old plugin vulnerabilities: LayerSlider, Slider Revolution, WPBakery, Formidable Forms.

Following the Money

Google searches from compromised sites route through 13 gateway domains (driveeee.net, dreevveee.com, redirart.com, and others) to four pharmacy platforms selling more than 21,000 products combined:

  • Happy Family Store (l-meds.com, all-meds.com, canada-medstore.net) — nootropics, ED drugs, opioids. Hosted on OVH Poland.
  • TrueMeds — approximately 90 domains, 21,252 product URLs on the flagship alone, 21 languages. Hosted on Proton66 and PROSPERO, two Russian bulletproof providers that French security firm Intrinsec has confirmed with high confidence are operated by the same entity, which markets them on Russian cybercrime forums as “UNDERGROUND” and “BEARHOST” with the pitch: “100% bulletproof, completely ignore all abuses including SPAMHAUS.”
  • pillsshoplive.com — benzodiazepines, Ambien, Valium, tramadol, phentermine.
  • RxMedWorld — nine-domain OpenCart operation on BlackHOST (Amsterdam/Vienna) and Shinjiru (Bulgaria).

They accept Visa, MasterCard, PayPal, SEPA bank transfers, Bitcoin, Ethereum, and USDT. They run a custom Ethereum payment gateway (ethgate.com) that has been operational since 2017. They offer a 20% pay-per-sale affiliate program, paid weekly in Bitcoin.

They ship from India.

The Corporate Trail

Infrastructure registration records lead to a single /24 network block in the Czech Republic: 31.184.236.0/24, announced by AS198620 since 2012. The block hosts eight distinct functional layers: SEO content farms, pharmacy storefronts, Ethereum payment processing, a four-IP billing service called safeinvoices.com, order tracking integrated with AfterShip, a multi-client customer support portal explicitly offering “support-as-a-service” to other operators, self-hosted DNS and email infrastructure, and a Matomo analytics instance.

The RIPE record for the /24 points to Makis Systems s.r.o., a Prague-registered limited liability company (IČO 24751898), incorporated October 2010, operating from a virtual office address shared by 3,772 other companies. The Czech Commercial Register lists two directors and sole shareholders, each holding 50 percent, appointed at incorporation. Their names, along with those of every other individual we identified, are documented in the full research paper against the specific public record each came from.

The pharmacy domains themselves are registered to a different individual, operating through Loster Management Limited, a Belize shell company whose address appears in the ICIJ Paradise Papers alongside nine other shells. A UK sister company, Loster Corporation Limited, was dissolved in February 2026, two months before we started looking. The primary redirect gateway is registered to a Moscow address using an email address that literally contains the word “pharm.” A BBB complaint profile for a US-registered shell, Joster Express LLC in Jacksonville, Florida, explicitly lists “Happy Family Store Online Pharmacy” as the alternate business name.

Six corporate entities. Five jurisdictions. Every corporate address in the chain is a shell or virtual office.

Eighteen Years

The oldest confirmed artifact in this operation is a 2008 copyright notice on sun-modalert.com, verified against a Wayback Machine snapshot. The mail and DNS backbone domain, wavebill.com, was registered in September 2007 and responding to HTTP requests by December 2008. truedrugstore.com was selling Viagra, Levitra, and Soma as “Best Online Pharmacy” by September 2009. The Makis Systems company itself was incorporated in October 2010.

The infrastructure has been continuously operational for 18 years. The company has filed financial statements annually since incorporation. New domain registrations continue: two new TrueMeds domains (33-meds.com, 44-pharm.com) were created on April 12, 2026, one day before our investigation began.

Threat Intel Coverage

Prior to this publication, none of the indicators we documented appeared in ThreatFox, URLhaus, VirusTotal, or any other public threat intelligence feed we checked. An operation spanning 140-plus compromised websites, four pharmacy platforms, 160-plus attacker-controlled domains, and Russian bulletproof hosting was, until now, invisible to the blocklists and security feeds most of the industry relies on.

What We’re Publishing

We are releasing the complete research as a public good at github.com/Greylorn/Pharma-Cloaking-Research:

  • Full research paper (PDF, 37 pages) — technical methodology, infrastructure mapping, attribution chain with confidence grades, and an honest limitations section.
  • IOC feeds (CSV and JSON) — 162 domains, 105 IPs, 63 active URLs, formatted for import into threat intelligence platforms, SIEMs, and blocklists.
  • Selected evidence images referenced in the paper and in this post.

Compromised site owners are being notified separately with per-site evidence and remediation guidance.

If You Run a WordPress Site

Start with these checks:

  • Check .htaccess at the root of your site for any RewriteRule that references external domains, especially ones you don’t recognize.
  • Search your wp_posts table for pharmaceutical keywords (modafinil, xanax, tramadol, lyrica).
  • Check whether your theme directory has been renamed to a random string.
  • Update every plugin, especially Slider Revolution, LayerSlider, WPBakery, and Formidable Forms.
  • Install a security plugin (Wordfence, Sucuri, or iThemes) if you do not already have one.
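One way to do the .htaccess check: a scanner that flags every RewriteRule whose target leaves the site and marks those gated on %{HTTP_REFERER}, the signature of the rule shown under The Invisible Hack. This is an added example, not code from the post or the research repository; SAMPLE_HTACCESS is a constructed input built from the post’s rule plus WordPress’s standard block, and example-dental.invalid is a placeholder hostname.

```python
import re
from urllib.parse import urlparse

def _site(host):
    """Normalise a hostname so www.example.com and example.com compare equal."""
    return re.sub(r"^www\.", "", (host or "").lower())

def find_cloaking_rules(htaccess_text, site_host):
    """Return (line_no, target_host, referer_gated) for every RewriteRule whose
    target is an absolute URL on a host other than site_host. referer_gated is
    True when a RewriteCond on %{HTTP_REFERER} precedes it: the cloaking
    signature from the post, where only search-engine visitors are redirected."""
    findings = []
    pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    for line_no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            # Only an absolute URL can leave the site; "-" and paths stay local.
            host = urlparse(target).hostname if "://" in target else None
            if host and _site(host) != _site(site_host):
                gated = any("%{HTTP_REFERER}" in c.upper() for c in pending_conds)
                findings.append((line_no, host, gated))
            pending_conds = []
    return findings

# Constructed sample: the injected rules quoted in the post, WordPress's standard
# front-controller block, and a legitimate canonical-host redirect (not flagged).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ https://driveeee.net/top/go.php?q=modafinil [R=302,L]
# BEGIN WordPress
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_HOST} ^example-dental\\.invalid$ [NC]
RewriteRule ^(.*)$ https://www.example-dental.invalid/$1 [R=301,L]
"""
```

Feed it the contents of your site’s .htaccess and your own hostname; a hit with referer_gated True is the pattern described above, while an ungated off-site rule still deserves a look if you did not put it there.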

If you find something, the cleanup is not trivial. The attackers persist through multiple layers: .htaccess rules, PHP injections in theme files, and database records in wp_posts. Cleaning one does not clean the others.

The Uncomfortable Finding

All of this was public. The DNS records were queryable. The company filings were public. The WHOIS registrants were exposed. The shell company addresses appeared in the Paradise Papers. The BBB profile named the pharmacy by name. A DNS zone transfer succeeded on the first try and exposed the operator’s internal topology. None of it was behind a login or a paywall. It was sitting in public databases, waiting for someone to connect the dots.

We did not set out to map a multinational pharmaceutical fraud network. We set out to help some dental practices that had been hacked. The rest followed from pulling one thread and not stopping.


Legal Disclaimer & Research Notice

Independent Security Research Disclosure
Illini Tech Services, LLC
April 2026

This document (“Report”) is published by Illini Tech Services, LLC (“Illini Tech Services”) as a matter of independent, good‑faith security research conducted in the public interest. The information contained herein is provided for educational, defensive, and informational purposes only.

The research was conducted using only publicly accessible information: DNS queries, HTTP responses, WHOIS/RDAP records, RIPE database queries, public company registries, the ICIJ Offshore Leaks Database, Wayback Machine archives, and Certificate Transparency logs. No authentication was bypassed. No credentials were tested. No data was modified.
