Underground trade conducted over Telegram

UPDATED Italian police have launched a crackdown on criminals who traffic fake Covid-19 vaccination ‘green pass’ certificates via Telegram messenger.

The ‘NO-VAX FREE’ operation led to raids on premises linked to several suspected administrators of the Telegram channels in Veneto, Liguria, Apulia, and Sicily.

The Guardia di Finanza (GdF), the Italian law enforcement agency responsible for dealing with financial crime, first detected the trade in mid-July, shortly before they called on technical assistance from Group-IB’s Amsterdam-based, hi-tech crime investigation department.


Catch up on the latest cybercrime news and analysis


Group-IB analysts subsequently managed to confirm the existence of at least 35 Telegram channels offering for sale fake green passes, documents issued to vaccinated Italian citizens and those who recently tested negative or recovered from Covid-19.

In follow-up research, Group-IB uncovered evidence that pointed towards the suspected perpetrators’ identities. Group-IB told The Daily Swig that the number of suspects identified is confidential because the police operation is ongoing. We're still waiting back on a response to other follow-up questions from the threat intelligence firm.

Corrupt healthcare workers ruse

The cybercriminals behind the illicit trade in counterfeit passes promised prospective buyers “authentic Green Passes with QR codes”, credentials they supposedly obtained thanks to the complicity of corrupt healthcare sector workers.

In reality, any passes on offer were completely fake and the whole operation was a scam.

“We urge the Italians not to use these phony illegal services as they not only lose their money, but they submit their sensitive personal data to criminals and put themselves at a greater risk of follow-up scams,” said Colonel Gian Luca Berruti of the Guardia di Finanza, in a canned statement. “I thank Group-IB’s team for supporting the GdF investigation to unmask this criminal organization.”


According to Group-IB, fake passes typically sold for around €100, payable using cryptocurrency payments (Bitcoin or Ethereum), PayPal money transfer or voucher payments, like Amazon gift cards.

To get a green pass, the potential customer was first asked to create a secret chat on Telegram with the seller.

In several cases, this secret communication was deleted once buyers had paid with nothing offered in return. In other cases, only a fraudulent pass was offered.

Ongoing operation

Despite the crackdown, new channels peddling the same or similar fraudulent Covid-19 vaccination passes are likely to reappear. For this reason, The Guardia di Finanza operation remains ongoing.

A Guardia di Finanza statement on its operation thus far can be found here (in Italiano). A video of raids associated with the investigation was released through YouTube.

The scam has emerged in the country that was the epicentre of the first wave of coronavirus cases back in March 2020, and at a time of huge international concern about the spread of the Omicron variant of the virus that was first identified last week.

Jeux sans frontières

The fake Italian Green Passes are just one example of a wider trade of counterfeit Covid-related credentials that also includes offers of fake EU Covid-19 Vaccine Passport and EU Digital Covid Certificates, according to Group-IB.

Group-IB lead digital risk protection analyst Evgeny Egorov told The Daily Swig: "On average, sellers are asking to pay between €50-350 for the Vaccine Passport and between €100-150 for the Digital Covid Certificate. These offers were detected on Telegram channels, social networks and underground forums."

As in Italy the illicit trade in France is mostly taking place through Telegram.

"Residents of France, where the sanitary pass was introduced, were also offered to purchase the fake document on the internet," Egorov said. "Sellers are asking an average of  €25-200 for it, with the offers mainly available on Telegram channels and in social networks."

Fraudsters also traffic Fit-To-Fly certificates, whose price ranges from $300-350, and again through Telegram channels," Egorov added.


This story was updated to add comment from Group-IB analyst Evgeny Egorov


RELATED Interpol arrests 1,000 suspects, seizes $27m in crackdown on cybercrime