Pass to nowhere: Group-IB assists Italian law enforcement in identification of fraudsters selling fake Green Passes

Group-IB, one of the global cybersecurity leaders, has assisted Guardia di Finanza (GdF), the Italian law enforcement agency responsible for dealing with financial crime, in the probe into activities of the criminal organization which trafficked fake Green Passes documents issued for vaccinated Italian citizens and those tested negative or recently recovered from COVID-19 via Telegram messenger. As a result of the No-Vax Free operation, several suspected administrators of the Telegram channels were searched in Veneto, Liguria, Apulia, and Sicily. The suspects admitted the offence.

The fraudulent activity came into the spotlight of Guardia di Finanza in mid-July, after which it involved Group-IB’s Amsterdam-based hi-tech crime investigation department. Group-IB analysts managed to confirm the existence of at least 35 Telegram channels offering for sale fake Green Passes, with their total audience amounting to about 100,000 users, and carried out a research to help reveal suspected perpetrators’ identities. The buyers were promised «authentic Green Passes with QR codes» the proof of vaccination, a negative test or recovery from the COVID-19. The sellers claimed it was possible thanks to the complicity of health workers. In reality, they were nothing but fake.

With the support of Group-IB, the GdF provided a complete report to the Milan Public Prosecutor’s Office, after which it embarked on a law enforcement action that led to several searches on Italian citizens in the provinces of Veneto, Liguria, Apulia, and Sicily. The suspects confessed to managing a network of the Telegram channels. As a result of the cooperative effort, the number of active Telegram channels dropped. The law enforcement action is still ongoing as new channels tend to appear again.

We urge the Italians not to use these phony illegal services as they not only lose their money, but they submit their sensitive personal data to criminals and put themselves at a greater risk of follow up scams. I thank Group-IB’s team for supporting the GdF investigation to unmask this criminal organization.

Gian Luca Berruti
Gian Luca Berruti

Colonel, Guardia di Finanza

According to Group-IB Digital Risk Protection (DRP) analysts, the average price for fake Green Passes sits at €100 and depends on its form either digital or printed. The fraudsters offer their customers various payment methods, including cryptocurrency payments (Bitcoin, Ethereum), PayPal money transfer or voucher payments, like Amazon gift cards.

An example of Telegram post offering for sale fake Green Pass

An example of Telegram post offering for sale fake Green Pass

To get a Green Pass, the potential customer is asked to create a secret chat on Telegram with the seller by doing so, threat actors hoped to protect themselves against potential disclosure. The customer is then asked to reveal their personal info that is allegedly contained in the QR code their first and last name, date of birth, city of residence, and tax code identifier. In some cases, sellers also ask the purchaser to share photos of their health card, identification documents, and their home address to allegedly send them the printed certificate. After receiving the personal information of the buyer and the payment, threat actors either delete the chat and disappear, or send back a fake QR code.

An example of Telegram post offering for sale fake Green Pass

Photos of digital and printed Green Passes provided by sellers to their buyers

Italy is one of the core elements of our global threat hunting and research ecosystem. Thanks to our growing knowledge about local specific threats we were able to help the GdF to unmask the administrators of the Telegram channel and assisted in collection of digital evidence. Prompt and effective collaboration with the GdF and Milan Public Prosecutor’s Office made possible unveiling the perpetrators, which resonates with our commitment to fighting cybercrime of any origin.

Anton Ushakov
Anton Ushakov

Deputy Head of the Group-IB’s High-Tech Crime Investigation Department, Europe

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat IntelligenceManaged XDRDigital Risk ProtectionFraud ProtectionAttack Surface ManagementBusiness Email ProtectionAudit & ConsultingEducation & TrainingDigital Forensics & Incident ResponseManaged Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.