Pass to nowhere: Group-IB assists Italian law enforcement in identification of fraudsters selling fake Green Passes

Group-IB, one of the global cybersecurity leaders, has assisted Guardia di Finanza (GdF), the Italian law enforcement agency responsible for dealing with financial crime, in the probe into activities of the criminal organization which trafficked fake Green Passes — documents issued for vaccinated Italian citizens and those tested negative or recently recovered from COVID-19 — via Telegram messenger. As a result of the No-Vax Free operation, several suspected administrators of the Telegram channels were searched in Veneto, Liguria, Apulia, and Sicily. The suspects admitted the offence.

The fraudulent activity came into the spotlight of Guardia di Finanza in mid-July, after which it involved Group-IB’s Amsterdam-based hi-tech crime investigation department. Group-IB analysts managed to confirm the existence of at least 35 Telegram channels offering for sale fake Green Passes, with their total audience amounting to about 100,000 users, and carried out a research to help reveal suspected perpetrators’ identities. The buyers were promised «authentic Green Passes with QR codes» — the proof of vaccination, a negative test or recovery from the COVID-19. The sellers claimed it was possible thanks to the complicity of health workers. In reality, they were nothing but fake.

With the support of Group-IB, the GdF provided a complete report to the Milan Public Prosecutor’s Office, after which it embarked on a law enforcement action that led to several searches on Italian citizens in the provinces of Veneto, Liguria, Apulia, and Sicily. The suspects confessed to managing a network of the Telegram channels. As a result of the cooperative effort, the number of active Telegram channels dropped. The law enforcement action is still ongoing as new channels tend to appear again.

We urge the Italians not to use these phony illegal services as they not only lose their money, but they submit their sensitive personal data to criminals and put themselves at a greater risk of follow up scams. I thank Group-IB’s team for supporting the GdF investigation to unmask this criminal organization.

Gian Luca Berruti

Colonel, Guardia di Finanza

According to Group-IB Digital Risk Protection (DRP) analysts, the average price for fake Green Passes sits at €100 and depends on its form — either digital or printed. The fraudsters offer their customers various payment methods, including cryptocurrency payments (Bitcoin, Ethereum), PayPal money transfer or voucher payments, like Amazon gift cards.

An example of Telegram post offering for sale fake Green Pass

To get a Green Pass, the potential customer is asked to create a secret chat on Telegram with the seller — by doing so, threat actors hoped to protect themselves against potential disclosure. The customer is then asked to reveal their personal info that is allegedly contained in the QR code — their first and last name, date of birth, city of residence, and tax code identifier. In some cases, sellers also ask the purchaser to share photos of their health card, identification documents, and their home address to allegedly send them the printed certificate. After receiving the personal information of the buyer and the payment, threat actors either delete the chat and disappear, or send back a fake QR code.

Photos of digital and printed Green Passes provided by sellers to their buyers

Italy is one of the core elements of our global threat hunting and research ecosystem. Thanks to our growing knowledge about local specific threats we were able to help the GdF to unmask the administrators of the Telegram channel and assisted in collection of digital evidence. Prompt and effective collaboration with the GdF and Milan Public Prosecutor’s Office made possible unveiling the perpetrators, which resonates with our commitment to fighting cybercrime of any origin.

Anton Ushakov

Deputy Head of the Group-IB’s High-Tech Crime Investigation Department, Europe