Case Background

While the world grappled with the adversities of the deadly COVID-19 waves from 2019 to 2022, that still didn’t prove to be a strong enough reason for cybercriminals to halt their malicious activities. Governments, healthcare systems, and social services across the globe worked tirelessly to manage the crisis and ensure the safety and health of their citizens through various measures, including effective healthcare practices and proactive vaccinations to prevent and control the spread of the virus.

To ensure widespread protection, official passes were issued as proof of a clean bill of health. These passes became mandatory for citizens in many regions. The Green Pass is a document or app that proves the holder has been fully vaccinated or has recovered from COVID-19. Italy also adopted the Green Pass, requiring access to restaurants, museums, gyms, high-speed trains, and eventually for all private and public workers.

Seeing the viability and essentiality of these passes, cybercriminals were tempted to cash in on the opportunity from people who wanted unrestricted access to all the above while not having to go through the inconvenience of getting insulated and receiving an official green pass.

Seeing an opportunity, some cybercriminals in Italy started offering fake green passes. However, Guardia di Finanza (GdF) became aware of the fraudulent activity in mid-July. As soon as that happened, they approached Group-IB’s Amsterdam-based High-Tech Crime Investigation department to get involved.

Behind the scenes

When Group-IB experts uncovered the operations of the “Green Pass” scammers, they found that the activities were primarily conducted on Telegram, which was actively used as an exploitation platform. The scammers claimed they had secured authentic passes from healthcare workers and sold them to buyers wanting to appear compliant with COVID protocols.

The process was simple yet deceptive. Buyers were instructed to create secret chats on Telegram and provide personal information — names, dates of birth, city of residence, and tax code identifiers. The scammers promised to embed this data into the QR codes of their fake passes.

According to Group-IB Digital Risk Protection (DRP) analysts, the average price for fake Green Passes was around €100, depending on whether digital or printed. Payments were discreet yet accepted through various means such as Bitcoin, Ethereum, PayPal transfers, and even Amazon gift cards.

Once the scammers received the information and payment, they deleted the chats and disappeared. Sometimes, they provided a fake QR code, leaving victims with fraudulent passes and a sense of betrayal.

Impact

Group-IB’s expert investigations into the web of deceit revealed 35 Telegram channels offering fake Green Passes, with a total audience of about 100,000 users. Further research helped reveal the identities of suspected perpetrators.

With the support of Group-IB, the GdF provided a complete report to the Milan Public Prosecutor’s Office, after which it took strong law enforcement action that led to several searches on Italian citizens in the provinces of Veneto, Liguria, Apulia, and Sicily.

The suspects were brought in for questioning. They caved in and confessed to managing a network of the Telegram channels behind this region-wide scam.  As a direct result of the cooperative effort, the number of active Telegram channels has dropped, and scrutiny is constantly being exercised over any new emerging channels.

Storyline

As Italy strengthened its fight against COVID-19 by mandating Green Passes as proof of vaccination and recovery, they were unaware of a parallel cybercriminal operation exploiting the situation for profit. Just days after the Italian government announced tighter restrictions linked to the COVID-19 health pass, Italian law enforcement became aware of a criminal gang selling hundreds of fake passes and certificates via Telegram. They began investigations in collaboration with Group-IB through the ‘NO-VAX FREE’ operation.

Group-IB experts revealed critical details about the suspects, their scam schemes, the exploitation challenges, and the number of people they traded with. These duplicate passes, shared with 100,000 users, falsely authenticated that they had Green Passes with QR codes.

An example of a Telegram post offering a fake Green Pass

Image 1: An example of a Telegram post offering a fake Green Pass

The discovery and investigation into fake Green Passes enabled officials to take concrete actions to search for and arrest the suspects, putting an end to this malicious operation that jeopardized the entire nation’s well-being.

Ad of digital and printed Green Passes provided by sellers

Image 2: Ad of digital and printed Green Passes provided by sellers

We urge Italians not to use these phony illegal services as they not only lose their money, but they submit their sensitive personal data to criminals and put themselves at a greater risk of follow-up scams. I thank Group-IB’s team for supporting the GdF investigation to unmask this criminal organization.
Colonel Gian Luca Berruti of the Guardia di Finanza
Colonel Gian Luca Berruti of the Guardia di Finanza

The cybercriminals didn’t stop there…

Analyzing the activities and connecting the dots between similar scam schemes targeting other regions, Group-IB analysts warned people and authorities that the extent of the cybercriminal activity wouldn’t stop there. The fake Italian Green Passes were just one example of a wider trade of counterfeit Covid-related credentials, including offers of fake EU Covid-19 Vaccine Passports and EU Digital Covid Certificates.

Group-IB digital risk protection analyst told The Daily Swig (a prominent cybersecurity news site) “On average, sellers are asking between €50-350 for the Vaccine Passport and between €100-150 for the Digital Covid Certificate. These offers were detected on Telegram channels, social networks, and underground forums.” In France, the illicit trade mostly takes place through Telegram. “Residents of France, where the sanitary pass was introduced, were also offered the fake document on the internet.” adding that “Sellers are asking an average of €25-200 for it, with the offers mainly available on Telegram channels and social networks.” Fraudsters also traffic Fit-To-Fly certificates, priced between $300-350, again through Telegram channels.”

Despite the successful No-VAX operation against the cybercriminal gang, there was a high chance that new channels with similar fraudulent COVID-19 vaccination passes were likely to reappear. For this reason, The Guardia di Finanza operation remained ongoing.

The Italian authorities released a short video evidencing the raid on Youtube and 

Guardia di Finanza’s official statement on the operation can be found here.

Conclusion

Even after the successful conclusion of the No-Vax operation, which led to the apprehension of over 35 suspects involved in the scam scheme, the Guardia di Finanza (GdF) continued to work with Group-IB’s support. Together, we remained vigilant in immediately identifying, investigating, and dismantling any new malicious activities that may arise within the region.

At Group-IB, our decentralized and specialized Digital Crime Resistance Centers (DCRCs) stand ready to assist local authorities, businesses, and citizens in tackling cybersecurity challenges unique to their region and interests. Our Amsterdam DCRC, in this particular case, played a crucial role in providing immediate and continuous localized investigative insights to Italian law enforcement, which led to the defacing of cybercriminal(s).

Moreover, we offer full-suite cybersecurity expertise to combat any threats, regardless of complexity, targeted region, or scale of operations. Through strong public-private partnerships and Group-IB’s collective resolve, we stand united in the fight against cybercrime, ensuring cyberprotection despite the global, economic, or political challenges we face as one cohesive community.

Want to know more about Group-IB Сyber Investigation service?

Go to Cyber Investigation