“We produce and offer the COVID 19 certificate. We do so by registering it in the health system database that gives it the same status as a vaccinated person. Our certificates are produced and offered for 150 euros each. However, if you are taking many, we can offer you a 10% discount. ” This is the first message received when contacting an alleged doctor who offers false vaccination certificates through Telegram groups, with whom elDiario.es has been able to speak. A promise that, as this media has been able to verify, becomes a scam after making the payment: the supposed false COVID passport that allows travel between countries of the European Union never arrives.
RNA vaccines driven by the pandemic open a “revolution” against diseases such as malaria or AIDS
The method, they say, is simple for the buyer who needs a false certificate because they do not want to be vaccinated. Through Telegram groups that are closing and giving way to new ones so as not to leave a trace, they offer to “regain freedom.” In September, this newsroom located one of these groups, with about 10,000 subscribers, which referred to the Telegram profile and the email of a supposed doctor to carry out the purchase procedures. “We will send you the electronic version the same day (of payment) and you will receive the paper version depending on the schedule of the delivery agency and your location. But the electronic version is enough,” he promised.
To give more reliability, counterfeiters show buyers a QR code with a “fictitious name”. Days later, the channel through which we contacted this individual has disappeared, but following similar search criteria, another one with the same content appears, called ‘EU Digital COVID-19 Certificates’, where denial messages and conspiracy theories are shared. , like Western celebrities and politicians get fake vaccinations, accompanied by a video of Mariah Carey getting vaccinated. He has more than 1,800 subscribers. They refer to another “doctor”, who traces the same presentation as the previous one. Of course, no 10% discount if you buy many false certificates. Days later, the name of this second account also changes, but it continues to offer the same: vaccination certificates for unvaccinated people. A few days later, this newsroom locates another similar channel, with the same name and the same modus operandi, with almost 3,000 subscribers, who seem to operate together.
But what can be seen in the sample QR? We analyzed it in several steps with Víctor Molina, Channel & Telco SE Team Leader of the cybersecurity company Check Point. When opened with a code reader, “it shows the same stream of characters than an authentic code “, he explains. Some European countries have applications that allow to verify the authenticity of these codes. By entering the test codes that the supposed doctors show to their potential buyers, the verification app identifies it as a pass valid.
Access to valid codes
“I was surprised that it was authentic,” acknowledges Molina, “but I would bet it is someone else’s.” In other words, the ‘sellers’ would have ‘stolen’ the code from other people’s authentic certificates. “It is more complicated to falsify it than to obtain that of another unsuspecting person,” explains the expert. Along the same lines, the National Cybersecurity Institute (INCIBE) declares: “Probably, the profiles behind these channels have managed to gain access to valid QR codes and they are the ones they use as a sample to deceive potential victims”, they point out.
The question is whether buyers who agree to pay 150 euros for a false certificate will receive it and if, in addition, it will work when passing controls at airports or to access places where it is mandatory. “Most likely, these profiles are intended to scam those who try to obtain a valid QR code and that in the case of making a payment, a code will never be received in the name of the applicant,” they explain from INCIBE that After receiving the notice from elDiario.es and analyzing it through its Incident Response Center, it has placed a fraud alert on its website. In it, they advise people who have contacted the profile and provided personal data – requesting name and surname, “birthday date”, social security number and email – to periodically carry out a search for their name in search engines to detect possible misuse of that information.
This writing has been able to know that, indeed, after making the payment of the 150 euros, through cryptocurrencies, the supposed sellers keep the alibi for a couple of days. This is the time that, says one of them, it takes to generate the false certificate. After contacting again after that time to inquire about the purchase, these scammers delete the Telegram conversation and disappear, without responding to the victims again.
From Check Point they also consider that the promise to enter the data of the unvaccinated patients as vaccinated in the database of the National Health System is “a false proclamation almost certainly”. “It is one thing to be able to falsify the COVID certificate, which is complicated because it is digitally signed by an organism that is difficult to falsify, and another thing that is even more complicated is for you to be able to enter the database of any country and hack access to Entering a person’s data. I see that as extremely complicated and, honestly, it doesn’t seem like a thing that costs 150 euros, “explains Molina. When asking another of the supposed doctors how he would manage to register the person in the database, he avoids explaining: “Leave that to us. For that you pay 150 euros. How to do it is part of our professional secret.”
“For security reasons we prefer payments in bitcoin”
To make the payment, criminals demand cryptocurrencies. “For security reasons we prefer that all payments are made in bitcoin and they also protect their identity,” they explain just before asking if the buyer “has a preferred vaccine that they would like.” “Although the blockchain does leave a trace, there is no direct link between an identity and a bitcoin address,” explains lawyer Miriam García, an expert in digital law. Thus, they can use their engineering “to disperse the money.”
The scammers themselves indicate step by step how to convert from euros to bitcoin through a cryptocurrency exchange page and provide all the instructions to follow so that they receive the money. After that, they demand a snapshot of the transaction – these movements do not offer the receiver data about the issuer, nor vice versa – to start generating the certificate. A certificate that, finally, never arrives.
“You receive a numerical address and you do not know who the person behind it is. Afterwards, they can send it from one address to another and, after a number of shipments, try to remove it or make micro payments so that it is diluted,” says the expert, who considers that “they use it because it is the ‘least bad’ tool to receive payments and try to hide your identity, although that does not mean that it is not traceable. They will not ask you to make them a bizum”.
In fact, in August, the Italian police already identified a network for the sale of false COVID certificates, through 32 Telegram channels, for between 150 and 500 euros. Then, police officers of Rome, Milan and Bari, in coordination with the courts of Rome and Milan and of minors of Bari, identified four people, two of them minors, as perpetrators of these possible crimes of fraud and forgery, according to reported the Corriere della Sera. In what became known as the ‘Fake Pass’ operation, they managed to identify the channels and their administrators through technical and financial analysis of the blockchain.
In any case, the lawyer estimates that in this case “all the requirements of a scam are met: there is a profit motive –they ask for 150 euros–, they use deception –they tell you that they are going to give you a certificate that is in the base of Health data – and with this deception they get a person to make an economic transfer “. “It is much more profitable to deceive people than to do all that and expose yourself to a crime of document falsification,” which can carry prison terms of six months to three years and a fine of six to 12 months for buyers, says García.
More than 10,000 sellers
From Check Point Research, the company’s threat intelligence division, they also warn of an increase in vendors who claim to offer false certificates through Telegram. If at the beginning of August they had detected about 1,000, in just over a month they have multiplied by ten, up to 10,000 worldwide. It is not something new. Already in December 2020 they had warned of hundreds of ads on the Darknet, the part of the internet that is not indexed in search engines, which multiplied in the following months, with points of sale mainly in the United States, Spain, Germany, France and Russia.
In recent months, these criminals had made the leap from the deep internet to Telegram. The reason: “There are more people and it is easier to access. In this way you have a much wider arrival, more dissemination capacity and Telegram offers you extra privacy capabilities, such as eliminating conversations, not having to give the same data as others to log in … “, explains Molina.
In Spain, currently, just over 77% of the population has the complete regimen of one of the coronavirus vaccines approved by the European Union and almost 80% have been injected with at least one dose. The certificate allows travel between EU countries and others such as Iceland, Liechtenstein, Switzerland and Norway, simply proving that the person has been vaccinated against the virus, that they have recovered from the disease or that they have a negative test in the last 48 or 72 hours, depending on the regulations of each country. In this way, the process to enter any of these territories is more agile and it is not necessary to carry out additional tests or quarantines. In addition, the national authorities are responsible for issuing the certificate, which is free.