Criminals with “advanced forgery skills” sell valid vaccine certificates on the dark web

Vaccination certificates have been available for sale on the Dark Web since the COVID-19 outbreak. But while the vaccination certificates that previously appeared on the dark web were forged and could not be verified by national governments, German academics recently discovered valid vaccination certificates that could be certified by the European Union.

The ring is believed to have brought in at least 425,000 euros (£360,000) and may have gained access to government systems or obtained encryption keys from national health authorities.

Criminals with "advanced forgery capabilities" are selling valid vaccine certificates on the dark web, suggesting they may have compromised government systems, according to a new study.

Scholars at Aalborg University's cybersecurity group warn that there are many scams among the dozens of COVID-19 vaccine certificate listings on underground digital marketplaces in the dark web.

The ability of unvaccinated people to deal with others in environments thought to be free of the coronavirus could allow the coronavirus to spread and potentially develop variants that are resistant to the vaccine.

Although the researchers found extensive unverified listings and suspected a hoax, they said they managed to "find some credentials that we were able to verify" based on preprints of the study that have not been peer-reviewed….

This raises the risk that "malicious individuals [could] access government systems that they can manipulate at will" or that the encryption keys used by national health organizations to validate certificates have been compromised.

The most worrisome list for researchers is the list of advertising certificates registered in 25 EU countries/regions, samples of which appear to be valid for use in any EU country/region.

Individual certificates are sold for €250 (£210) with payment in Bitcoin, but discounts are available for bulk orders.

This particular vendor store "is the only platform that spells out in such detail how its service works" and details the technical mechanism used to check the QR codes on vaccine certificates.

The researchers wrote: "To prove that the certificates sold for generation are valid, the website's homepage also contains a sample QR code of a fictitious individual, which we verified using two national COVID-19 mobile apps."

A video uploaded by the group also gave researchers a brief glimpse into their back-end administration panel, which at the time showed they had completed more than 1,700 sales - earning more than €425,000 (£360,000).

"The individuals behind this vendor store have an advanced understanding of the systems surrounding the issuance and validation of certificates, which, combined with the quality of their web pages, the attention to detail describing the overall operation of their business, and the validation use cases shown, raises the likelihood that the service is legitimate." The scholars write.

"However, this fact begs the question of how these sellers managed to penetrate the EU COVID-19 certificate system in so many countries. Unfortunately, they did not disclose this information, because a leak would have also meant the end of their business." They added.