Criminals with “advanced forging capabilities” are selling valid vaccine certificates on the dark web, according to new research, suggesting they may have compromised government systems.
Academics from Aalborg University’s Cyber Security Group warn there are many scams among the dozens of listings for COVID-19 vaccine certificates on underground digital markets.
The ability for unvaccinated people to mingle with others in settings which are assumed to be free from the coronavirus could enable it to spread and potentially develop into a variant which is vaccine-resistant.
Despite the wide range of unverified listings which the researchers found and suspected of being scams, they said they managed “to discover a number of certificates which we are able to verify”.
This raised the risk that “malicious individuals [have] access to governmental systems, which they can manipulate at will” or that the cryptographic keys used by national health organisations to authenticate the certificates had leaked.
The listing that provoked the most concern to the researchers was advertising certificates registered in 25 countries across the European Union, all of which appeared to be valid when the academics put them through the verification mechanisms used across the bloc.
Single certificates are being sold for €250 (£210) with payments to be made in Bitcoin, although discounts available for bulk orders.
No cases of new variant in UK – but ‘highly likely’ it has spread to other countries, Javid says
COVID-19: Shadow Health Secretary Jonathan Ashworth self-isolating after testing positive for COVID
UK taking ‘safety first approach’ with travel ban over new COVID variant, says Shapps
This particular vendor shop “is the only platform that elaborates on the operation of their service in such detail” and details the technical mechanisms used to check the QR code on the vaccine certificate.
“To provide proof that the generated certificates sold are valid, the homepage of the site also includes a sample QR code, of a fictional individual, which we validated using two national COVID-19 mobile applications,” the researchers wrote.
A video uploaded by the gang also offered the researcher a short glimpse of their administration dashboard, which at the time showed they had made over 1,700 sales – amounting to more than €425,000 (£360,000) in revenue.
“The individuals behind this vendor shop present an advanced understanding of the system that surrounds the issuance and verification of certificates, which combined with the quality of their web page, the overall attention to detail in describing the operation of their business, and the verification use cases shown, raises the probability of the service being legitimate,” the academics wrote.
“This fact however, leads to the question of how these sellers have managed to infiltrate the EU COVID-19 certificate systems in so many countries. Unfortunately, they do not disclose this information, since it would mean the end of their operation,” they add.