Criminals with “advanced forging capabilities” are selling valid vaccine certificates on the dark web, according to new research, suggesting they may have compromised government systems.
Academics from Aalborg University’s Cyber Security Group warn there are many scams among the dozens of listings for COVID-19 vaccine certificates on underground digital markets.
The ability for unvaccinated people to bypass various protections in place to prevent the spread of the coronavirus could endanger other people and potentially contribute to the development of a variant which is vaccine-resistant.
Despite the wide range of unverified listings which the researchers found and suspected of being scams, they said they managed “to discover a number of certificates which we are able to verify” according to the preprint of the study which has not yet been peer-reviewed.
This raised the risk that “malicious individuals [have] access to governmental systems, which they can manipulate at will” or that the cryptographic keys used by national health organisations to authenticate the certificates had leaked.
The listing that provoked the most concern to the researchers was advertising certificates registered in 25 countries across the European Union, the samples from which they verified to be valid across Europe, using two different national COVID-19 apps
Single certificates are being sold for €250 (£210) with payments to be made in Bitcoin, although discounts available for bulk orders.
This particular vendor shop “is the only platform that elaborates on the operation of their service in such detail” and details the technical mechanisms used to check the QR code on the vaccine certificate.
“To provide proof that the generated certificates sold are valid, the homepage of the site also includes a sample QR code, of a fictional individual, which we validated using two national COVID-19 mobile applications,” the researchers wrote.
A video uploaded by the gang also offered the researcher a short glimpse of their administration dashboard, which at the time showed they had made over 1,700 sales – amounting to more than €425,000 (£360,000) in revenue.
“The individuals behind this vendor shop present an advanced understanding of the system that surrounds the issuance and verification of certificates, which combined with the quality of their web page, the overall attention to detail in describing the operation of their business, and the verification use cases shown, raises the probability of the service being legitimate,” the academics wrote.
“This fact however, leads to the question of how these sellers have managed to infiltrate the EU COVID-19 certificate systems in so many countries. Unfortunately, they do not disclose this information, since it would mean the end of their operation,” they add.