‘It’s huge’: Inside the black market for counterfeit COVID vaccine passports
My personal “fake vaccine pack” came advertised with an animated gif.
Set against a floral-patterned carpet, the gif rapidly zoomed in and out of a neatly arranged spread: four fake paper vaccine cards stamped with the logo of the U.K.’s National Health Service, paired with a piece of official-looking blank paperwork, and—for authenticity’s sake—my (real) first name, and the date of the request. In this world, I had received two (phantom) doses of AstraZeneca. In reality, I am fully vaccinated—with two doses of Pfizer.
The other part of the package, the seller promised, was digital: a QR code that would supposedly give me access to a COVID-19 passport on the NHS’s Track and Trace app. It would be sent within 30 minutes after I transferred €200, or about $236, in Bitcoin, the seller said. The paperwork would be sent to my home address. Could the seller get me a French COVID-19 passport, or a German one? No problem—€200 each.
This isn’t the farthest reaches of the dark web. It’s Telegram, a messaging app, where this seller runs a 111,000 member group flooded with photos of official looking COVID-19 certificates in various languages—and anti-vaccine conspiracy theories.
It’s just one entryway into an exploding and barely hidden black market for COVID-19 certificates and passports, fueled both by people in wealthy countries who don’t want to get vaccinated, and people who still can’t get access to vaccines. As highly vaccinated countries are increasingly mandating vaccination passes not just for international travel, but also for access to everything from jobs to restaurants to sports events, the market is only growing.
“There is such huge potential,” says Liad Mizrachi, a security expert at Check Point Software Technologies, who has followed the explosion of fake certificates and passports since March. “Sad potential and destructive potential, as well.”
“A chaotic situation”
The explosion of fake COVID-19 passports has followed a reliable trend: The moment a country—say, France—announces a battery of restrictions based on vaccination, the offers start appearing, says Mizrachi.
They’re also easy to find. Though offers among hackers first appeared on the dark web, the search for customers quickly moved the trade to Telegram and even the popular encrypted messaging service WhatsApp, says Mizrachi. Researchers at Check Point browsed anti-vaccination groups—including on Facebook—which led to invites to Telegram groups explicitly based on selling fake passports and certificates.
“There is definitely synergy between these two groups, or at least one group is using the other one,” he says.
The movement onto messaging platforms suggests the sellers are purposely targeting buyers inexperienced with navigating the dark web, who are also less equipped to recognize outright scams, says Mizrachi. Since then, the Telegram groups have exploded in size, he adds. Some groups have just a few dozen members, while one group the company tracks has half a million.
Contacted for comment, a Telegram spokesperson referred to groups selling the fake certificates that were reported by Italian officials, and said that Telegram had shut down the accounts and received no further contact from the authorities. The spokesperson did not respond to a further request for comment on existing accounts offering fake NHS and European accounts. Facebook policy bans the posting of both legitimate and fake medical documents, including vaccine certificates.
But the low-fi nature of the early COVID-19 certificates in most countries and the lack of international cooperation have created a wide-open market for fraud, Mizrachi points out. Many of the vaccination certificates are still paper only and easy to forge, often using details ripped off strangers’ celebratory social media photos of legitimate vaccine cards.
In the U.K., where the digital COVID-19 passport is being rolled out through the NHS’s Track and Trace app, sellers now appear to be grappling with how to reliably get around the system, Mizrachi said. But loopholes have frequently been exploited in other countries. (In Germany, the government recently closed one gap that allowed digital registration through pharmacies.)
Contacted about the passes, an EU official said that the commission is aware of the increasing number of fake COVID-19 certificates, but said that the digital encryption on the bloc’s Digital COVID Certificate, which can be used for travel within the EU, is entirely secure and can’t be tampered with.
“It is important to distinguish between the security of the EU Digital COVID Certificate and the possible falsification of vaccination certificates that are used to generate [the] secure EU Digital COVID Certificate,” the official said, adding that member states needed to make sure that their own certificates were properly secured and checked.
But in many cases globally, border services aren’t equipped to scan or even understand the passports and certificates from other countries, leaving more options for fraud, noted Mizrachi.
“Usually you just look at it, and ‘It looks fine, okay, carry on,’” he said. “It’s just kind of a chaotic situation.”
After all, potential technical complications haven’t stopped sellers from claiming they can offer digital solutions, which might point toward the best way of combating the spread of fake COVID-19 passports in the first place: letting people know that they’re likely to get scammed.
Anti-vaxxers are “really, really averse to getting duped,” points out Sander van der Linden, a social psychologist from Cambridge University who studies misinformation and conspiracy theories. From a scammer’s perspective, increasingly robust COVID-19 passports aren’t a barrier, he points out: “They’ll just pretend to sell you anything.”
While a second seller told me their paper-card offerings were only workable for cursory entry to restaurants and shops—which, at the moment, is not even necessary in the U.K.—another claimed they could set up a digital passport for me linked to my genuine NHS number, address, and GP registration.
“It gets puts [sic] into the NHS database,” the seller said. “We have inside people.”
When I expressed doubt, the seller said they would provide proof—after I transferred £200 ($278)—in Bitcoin, of course. (I was not able to verify the identity or the location of the seller.)
“Buying and using fake cards to pretend you have received the coronavirus vaccine, when you haven’t, could be harmful to you and others, and could result in the further spread of the virus,” said Pauline Smith, director of Action Fraud, the U.K.’s National Fraud and Cyber Crime Reporting Centre, in a provided comment. She added that in the U.K., the vaccine is available only from the NHS and is, of course, free.
In the world of COVID-19, the explosion of fake vaccination certificates is just one scam among many.
Cybersecurity experts have also pointed toward black market offers of the vaccines themselves, along with a vast universe of fraudulent schemes: from low-tech scammers pretending to be health authorities to rip off personal data or take advantage of desperation for tests, to sophisticated cyberattacks aimed at health services and providers.
“Since the start of the pandemic, our threat intel analysts have detected thousands of pandemic-related cyberattacks,” said AJ Nash, senior director of cyber intelligence strategy at Anomali, a cybersecurity company. “We’ve also seen dark web forums selling fake COVID-19 vaccination cards, test results, and even vaccines.”
While Nash said the firm hadn’t seen fakes specifically for the NHS app, “given the range of underground online forums and the levels of sophistication cybercriminals have achieved, it’s reasonable to presume that such a market will emerge, if it hasn’t already.”
The fake COVID-19 passport explosion seems to cater to two disparate but powerful barriers to global vaccination: distrust, and lack of access.
When it comes to distrust, the market is coming from people who refuse to get vaccinated—in the U.S., about half of those who are unvaccinated say they will “definitely” not get the shot.
There are also indications that vaccine hesitation is slightly higher among younger people in both the U.S. and the U.K., who are both the least likely to be currently vaccinated and the most tech-savvy. (The U.K., in general, actually has relatively little vaccine hesitancy compared to other countries, according to a tracker from YouGov.)
The lack of access, meanwhile, is largely due to the slow pace of the global vaccine roll out. According to the World Health Organization, wealthy countries had administered about 50 doses per 100 people by May, while poorer countries had administered just 0.1 doses per 100 people. That group is fueling global demand for fake certificates in order to travel to see family, or simply to work, points out Mizrachi.
The majority of the market for fake COVID-19 documents are likely to be from this second group, says van der Linden. Genuine anti-vaxxers remain a well-studied minority, he notes.
But the fairly overt marketing for the COVID-19 passports might also be drawing in a new group of people—those who don’t consider themselves to be generally anti-vaccine, but still don’t want to take the COVID-19 jab.
“I don’t think we have a number for that group now, but they’re their own group,” said van der Linden.
Either way, the selling continues. While I was finishing this story, a notification from Telegram popped up on my phone.
“The truth is always don’t take that crazy sh*tty vaccine,” the seller wrote.
The person attached a photo of their wares: paperwork fanned out across a parquet floor, and bearing the forged fonts and letterheads of the governments of Indonesia, the Netherlands, and Pakistan.
This article has been corrected to reflect Sander van der Linden’s affiliation.
Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.