Scammers use Telegram and Facebook ads to sell fake COVID certificates in Ukraine
Telegram hosts Ukrainian channels and accounts claiming to sell legitimate vaccine certificates, while FB ads are exploited to promote them.
Scammers use Telegram and Facebook ads to sell fake COVID certificates in Ukraine
BANNER: A passenger is seen showing his vaccination document to a train conductor in Ukraine, October 21, 2021. A vaccination certificate or a negative test is required for inter-city travel by train, bus or planes. (Source: Reuters/Andriy Andriyenko/SOPA Images/Sipa USA)
Fake COVID-19 vaccine certificates are being sold on Telegram channels in Ukraine and abroad, as malign actors take advantage of the platform’s anonymity to sell fraudulent documents.
With the Ukrainian government increasingly requiring proof of vaccination to travel or enter public spaces, Telegram has become host to an underground market of bogus government documents. The emergence of online markets for fake COVID-19 vaccination certificates, however, is not unique to Ukraine. Similar schemes have been documented throughout Europe, the United States, and other countries, with Telegram frequently used as a primary platform for these services.
Ukraine has achieved a modest vaccination rate at approximately 23.6 percent of the population, but various studies have found signs of vaccine hesitancy in 40 to 56 percent of the population. On October 11, 2021, the government announced proof of vaccination is required to board any transport service that crosses regional (oblast) borders and said that businesses like gyms, shopping malls, and universities could open if at least 80 percent of employees were vaccinated. This situation has fueled a black market in fake certificates. Ukrainian news outlet Liga.net tried to purchase fake vaccination certificates and found that some providers ignore customers after a deposit is paid, but on one occasion it received a paper certificate featuring the credentials of a nonexistent doctor and medical center. Radio Svoboda also ordered certificates from the black market and received forged documents that included the credentials of a real doctor and medical center in Ukraine, both of which denied any involved in the scheme.
These black markets have been the subject of statements from President Volodymyr Zelensky and the Ukrainian Ministry of Health. Police and security services routinely arrest groups selling fraudulent documents, with the latest network uncovered by the Ukrainian Security Service believed to have served 10,000 clients. In September 2021, Ukraine’s Minister of Health announced plans to introduce a new article in the criminal code for those who fabricate COVID and PCR certificates, citing that these fake documents discredit the country’s legitimate vaccination campaign. The ministry also proposed an amnesty plan for those who purchased but did not use a fake certificate, in an effort to persuade more people to get vaccinated.
Telegram is a convenient platform for illicit businesses as it allows operators to stay anonymous and change accounts easily. Personal chats in Telegram are encrypted, offering a high degree of privacy. Moreover, the platform does not have a transparent database for tracking or storing content, making it difficult to identify criminal activity on the platform, which has a history of being used by bad actors to provide illegal services.
With few exceptions, the Telegram channels identified as a part of this research strategically avoid becoming widely popular. To avoid detection, channel operators rename or abandon accounts and create new ones. They often post only a few messages advertising their services and then forward interested parties to operators to discuss details in private and encrypted chats.
Finding customers while avoiding detection
The Telegram channels selling fraudulent documents face the challenge of finding new customers while avoiding detection by the platform. The channels function contrary to many on the platform, as audience building is problematic for their operations, given increased popularity is also likely to draw scrutiny from las enforcement authorities. Instead, they operate knowing they may need to delete their account at any given moment. To find customers, they create multiple channels and use combinations of keywords, such as “vaccination,” “certificate,” “COVID,” and “buy,” to attract new users. This tactic allows people who search these terms to easily find channels offering these illicit services.
The DFRLab identified 46 Telegram channels that advertised bogus certificates for the Ukrainian market, and 23 channels that focused on other countries ranging from the United States to Russia. Most of the channels identified by the DFRLab have modest subscriber counts, usually less than 1,000, which could be a result of the renaming and recreating accounts strategy. However, some channels successfully acquired significant followings. For instance, the now-unavailable Telegram channel “Buy certificates of vaccination” had roughly 30,000 followers when the DFRLab identified it, and an archived advertisement post showed that some of its posts could generate views of more than 100,000.
Another tactic to increase the network’s potential reach is the creation of reserve channels that send users to an active account or provide contact details for a service operator. The DFRLab found at least seven pages using consecutively numbered handles starting from fathermother3 to fathermother9, all featuring the same contact details and created on the same day. Five out of the six accounts published their first post and several subsequent posts at the exact same time. The channels promised “formalization of all vaccination documents” with a “warranty.”
Additionally, some of the Telegram channel operators pushed their fake certificate services in public marketing groups in which services like caviar delivery, boosting social media followers, or probiv data brokers are also advertised. The DFRLab identified at least 30 accounts that actively promoted their fake documentation services in these marketplace groups, which had between 3,529 to 10,191 members.
Based on an analysis of 40 channels, the DFRLab found that the content of the channels typically includes details about the information required from the buyer, such as passport data, the price of the services, the vaccination date, and general information about upcoming government lockdowns or other COVID-19 measures. Some of the channels went further and promoted anti-vaccine disinformation likely to nudge people toward their services. For instance, Telegram channel “Truth Light” published a picture with text stating that COVID-19 is the “fascism of 21st century,” multiple videos on “new total digital communism,” and a debunked story about graphene oxide, which is toxic, as being an ingredient in the Pfizer and Moderna vaccines. The channel then advertised itself as providing a way to avoid “freedom limitations” by acquiring a fake certificate.
A few channels on Telegram are dedicated to exposing scammers such as those identified in the course of this research by publishing their Telegram handles, but since channel names can be easily changed, it is not an effective tactic in combating such services in the long term.
Fake certificates advertised on Facebook
Additional Telegram channels selling fake certificates used Facebook advertising to attract new customers. The DFRLab identified at least three ads on Facebook that promoted the sale of fraudulent COVID-19 vaccination certificates. The DFRLab viewed the ads in the Ad Library, but they were removed soon afterwards, suggesting the ad campaigns were short-lived. All three ads from three separate pages led to the same feeder page and, ultimately, to the same account on Telegram for ordering services, which means that all three might be part of the same operation.
The first ad appeared on the now-defunct page for Pizza MaMa, a Dhaka, Bangladesh pizza restaurant that announced its closure a few months before the ad. It remains unknown why a Facebook page for a pizza restaurant in Bangladesh would pivot to posting ads in Ukrainian for fake vaccination certificates, though it is possible that the page was hacked after it went dormant following the business’s closure. Since the time of research, the page has been removed.
The ad featured a picture with the word “Buy” and an image of Ukraine’s digital COVID-19 certificate shown in Diaa, the government-issued app used by Ukrainians to carry official electronic documents such passports, tax numbers, and COVID-19 vaccination certificates. The advertisement led users to the webpage aqulas.me, a free Russian platform that allows users to aggregate links into digital business cards or portfolios. Previously, this feeder page linked to a now-deleted Telegram channel that forwarded users interested in purchasing a fake vaccine certification to another account. Now, it links to a second feeder page on a different platform that includes the same username as the deleted Telegram channel. The feeder page features reviews from customers in the form of certificate photos and Telegram chat screenshots (customers are incentivized to post reviews in exchange for approximately $20 off their next order) and links to an active Telegram account for communications.
The second Facebook ad, published by the page Молчанова (“Molchanova”) — the name is a feminine surname in either Ukrainian or Russian — featured the abbreviated text “Buy certif. vac.” The ad featured a link to another business card on the Aqulas platform — which previously sent its readers to the now-defunct Telegram channel “Certificate Vac. + introduction to Diia” — that included the same user handle as the first ad. It now leads to the same feeder page hosted on Wix as the ad from Pizza MaMa. The ad started running on October 18 and was the only entry in the Ad Library for this particular Facebook page. However, the DFRLab found a screenshot of another ad from the Molchanova page that was posted October 1 to an unconnected Telegram channel. The ad used a different font, indicating it may have been an earlier iteration of the ad campaign. Both ads are no longer available in Facebook’s Ad Library.
The final ad appeared on the Facebookk page Srorinka, presumably a misspelled transliteration of Ukrainian word Сторінка, meaning “page.” The ad started running on October 20 and led users to another now-defunct business card on Aqulas, which provided a link to the same feeder website as the two ads from Pizza MaMa and Molchanova, respectively, mentioned above. The notable difference this time is the use of Viber cell number on the ad. The DFRLab searched for the cell number using the tool GetContact, which indicated that it is associated with the tag “Sertif vac,” an abbreviation for vaccination certificate.
Bitcoin wallets
The scale of the operations for fake vaccination documents is hard to measure as subscriber count is an inadequate representation of sales; users may purchase documents without subscribing or subscribe without making a purchase. The promotion of these services via platforms like Facebook or word of mouth further muddles the true extent of the operation. Moreover, these services are prone to scams, and there is no proof that the identified channels actually provide documents.
One measure by which the operation can be tracked, however, is financial records. While most channels advertise prices, but not the means of payment, a few of the channels identified by the DFRLab asked for payment in bitcoin (BTC). An analysis of the BTC wallets conducted by the DFRLab found a large volume of transactions.
The Telegram channel COVID Passport provided a BTC address to receive payments and a link to an exchange service that allows for payment to a BTC wallet from a credit card or any bank in Ukraine or Russia. According to Wallet Explorer, a Bitcoin block explorer tool, the identified address engaged in 22 transactions, half of which were deposits and the other half transfers to another address. In almost two months of tracked activity, the channel earned and forwarded $2,089, roughly equivalent to the purchase of 10 of the international certificates available for sale, which can be used for international travel, or 20 of the cheapest certificates available, which are used in Ukraine for bypassing local restrictions.
The DFRLab found another wallet in the archived section of TGStat, a Telegram analysis tool. It had the same operator and used similar wording to the COVID Passport channel, but featured another BTC address. At the time of publishing, this address had only four transactions. However, according to Wallet Explorer’s info section, the tool “merges addresses together, if Wallet Explorer thinks that they are part of the same wallet.” It is also important to note that the same user can have an almost unlimited number of BTC addresses. Wallet Explorer identified both of the BTC addresses to be part of one wallet. This combined wallet shows data from multiple BTC addresses and has more than 61,000 transactions, but there is no proof that all of this activity is connected to fake COVID‑19 passports.
As another wave of COVID-19 crests in Ukraine, the government introduced more restrictions for people without vaccination certificate, including mandatory vaccination for civil servants. While most will take the jab to avoid limits to their movement or to maintain current employment, others may try to “buy their freedom” from COVID restrictions by purchasing fake documents online. When it comes to finding fraudulent documents for sale, a simple keyword search allows those who refuse vaccination to easily discover an illegal market of fake certificates.
Ukrainian courts currently issue a $65 fine for those caught purchasing a fake certificate. Medical professionals who participate in the forgery face harsher consequences; in one case, a doctor faced a $1,290 fine and was suspended from practicing medicine for one year. The Ukrainian government is also planning to introduce a new bill that would increase the legal punishment for both organizers and buyers. If adopted, buyers could be fined up to $1,290 or be jailed for up to six months, whereas organizers could face a $6,430 fee or up to three years in jail. Doctors that falsify documents could be fined $2,575 or face up to two years of jail time.
Cite this case study:
Roman Osadchuk, “Scammers use Telegram and Facebook ads to sell fake COVID certificates in Ukraine,” Digital Forensic Research Lab (DFRLab), December 16, 2021, https://medium.com/dfrlab/scammers-use-telegram-and-facebook-ads-to-sell-fake-covid-certificates-in-ukraine-e796635f61c5.