The two hackers prosecuted in the health pass mega-fraud case have just been found guilty following their trial, noted ZDNET.fr. Morad and Dylan, the two main defendants in this hearing which targeted a total of thirteen people aged 21 to 34, were in fact respectively sentenced to 4.5 years and 5 years in prison, each time with a suspended sentence of three years, a sentence in accordance with the prosecution’s requisitions.
The magistrates of the 13th criminal chamber of the Paris judicial court also combined these sentences with fines amounting to 50,000 euros and a ban on working in IT for five years.
The eleven other defendants, most of them also from the Lyon region, received prison sentences ranging from 9 months suspended prison time to four years, three of which were suspended.
Massive fraud
This file “highlighted the audacity of a group of young people out of greed”, “geeks who took advantage of technical flaws” to hijack tools put in place to respond to the health crisis and “flood the territory false passes,” reprimands the president of the court. “Even if other networks have seized” the exploited flaw, the defendants “have caused a serious disturbance to public order”, she continues.
In the summer of 2021, the gang succeeded in implementing massive health pass fraud with a much more effective alternative than “MFA Fatigue”.
Rather than drowning health professionals in notifications to obtain fraudulent access, Morad and Dylan had taken over the accounts of health professionals on the sites of their orders using identifiers purchased on Genesis Market, a resale platform compromised access.
Secure access that can be resold
A key sesame: e-CPS, the application allowing health professionals to authenticate and access the digital services of the digital health agency, was based on the contact details recorded on these accounts. A method which made it possible to “generate secure access that can be resold with certainty”, noted deputy prosecutor Paul Simon in his requisitions at the end of November, even if there were “grilled accesses”.
With at least 69 healthcare professionals hacked, the gang generated at least 121,000 false passes. “This count is imperfect, but it is a basic figure”, which already represents “12%, at least”, of false passes identified on national territory, calculated Paul Simon. So many forgeries which allowed the defendants to accumulate “a fortune of several tens of millions of euros”, undoubtedly dispersed among several dozen people, he concluded.
Solemnly, the public prosecutor had called in its indictment on the court to “do justice” to the indirect victims of this case. That is, all “poorly treated patients, affected by serious forms, infected by people who were not vaccinated”. “We will never identify them, but they exist, that is an absolute certainty,” recalled Paul Simon.