As public outrage grows over one of the most serious breaches of Turkey’s digital infrastructure in recent memory, experts warn that the use of stolen electronic credentials to produce official documents, ranging from diplomas and driver’s licenses to identity records and government directives, signals a deeper systemic failure.
While prosecutors describe the investigation as a breakthrough against a 35-member network, new revelations suggest the actual scope of the scandal remains unknown. Officials have offered no clear explanation for how such sensitive credentials were compromised.
The Interior Ministry says the organization created at least 57 diplomas, 108 driver’s licenses and several other official records using cloned electronic signatures of senior bureaucrats.
Despite the unprecedented access enabled by these credentials, neither the Information Technologies and Communication Authority (BTK), which regulates the country’s digital security, nor the Ministry of Transport and Infrastructure, which oversees it, has issued a statement. This silence, experts say, deepens uncertainty about the extent of the damage, who is responsible and how widespread the misuse of public systems may be.
At the center of the scandal is a growing list of documents that were not forged in the traditional sense, but rather generated through legitimate government platforms using digital credentials belonging to public officials.
What makes the scandal particularly dangerous, according to a former Turkish police chief with direct experience in cybercrime, is the range of powers unlocked once an electronic signature is compromised. In Turkey’s digital bureaucracy, an e-signature is not merely a tool to approve documents — it is the legal equivalent of a handwritten signature and is integrated into nearly every layer of government operations.
Speaking anonymously, the former police chief described how access to an e-signature means access to the Electronic Document Management System (EBYS), which governs everything from internal ministry memos to cross-institutional decisions. “With a valid e-signature, you can carry out inter-agency correspondence, approve policy directives, appoint civil servants, sign spending orders, authorize tenders, approve overseas travel for staff or validate audit reports,” he said. “Once signed digitally, these decisions carry full legal weight and are assumed to be authentic.”
The official added that compromised credentials could even be used to modify personnel records, assign performance evaluations, grant salary authorizations or create and validate procurement contracts and inspection reports. E-signatures are also required to produce internal audit findings, regulatory approvals and institutional decisions such as project clearances, budget reallocations and disciplinary rulings.
Critically, the system lacks sufficient safeguards to detect irregular use. “If you receive a digitally signed directive from a superior, even if the order itself is illegal, you implement it without question. There is no verification mechanism that alerts the original signatory,” the expert said. In practice, this means an impersonator using a bureaucrat’s e-signature could issue an illegal directive that others in the chain of command would carry out as routine.
This makes the current scandal more than a matter of forged diplomas or falsified licenses — it represents a full-blown breach of the machinery of state. “You can simulate the functions of any ministry. That’s the level of access we’re talking about,” the former police chief warned. “And we have no idea yet how many decisions currently in force were issued under false authority.”
With such sweeping access, the scale of potential abuse is difficult to quantify. Even a single hijacked credential could be used to fabricate regulatory approvals, authorize state payments, alter records in land registries or tax databases or enable the hiring and promotion of unqualified individuals into sensitive public posts.
The anonymous expert called for a full audit of all administrative transactions linked to the compromised e-signatures, warning that without transparency and independent oversight, “we may never learn the full extent of what was done in the name of the Turkish state.”
Further complicating matters is the discovery that some senior bureaucrats had more than one e-signature, raising questions about record-keeping, traceability and internal oversight. According to digital rights expert Prof. Dr. Yaman Akdeniz, this alone is a red flag. “An e-signature is meant to be a unique digital fingerprint. It should never be duplicated or unaccounted for,” he told the Evrensel daily, adding that the lack of two-step verification systems made it easier for criminals to operate undetected.
Authorities say the gang gained access through two licensed digital certificate providers: TÜRKTRUST and E-İMZATR. Employees at these companies allegedly approved applications using forged IDs, allowing the network to obtain valid certificates in other people’s names. From there, they entered systems belonging to ministries, universities and government agencies and began issuing documents. Many of these documents — though produced through illegal access — were indistinguishable from valid ones and remain in circulation today.
The suspects include individuals who allegedly paid for credentials to obtain or upgrade diplomas, licenses or job titles. Among them is a man who reportedly scored 8 out of 100 on a written driving test but was given a certificate showing a passing grade of 70. Another passed himself off as a clinical psychologist and appeared on television to promote hypnosis therapy, charging patients up to 4,500 lira per session. In reality, he was previously registered as the head of a carpet cleaners’ association.
There are also allegations of money laundering. Court documents show that the man described as the group’s ringleader, Ziya Kadiroğlu, discussed payments with a contact in Dubai using encrypted messaging apps, referring to document prices ranging from 50,000 to 2.5 million lira. He allegedly boasted of issuing false identity cards for individuals wanted by police and claimed to have sent proxies to take standardized tests on behalf of others in earlier exam fraud cases.
While prosecutors may add new suspects to the case — now totaling 199 people — observers say criminal accountability is only part of the issue. The broader question is how a parallel network of unauthorized users was able to penetrate Turkey’s digital bureaucracy so deeply — and why, even now, no official agency has provided a comprehensive explanation of how the breach occurred or what will be done to prevent a recurrence.