Cybercrime as-a-service , Fraud Management & Cybercrime , Identity & Access Management

Police Seize Hacker Bazaar Genesis Market

International Operation Led by FBI Results in Hundreds of Arrests
Police Seize Hacker Bazaar Genesis Market
A Genesis Market suspect being taken into custody by U.K. National Crime Agency officers (Image: U.K. NCA)

Law enforcement disrupted an online marketplace selling access to compromised computers and stolen logon credentials in an international law enforcement operation that resulted in more than 100 arrests and twice that number of searches across the globe.

See Also: A Matrix on Behavioral Biometrics and Device Fingerprinting

U.S. authorities say Genesis Market since 2018 has offered access to more than 1.5 million compromised computers around the world and more than 80 million account credentials. For sale on the site weren't just username and password combinations but device fingerprints including browser cookies and system information that allowed hackers to bypass security measures such as multifactor authentication. The arrest tally currently stands at 119 individuals, and law enforcement actions were taken across 15 countries.

The FBI-led takedown, dubbed "Operation Cookie Monster," included cooperation from police in the Netherlands, across Europe and in the United Kingdom, Australia and Canada.

The marketplace was accessible on the open web but a referral from a current member was required to access it. "Genesis falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the department to identify, locate, and arrest on-line criminals," said U.S. Deputy Attorney General Lisa O. Monaco.

The marketplace's accessibility and cheap prices greatly lowered the barrier to entry for buyers, making it a popular resource among hackers, said Europol. Access to an infected computer - a "bot" - could cost less than one U.S. dollar.

"Genesis served as an initial access broker, which are a key service which enable hosts in the various activity across the cyber landscape, including but not limited to fraud and ransomware," said a senior FBI official speaking with reporters Wednesday morning on condition of anonymity. "I cannot emphasize enough the importance of initial access brokers as a key enabler of cybercrime as a service."

Administrators went to great lengths to hide their hosting infrastructure, the official said. "The FBI was able to put the pieces back together to locate and identify Genesis markets, back-end servers which contain data about the marketplace, including information about the users, and about stolen victim credentials."

Law enforcement arrested individuals inside the United States, but the FBI refused to give further details. Marketplace operators earned at least $8.7 million in cryptocurrency from the sale of stolen credentials, but "we estimate that the complete total losses exceed tens of millions of dollars," the senior FBI official said. Genesis' back-end systems revealed approximately 59,000 user accounts tied to emails and other data that allowed law enforcement to make arrests, the official added. The official said reports of Genesis Market still being accessible through the dark web overlook actions that "have allowed us to disrupt Genesis in ways that may not necessarily be seen or apparent to others."

The FBI transmitted credential data found in Genesis Market databases to breach notification website Have I Been Pwned to allow internet users to see if they have been compromised.

"There are cases of social media profiles being stolen or of webshop orders being placed via a victim's account. Some victims even had their entire investment portfolio, bank account or crypto wallet emptied out. In short, victims lost control over their entire online life," said Ruben van Well, a Dutch law enforcement official who heads the Rotterdam Cybercrime Team.

Genesis Market "offered its users a unique specialized browser and plugin, called Genesium, that allowed for an easy injection of the stolen artifacts, making account takeover child's play for cybercriminals," said cybersecurity firm Trellix, which assisted law enforcement. Administrators used a variety of info stealer malware - including AZORult, Raccoon, Redline and Dana - to harvest online credentials. They also dropped their own set of JavaScript code on infected machines to guarantee the structure and quality of stolen information, Trellix said.

Tracking Genesis Market

Genesis Market first appeared in November 2017 in its beta version and soon became a major vendor of stolen digital fingerprint data. At the time of its debut, the marketplace claimed it could evade anti-fraud controls used by 283 major banks and payments systems, said cybersecurity company ReliaQuest.

"For less than $50, users can buy a bot on the Genesis site, which includes the fingerprint, accounts, and cookies - unsurprisingly, the store does not use or sell any products connected with the Russian commonwealth," the company said in April 2018.

Cybersecurity firm Kaspersky in 2018 reported that the price on Genesis for a stolen device fingerprint ranged from $5 to $200. "For example, if the bot has a login/password pair from an online bank account, the price is higher."

The single set of credentials that led to the June 2021 EA breach that allowed the attackers into Electronic Arts' system through the gaming giant's Slack, cost the attacker $10 on Genesis Market, Vice reported in 2021.

Analysis from cybersecurity firm Sophos corroborated the scope and affordability of wares on the market. "Genesis customers aren't making a one-time buy of stolen information of unknown vintage; they're paying for a de facto subscription to the victim's information, even if that information changes," the firm wrote in August 2022.

Trellix said marketplace administrators began actively recruiting sellers in February, probably in order to keep up with growing demand.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.