In a joint operation dubbed “Operation Cookie Monster,” international law enforcement has seized the domain names for the Genesis Market — the dark web shop infamous for selling stolen credentials.
On Tuesday, the website displayed an FBI takedown notice, which also requested that volunteers come forward with information regarding Genesis administrators.
The operation is the latest scalp in the global law enforcement crackdown on illicit cybercrime marketplaces. In the last year, authorities have shut down Hydra, the world’s largest dark web market at the time, and ChipMixer, a popular crypto mixer used for laundering funds.
Genesis, Botnets, and Identity Fraud
Hackers selling on the marketplace typically relied on browser fingerprinting to capture a victim's cookies and credentials along with the device's profile. In a typical heist, all a user had to do was enter their login credentials on a compromised website; both the credentials and the browser fingerprint could then be swiped by a malicious actor.
While Genesis allowed users to buy and sell stolen login credentials for a number of widely-used services — including Dropbox, Microsoft, PayPal and Twitter — it was financial data that was the hottest item up for sale.
“Genesis Market was a specialised cybercrime shop, used to sell data stolen with the help of infostealers,” Yuliya Novikova, Head of Digital Footprint Intelligence at cybersecurity firm Kaspersky, told VPNOverview.
“These are malicious programs designed to steal data from all kinds of devices — personal ones and even corporate. For context, stealers can obtain information such as crypto wallet data, various credentials, passwords, browser histories, screenshots, details about the victim’s device, banking cards and access to online banking accounts, etc.”
Cybersecurity researchers have noted that the popularity of the invitation-only market and others like it has made it clear that hackers were studying leading anti-fraud technology in order to circumvent it.
“Many anti-fraud defenses now rely on matching device fingerprints to credentials in order to verify a legitimate user’s identity,” researchers at Netacea said in an analysis of the marketplace. “By infecting legitimate devices and stealing their fingerprints, Genesis Market bots can pass right through such protections.”
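The weakness Netacea describes is a check that treats a matching device fingerprint as proof of identity. The following added example (not code from the article, Netacea or any vendor; field names and thresholds are assumptions) contrasts that naive check with a layered one that still flags a matching fingerprint when it arrives from a different network or country or with an unusually old session cookie.

```python
"""Added illustration: fingerprint-only vs layered login risk check.
All field names, weights and sample values are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class DeviceProfile:
    fingerprint: str      # hash of the browser/device attributes on record
    asn: int              # network the user normally signs in from
    country: str

@dataclass
class LoginEvent:
    fingerprint: str
    asn: int
    country: str
    cookie_age_days: int  # age of the presented session cookie

def fingerprint_only(event: LoginEvent, profile: DeviceProfile) -> bool:
    """The naive check: a fingerprint that matches the record passes."""
    return event.fingerprint == profile.fingerprint

def layered_check(event: LoginEvent, profile: DeviceProfile,
                  max_cookie_age: int = 30) -> tuple[str, list[str]]:
    """Fingerprint match is one signal among several. Any anomaly moves the
    decision from 'allow' to 'step_up' (e.g. re-authenticate) and is recorded."""
    reasons = []
    if event.fingerprint != profile.fingerprint:
        reasons.append("fingerprint mismatch")
    if event.asn != profile.asn:
        reasons.append("ASN differs from known device")
    if event.country != profile.country:
        reasons.append("country differs from known device")
    if event.cookie_age_days > max_cookie_age:
        reasons.append("session cookie older than policy allows")
    return ("allow" if not reasons else "step_up", reasons)

# Constructed sample data: the real user, and a replay of the same stolen
# fingerprint from another network with a stale cookie.
PROFILE = DeviceProfile("fp-7a1c", asn=3320, country="DE")
GENUINE = LoginEvent("fp-7a1c", asn=3320, country="DE", cookie_age_days=2)
REPLAY = LoginEvent("fp-7a1c", asn=9009, country="NL", cookie_age_days=45)

def run_checks() -> dict:
    """Evaluate both events with both checks; the replay passes the naive
    check but is escalated by the layered one."""
    return {
        "genuine": (fingerprint_only(GENUINE, PROFILE), layered_check(GENUINE, PROFILE)),
        "replay": (fingerprint_only(REPLAY, PROFILE), layered_check(REPLAY, PROFILE)),
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```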
Genesis also traded in sprawling networks of infected smartphones and computers known as botnets. While prospective buyers were able to purchase access to Genesis bots and browser fingerprints on the marketplace, another selling point was advertised repeatedly: as long as a device remained infected, the botnet operator continued to have updated access to its data.
“In other words, Genesis customers aren’t making a one-time buy of stolen information of unknown vintage; they’re paying for a de facto subscription to the victim’s information, even if that information changes,” Sophos said in its 2022 study of Genesis Market. “This makes the stolen data Genesis sells more useful for attackers and thus more valuable.”
Marketplaces like Genesis contributed heavily to identity fraud in recent years. In fact, NordVPN stated that Genesis was one of the three biggest botnet markets, contributing to the sale of 4.9 million people’s data.
Not Out of the Clear Yet
The FBI and other authorities involved have yet to put out an official press release about the takedown, and questions remain about the future of Genesis Market’s operators, who are believed to be based in Russia or a Russian-speaking region. Detaining the market’s operators and administrators might therefore be a challenge.
Recently, ransomware operators, such as REvil, have rebranded and re-emerged after law enforcement takedowns. Until authorities nab the Genesis operators, we may see its botnet infrastructure resurface in the future. Furthermore, the customer traffic from Genesis could spill over to other markets, as it did after the Hydra takedown.
“Another popular forum, BreachForums, was also taken down at the end of March, and so we expect a decrease in the activity of the English-speaking segment of the darknet anytime soon,” Novikova said.
Interested in reading up more on this underground market? Check out our detailed guide on the Genesis Market. It also explains what you can do if your data was stolen, or if your device is part of a botnet network. Cybercriminals continue to evolve their tools and techniques to carry out malicious activity. It is important to stay informed and up to date on how to stay safe on dark web marketplaces in 2023.
