Genesis Market infrastructure and inventory sold on hacker forum

The administrators of the Genesis Market for stolen credentials announced on a hacker forum that they sold the store and a new owner would get the reins “next month.”

This announcement comes about three months after law enforcement seized some of the marketplace’s domains on the clearnet in Operation Cookie Monster.

Genesis Market package sold in three weeks

On June 28, the account GenesisStore, used by an operator of the Genesis Market for announcements on a hacker forum, posted that the group behind the store decided to sell the platform.

In a post shared by cybersecurity firm Flare with BleepingComputer, the seller said that the package included “the store with all the developments,” a complete database sans some details about the clients, source code, scripts, and server infrastructure.

Genesis Market for sale on hacker forum
Source: Flare

The deal would also include the inventory that made the marketplace a thriving cybercriminal business:

  • device fingerprints (e.g. cookies, IP addresses, time zones, device info)
  • cookies
  • the form grabber that collected all the data (custom JavaScript code)
  • saved passwords
  • other persona details from networked computers

GenesisStore enticed potential buyers by saying that acquiring the platform would greatly increase the profits of those who already have a “traffic flow.”

On Thursday, GenesisStore announced that they had a customer that made a deposit, and the deal is expected to complete “next month,” with the new owner taking complete control.

The admins of the marketplace also noted that they would not hand over the accounts on the forum, so the new owner would have to create new ones if they wanted that community segment.

Genesis Market admin claims they sold the marketplace
Source: Flare

An automated translation of the post above reads: "A buyer has been found and a deposit has been made. The store will be handed over to a new owner next month. Accounts on the forums will not be transferred, the new owner will create new accounts if necessary."

Go-to market for device fingerprints

Genesis Market launched in late 2017 in alpha stage. After three years, it was the most popular shop selling account credentials for online services, device fingerprints, and cookies.

Part of the success was developing custom JavaScript code to collect all the data necessary to create a device fingerprint that allowed impersonating the victim machine logging into a service.

To the service provider, it appeared as a regular log-in from the legitimate account owner using their usual machine from the normal geographical location.

The JavaScript was distributed through various info-stealing malware (RedLine, DanaBot, Raccoon, and AZORult).

Genesis Market rented out bots that provided the customer with stolen account identities in real time. This way, if details changed on the victim machine, the bot would replicate the change almost instantly.

Depending on the type of account, the price of a bot varied from $0.70 for consumer accounts (Gmail, Facebook, Netflix, Spotify, WordPress, PayPal, Reddit, Amazon, LinkedIn, Cloudflare, Twitter, eBay) to hundreds of U.S. dollars for online banking services.

When law enforcement seized Genesis Market's clearnet domains, the platform offered about 80 million credentials and digital fingerprints, according to the National Crime Agency in the U.K.

Despite this action, the platform stayed in business on the dark web. Researchers at ZeroFox said at the time that the marketplace increased its inventory with new bots after law enforcement's Operation Cookie Monster hit the clear web domains.
