The domains and infrastructure for Genesis Market, one of the most popular marketplaces for stolen credentials of all types, were seized by law enforcement earlier this week as part of Operation Cookie Monster.
The action is an important blow to the cybercriminal world as Genesis was one of the major players offering both consumer and corporate account identities.
Looking for the admins
While authorities have yet to publish press releases about the takedown, accessing the Genesis Market domains shows a banner saying that the FBI has executed a seizure warrant.
It appears that the administrators of the marketplace have not been caught or identified as the FBI is interested in anyone that is in contact with them. Whoever is behind the Genesis Market has kept a low profile for all these years, indicating good operational security knowledge.
source: BleepingComputer
The FBI informs that the action was possible with the support of multiple organizations in the public and private sectors.
“These seizures were possible because of international law enforcement and private sector coordination,” reads the seizure banner, which includes close to two dozen partners.
However, some of the Genesis infrastructure appears to be active still, as the platform's site on the dark web is still reachable.
Researchers at ZeroFox say that the platform admins announced recently that the new domains for the marketplace would become available via reputable dark web channels.
Genesis Market operators confirmed that the Tor network domain is active and that they would keep the shop running by launching their plugin via Tor. They also warned of fake domains emerging.
source: Kela
According to ZeroFox, the platform's inventory received new bots since the clear web domains for the market were seized.
Alexander Martin of The Record writes that the Genesis Market takedown prompted a large number of arrests all over the world.
Europol in a press release on Wednesday informed that 119 users of the platform have been arrested, law enforcement carried out searches at 208 properties, and interviewed 97 people.
Genesis, the digital identity market
Genesis Market started in alpha stage in late 2017 and by 2020 it became the most popular online shop for account credentials for various services, device fingerprints, and cookies.
Cybersecurity company Trellix, which assisted law enforcement with the analysis and detection of malicious files used by Genesis Market, says that the operators of the platform used custom JavaScript code dropped on victim machines to collect the logins and fingerprint data (e.g. cookies, IP addresses, time zones, device info) that together composed the digital identity.
The malicious JavaScript was planted on compromised hosts by various info-stealing malware, among them RedLine, DanaBot, Raccoon, and AZORult, which provided initial access.
source: Trellix
Their profits came from renting the account identities through bots that provided stolen accounts and sensitive info, complete with the fingerprint data that made the access appear legitimate.
The bot would reside on the compromised computer and send the harvested information in real-time to its buyer.
Depending on the collected information, a bot would cost from $0.70 (consumer accounts) to hundreds of U.S. dollars (access to online banking).
Genesis Market's full database had 1.5 million bots supplying more than 2 million identities; more than 460,000 bots were available for sale at the time of the takedown. In total, the platform offered about 80 million credentials and digital fingerprints, says UK's National Crime Agency.
"The criminals buying these special bots were not only provided with stolen data, but also with the means of using it. Buyers were provided with a custom browser which would mimic the one of their victim. This allowed the criminals to access their victim’s account without triggering any of the security measures from the platform the account was on" - Europol
Genesis Market provided access to a wide list of services with user accounts from all over the world. Among them were Gmail, Facebook, Netflix, Spotify, WordPress, PayPal, Reddit, Amazon, LinkedIn, Cloudflare, Twitter, Zoom, and eBay.
It appears that customers of the market turned a pretty penny from using the stolen digital identities. Following a raid at a suspected cybercriminal that used Genesis Market, the Romanian Police seized more than $200.000 in cash and over 9 kilograms of pure gold.
According to the Dutch Police, one victim lost almost EUR 70,000 after a Genesis Market customer used his digital identity to make various online purchases. Someone also opened multiple accounts in his name at several banks.
Users that want to check if their accounts were compromised and sold on Genesis Market can check a portal from the Dutch Police specifically built for this purpose.
The FBI did not reply to a request for comment from BleepingComputer.
Update [April 5]: Article updated with information from law enforcement agencies available after publishing time
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now