Operation Cookie Monster successfully seizes Genesis Market

CYBERWARZONE – On Tuesday, the FBI-led Operation Cookie Monster successfully seized Genesis Market, one of the world’s largest platforms for cyber fraud.

This criminal platform sold stolen credentials and tools to weaponize the data, leading to millions of financially-motivated cyber incidents globally, including fraud and ransomware attacks.

Key takeaways

  1. Genesis Market, one of the world’s largest cyber fraud platforms, was seized by the police on Tuesday, in an FBI-led operation that involved international partners.
  2. Genesis Market was a one-stop-shop for cybercriminals, selling both stolen credentials and the tools to weaponize that data.
  3. The platform provided criminals access to “bots” or “browser fingerprints” that allowed them to impersonate victims’ web browsers, including IP addresses, session cookies, operating system information, and plugins.
  4. The “bots” could be imported into a browser the criminals had developed called Genesis Security, also available as an extension for other web browsers.
  5. Genesis Market was unique among credential marketplaces, as it did not have a list of third-party vendors and was an invite-only site, but it was discoverable through regular web search engines.
  6. The total number of Genesis Market victims isn’t known, but according to Recorded Future, the market showed approximately 135 million individual bot listings since 2018.
  7. The low barrier to access was part of the design of the criminal service, which functioned as a one-stop-shop for fraud.
  8. The police are carrying out a large number of arrests globally in connection with the operation.

International Partners Help in the Seizure

More than a dozen international partners helped carry out the operation, which has now replaced the login pages on Genesis Market’s websites with a splash page revealing the takedown.

SecureScientist on the GenesisMarket

Arrests Being Carried Out Globally

According to The Record, a large number of arrests are being carried out globally in connection with the seizure.

Fingerprints and Bots Enabled Criminals to Impersonate Victims

Genesis Market was unique among credential marketplaces such as Russian Market or 2easy Shop, providing criminals access to “bots” or “browser fingerprints” that allowed them to impersonate victims’ web browsers, including IP addresses, session cookies, operating system information, and plugins.

Criminals could access subscription platforms like Netflix and Amazon, as well as online banking services, without triggering security warnings or multi-factor authentication.

Operation Cookie Monster FBI 2023

A go-to shop for threat actors

The market was a go-to shop for threat actors planning to perform various cyber-attack techniques, with hundreds of thousands of digital identities listed.

Here are some significant facts to know about this underground market:

1. MFA Bypass Risk: Stolen Browser Cookies

Multi-Factor Authentication (MFA) is a security protocol designed to enhance account security for a wide range of digital environments, including web, virtual private networks (VPNs), and remote desktop sessions.

Unfortunately, the black market sale of stolen browser cookies has emerged as a major vulnerability in the MFA process, as threat actors can use these cookies to bypass MFA protections and gain unauthorized access to sensitive accounts.

Genesis Market login page

Threat actors evade MFA security mechanisms by using stolen browser cookies. Cookies purchased on the Genesis black market could be imported into a browser the attacker controls, potentially giving attackers enough time to move laterally, access confidential data, and perform other actions as the victim.
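
A defender-side heuristic for the cookie replay described above, as an added example that is not part of the original article: it flags a session ID that shows up from a network or user agent other than the one that completed MFA. The log fields, session IDs and addresses are constructed sample data, and comparing IPv4 /24 prefixes is an assumption chosen for illustration.

```python
from collections import defaultdict

UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/111.0"

# Constructed sample events: (timestamp, session_id, source_ip, user_agent, event)
EVENTS = [
    ("2023-04-04T09:00:00", "sess-a1", "198.51.100.10", UA_CHROME, "login_mfa_ok"),
    ("2023-04-04T09:05:00", "sess-a1", "198.51.100.23", UA_CHROME, "request"),
    ("2023-04-04T09:10:00", "sess-b2", "192.0.2.5", UA_FIREFOX, "login_mfa_ok"),
    ("2023-04-04T09:40:00", "sess-b2", "192.0.2.5", UA_FIREFOX, "request"),
    # Same cookie and a copied user agent, but a different network
    ("2023-04-04T11:30:00", "sess-a1", "203.0.113.77", UA_CHROME, "request"),
    # Cookie whose MFA login is not in this log window
    ("2023-04-04T12:00:00", "sess-c3", "203.0.113.90", UA_CHROME, "request"),
]


def client_context(ip, user_agent):
    """Reduce a request to a coarse context: IPv4 /24 prefix plus user agent."""
    return (".".join(ip.split(".")[:3]), user_agent)


def find_replayed_sessions(events):
    """Map session_id -> list of (timestamp, reason, context) for requests whose
    context differs from the one that completed MFA for that session."""
    origin = {}
    findings = defaultdict(list)
    for ts, sid, ip, ua, event in sorted(events):  # ISO timestamps sort in time order
        ctx = client_context(ip, ua)
        if event == "login_mfa_ok":
            origin[sid] = ctx
        elif sid not in origin:
            findings[sid].append((ts, "origin_unknown", ctx))
        elif ctx[0] != origin[sid][0]:
            findings[sid].append((ts, "network_changed", ctx))
        elif ctx[1] != origin[sid][1]:
            findings[sid].append((ts, "user_agent_changed", ctx))
    return dict(findings)


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(EVENTS).items():
        for ts, reason, ctx in hits:
            print(f"{ts} {sid} {reason} network={ctx[0]}.0/24")
```

Because the purchased fingerprint copies the victim's user agent, the user-agent comparison alone would miss the replay in the sample data; the network change is what surfaces it.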

2. Prices Vary by Country

Bots that automatically collect cookies and digital fingerprints are available on the Genesis Marketplace for numerous countries, including Italy, the United States, Singapore, France, Australia, and the United Kingdom. The prices of these bots vary by country and intensity of use.

3. Stealer Logs for Sale Automation

Cybercriminals use attack methods such as rainbow tables, brute force, and credential stuffing to capture passwords.

However, more tech-savvy cybercriminals leverage the capabilities of info stealer malware families like Raccoon, AZORult, and RedLine.

This malware can be distributed through email phishing campaigns, malicious mobile applications, or browser extensions. The stolen data is automatically uploaded to Genesis Market, where it is available to threat actors.

These facts are just the tip of the iceberg, and it’s essential to be aware of the risks posed by such markets. While authorities have taken down Genesis Market, it’s important to note that there are several other underground markets, and cybercriminals will continue to find ways to profit from sensitive data.

The Bot and Fingerprint Harvesting Process

The fingerprints and data included in the “bots” were mostly harvested by infostealer malware, and once purchased, the “bots” could be imported into a browser the criminals had developed called Genesis Security, also available as an extension for other web browsers.

Listings appeared alongside the services that fingerprints had access to, often including Netflix, Amazon, Facebook, and eBay accounts.

Bots could also include credentials for services that didn’t automatically appear in the listings, such as employee networks.

NCA Arresting Genesis Market Suspect (Wearing Blue)

Approximately 135 Million Individual Bot Listings since 2018

The total number of Genesis Market victims isn’t known, although an analyst at Recorded Future said that the market showed approximately 135 million individual bot listings since 2018.

Easy Access to Genesis Market

Genesis Market was an invite-only site, but it was discoverable through regular web search engines. As with most large-scale criminal forums, invite codes were widely available, even being offered on YouTube videos.

Low Barrier to Access

The low barrier to access was part of the design of the criminal service, which functioned as a one-stop-shop for fraud. Genesis even provided a Wiki explaining how it worked for new users in a bid to commoditize the fraud.

Market shutdowns and New Markets

When law enforcement agencies take down popular cybercrime forums like RaidForums and BreachForums, it disrupts the underground cybercrime ecosystem.

It can lead to a decrease in activity on the dark web and make it more difficult for cybercriminals to find and sell stolen data, tools, and services.

URLscan report showing that the Genesis.market website has been seized

However, this disruption also creates a power vacuum that other forums can fill. After the takedown of RaidForums and BreachForums, new forums like PwnedForums have appeared on the scene, vying for the attention of cybercriminals and other members of the underground community.

These new forums often market themselves as more secure and private than their predecessors, appealing to users who may be wary of the risks of getting caught by law enforcement. They may also offer different features or services to attract users, such as specialized marketplaces for certain types of data or tools.

Impact on The Netherlands

Ruben van Well, the team leader of Rotterdam’s cybercrime team, has been working tirelessly on a project to take down one of the most dangerous criminal trading sites on the internet – Genesis Market.

The site was responsible for the sale of millions of user profiles containing online fingerprints, which allowed hackers to take control of their victims’ digital lives.

The site not only sold user account information but also copies of users’ unique online fingerprints, making it easier for hackers to gain control of their victims’ digital lives.

The number of accounts traded on the site totaled at least 1.5 million information packages worldwide, with over two million victims likely affected, including approximately 50,000 Dutch citizens. “Some of them have actually fallen victim to fraud,” van Well stated.

“There are cases where social media profiles were stolen or packages were ordered on someone’s account at a web store. But we also have victims who have had their entire investment portfolio emptied or their bank accounts and crypto wallets completely plundered. In short, you lose control over your entire online life.”

One 71-year-old victim from Almere was repeatedly victimized in various ways, and multiple items were fraudulently purchased in his name from online stores.

Almost €70,000 was stolen from his investment account, and bank accounts were opened in his name at multiple banks. This type of crime can have a significant impact on the victim, as can be imagined.

“In cases like these, we usually advise people to change all their passwords immediately. However, this malware is designed in such a way that it only helps a little. The criminal who has purchased your information will simply receive an update with your new password,” warns van Well.

Check your hack

The Dutch Police has launched a portal to help people check whether their personal information has been compromised on Genesis Market, a notorious criminal marketplace with over 1.5 million bots listed. To use the portal, visit https://www.politie.nl/checkyourhack and enter your email address. If your data has been stolen, it’s important to run your antivirus program to remove any malware and then change all your passwords. Notify relevant parties, such as your bank or insurance company, of the identity theft.

April 7th, 2023

On April 7th, 2023, a 28-year-old man from Maassluis, The Netherlands was presented to the examining magistrate by the Public Prosecutor’s Office on suspicion of computer intrusion, data theft, and identity fraud. The man is one of three suspects arrested by the Rotterdam police unit.

The examining magistrate shares the Public Prosecutor’s view that there is a risk of repeat offense, and the suspect will remain in custody for two more weeks. The other suspects have been released, but remain under investigation.

The man was identified during the global investigation into the Genesis Market, where so-called “online fingerprints” were illegally offered. The digital fingerprints were stolen from victims’ computers by dangerous malware.

The man from Maassluis is suspected of purchasing the digital identity of at least 500 Dutch victims via Genesis Market, paying at least €10,000 for it, and then victimizing at least fifty victims, resulting in a total loss of approximately €150,000.

To Conclude

Genesis Market was a prominent underground marketplace on the dark web that specialized in selling stolen digital identities, such as credentials, fingerprints, web platform vulnerabilities, and cookies.

The market was known for its large number of bots that were available for sale, allowing cybercriminals to perform various cyber-attack techniques.

However, in April 2023, the FBI seized Genesis Market in ‘Operation Cookie Monster’, a significant blow to the dark web economy.

Despite the shutdown of the market, experts warn that new underground markets will likely emerge, and cybercriminals will continue to find ways to profit from sensitive data.

What steps are you taking to protect yourself and your organization from cyber threats?
