In a large-scale international law enforcement operation, Genesis Market, a notorious online marketplace trading in stolen credentials linked to email, banking, and social media accounts, has been effectively dismantled.
The operation, which involved authorities from 17 countries, led to 119 arrests and the execution of 208 property searches across 13 nations, coinciding with the seizure of the illegal platform’s infrastructure. Nonetheless, the market’s .onion mirror appears to still be operational.
The law enforcement action, an “unprecedented” feat, has been named Operation Cookie Monster.
Genesis Market, since its launch in March 2018, grew into a significant nexus for illegal activities, providing access to data stolen from over 1.5 million breached computers around the world, amounting to more than 80 million credentials.
According to data from Trellix, a substantial number of infections associated with Genesis Market related malware were detected in countries including the U.S., Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Poland, Ukraine, Saudi Arabia, India, Pakistan, and Indonesia, among others.
Prominent malware families, such as AZORult, Raccoon, RedLine, and DanaBot, were used to infiltrate victims. These are all capable of pilfering sensitive data from users’ systems. DanaBot was also used to deliver a rogue Chrome extension designed to harvest browser data.
“Access credentials advertised for sale on Genesis Market included those associated with the financial sector, critical infrastructure, and federal, state, and local government agencies,” stated the U.S. Department of Justice (DoJ).
Genesis Market was tagged by the DoJ as one of the “most prolific initial access brokers (IABs) in the cybercrime world.” In a simultaneous announcement, the U.S. Treasury Department also labeled the criminal shop a “key resource” used by threat actors targeting U.S. government organizations.
Beyond credentials, Genesis also sold device fingerprints, which contain unique identifiers and browser cookies, to assist threat actors in evading anti-fraud detection systems used by many websites.
“The combination of stolen access credentials, fingerprints, and cookies enabled purchasers to impersonate the victim, deceiving third-party websites into thinking that the Genesis Market user was the actual account owner,” the DoJ further explained.
Court documents indicate that the U.S. Federal Bureau of Investigation (FBI) gained access to Genesis Market’s backend servers in December 2020 and May 2022. This allowed the agency to access information related to approximately 59,000 users of the cybercrime marketplace.
Packages of stolen information harvested from infected computers, also known as “bots”, were sold for anywhere from $0.70 to several hundred dollars, depending on the nature of the data, as per Europol and Eurojust.
“The most expensive would contain financial information allowing access to online banking accounts,” Europol stated, adding that criminals purchasing the data were also supplied with additional tools to use it inconspicuously.
“Buyers were given a custom browser that would mimic their victim’s. This allowed the criminals to access their victim’s account without triggering any security measures from the platform the account was on.”
The custom Chromium-based browser, referred to as Genesium, is cross-platform, and the developers boast features such as “anonymous surfing” and advanced functionalities that allow users to bypass anti-fraud systems.
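The DoJ and Europol descriptions above (stolen cookies plus a device fingerprint let a buyer look like the account owner, and a browser such as Genesium replays that fingerprint) point to the defensive check a site can run: bind each session cookie to the fingerprint and network origin observed at login, and demand step-up authentication when either changes. The following Python is an added illustration, not code from Genesis Market, Europol, the DoJ, or any product; the header set folded into the fingerprint, the /24 network granularity, and every request below are constructed assumptions. The third scenario shows the caveat a practitioner should keep in mind: when the fingerprint is cloned faithfully, only the network-origin signal still fires, so fingerprint binding alone is not enough.

```python
"""Session-binding check: flag a session cookie that arrives with a device
fingerprint or network origin different from the one seen when it was issued.

Added example, not code from Genesis Market, Europol, the DoJ, or any product.
All headers, addresses, and session ids below are constructed sample data.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Headers folded into a coarse device fingerprint. Which attributes to use is a
# policy choice; this particular set is an assumption for the example.
FINGERPRINT_HEADERS = ("user-agent", "accept-language", "sec-ch-ua-platform")


def fingerprint(headers: dict) -> str:
    """Hash a stable subset of request headers (case-insensitive names)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    parts = [lowered.get(h, "").strip() for h in FINGERPRINT_HEADERS]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


@dataclass
class SessionRecord:
    user: str
    fingerprint: str                      # captured when the cookie was issued
    network: ipaddress.IPv4Network        # /24 of the login address (assumed granularity)
    mismatches: int = 0                   # how many times this cookie was presented oddly


class SessionStore:
    """In-memory stand-in for the server-side session table."""

    def __init__(self) -> None:
        self._sessions: dict[str, SessionRecord] = {}

    def issue(self, sid: str, user: str, headers: dict, client_ip: str) -> SessionRecord:
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        rec = SessionRecord(user, fingerprint(headers), net)
        self._sessions[sid] = rec
        return rec

    def check(self, sid: str, headers: dict, client_ip: str) -> dict:
        """Return a verdict; any mismatch asks for step-up authentication."""
        rec = self._sessions.get(sid)
        if rec is None:
            return {"ok": False, "reason": "unknown-session"}
        reasons = []
        if fingerprint(headers) != rec.fingerprint:
            reasons.append("fingerprint-changed")
        if ipaddress.ip_address(client_ip) not in rec.network:
            reasons.append("network-changed")
        if reasons:
            rec.mismatches += 1
            return {"ok": False, "user": rec.user,
                    "reason": ",".join(reasons), "action": "step-up-auth"}
        return {"ok": True, "user": rec.user}


# Constructed sample traffic (RFC 5737 documentation addresses).
LOGIN_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0",
    "Accept-Language": "en-US,en;q=0.9",
    "Sec-CH-UA-Platform": '"Windows"',
}
OTHER_DEVICE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/112.0",
    "Accept-Language": "ru-RU,ru;q=0.9",
    "Sec-CH-UA-Platform": '"Linux"',
}


def run_demo() -> dict:
    """Issue one session and present its cookie in three ways."""
    store = SessionStore()
    store.issue("sid-constructed-1", "alice", LOGIN_HEADERS, "203.0.113.45")
    return {
        # Same device, same /24: the owner continuing their session.
        "same_device": store.check("sid-constructed-1", LOGIN_HEADERS, "203.0.113.77"),
        # Cookie copied to an unrelated machine on another network.
        "cookie_replay": store.check("sid-constructed-1", OTHER_DEVICE_HEADERS, "198.51.100.9"),
        # Cookie plus a faithfully cloned fingerprint, but from another network:
        # only the network signal remains.
        "cloned_fingerprint": store.check("sid-constructed-1", LOGIN_HEADERS, "198.51.100.9"),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20} {verdict}")
```

In practice the network check should compare ASN or coarse geolocation rather than a raw /24, since legitimate mobile users change addresses often; the point of the example is that each stolen artefact (cookie, fingerprint, origin) is a separate signal, and the more of them a session is bound to, the more a buyer has to reproduce before the replay goes unnoticed.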
Genesis Market, unlike other illegal marketplaces like Hydra, was also accessible over the clearnet, reducing the entry barrier for less-experienced threat actors seeking digital identities to compromise individual accounts and enterprise systems.
The takedown is anticipated to send shockwaves through the underground economy as threat actors scramble for alternatives to fill the void left by Genesis Market.
These arrests and the domain seizure are the latest in a series of disruptions to illegal services by law enforcement. This operation also comes a year after the takedown of Hydra by German authorities in April 2022, causing a “seismic shift in the Russian-language darknet marketplace landscape.”
“A year after Hydra’s takedown, five markets — Mega, Blacksprut, Solaris, Kraken, and OMG!OMG! Market — have emerged as the major players based on the volume of offers and the number of sellers,” Flashpoint said in a recent report.
This development is also concurrent with the launch of a new dark web marketplace called STYX that primarily focuses on financial fraud, money laundering, and identity theft, reportedly opening its doors around January 19, 2023.
“STYX’s specific service offerings include cash-out services, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware, and much more,” Resecurity said in a detailed report.
Like Genesis Market, STYX also provides utilities designed to bypass anti-fraud solutions and access compromised accounts using detailed digital identifiers like stolen cookie files, physical device data, and network settings to mimic legitimate customer logins.
The rise of STYX as a new platform in the commercial cybercriminal ecosystem signifies that the illegal services market remains a lucrative business, enabling malicious actors to profit from credential theft and payment data.
“Most STYX Marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online-marketplaces, e-commerce, and other payment applications,” Resecurity noted. “The geographies targeted by these threat actors are global, spanning the U.S., E.U., U.K., Canada, Australia, and multiple countries in APAC and the Middle East.”