FBI seizes Genesis Market, a notorious hacker marketplace for stolen logins
U.S. law enforcement agencies have seized Genesis Market, a notorious hacker marketplace used to acquire compromised credentials and digital browser fingerprints.
The takedown, dubbed “Operation Cookie Monster,” has not yet been announced by the FBI, but Genesis Market domains now display a notice stating that the U.S. law enforcement officials have executed a seizure warrant. “Genesis Market’s domains have been seized by the FBI pursuant to a seizure warrant issued by the United States District Court for the Eastern District of Wisconsin,” the message reads.
In addition to the FBI, the notice says the takedown involved law enforcement agencies from the United Kingdom, Europe, Australia, Canada, Germany, Poland and Sweden.
The operation also saw 120 people arrested and 200 searches carried out globally, the U.K.’s National Crime Agency announced on Wednesday. The NCA said it arrested 19 suspected users of the site in the U.K., including two men aged 34 and 36, who are being held on suspicion of fraud and computer misuse.
The FBI also provided data breach notification website Have I Been Pwned with “millions” of email addresses and passwords from the Genesis Market, which internet users can check to see if they were compromised.
TechCrunch contacted Europol, the FBI, and the Department of Justice. but has not yet received a response.
Genesis Market has been active since 2017 as an invitation-only online marketplace that sells stolen credentials, cookies, and digital browser fingerprints gathered from compromised systems. These fingerprints, or “bots,” included IP addresses, session cookies, plugins and operating system details, enabling attackers to impersonate victims’ browsers to access their online banking and subscription services, such as Amazon and Netflix, without needing the victim’s password or two-factor token.
Before its shutdown, Genesis claimed that these browser fingerprints would be kept up to date for as long as it retained access to a compromised device.
“In other words, Genesis customers aren’t making a one-time buy of stolen information of unknown vintage; they’re paying for a de facto subscription to the victim’s information, even if that information changes,” Yusuf Arslan Polat, senior threat researcher at Sophos, said in an analysis of Genesis Market last year.
Even up to its seizure, the number of infected devices for sale on the marketplace was growing in size.
“In 2021, over 20,000 new bots a month were being added to the site,” said Cyril Noel-Tagoe, principal researcher at cybersecurity and bot management company Netacea. “The market was temporarily down in the middle of 2022, however despite this, by March 2023, the number of bots available for sale had grown to over 450,000.”
According to reports, the now-defunct marketplace has been linked to millions of financially motivated cyber incidents globally. In June 2021, the hackers who breached gaming giant Electronic Arts claimed to gain access to the gaming giant by purchasing a $10 bot from Genesis Market that let them log into a company Slack account.
“As a result of the Genesis Market’s seizure, we expect to see an exodus of sellers and customers to competitor marketplaces,” Noel-Tagoe tells TechCrunch. “There are multiple other illicit marketplaces selling logs and credentials, although not on the scale of the Genesis Market. Alternatively, if a significant core of the Genesis Market administrators evade law enforcement, they may splinter off and create a new version of the site.”
The takedown of Genesis Market comes just weeks after the FBI gained access to the infamous BreachForums hacking forum and arrested a 20-year-old New York man accused of running the site. It also comes after U.S. law enforcement last year announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information — including Social Security numbers — of millions of Americans.