Genesis Market Takedown Sees 120 Suspects Arrested

Largest online marketplace selling stolen credentials to criminals worldwide has been taken down in international operation

Police and law enforcement around the world have taken down one of the biggest online marketplaces selling stolen credentials to criminals worldwide.

Genesis Market was taken offline on Tuesday 4 April in an action involving 17 countries, led by the FBI and the Dutch National Police, the UK’s National Crime Agency (NCA) reported.

The notorious hacker marketplace was used by criminals to acquire compromised credentials and digital browser fingerprints.

The takedown involved law enforcement agencies from the US, the Netherlands, the United Kingdom, Europe, Australia, Canada, Germany, Poland and Sweden.

Genesis takedown

Genesis Market was a go-to service for criminals seeking to defraud victims, having hosted approximately 80 million credentials and digital fingerprints stolen from over two million people, the NCA said.

As part of the investigation, the NCA said that it identified hundreds of UK-based users of the platform and 31 warrants were executed on Tuesday and Wednesday morning in co-ordinated raids by the NCA, Regional Cyber Crime Units and police forces.

The NCA said that 24 people were arrested in the UK, including two men, aged 34 and 36, who were detained by the NCA in Grimsby on suspicion of Computer Misuse Act and fraud offences.

In total, there were around 120 arrests, over 200 searches and close to 100 pieces of preventative activity carried out across the globe.

“Behind every cyber criminal or fraudster is the technical infrastructure that provides them with the tools to execute their attacks and the means to benefit financially from their offending,” said Rob Jones, NCA Director General NECC and Threat Leadership.

“Genesis Market was a prime example of such a service and was one of the most significant platforms on the criminal market. Its removal will be a huge blow to criminals across the globe,” said Jones.

“Targeting this infrastructure is at the core of the NCA’s efforts to disrupt the highest harm offenders and protect the public from those seeking to infiltrate their lives, stealing their identities and their money,” said Jones.

Matthew Gracey-McMinn, head of threat research at Netacea, has tracked Genesis Market, a dark web site that traded in digital identities by selling ‘bots’ containing information harvested from victim devices that had been infected in malicious attacks.

The bots would give criminals access to all the data pertaining to an individual identity, such as cookies, saved logins and autofill form data.

Big win

Julia O’Toole, CEO of MyCena Security Solutions, noted that the Genesis marketplace was one of the most established Identity Access Brokers, so this was a big win for the FBI.

“The operators of the site would collect data on internet users, including their login credentials, auto-filled passwords and their browser cookies in a bid to bypass MFA and access their online accounts,” noted O’Toole. “When they gained access to these, there would be no alerts the account was compromised as attackers simply logged in, so it was only after fraudulent activity occurred that the victim was made aware.”

“Marketplaces like Genesis highlight the dangerous consequences when employees save their passwords in browsers,” said O’Toole. “Yes, it may be more convenient, but when their device or internet search account falls into the wrong hands, a criminal is suddenly awarded with access to everything. It is akin to putting all your eggs in one basket, something we are always told to avoid.

“To counter breaches that use credential theft or stolen identities, organisations must move away from employee-made passwords, biometric passwordless identification and single sign-on solutions. Instead, they can rely on technology that generates and encrypts strong independent passwords for their employees,” said O’Toole. “This removes the threat of password phishing and Identity Access Brokers selling their credentials, which effectively puts an end to sites like Genesis.”

Significant event

Another cyber expert, Roman Faithfull, a cyber threat intelligence analyst at ReliaQuest, said that the takedown of Genesis Market was a significant event in the cybercriminal landscape given the large number of customers who frequented the site.

“However, in the months prior to the takedown, Genesis experienced a number of technical issues and was frequently unavailable, leading to complaints from cybercriminals, who may already have begun migrating to another service as a result,” noted Faithfull.

“Viable alternatives to Genesis do exist, including gated sites that require a monetary deposit to use the site,” said Faithfull. “It is likely that former users of Genesis will turn to these services to purchase stolen logs and credentials. It is also realistically possible that threat actors will turn to purchasing or creating their own info stealers, as recommended on cybercriminal forums, until a trusted and viable Genesis alternative returns.”

“Alternatively, operators of many existing info-stealers have Telegram channels where they share logs directly (either for free or in exchange for payment),” said Faithfull. “It appears that cybercriminals will seek to take advantage of those looking for Genesis replacements by creating scam pages of its alternatives, with several fakes of competing platforms popping up already.”

Credential stealing

Another expert offered the hope that the Genesis Market takedown may curb the activities of those intent on exploiting stolen credentials.

“This global takedown of the largest online cybercriminal marketplace of its kind will have a notable impact on the activities of cybercriminals focused on stolen credential usage for the rest of the year,” said John Fokker, head of threat intelligence at Trellix Advanced Research Center.

“The Genesis Market lowered the barrier to entry for many cybercriminals, and allowed others to scale their operations quickly and execute focused attacks for quick financial gains,” said Fokker. “Not even counting the arrests of Genesis Market users, simply the loss of this platform will slow down many cybercriminal activities.”

FBI coup

Another security expert also noted that the Genesis takedown is a notable victory for the FBI.

“Genesis marketplace was an invite-only cybercrime institution that held data on account holders from almost all major websites,” noted Mark Lamb, CEO of Scottish cyber startup HighGround.io.

“The operators offered customers a pre-made package on victims, enabling them to access accounts and execute attacks quickly, with all the information they needed to commit fraud,” said Lamb. “Unfortunately, very few victims were aware they had been compromised until money was stolen or goods were purchased, as there was nothing malicious for threat detection tools to alert on.”

“This is another coup for the FBI that follows a long string of recent takedowns,” said Lamb. “It will be interesting to see if the operators of Genesis are caught, because given the scale of the operation they were running, the FBI will not let them off lightly.”