The FBI and Dutch National Police and a team consisting of law enforcement agencies from 17 countries resulted in the takedown of the notorious Genesis Market on an April 4 action day. A command post was set up at Europol’s headquarters on the action day to coordinate the different enforcement measures being carried out across the globe.
Beginning in March 2018, Genesis Market had been selling stolen account credentials for email, bank accounts and social media to hackers worldwide, with more than 1.5 million bot listings, 2 million identities and more than 80 million account access credentials at the time of its takedown.
Genesis Market was also one of the most prolific initial access brokers (IABs) in the cybercrime world. IABs attract criminals looking to easily infiltrate a victim’s computer system, according to the FBI.
Simultaneous actions were also conducted around the world against the users of this platform, resulting in 119 arrests, 208 property searches and 97 knock and talk measures. In addition, Operation Cookie Monster, a US law enforcement initiative, seized 11 domain names used to support Genesis Market’s infrastructure. Genesis Market’s infrastructure was seized.
“Yesterday, the Department of Justice and its partners dismantled the Genesis Market and arrested many of its users around the world,” said Deputy Attorney General Lisa O. Monaco. “Genesis falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the Department to identify, locate, and arrest on-line criminals. The Department of Justice is shining a light on the internet’s darkest corners – in the last year alone, our agents, prosecutors, and partners have dismantled the darknet’s largest marketplaces – Hydra Market, BreachForums, and now Genesis. Each takedown is yet another blow to the cybercrime ecosystem.”
What Genesis Market did
Genesis Market trafficked in digital identities, offering ‘bots’ to infect victims’ devices through malware or account takeovers attacks. The price per bot would range from as little as US$0.70 up to several hundreds of dollars depending on the amount and nature of the stolen data. The most expensive ones could enable access to online bank accounts.
Genesis Market was a user-friendly tool that enabled users to search for stolen access credentials based on location and/or account type (e.g., banking, social media, email, etc.).
In addition to access credentials, Genesis Market obtained and sold device “fingerprints,” which are unique combinations of device identifiers and browser cookies that circumvent anti-fraud detection systems used by many websites. The combination of stolen access credentials, fingerprints, and cookies allowed purchasers to assume the identity of the victim by tricking third party websites into thinking the Genesis Market user was the actual owner of the account.
Using bots, criminals could access browser fingerprints, cookies, saved logins and autofill form data in real time and notify the bot’s buyer of any changes.
What bot users did with stolen data
In addition to harvesting stolen data, criminal bot buyers were also provided with a custom browser that could access their victim’s account without triggering any of the security measures from the platform the account was on, such as the criminal’s log-in location, browser fingerprint or device operating system.
How law enforcement responded
Europol’s European Cybercrime Centre (EC3) had been supporting this investigation since 2019 by coordinating the international activity with the help of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol. EC3’s support included data analysis, the organisation of operational meetings and the facilitation of the information exchange. A command post was also set-up at Europol’s headquarters in The Hague, the Netherlands to ensure the smooth running of the action day across the world.
Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved. The Agency hosted a coordination meeting in March 2023 to prepare for this week’s operation and hosted a command center on 4 April to resolve any legal issues arising during the parallel operations in 13 countries.
Further reading
Criminial Marketplace Disrupted in International Cyber Operation. Press release. April 5, 2023. US Department of Justice, Office of Public Affairs.
Takedown of notorious hacker marketplace selling your identity to criminals. Press release. April 5, 2023. Europol
Why it matters
Genesis Market may have sold your credentials and data. If so, notify relevant stakeholders such as your bank, insurance company and any other important third party.
What to do next
The Dutch Police has developed a portal to check whether your information has been compromised. Visit https://www.politie.nl/checkyourhack and fill in your email address to control whether it is part of a Genesis Market leak.
Consumers should also take simple preventive steps to make it more difficult for hackers to access devices and data:
- Keep your software updated, including your browser, antivirus and operating system.
- Browse and download only official versions of software and always from trusted websites.
- Be wary while browsing the internet and do not click on suspicious links, pop-ups or dialog boxes.
- Think twice before clicking on links or attachments within unexpected emails.
- Set up unique passwords. Generate strong passwords or passphrases for each individual website and service. This is where the use of a password manager comes in handy.
- Activate multifactor authentication functionality whenever possible for all of your accounts.
- Use antivirus software on your electronic devices.
Victim credentials obtained over the course of the investigation have been provided to the website Have I Been Pwned, which is a free resource for people to quickly assess whether their access credentials have been compromised (or “pwned”) in a data breach or other activity.
The FBI encourages users who were active on Genesis Market, been in contact with Genesis Market administrators, or have been a victim and need to report, to email the FBI at FBIMW-Genesis@fbi.gov
Agencies participating in the Genesis Market investigation
- Australia: Australian Federal Police (AFP), State and Territory Police Forces
- Canada: 25 Law Enforcement Agencies supported by Sûreté du Québec (SQ) & Royal Canadian Mounted Police (RCMP)
- Denmark: National Police (Politi)
- Estonia: Police and Border Guard Board (Politsei ja Piirivalveamet)
- Finland: National Bureau of Investigation (Keskusrikospoliisi/ Centralkriminalpolisen)
- France: National Police (Police Nationale)
- Germany: Federal Criminal Police Office (Bundeskriminalamt)
- Italy: National Police (Polizia di Stato)
- Netherlands: National Police (Politie)
- New Zealand: New Zealand Police – Ngā Pirihimana o Aotearoa
- Poland: Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości)
- Romania: National Police (Poliția Română)
- Spain: National Police (Policia Nacional) and Civil Guard (Guardia Civil)
- Sweden: Swedish Police Authoirity (Polisen)
- Switzerland: Federal Police (fedpol), Cantonal Police of Zurich (Kantonspolizei Zürich)
- United Kingdom: National Crime Agency (NCA)
- United States: Federal Bureau of Investigation (FBI)
