A significant international law enforcement operation has successfully dismantled Genesis Market, an illicit online platform that specialized in trading stolen account credentials across email, banking, and social media domains. This joint effort involved authorities from 17 separate nations, leading to 119 arrests and 208 property investigations across 13 countries.

Despite the operation’s scale, reports indicate that the .onion mirror of Genesis Market is still operational. The crackdown, described as “unprecedented,” has been named Operation Cookie Monster, highlighting the collaborative move against cybercriminal activity.

Since its establishment in March 2018, Genesis Market became a hub for cybercrime, offering data from over 1.5 million compromised computers, equating to more than 80 million stolen credentials. Most of the infections tied to malware associated with Genesis Market occurred in the United States, Mexico, and several European countries, according to research from cybersecurity firm Trellix.

Prominent malware families such as AZORult, Raccoon, RedLine, and DanaBot were used to harvest victims’ information. DanaBot, in particular, has delivered a malicious Chrome extension aimed at exfiltrating sensitive browser data. The U.S. Department of Justice (DoJ) noted that the credentials listed for sale included access to sensitive sectors such as finance and government agencies.

The DoJ characterized Genesis Market as one of the most notable initial access brokers (IABs) in the cybercriminal landscape. In conjunction with sanctions issued by the U.S. Treasury Department, the operation identified Genesis Market as a critical resource for cybercriminals targeting U.S. governmental organizations.

Genesis Market also marketed device fingerprints, including unique identifiers and browser cookies, which gave threat actors a way to bypass the anti-fraud detection systems employed by various websites. The combination of stolen credentials and device fingerprints enabled buyers to impersonate victims and circumvent security measures that would otherwise flag a login from an unfamiliar device.
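The defensive consequence of this bundling is that a server-side check which only compares the browser fingerprint bound at login is defeated when the fingerprint is sold alongside the cookie. The following added example (not from the article or any vendor) binds a session to both the fingerprint and a constructed network-origin label, revokes the session on a fingerprint mismatch, and demands step-up authentication when the fingerprint matches but the origin has drifted; all attribute names and sample values are constructed.

```python
"""Session binding check that does not trust a cloned fingerprint alone."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret


def fingerprint_hash(device: dict) -> str:
    """Keyed hash of canonicalized client attributes (constructed field names)."""
    canonical = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side store mapping session tokens to their login-time context."""

    def __init__(self):
        self.sessions = {}

    def issue(self, user: str, device: dict, origin: str) -> str:
        """Issue a cookie value bound to the device fingerprint and network origin."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": user,
            "fp": fingerprint_hash(device),
            "origin": origin,
        }
        return token

    def validate(self, token: str, device: dict, origin: str) -> str:
        """Return 'ok', 'step_up' (re-authenticate) or 'revoked'."""
        sess = self.sessions.get(token)
        if sess is None:
            return "revoked"
        if not hmac.compare_digest(sess["fp"], fingerprint_hash(device)):
            # Cookie presented by a different device: treat as theft.
            del self.sessions[token]
            return "revoked"
        if origin != sess["origin"]:
            # Fingerprint matches (possibly cloned with the cookie) but the
            # network changed: the cookie alone is not enough, require MFA.
            return "step_up"
        return "ok"
```

The origin label stands in for whatever network signal a deployment already has (ASN, country, corporate egress); the point is that a second signal independent of the browser must gate sensitive actions.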

Investigative court documents revealed that the FBI had infiltrated Genesis Market’s backend servers on two separate occasions, in December 2020 and May 2022, allowing access to information pertaining to approximately 59,000 users. The market’s packages of stolen information were sold at prices ranging from $0.70 to several hundred dollars, with financial data commanding the highest prices.

The recent takedown is expected to have a “ripple effect” within the underground economy, as cyber adversaries will inevitably seek new avenues to replace the functionalities of Genesis Market. This operation comes exactly a year after the shutdown of Hydra, another notorious marketplace, marking a notable trend of heightened law enforcement activity against cybercrime platforms.

The current landscape indicates that while Genesis Market has been dismantled, new players like the recently launched STYX marketplace are emerging. STYX aims to specialize in financial fraud, money laundering, and identity theft, using sophisticated methods similar to those previously employed by Genesis Market, demonstrating the persistent nature of cybercriminal operations.

Business owners should be particularly vigilant, as the techniques likely employed in such cybercrimes align with the MITRE ATT&CK framework, encompassing tactics such as initial access, credential dumping, and exfiltration. The ongoing evolution of these criminal marketplaces underscores the pressing need for enhanced cybersecurity measures across organizational infrastructures.