Law enforcement agencies in several countries have worked together to disrupt a notorious cybercrime website called Genesis Market, but there is evidence that the takedown attempt’s impact — particularly on infrastructure — may be limited.
Launched in 2018, Genesis is an invite-only marketplace that has been offering so-called ‘bots’ that provide cybercriminals with access to online accounts and systems.
These bots are created using information obtained by malware from infected devices. Each bot contains not only credentials required to access the victim’s accounts, but also device fingerprints (cookies and browser data) that enable hackers to gain access to the desired resource without triggering any alarms because the request appears to be coming from the legitimate user’s device.
Law enforcement agencies in the United States, Europe and Australia announced the results of an operation against Genesis Market on Wednesday. The operation, named ‘Cookie Monster’, involved 17 countries and resulted in roughly 120 arrests and 200 property searches.
Investigators said Genesis has offered data from over 1.5 million compromised computers, totaling more than 80 million account credentials. While many of these credentials are associated with banking, social media and email accounts, some provide access to government systems. The FBI said the site’s operators have earned $8.7 million in cryptocurrency.
Even before the official announcement was made, the cybersecurity community noticed that the surface web domains associated with Genesis Market started displaying an image informing visitors that the website has been seized by the FBI as part of an international law enforcement operation.
Court documents revealed that investigators managed to gain access to backend servers and other infrastructure supporting Genesis, which enabled them to take control of several domains.
The US Department of the Treasury on Wednedsay announced sanctions against Genesis Market, revealing that it’s likely operated out of Russia.
While the press releases issued by government and law enforcement agencies describe the action as a takedown, disruption, and dismantlement, the extent of the operation’s impact has been called into question.
More than 100 people have been arrested around the world, but they are likely users of the site rather than administrators. The message posted on the seized domains instructs those who have been in contact with Genesis admins to reach out to the FBI, which suggests authorities are still looking for them.
Cybersecurity firm ZeroFox noted that Genesis Market can still be accessed on Tor and it remains stable and functional. In addition, the site’s administrators announced that they plan on setting up new domains.
“Over the past year, Genesis admins have been increasing scrutiny of their forum users to ban all suspected law enforcement officers and researchers from the site, shutting down completely between April and June 2022 and then reopening with the mandate for users to reassert their bonafides. Even before the announcement of the alleged seizure, Genesis required new users to contact the admins directly or buy an invite from a certified user on another dark web forum,” ZeroFox said.
Researcher Michele Campobasso pointed out that not only is Genesis still accessible via its Tor domain, but it also continues to be updated with new information that is offered for sale. Campobasso noted that the only difference is that the new bots added to the site do not include the cookie and browser data needed to impersonate users, which suggests that at least a part of the supply chain did get compromised.
On the other hand, while the impact on the technical aspect of the Genesis operation may be limited, the large number of arrests could have a significant impact on its profitability. Many of the site’s users, particularly ones located in countries where they are likely to be identified and arrested, will likely think twice before using Genesis again.
Investigators have collected data on millions of victims whose credentials were sold on Genesis. This has allowed Dutch police to create an online tool that allows users to check if their are impacted. In addition, the Genesis data has also been added to the Have I Been Pwned breach notification service.
Related: Authorities Seize Online Marketplace for Stolen Credentials
Related: US Charges Six in Operation Targeting 48 DDoS-for-Hire Websites
Related: VPNLab Goes Down After Servers Seized in Law Enforcement Operation