Connect with us

Hi, what are you looking for?



Success of Genesis Market Takedown Attempt Called Into Question

Law enforcement announced the takedown of Genesis Market, but the impact on the cybercrime marketplace’s infrastructure may be limited.

Genesis seized

Law enforcement agencies in several countries have worked together to disrupt a notorious cybercrime website called Genesis Market, but there is evidence that the takedown attempt’s impact — particularly on infrastructure — may be limited.

Launched in 2018, Genesis is an invite-only marketplace that has been offering so-called ‘bots’ that provide cybercriminals with access to online accounts and systems.

These bots are created using information obtained by malware from infected devices. Each bot contains not only credentials required to access the victim’s accounts, but also device fingerprints (cookies and browser data) that enable hackers to gain access to the desired resource without triggering any alarms because the request appears to be coming from the legitimate user’s device. 

Law enforcement agencies in the United States, Europe and Australia announced the results of an operation against Genesis Market on Wednesday. The operation, named ‘Cookie Monster’, involved 17 countries and resulted in roughly 120 arrests and 200 property searches. 

Investigators said Genesis has offered data from over 1.5 million compromised computers, totaling more than 80 million account credentials. While many of these credentials are associated with banking, social media and email accounts, some provide access to government systems. The FBI said the site’s operators have earned $8.7 million in cryptocurrency. 

Even before the official announcement was made, the cybersecurity community noticed that the surface web domains associated with Genesis Market started displaying an image informing visitors that the website has been seized by the FBI as part of an international law enforcement operation.

Court documents revealed that investigators managed to gain access to backend servers and other infrastructure supporting Genesis, which enabled them to take control of several domains. 

Advertisement. Scroll to continue reading.

The US Department of the Treasury on Wednedsay announced sanctions against Genesis Market, revealing that it’s likely operated out of Russia.

While the press releases issued by government and law enforcement agencies describe the action as a takedown, disruption, and dismantlement, the extent of the operation’s impact has been called into question. 

More than 100 people have been arrested around the world, but they are likely users of the site rather than administrators. The message posted on the seized domains instructs those who have been in contact with Genesis admins to reach out to the FBI, which suggests authorities are still looking for them. 

Cybersecurity firm ZeroFox noted that Genesis Market can still be accessed on Tor and it remains stable and functional. In addition, the site’s administrators announced that they plan on setting up new domains. 

“Over the past year, Genesis admins have been increasing scrutiny of their forum users to ban all suspected law enforcement officers and researchers from the site, shutting down completely between April and June 2022 and then reopening with the mandate for users to reassert their bonafides. Even before the announcement of the alleged seizure, Genesis required new users to contact the admins directly or buy an invite from a certified user on another dark web forum,” ZeroFox said. 

Researcher Michele Campobasso pointed out that not only is Genesis still accessible via its Tor domain, but it also continues to be updated with new information that is offered for sale. Campobasso noted that the only difference is that the new bots added to the site do not include the cookie and browser data needed to impersonate users, which suggests that at least a part of the supply chain did get compromised. 

On the other hand, while the impact on the technical aspect of the Genesis operation may be limited, the large number of arrests could have a significant impact on its profitability. Many of the site’s users, particularly ones located in countries where they are likely to be identified and arrested, will likely think twice before using Genesis again. 

Investigators have collected data on millions of victims whose credentials were sold on Genesis. This has allowed Dutch police to create an online tool that allows users to check if their are impacted. In addition, the Genesis data has also been added to the Have I Been Pwned breach notification service.

Related: Authorities Seize Online Marketplace for Stolen Credentials

Related: US Charges Six in Operation Targeting 48 DDoS-for-Hire Websites

Related: VPNLab Goes Down After Servers Seized in Law Enforcement Operation

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...