The UK's National Crime Agency (NCA) announced on Wednesday that Genesis Market, a massive dark web marketplace popular among cybercriminals, has been shut down by international law enforcement agencies in a cross-border operation called "Operation Cookie Monster".
On Tuesday night, "ODN" accessed the Genesis Market dark web site and found a familiar banner image posted there, stating that the organization's domain had been seized by the Federal Bureau of Investigation (FBI) and shut down as part of "Operation Cookie Monster". Anyone accessing the Genesis site would see the details of the shutdown message, as well as the logos of police organizations from other European countries, Canada, and Australia, and of Qintel, a cybersecurity company.
"We assess that Genesis was one of the most significant dark web marketplaces anywhere in the world," said Rob Jones, Director of Threat Leadership at the NCA.
The NCA estimates that the dark web service hosted approximately 80 million credentials and digital fingerprints stolen from over two million people.
The US Treasury Department referred to the market as "one of the most prominent brokers of stolen credentials and sensitive information."
UK authorities said that 17 countries participated in the operation, led by the FBI and the Dutch National Police, with 200 searches carried out globally, 120 arrests made, and almost 100 "preventative actions" successfully taken. The US Treasury Department said it believed that the Genesis Market dark web site was run by administrators based in Russia.
Louise Ferrett, an analyst at UK cybersecurity company Searchlight Cyber, said Genesis specializes in the sale of digital products, particularly "browser fingerprints" collected from malware-infected computers.
She said that since these fingerprints often include details such as credentials, cookies, IP addresses, and other browser or operating system information, criminals can use them to bypass anti-fraud solutions such as multi-factor authentication or device fingerprinting.
The NCA said that Genesis sold credentials at prices ranging from 70 cents to several hundred dollars, depending on the available stolen data.
"To access and operate on this dark web site, all you needed to do was know about it, and you could potentially get an invitation, which given the number of users, wouldn't necessarily be that difficult," said Will Lyne, Head of Intelligence at the NCA. "Once you became a user, it was easy to…conduct criminal activity."
The NCA said that the participating countries in the investigation included Australia, Canada, Denmark, Estonia, Finland, France, the US, the UK, Germany, Iceland, Italy, New Zealand, Poland, Romania, Spain, Sweden, and Switzerland.
Genesis Market on the Dark Web
Genesis Market operates on the open web, not just the dark web. It was founded in 2017, has been active since 2018, and is known for its user-friendly English-language interface.
It is a one-stop-shop for login data used for online fraud. Users can purchase login information, including passwords and other parts of the victim's "digital fingerprint," such as their browser history, cookies, auto-fill form data, IP address, and location.
This allows fraudsters to log into bank, email, and shopping accounts, redirect deliveries, and even change passwords without arousing suspicion.
Login information for Facebook, PayPal, Netflix, Amazon, eBay, Uber, and Airbnb accounts is among the data sold. If the password changes, the criminal who purchased the information may even receive a notification from Genesis.
Genesis provides its customers with a customized browser that will use the stolen data to mimic the victim's computer, making it appear as though they are accessing their account from their usual location and device. Therefore, the access does not trigger any security alerts.
"This is a very sophisticated website, very easy to use, with a wiki [a website that can be edited or contributed to by users] that tells you how to use it, and it can be accessed on both the open web and the dark web," Mr. Jones said.
"So, you don't need to be a sophisticated cyber actor to get into this space. You just need to be able to use a search engine and then you can start to commit crimes."
Depending on the available amount of data, the price for a victim's information can be less than $1 or several hundred dollars.
Although Genesis users mainly access it for fraud purposes, the data sold can also be used for ransomware attacks, where hackers block access to data and demand payment to release it.
Personal data that led to the 2021 hack of gaming giant Electronic Arts (EA) was sold for just $10.
Business information is also sold on the website, which facilitates fraud, phone number hacking, and ransomware attacks.
Will Lyne, NCA's Director of Intelligence, said Genesis was a "huge driver of fraud" and one of the most significant markets for purchasing login information.
The NCA believes that tens of thousands of criminals have been using Genesis, with several hundred users in the UK alone. There are about two million victims worldwide, tens of thousands of them in the UK.
Many victims first realize something is wrong when they see fraudulent transactions on their accounts, or if they're lucky, receive a message that someone has logged in as them.
Potential victims can be searched by country/region, and the data can be viewed before purchasing.
Avoid becoming a victim of this type of market
Internet users who wish to avoid fraud are advised to keep their computer and cell phone operating systems up to date, use two-factor authentication (2FA) and strong passwords, such as those involving three random English words.
People can check whether they are victims by visiting https://www.politie.nl/checkyourhack.