119 arrested in Genesis Market takedown

Genesis Market, an illicit marketplace that specializes in the sale of stolen credentials, was subject to a takedown Tuesday in an international law enforcement operation that resulted in 119 arrests.

The operation, named Operation Cookie Monster, was announced Wednesday and led by the FBI's Milwaukee field office and the Dutch National Police, with assistance from 44 other FBI field offices. According to a press release from the U.S. Department of Justice (DOJ), international law enforcement partners included the U.K., Canada, Italy, Spain, Romania and others.

Since the founding of Genesis Market in 2018, it "has offered access to data stolen from over 1.5 million compromised computers around the world containing over 80 million account access credentials," according to the DOJ's press release.

Credentials included those for individual banking, social media and email accounts, plus initial access to organization networks. These organizations, the DOJ said, include those "connected to the financial sector, critical infrastructure, and federal, state, and local government agencies."

"Genesis Market was also one of the most prolific initial access brokers (IABs) in the cybercrime world. IABs attract criminals looking to easily infiltrate a victim's computer system," the statement continued. "Genesis Market offered for sale the type of access sought by ransomware actors to attack computer networks in the United States and around the world, and published private-sector reports indicate that they indeed were used by ransomware actors to attack such systems."

Law enforcement also managed to identify numerous prolific Genesis Market users who either purchased or used the stolen credentials. Eleven domain name seizures and 119 arrests occurred as a result of Operation Cookie Monster. A Europol news release said the operation also included "208 property searches and 97 knock and talk measures."

According to the FBI's warrant for the operation, the bureau has been investigating Genesis Market since 2018. The affidavit revealed that as part of its investigation, the FBI funded the sale of approximately 115 "packages" of stolen data from the marketplace using bitcoin. The bureau then tracked the payments and used a cryptocurrency payment processor and a hosting provider to gain insights into both the marketplace's merchants and how the marketplace works.

The FBI also, as part of its investigation, gained access to multiple Genesis back-end servers. A forensic image of a server obtained in late 2020 contained "voluminous records," the affidavit said, including usernames and passwords, email accounts, bitcoin addresses, user search and purchase history, user tickets and comments, and records of packages sold or displayed for sale on Genesis.

"The FBI reviewed this data and found (1) that as of on or about December 7, 2020, there were approximately 33,000 Genesis Market users and approximately 900,000 individual packages (or 'bots') that had been listed for sale or sold on Genesis Market, and (2) that more than $4,000,000 dollars' worth of virtual currency had been deposited into Genesis Market," the warrant read.

The FBI obtained a forensic image of a second server located outside the United States in mid-2022 with updated figures. Through "on or about May 18" of that year, Genesis Market had 59,000 individual user accounts, 1.5 million packages for sale and "more than 200,000 account access credentials for sale on Genesis Market that were associated with federal, state, and local government accounts."

The Genesis Market takedown is the latest in a line of recent marketplace disruptions. The FBI last month arrested the alleged owner and administrator of BreachForums, a darknet message board that facilitates the sale of stolen breach data. Law enforcement took down Hydra, another illicit darknet market, approximately one year ago.

However, questions remain regarding how complete the FBI's takedown of Genesis Market actually was. Security vendor ZeroFox said in a Wednesday blog post that the Tor version of the marketplace is still live, and Emsisoft threat analyst Brett Callow told TechTarget Editorial that a darknet version of the market is still up as of press time.

"There's no way of knowing how deeply compromised the Genesis operation was and still is," Callow said via email. "While the Tor site is still operational, smart cybercriminals will avoid using it. While something will eventually take Genesis' place, the takedown operation was undoubtedly a success. Cybercriminals operated with near-complete impunity in the past, but that's starting to change -- and that means there's more of a deterrent."

John Fokker, head of threat intelligence at Trellix, told TechTarget Editorial that until Genesis' administrators are taken into custody, they will likely "continue to take action in retaliation for the takedown." However, he added, this reality doesn't lessen the impact of the marketplace's takedown.

"Not even counting the arrests of hundreds of Genesis Market users, simply the loss of this platform will slow down many cybercriminal activities globally," Fokker said. "In the grand scheme of things, the number of global arrests for threat actors has been ramping up in recent years, making cybercriminals think twice. Furthermore, I suspect Genesis will not find it easy to recover from this -- as the identification of their uses severely undermines their credibility as a platform."

Trellix assisted with law enforcement efforts in analyzing malicious binaries linked to the marketplace. The security vendor's efforts are detailed in a Wednesday blog post.

The FBI declined TechTarget Editorial's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.