An unprecedented law enforcement operation involving 17 countries has resulted in the takedown of Genesis Market, one of the most dangerous marketplaces selling stolen account credentials to hackers worldwide. As a result of an action day on 4 April, this illegal service was shut down and its infrastructure seized.
Simultaneous actions were also carried out across the globe against the users of this platform, resulting in 119 arrests, 208 property searches and 97 knock and talk measures.
This international sweep was led by the U.S. Federal Bureau of Investigation (FBI) and the Dutch National Police (Politie), with a command post set up at Europol’s headquarters on the action day to coordinate the different enforcement measures being carried out across the globe.
Genesis Market was considered one of the biggest criminal facilitators, with over 1.5 million bot listings totalling over 2 million identities at the time of its takedown.
Why was Genesis Market so dangerous?
Genesis Market’s main criminal commodity was digital identities. This marketplace would offer for sale what the market owners referred to as ‘bots’ that had infected victims’ devices through malware or account takeovers attacks.
Upon purchase of such a bot, criminals would get access to all the data harvested by it such as fingerprints, cookies, saved logins and autofill form data. This information was collected in real time – the buyers would be notified of any change of passwords, etc.
The price per bot would range from as little as USD 0.70 up to several hundreds of dollars depending on the amount and nature of the stolen data. The most expensive would contain financial information which would allow access to online banking accounts.
The criminals buying these special bots were not only provided with stolen data, but also with the means of using it. Buyers were provided with a custom browser which would mimic the one of their victim. This allowed the criminals to access their victim’s account without triggering any of the security measures from the platform the account was on. These security measures include recognising a different log-in location, a different browser fingerprint or a different operating system.
In addition, unlike other criminal marketplaces, Genesis Market was accessible on the open web, although obscured from law enforcement behind an invitation-only veil. Its accessibility and cheap prices greatly lowered the barrier of entry for buyers, making it a popular resource among hackers.
The law enforcement response
The takedown of Genesis Market was a priority for law enforcement given the platform’s ability to facilitate all types of cybercrime.
Europol’s European Cybercrime Centre (EC3) has been supporting this investigation since 2019 by coordinating the international activity with the help of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol. EC3’s support included data analysis, the organisation of operational meetings and the facilitation of the information exchange. A command post was also set-up at Europol’s headquarters in The Hague, the Netherlands to ensure the smooth running of the action day across the world.
Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved. The Agency hosted a coordination meeting in March 2023 to prepare for this week’s operation and hosted a command center on 4 April to resolve any legal issues arising during the parallel operations in 13 countries.
How to tell whether your data was stolen
With over 1.5 million bots listed on Genesis Market, chances are that your credentials have already ended up for sale on this criminal marketplace.
The Dutch Police has developed a portal to check whether your information has been compromised. Visit https://www.politie.nl/checkyourhack and fill in your email address to control whether it is part of a Genesis Market leak.
More information: Europol