The Seizure of Genesis Market
- April 30, 2023
- Clayton Rice, K.C.
An international law enforcement operation involving seventeen countries has shut down a notorious online purveyor of stolen identities. The worldwide cyber investigation seized the infrastructure of Genesis Market in another blow to the cybercrime ecosystem. The dismantling of the user friendly site that offered access to data stolen from 1.5 million computers containing over 80 million account access credentials is the latest takedown in the war on cybercrime as law enforcement continues to deploy surveillance and disruption techniques to compliment traditional methods of investigation and prosecution.
On April 5, 2023, the U.S. Department of Justice and Europol, the law enforcement agency of the European Union, announced that an international law enforcement action dubbed Operation Cookie Monster had seized Genesis Market. Reporting for CBS News, Robert Legare described the platform as “a darknet site that sold data containing login credentials for bank accounts, social media passwords and IP addresses from identity theft and data breach victims.” (here) According to a press release issued by the U.S. justice department, the investigation involved forty-five FBI field offices in an “unprecedented” takedown. (here) Europol, in a concurrent press release, announced that the the seizure also involved simultaneous actions worldwide against users of the marketplace resulting in 119 arrests, 208 property searches and 97 knock-and-talk measures. (here) A total of seventeen countries were involved in the operation including the United Kingdom, Canada, Australia and New Zealand. (here)
2. Five Eyes Participants
Three members of the Five Eyes alliance reported arrests stemming from the seizure. In an article for BBC News, Daniel Sanford said Britain’s National Crime Agency (NCA) carried out a series of raids resulting in the arrest of twenty-four people who are suspected users of the site. The National Police Corps in the Netherlands, which worked alongside the NCA, has launched a portal on its website where members of the public can check whether their data has been compromised. (here) According to Jacquelyn LeBel, reporting for Global News in Canada, Chris Lyman, the Director General of the RCMP National Cybercrime Coordination Centre, said there were seventy-nine “distinct law enforcement actions, including arrests”. However, Mr. Lyman refused to disclose how many individuals were arrested. More than half the actions taken by police involved people in Quebec. (here) And in Australia, The Guardian reported that the Australian Federal Police along with six state police agencies arrested ten people and executed twenty-four search warrants. (here)
3. How Genesis Market Worked
Genesis Market provided users with the ability to search for stolen access credentials based on location or account type such as banking, social media or email. In addition to access credentials, the site marketed device “fingerprints” which are unique combinations of device identifiers and browser cookies that circumvent anti-fraud detection systems. The combination of stolen access credentials, fingerprints and cookies allowed purchasers to assume the identity of a target by tricking third party websites into thinking the Genesis Market user was the actual owner of the account. According to the U.S. Department of Justice, account access credentials advertised for sale on the site included those connected to the financial sector, critical infrastructure, and federal, state and local government agencies. The market was also a prolific initial access broker and an enabler of ransomware. It attracted customers looking to easily infiltrate a target’s computer system and marketed the type of access sought by ransomware actors.
According to Europol, digital identities were the main commodity on the platform. The marketplace would offer “bots” for sale that had infected devices through malware or account takeover attacks. Upon acquiring a bot, the purchaser would obtain access to all the data harvested by it such as fingerprints, cookies, saved logins and autofill form data. This information was collected in real time and buyers would be notified of any change such as a new password. The price for a bot ranged from lower than one dollar up to several hundreds of dollars. The most expensive would contain financial information that would allow access to online bank accounts. The purchasers of bots were not only provided with stolen data but also with the means of using it. Buyers were provided with a custom browser that would mimic the victim’s browser. This would allow the buyer to access a victim’s account without triggering the security measures of the platform the account was on that would recognize a different login location, a different browser fingerprint or a different operating system.
4. The Disruption Tactic
On January 26, 2023, the U.S. justice department announced the seizure of the Hive ransomware group’s infrastructure after a “months-long disruption campaign”. (here) Hive used a ransomware-as-a-service model where administrators developed a ransomware strain and recruited affiliates to identify targets, deploy the software and earn a percentage of each successful ransom payment. (here) Hive actors deployed a double-extortion model of attack demanding a ransom for both the decryption key and a promise not to publish the stolen data. For approximately six months, the FBI infiltrated Hive’s computer networks, captured its decryption keys and offered them to victims worldwide averting $130 million in ransom payments. The justice department has alleged that since 2021, the Hive group targeted more than 1,500 victims worldwide and received over $100 million in ransom payments. During a press conference, U.S. Deputy Attorney General Lisa Monaco said the investigative team turned the tables on Hive. “Simply put, using lawful means we hacked the hackers,” she said.
On March 24, 2023, the U.S. justice department issued a press release announcing that Conor Brian Fitzgerald had made his first court appearance on charges alleging he was the founder and administrator of BreachForums, an online marketplace for stolen data. (here) Mr. Fitzgerald had been arrested on March 15, 2023. The FBI asserts that BreachForums, with more than 340,000 members, replaced RaidForums which had been seized by U.S. law enforcement on April 12, 2022. (here) BreachForums then grew to become one of the most prolific online marketplaces posting hacked data related to approximately 14 billion people worldwide. (here and here) Parallel with Mr. Fitzgerald’s arrest, the FBI and the Department of Health and Human Services Office of Inspector General “conducted a disruption operation that caused BreachForums to go offline.” The U.S. justice department alleges that Diogo Santos Coelho, a Portuguese national, was the founder and administrator of RaidForums. He was arrested in the United Kingdom on January 31, 2022, and remains in custody pending conclusion of extradition proceedings. (here)
On April 4, 2023, in an article published by CyperScoop, A.J. Vicens described the Genesis Market seizure as “just the latest in a wave of aggressive U.S. government cybercrime operations”. (here) On January 26, 2023, Tonya Riley had previously reported for CyberScoop that the FBI hacked into and spent months lurking inside the Hive ransomware networks before seizing the site. (here) On April 24, 2023, in a follow up piece for CyberScoop, Mr. Vicens reported that top officials at the U.S. Department of Justice knew that no arrests would be made resulting from the Hive takedown. (here) On April 24, 2023, speaking at the RSA security conference, Deputy Attorney General Monaco said prosecutors and investigators are now directed to have “a bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing”. (here) Elvis Chan, who manages the Cyber Branch of the FBI’s San Francisco Field Office, added: “We are trying to disrupt when it will make an actual impact as opposed to waiting until we’ve tied it all up in a bow for the U.S. Attorney’s Office.”
The deployment of disruption tactics is not a new strategy for law enforcement. When RaidForums was seized in 2022, Edvardas Šileris of Europol’s European Cybercrime Centre acknowledged that, “[d]isruption has always been a key technique in operating against threat actors online”. (here) But the relative anonymity and international reach of the dark net will continue to make it ideal for purveyors of stolen data. The disruption of marketplaces like BreachForums and RaidForums reveals the relative effectiveness with which one site can pick up the market share left by the other. The takedown of Genesis Market, then, may yet be another disruption of considerable but temporary reprieve in the war on cybercrime.