Cops put the squeeze on Genesis crime souk denizens, not just the admins this time
Feds managed to image entire backend server with full details
The FBI today released additional information about its takedown of the Genesis Market, a major online shop for stolen account access credentials, revealing that they'd pwned the marketplace for at least two years.
Working with law enforcement from 15 other nations, the US Department of Justice yesterday seized [PDF] the criminal souk's main website, domains, and servers, and "conducted a number of law enforcement actions against hundreds of Genesis Market users worldwide" as part of a global law enforcement effort dubbed Operation Cookie Monster, according to a senior FBI official.
According to court documents, in December 2020 the FBI, in conjunction with an unnamed foreign law enforcement agency, managed to image the Genesis backend server, and downloaded usernames, passwords, email accounts, search histories, purchase histories and comments for 33,000 Genesis Market users and approximately 900,000 individual packages. That's going to prove very useful in going after not only the operators, but also the users, of the online souk.
The operation also included more than 400 law enforcement actions across 15 different countries, the FBI official said, speaking to reporters on Wednesday. Police arrested 119 individuals and conducted 208 searches and interviews across the globe, he added. These arrests include US citizens, although the official declined to comment further on what role the Americans played in the broader criminal ecosystem.
Also today, in a related action the US Treasury issued sanctions against Genesis Market, which the Feds say has been used by cybercriminals to target US government organizations.
"Genesis Market is believed to operate out of Russia and sells stolen credentials from leading US companies and facilitates cybercrimes against them," US Secretary of State Antony Blinken said in a statement.
Since its inception in 2018, Genesis Market trafficked in access to data stolen from more than 1.5 million compromised computers worldwide, containing more than 80 million stolen access credentials including digital fingerprints, account credentials and cookies, according to the Feds.
While the total financial loss to victims has not been determined, the FBI confirmed $8.7 million in cryptocurrency losses from the sale of the stolen credentials. However, law enforcement estimates the overall losses to "exceed tens of millions of dollars," the FBI official said.
Genesis Market also served as an extremely prolific initial access broker to other cybercrime gangs. Initial access brokers, as the name suggests, are the folks in the criminal ecosystem who steal, and then sell, initial access, allowing others to break into a victim's network and then deploy ransomware, steal sensitive data, or carry out all manner of other illicit activities.
"I cannot emphasize enough the importance of initial access brokers as key enablers of cybercrime-as-a-service," the FBI official said.
The Genesis Market takedown comes about two weeks after the FBI and international law enforcement shut down BreachForums, another major cybercrime marketplace, and arrested its alleged chief administrator.
"What is different here, is that we aren't just going after administrators or taking the site down," the FBI official said. "We're going after the users who leverage a service like Genesis Market, and we're doing that on a global scale. The administrators of the services are operating globally, and so are the users."
However, the problem with shuttering one online criminal shop is that two more emerge in its place, like the fabled Hydra, which shared a name with another criminal marketplace trafficking in illegal drugs and money-laundering services that the US and Germany shut down last year.
The US law enforcement officials acknowledged as much during the call with reporters on Wednesday.
"There are a number of these marketplaces that are out there, and there is no panacea," the FBI official said. "It's not going to be a situation where you take one of these down, it's gonna end the activity."
This is why global cops are focused on arresting not only the site admins, but also users, the Feds explained.
"If you're a user of the site, it may make you think twice about whether this is a good place for you to be doing business, whether you might be identified as a result of law enforcement activity against the site and being able to identify users and arrest them," according to a senior US Department of Justice official. "So there may well be difficulties for the reconstituting of the site in terms of the trust of its criminal user base."
This coordinated effort between countries, and the targeting of the crooks who use illegal online marketplaces, makes these types of global cybercrime business models "less safe" for cybercriminals, said Max Kersten, a security researcher at Trellix Advanced Research Center.
"Targeting not only the provider but also said customers signals that cybercrime is not as 'risk free' as other criminals often advertise, especially if this approach were to become a standard practice by law enforcement agencies," he told The Register.
"Another reason as to why cybercrime is often seen as risk free is the ease to cross geographic borders, all from within the safe space of one's own home country – saving time and lowering the risk of getting caught," Kersten added. ®