
A coordinated effort has brought down the largest criminal marketplace “Genesis Market” for stolen credentials, the Department of Justice confirmed.
Since March 2018, Genesis Market advertised and sold packages of account access credentials, including usernames and passwords for bank accounts, social media, and email accounts, which the threat actors stole from global victims after infecting devices with malware.
The marketplace enabled cybercriminals to victimize individuals, businesses, and governments around the world. Its influence stemmed from its sales offerings: the type of access sought by ransomware groups, which used the site to gain entry to their victims.
Genesis Market boasted stolen credentials tied to the financial and critical infrastructure industries, as well as federal, state, and local government agencies. The market was user-friendly: cybercriminal users could search for stolen credentials by location or account type.
It was seen as one of the most prolific initial access brokers in the cybercrime world. At the time of the seizure, the market was offering access to data stolen from more than 1.5 million compromised devices and over 80 million account access credentials.
The market also sold unique combinations of device identifiers and browser cookies able to bypass the anti-fraud tools used by websites. Each stolen offering allowed cybercriminals to assume a victim's identity and trick sites into treating the malicious actor as the legitimate account owner.
The federal law enforcement effort worked to identify prolific users of the Genesis Market, keenly focused on finding who purchased and used the stolen access credentials for fraud and other cybercrimes.
“Operation Cookie Monster” also led to the seizure of 11 domain names used to support Genesis Market’s infrastructure, under a warrant authorized by the U.S. District Court for the Eastern District of Wisconsin.
The Genesis Market takedown follows multiple law enforcement efforts against dark web actors, including the dismantling of the Hive ransomware group, Hydra Market and BreachForums.