Washington: The United States Justice Department announced today a coordinated international operation against Genesis Market, a criminal online marketplace that the US said it believed to be located in Russia. The online marketplace advertised and sold packages of account access credentials – such as usernames and passwords for email, bank accounts, and social media – that had been stolen from malware-infected computers around the world.
“Yesterday, the Department of Justice and its partners dismantled the Genesis Market and arrested many of its users around the world,” said Deputy Attorney General Lisa O. Monaco said. She added: “Genesis falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the Department to identify, locate, and arrest online criminals. The Department of Justice is shining a light on the internet’s darkest corners – in the last year alone, our agents, prosecutors, and partners have dismantled the darknet’s largest marketplaces – Hydra Market, BreachForums, and now Genesis. Each takedown is yet another blow to the cybercrime ecosystem.”
Simultaneously in a coordinated move, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) took action to designate Genesis Market, which it termed one of the world’s largest illicit online marketplaces, for its part in the theft and sale of device credentials and related sensitive information.
As a result of today’s action, all property and interests in property of the entity that are in the United States or in the possession or control of US persons must be blocked and reported to OFAC. OFAC’s regulations generally prohibit all dealings by US persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of a blocked or designated entity. In addition, persons that engage in certain transactions with the entity designated today may themselves be exposed to sanctions.
“The United States, along with our international partners, will not allow illicit marketplaces to operate with impunity,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Treasury will continue to work closely with our law enforcement colleagues to disrupt this activity and hold malign cyber actors accountable,” Nelson added.
Treasury said it had long recognized the illicit finance risks associated with darknet markets, and today’s sanctions designation builds upon previous actions against darknet marketplaces, such as the designation of Hydra Market, which OFAC designated on April 5, 2022. In addition, Treasury’s 2022 National Money Laundering Risk Assessment identified that darknet markets provide an opportunity for criminals to profit from unauthorized access to victim computers by selling stolen data to other criminals for further exploitation. Furthermore, FinCEN’s “Advisory on Illicit Activity Involving Convertible Virtual Currency” warned that darknet markets frequently include offers for the sale of illicit goods and services that use virtual currencies as a method of payment.
Genesis Market identifies victim computer systems and gains unauthorized access to them, selling this access to cybercriminals for further exploitation. It has both a clearnet (traditional internet) and a darknet presence and is one of the most prominent brokers of stolen credentials and other sensitive information. It gained unauthorized access to victim devices and offers stolen data, including usernames and passwords, for sale, since its inception in March 2018, and has offered access to data stolen from over 1.5 million compromised computers around the world containing over 80 million account access credentials.
Account access credentials advertised for sale on Genesis Market included those connected to the financial sector, critical infrastructure, and federal, state, and local government agencies. Genesis Market was also one of the most prolific initial access brokers (IABs) in the cybercrime world, the US Justice Department said, explaining that IABs attract criminals looking to easily infiltrate a victim’s computer system.
Genesis Market was user-friendly, providing users with the ability to search for stolen access credentials based on location and/or account type (e.g., banking, social media, email, etc.). In addition to access credentials, it obtained and sold device “fingerprints,” which are unique combinations of device identifiers and browser cookies that circumvent anti-fraud detection systems used by many websites. The combination of stolen access credentials, fingerprints, and cookies allowed purchasers to assume the identity of the victim by tricking third-party websites into thinking the Genesis Market user was the actual owner of the account. It further offered for sale the type of access sought by ransomware actors to attack computer networks in the United States and around the world and published private-sector reports indicate that they indeed were used by ransomware actors to attack such systems. Its users were located all over the world.
The US Justice Department said federal law enforcement worked to identify prolific users of Genesis Market who purchased and used stolen access credentials to commit fraud and other cybercrime. “This effort resulted in hundreds of leads being sent to FBI field offices throughout the United States, as well as to foreign law enforcement partners. Further, as part of this operation, dubbed Operation Cookie Monster, law enforcement seized 11 domain names used to support Genesis Market’s infrastructure pursuant to a warrant authorized by the US District Court for the Eastern District of Wisconsin,” a Justice Department press release stated.
Attorney General Merrick B. Garland said: “Working across 45 of our FBI [Federal Bureau of Investigation] Field Offices and alongside our international partners, the Justice Department has launched an unprecedented takedown of a major criminal marketplace that enabled cybercriminals to victimize individuals, businesses, and governments around the world. “Our seizure of Genesis Market should serve as a warning to cybercriminals who operate or use these criminal marketplaces: the Justice Department and our international partners will shut down your illegal activities, find you, and bring you to justice.”
“Today’s takedown of Genesis Market is a demonstration of the FBI’s commitment to disrupting and dismantling key services used by criminals to facilitate cybercrime,” said FBI Director Christopher Wray. “The work, in this case, is a great example of the FBI’s ability to leverage our technical capabilities and work shoulder-to-shoulder with our international partners to take away the tools cybercriminals rely on to victimize people all across the world,” Wray added.
The FBI Milwaukee Field Office investigated the case, with assistance from 44 other field offices, the U.K. National Crime Agency, Italy’s Polizia de Stato, Police of Denmark, Australian Federal Police, Royal Canadian Mounted Police, Canada’s Sûreté du Québec, Romanian Police, Cybercrime Sub-directorate for French judicial police, Spain’s Policia Nacional, Spain’s Guardia Civil, Germany’s Federal Criminal Police Service, Swedish Police Authority, Poland’s Central Bureau for Combating Cybercrime, Dutch National Police, Finland’s National Bureau of Investigation, Switzerland’s Office of the Attorney General, Swiss Federal Police, Estonia’s Prosecutor General’s Office, Iceland’s Metropolitan Police, New Zealand Police, Eurojust, and Europol.
“The operation being announced today is the direct result of the hard work, dedication, and exceptional collaborative efforts of the FBI and its partners around the globe,” said U.S. Attorney Gregory J. Haanstad for the Eastern District of Wisconsin. “Along with investigative partners and our Justice Department colleagues, my office remains committed to using all available tools to protect individuals from cybercriminals like those who operate these types of online marketplaces.”
Victim credentials obtained over the course of the investigation have been provided to the website Have I Been Pwned, which is a free resource for people to quickly assess whether their access credentials have been compromised (or “pwned”) in a data breach or other activity. Victims can visit HaveIBeenPwned.com to see whether their credentials were compromised by Genesis Market so that they can know whether to change or modify passwords and other authentication credentials that may have been compromised.
– global bihari bureau
