Law enforcement agencies from multiple countries, including the Federal Bureau of Investigation, have seized a sprawling dark web marketplace popular with cybercriminals and arrested dozens, the United Kingdom’s National Crime Agency (NCA) said on Wednesday, in an operation the FBI dubbed “Operation Cookie Monster”.
British authorities said 17 countries were involved in the operation, led by the FBI and Dutch police, which resulted in about 120 arrests, more than 200 searches and almost 100 pieces of “preventative activity”.
Genesis Market, an online forum, hosted about 80 million credentials and digital fingerprints stolen from more than two million people, the NCA estimated.
“We assess that the Genesis is one of the most significant access marketplaces anywhere in the world,” said Rob Jones, the NCA’s director general of threat leadership.
United States Justice Department Deputy Attorney General Lisa Monaco said in a statement that many of the forum’s users were arrested on Tuesday. A senior FBI official said arrests had been made in the US but declined to provide further details. The investigation into Genesis is still ongoing.
The US Treasury Department, in a statement announcing sanctions against the market, called it “one of the most prominent brokers of stolen credentials and other sensitive information”.
A banner plastered across Genesis Market’s site late on Tuesday said domains belonging to the organisation had been seized by the FBI. Logos of other European, Canadian and Australian police organisations were also emblazoned across the site, along with that of cybersecurity firm Qintel.
🚨BREAKING🚨
An international operation involving the National Crime Agency has taken down one of the biggest online marketplaces selling stolen credentials to criminals worldwide.
FULL STORY ➡️ https://t.co/Owo1p2A2ku
— National Crime Agency (NCA) (@NCA_UK) April 5, 2023
Operation Cookie Monster
Qintel did not immediately return messages seeking comment, and Reuters news agency could not locate contact details for Genesis Market’s administrators, who the US Treasury said were believed to operate from Russia.
Genesis specialised in the sale of digital products, especially “browser fingerprints” harvested from computers infected with malicious software, said Louise Ferrett, an analyst at British cybersecurity firm Searchlight Cyber.
Because those fingerprints often include credentials, cookies, internet protocol addresses and other browser or operating system details, they can be used by criminals to bypass anti-fraud solutions such as multifactor authentication or device fingerprinting, she said.
The site had been active since 2018.
The NCA said Genesis had operated by selling credentials from as little as 70 cents to hundreds of dollars, depending on the stolen data available.
“To get up and running on this, you just have to know of the site, potentially be able to get yourself an invite which given the volume of users probably wouldn’t be particularly difficult,” said Will Lyne, NCA head of cyber-intelligence.
“Once you become a user, it’s really easy to then … perpetrate criminal activity.”
The NCA said countries involved in the investigation included Australia, Canada, Denmark, Estonia, Finland, France, the US, the UK, Germany, Iceland, Italy, New Zealand, Poland, Romania, Spain, Sweden and Switzerland.
“The Genesis Market lowered the barrier to entry for ransomware groups and allowed many cybercriminals to swiftly scale their operations and carry out targeted attacks for immediate financial benefit,” said John Fokker, head of threat intelligence for US cybersecurity firm Trellix.
“Without even factoring in the arrests of Genesis Market members, simply removing this immense cybercriminal marketplace from the web will significantly slow down cybercriminal activity.”
Have you been targeted by criminals using #GenesisMarket ?
In the wake of an operation to take down the global online platform that sold stolen identities, people are being urged to check if they have been affected.
Find out how on our website ➡️ https://t.co/dBtnwpzwp7
— National Crime Agency (NCA) (@NCA_UK) April 5, 2023