Genesis Market seized in ‘Operation Cookie Monster,’ DoJ confirms

A coordinated effort has brought down the largest criminal marketplace for stolen credentials, Genesis Market, the Department of Justice confirmed.

The DoJ notice on April 5 follows several reports that spotted an FBI seizure notice on the dark web site earlier this morning.

DoJ worked with 45 of its FBI field offices and international partners for its “unprecedented takedown.”

Attorney General Merrick Garland warned that its seizure “should serve as a warning to cybercriminals who operate or use these criminal marketplaces: DoJ and our international partners will shut down your illegal activities, find you, and bring you to justice.”

Launched in March 2018, Genesis Market advertised and sold packages of account access credentials, including usernames and passwords for bank accounts, social media and email accounts, which the threat actors stole from global victims after infecting devices with malware.

“The marketplace enabled cybercriminals to victimize individuals, businesses, and governments around the world,” said Garland, in a statement. Its reach stemmed from what it sold: the type of initial access sought by ransomware groups. Sector reports confirmed that such actors used the site to gain entry to their victims.

Genesis Market boasted stolen credentials tied to the financial and critical infrastructure industries, as well as federal, state and local government agencies. The site was built to be user-friendly: cybercriminal customers could search the stolen credentials by the victim’s location or by account type.

It was also seen as one of the “most prolific initial access brokers in the cybercrime world.” At the time of the seizure, the market was offering access to data stolen from more than 1.5 million compromised devices and over 80 million account access credentials. 

The market also sold device “fingerprints,” unique combinations of device identifiers and browser cookies that could be replayed to bypass the anti-fraud tools websites use. Combined, each listing let a buyer impersonate the victim so that a site treated the attacker as the legitimate account owner.

The federal law enforcement effort worked to identify prolific users of the Genesis Market, keenly focused on finding who purchased and used the stolen access credentials for fraud and other cybercrimes. Hundreds of leads have been sent to the FBI and foreign law enforcement, which have already led to “many arrests.”

“Operation Cookie Monster” has also led to the seizure of 11 domain names used to support Genesis Market’s infrastructure, under a warrant authorized by the U.S. District Court for the Eastern District of Wisconsin.

“Genesis falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the department to identify, locate and arrest on-line criminals,” said Deputy Attorney General Lisa Monaco. 

The Genesis Market takedown follows multiple law enforcement efforts against dark web actors, including the dismantling of the Hive ransomware group, Hydra Market and BreachForums, as well as the takedown of major botnets like Coreflood. Monaco stressed that “each takedown is yet another blow to the cybercrime ecosystem.”

These law enforcement agencies are committed “to disrupting and dismantling key services used by criminals to facilitate cybercrime,” warned FBI Director Christopher Wray. The identified stolen credentials were provided to the “Have I Been Pwned” resource to support remediation.

Jessica Davis
