One of the world’s largest and most sophisticated marketplaces for stolen account data was dealt a significant blow on Wednesday, April 5, when the FBI seized the clearnet domains of Genesis Market. Around the time of the seizure, law enforcement in 13 countries executed arrest warrants for 119 individuals and carried out 208 property searches. Most of those arrested are believed to be users of the market, with many implicated in fraud and other cybercrime cases.
An invite-only site, Genesis Market opened for business in March 2018. Over its five years of operation it grew into a focal point for sales of stolen credentials, with over 80 million records from 1.5 million bot-infected computers offered for sale in total. Most of the infected computers were located in the US, Germany, France, Sweden, Italy, Mexico, Spain, Poland, Pakistan, and Indonesia, among other countries.
A vendor from Genesis Market claims the market will get a new clearnet domain soon
What separated Genesis from most of its competitors was that it sold browser fingerprints along with the credentials, allowing a purchaser to bypass the anti-fraud detection systems used by Amazon and Netflix, as well as banking and other finance-related websites. With the help of a specially developed browser extension, the purchased fingerprint recreated the victim’s normal browser settings and stored data, cookies included, so that as far as the target site could tell, activity by the buyer was indistinguishable from the victim’s own.
The Tor site for Genesis Market appeared to remain active after the seizure and arrests, with sales continuing there as if business were proceeding as usual. This led to confusion over whether the FBI had also taken over the infostealer infrastructure Genesis used to harvest credentials from infected computers, or only the clearnet domains.
“There’s no way of knowing how deeply compromised the Genesis operation was and still is,” said threat analyst Brett Callow of Emsisoft, in an interview with TechTarget. “While the Tor site is still operational, smart cybercriminals will avoid using it,” he added.
Meanwhile, accounts associated with the Genesis Market administration announced on various forums plans to open new clearnet domains, suggesting the operators intend to continue despite the setback.