Genesis Market Offered Access to Data Stolen From Over 1.5M Compromised Computers Worldwide and Was a Key Enabler of Ransomware
A coordinated international operation has dismantled the Genesis Market, a criminal online marketplace that advertised and sold packages of account access credentials – such as usernames and passwords for email, bank accounts, and social media – that had been stolen from malware-infected computers around the world.
Since its inception in March 2018, Genesis Market has offered access to data stolen from over 1.5 million compromised computers around the world containing over 80 million account access credentials. Account access credentials advertised for sale on Genesis Market included those connected to the financial sector, critical infrastructure, and federal, state, and local government agencies. Genesis Market was also one of the most prolific initial access brokers (IABs) in the cybercrime world. IABs attract criminals looking to easily infiltrate a victim’s computer system. Genesis Market offered for sale the type of access sought by ransomware actors to attack computer networks in the United States and around the world, and published private-sector reports indicate that they indeed were used by ransomware actors to attack such systems.
Genesis Market was user-friendly, providing users with the ability to search for stolen access credentials based on location and/or account type (e.g., banking, social media, email, etc.). In addition to access credentials, Genesis Market obtained and sold device “fingerprints,” which are unique combinations of device identifiers and browser cookies that circumvent anti-fraud detection systems used by many websites. The combination of stolen access credentials, fingerprints, and cookies allowed purchasers to assume the identity of the victim by tricking third party websites into thinking the Genesis Market user was the actual owner of the account.
Genesis Market users were located all over the world. Federal law enforcement has worked to identify prolific users of Genesis Market who purchased and used stolen access credentials to commit fraud and other cybercrimes. This effort resulted in hundreds of leads being sent to FBI field offices throughout the United States, as well as to foreign law enforcement partners. Further, as part of this operation, dubbed Operation Cookie Monster, law enforcement seized 11 domain names used to support Genesis Market’s infrastructure pursuant to a warrant authorized by the U.S. District Court for the Eastern District of Wisconsin.
The FBI Milwaukee Field Office investigated the case, with assistance from 44 other field offices, the U.K. National Crime Agency, Italy’s Polizia de Stato, Police of Denmark, Australian Federal Police, Royal Canadian Mounted Police, Canada’s Sûreté du Québec, Romanian Police, Cybercrime Sub-directorate for French judicial police, Spain’s Policia Nacional, Spain’s Guardia Civil, Germany’s Federal Criminal Police Service, Swedish Police Authority, Poland’s Central Bureau for Combating Cybercrime, Dutch National Police, Finland’s National Bureau of Investigation, Switzerland’s Office of the Attorney General, Swiss Federal Police, Estonia’s Prosecutor General’s Office, Iceland’s Metropolitan Police, New Zealand Police, Eurojust, and Europol.