Genesis is one of the largest marketplaces on the dark web while its presence on clearnet is also quite significant. The latest news reports indicate that the FBI and law enforcement agencies from 16 other countries have seized clearnet domains belonging to the Genesis marketplace as part of the ongoing Operation Cookie Monster.
When accessed, the marketplace’s domain displays a banner stating that the website is inaccessible because the FBI has executed a seizure warrant.
Although the marketplace administrator(s) have not been identified or caught yet, it is evident that authorities have seized only clearnet domains while the main dark web domain remains online, which suggests that they have not been able to take down the entire Genesis infrastructure. Regardless, it is still too early to make any assumptions or predictions about what might happen next.
Additionally, Dark Owl, a US-based cybersecurity firm, has conducted an analysis that corroborates these findings. They report that the dark web domain of Genesis is still online and that vendors are still engaging in malicious activities.
A look at Dark Owl’s analysis reveals that malicious activities on the Genesis market are ongoing, including the buying and selling of illegal goods and software. It is possible that the authorities are using it as a honeypot to gather more information on its vendors and users.
Moreover, the administrator accounts of the Genesis market have posted on two Russian cybercrime forums, Exploit.in and XSS, announcing that they will be using the old Tor domain going forward, as their other domains have been seized. However, this could also be a honeypot.
How Did the Seizure Happen?
According to the FBI, the seizure was carried out in collaboration with multiple organizations from the private and public sectors and with international law enforcement agencies. The seizure notice displayed on the domain also carried a message for site visitors, which read:
“Been active on Genesis Market? In contact with Genesis Market administrators? Email us, we’re interested,” followed by an official email address.
The bureau noted that around two dozen partners were on board for this operation. The seizure was followed by a worldwide search and arrest operation. A federal court in the Eastern District of Wisconsin had issued the seizure warrant.
According to Europol’s press release, a total of 119 arrests were made in connection with the platform, with law enforcement officers also executing 208 property searches and 97 knock-and-talk measures.
It is currently unclear who was operating this marketplace as they have maintained a low profile over the years, indicating they have sufficient operational security know-how.
Why Is the Genesis Market Seizure a Big Blow?
By 2020, Genesis had become the world’s most popular marketplace for buying stolen credentials, cookies, and device fingerprints. Considered the largest platform in the world for illicit activities, Genesis Market offered stolen credentials for corporate and consumer accounts.
The market offered accounts for an extensive range of services, including Gmail, Netflix, Facebook, PayPal, WordPress, Amazon, Zoom, eBay, Cloudflare, Reddit, Spotify, Twitter, and LinkedIn. It is therefore understandable that seizing such a thriving platform will be a huge blow to its users.
The seizure of the Genesis marketplace should not come as a surprise. It came just a month after the FBI arrested PomPomPurin (aka Pompompurin, aka Pom), the owner and admin of Breach Forums, a popular hacker and cybercrime forum that surfaced as an alternative to the popular and now-seized Raidforums.
How did Genesis Market operate?
The market operators used information stealers to collect login credentials together with fingerprint data, such as time zones, IP addresses, cookies, and device information.
The operators profited by renting out these stolen identities as "bots": packages of stolen accounts, plus browser plug-ins that imported the login and fingerprint data of the compromised account so that a buyer could assume the real owner’s digital identity. Depending on the account type, buyers paid up to $10 for access to an account for a specific period.
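The abuse model described above is session replay: a stolen cookie presented from a machine that mimics the victim's fingerprint. As an added illustration (not code from the article or from any vendor), the following detector binds each session cookie to the IP address, time zone and user agent seen at login and reports later requests on the same cookie whose attributes diverge. The log format and sample lines are constructed for this example.

```python
# Added example: detect reuse of a session cookie from a fingerprint that
# differs from the one bound at login. Log format and data are constructed.
from collections import namedtuple

Event = namedtuple("Event", "ts session ip tz ua action")

# Constructed sample log: session abc123 logs in from one network, then the
# same cookie is presented from a different IP and time zone; def456 is clean.
SAMPLE_LOG = """\
2023-04-05T08:01:10Z sess=abc123 ip=203.0.113.7 tz=America/Chicago ua=Firefox/111 action=login
2023-04-05T08:05:42Z sess=abc123 ip=203.0.113.7 tz=America/Chicago ua=Firefox/111 action=view
2023-04-05T09:30:00Z sess=abc123 ip=198.51.100.9 tz=Europe/Moscow ua=Firefox/111 action=change_email
2023-04-05T10:00:00Z sess=def456 ip=192.0.2.44 tz=Europe/Berlin ua=Chrome/112 action=login
2023-04-05T10:02:00Z sess=def456 ip=192.0.2.44 tz=Europe/Berlin ua=Chrome/112 action=view
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(ts, fields["sess"], fields["ip"], fields["tz"], fields["ua"], fields["action"])

def find_replays(log_text):
    """Return (session, ts, changed_attributes) for every request whose
    fingerprint no longer matches the one bound to the cookie at login."""
    bindings = {}  # session id -> (ip, tz, ua) captured at login
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.action == "login":
            bindings[ev.session] = (ev.ip, ev.tz, ev.ua)
            continue
        bound = bindings.get(ev.session)
        if bound is None:
            # Cookie in use without a login in this log window: worth a look.
            alerts.append((ev.session, ev.ts, ["no_login_seen"]))
            continue
        current = (ev.ip, ev.tz, ev.ua)
        changed = [name for name, old, new in zip(("ip", "tz", "ua"), bound, current) if old != new]
        if changed:
            alerts.append((ev.session, ev.ts, changed))
    return alerts

if __name__ == "__main__":
    for sess, ts, changed in find_replays(SAMPLE_LOG):
        print(f"{ts} session {sess}: fingerprint mismatch on {', '.join(changed)}")
```

Because a plug-in of the kind the article describes replays the victim's time zone and user agent, those fields may match exactly; the network address and the sequence of sensitive actions are the signals most likely to diverge, which is why the detector reports which attributes changed rather than a single verdict.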
Editor’s note: Hackread.com has reached out to Europol for clarification, and this article will be updated accordingly.