Infamous hacker website shuts down in global law enforcement crackdown

An international operation led by the FBI and Dutch National Police has dismantled a major hacker marketplace known as Genesis

Law enforcement agencies in the United States and Europe announced the dismantling of a major online marketplace for stolen login credentials.

The marketplace, known as Genesis Market, had been operational since 2018 and had enabled cybercriminals to gain access to millions of compromised accounts.

The operation, dubbed “Operation Cookie Monster,” involved law enforcement agencies in 17 countries.

The international initiative was led by the US Federal Bureau of Investigation (FBI) and the Dutch National Police (Politie), with a command post set up at Europol’s headquarters on the action day.

Merrick Garland, the US Attorney General, described the cybercrime operation against Genesis as “unprecedented” for law enforcement. He also noted that 45 out of the 56 FBI field offices in the US participated in the sting.

The operation involved the arrest of around 120 users across the globe and the seizure of 11 domain names associated with Genesis Market.

According to the US Justice Department, Genesis Market had provided its users with access to data from over 1.5 million infected computers, including over 80 million account access credentials.

A report by Trellix, a cybersecurity firm that provided assistance in the investigation, revealed that the market was advertised on various underground forums predominantly used by Russian speakers as a “one-stop shop for account takeovers.”

Why shutting down Genesis Market matters

Genesis Market primarily dealt in digital identities, offering “bots” for sale that provided access to real-time harvested data, including financial information for online banking accounts.

Criminals were also provided with a custom browser that mimicked their victim’s, making it easy to bypass security measures. The marketplace was accessible on the open web and was popular among hackers due to its affordability and ease of access.

“While underground marketplaces that sell stolen credentials aren’t a new thing, Genesis Market was one of the first that focused on fingerprints and browser cookies to enable account takeovers despite growing MFA adoption,” the Trellix researchers said.

A specialised browser it offered customers made “account takeover child’s play for criminals,” said the Trellix report.