Genesis Market, one of the largest global suppliers of stolen personal data to the cyber criminal underground, has been taken down and more than 120 arrests made in Operation Cookie Monster, a multinational effort led by the Dutch National Police and the United States’ FBI, which included the UK’s National Crime Agency (NCA) and law enforcement from 14 other countries.
The operation saw the Genesis Market website taken down on the evening of Tuesday 4 April, but to guarantee its operational security the action has not officially been made public until now.
Over the past 36 hours, the NCA, working with Regional Cyber Crime Units and police forces around the UK, has executed 47 search warrants and conducted coordinated raids in connection with Genesis. Two men, aged 34 and 36, were arrested in Grimsby, and 19 others have been arrested in the UK.
More arrests are likely to take place, with charges sought for a range of offences covered by the Fraud and Computer Misuse Acts. Many others will be contacted under the auspices of the national Cyber Prevent strategy, which aims to conduct early interventions to guide likely offenders away from a life of cyber crime.
Rob Jones, NCA director general for the National Economic Crime Centre and threat leadership, said: “Behind every cyber criminal or fraudster is the technical infrastructure that provides them with the tools to execute their attacks and the means to benefit financially from their offending.
“Genesis Market was a prime example of such a service and was one of the most significant platforms on the criminal market. Its removal will be a huge blow to criminals across the globe.
“Targeting this infrastructure is at the core of the NCA’s efforts to disrupt the highest harm offenders and protect the public from those seeking to infiltrate their lives, stealing their identities and their money,” he said.
Genesis Market was one of the top criminal marketplaces around the world, and access was granted by invitation only. It specialised in selling digital fingerprints and compromised credentials – harvested using infostealing malware – that allowed its users to masquerade as their victims to bypass online security checks.
A digital fingerprint, also sometimes referred to as a bot, is defined as something that is unique to an individual’s computer and encompasses a vast array of potential data points. This can include technical information such as software versions, and location, display and language settings, but more pertinently here, the cookies, service logon credentials, and personal and financial data that users store in their web browsers.
During the course of the investigation, authorities uncovered approximately 80 million sets of credentials relating to two million individuals, tens of thousands of them in the UK.
The cost of these bots varied from as low as about 50 pence up to several hundred pounds, depending on the amount and nature of the data available on a particular individual. In general, profiles that contained online banking credentials fetched a higher price.
Genesis Market was hosted on both the public internet and the dark web and was run as a highly “professional” operation, with cyber criminals able to take advantage of an internal wiki to answer any questions they might have and advanced search tools to let them break down available data by country or website.
Uniquely among its peers, Genesis Market then supplied its users with browser plugins that allowed them to use the internet while appearing, to every site they visited, whether it be a bank, retailer or social media site, to be the compromised user.
Useful tool for ransomware crews
The majority of Genesis Market usage related to fraud, money laundering and theft, but more disturbingly from a cyber security point of view, the NCA has obtained evidence that Genesis Market also offered digital fingerprints that enabled cyber criminals to access their victims’ workplace networks, systems and cloud services remotely, making it a valuable tool for ransomware operators.
The NCA said it had evidence that Genesis Market had facilitated ransomware attacks, as some of the credentials included remote logons to corporate systems that would have offered easy initial access into target systems to ransomware operators. It is currently unable to attribute any known incidents to activity.
Computer Weekly understands that data sold via Genesis Market has also been linked to SIM-swapping attacks and the theft of source code from technology companies.
Turning the tables
The NCA said the operation represented a sea change in how it approaches the problem of fraud – which accounts for over 40% of reported crime in the UK – by appropriating the tactics used against ordinary victims and using them on the cyber criminals responsible.
Echoing methods used in a March 2023 operation against DDoS-for-hire websites, the NCA has itself “stolen” the credentials used by the criminals that accessed those sites, and will be using them to identify and track down even more offenders.
Ultimately, it wants to undermine trust in the cyber criminal underground by making criminals understand that, just as an ordinary victim won’t know their credentials have been compromised until their bank accounts are emptied, the criminals themselves won’t know they are being watched until the police kick their front door in at six in the morning.
“Cyber crime is a key enabler of the vast majority of fraud, which is now the single largest crime type in the UK, affecting more people than any other. The NCA is attacking criminal infrastructure from all angles and those seeking to use such services should be aware that we are coming after them,” said Jones.
Advice for victims
The NCA is today encouraging members of the public to take action to find out if their devices or accounts have been compromised. You can check if your data has been compromised and accessed by users of Genesis Market by entering your email address at Check Your Hack, a certified website set up by the Dutch authorities.
If you find you have been affected, the NCA has worked with the National Cyber Security Centre (NCSC) and the City of London Police to provide further advice and guidance on what to do next, which can be accessed on the NCA’s website.
If you have been a victim of any form of digitally enabled fraud or cyber crime, you can report it at any time via Action Fraud, or in Scotland, by calling Police Scotland on 101. You should also report incidents to your bank. If you choose to report as a victim of Genesis Market, quote “Genesis” in the “Additional Information” box on the Action Fraud report, or mention it to the police.
If you are contacted by a law enforcement officer in relation to a suspected fraud, you can verify their identity by calling 101, or the NCA Control Centre on 0370 496 7622.
Suspicious emails and phishing attempts can also be forwarded to the NCSC’s reporting inbox at [email protected].