Unmasking Genesis Market: International crackdown on cybercriminals

  • A joint effort dismantles a major underground marketplace, revealing cybersecurity threats to consumers and enterprises.

A collaboration between Europol, the FBI, and law enforcement agencies across 17 countries recently dismantled the notorious Genesis Market. This vast marketplace traded browser cookies, login credentials, email information, e-commerce accounts, and sensitive data of countless individuals.

The large-scale operation led to multiple arrests, including the marketplace’s operators and cybercriminals who exploited the platform. Trellix Advanced Research Center played a key role by neutralizing market scripts and binaries, assisting in arrests and uncovering the organization’s tactics.

Established in 2018, Genesis Market was a leading underground platform specializing in the sale of login information, browser fingerprints, and cookies. The Genesis team, known as GenesisStore, advertised on various underground forums, mainly targeting Russian-speaking users.

Screenshot of takedown notice. (Source – Trellix)

Understanding the usage of Genesis Market

Cybercriminals impersonate victims by utilizing acquired browser fingerprints and cookies, combined with a VPN service or the victim’s device as a proxy. Often, services depend on cookies and fingerprints for identification, even after initial MFA authentication, enabling cybercriminals to take advantage of the stolen information.

A cookie remains valid for its configured lifespan; within that window, the service’s trust rests on the password, the browser fingerprint, and the assumption that both belong to the same individual. An actor holding stolen cookies and fingerprints can impersonate the victim by reusing the session without going through authentication again.

Using an analogy: to enter a movie theater restricted to those over 16, a 12-year-old might stand on a classmate’s shoulders, wear a trench coat, and use a stolen ID. The theater could perceive them as eligible based on the stolen ID (the cookie) and disguised appearance (the fingerprint).
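The session-reuse problem described above is ultimately a server-side design question: a service that treats a cookie plus a fingerprint as proof of identity for the cookie’s whole lifetime will accept a replayed copy. The following is an added example (not code from Trellix, Europol, or Genesis Market) of how a service can bind a session to the context observed when MFA was passed, cap its lifetime, and re-prompt MFA for sensitive actions. The field names (`ua`, `lang`, `asn`), the timeouts, and the constructed client contexts are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not Trellix or Genesis code): a server-side session store that
# binds each session to the context seen when MFA was passed, caps lifetime,
# and requires fresh MFA for sensitive actions. Field names and the constructed
# client contexts below are assumptions for illustration.

ABSOLUTE_LIFETIME = 8 * 3600   # hard cap on a session, in seconds
IDLE_TIMEOUT = 30 * 60         # expire a session unused this long
STEP_UP_MFA_AGE = 15 * 60      # sensitive actions need MFA fresher than this
SECRET_KEY = secrets.token_bytes(32)  # constructed; load from a KMS in practice


def context_hash(context: dict) -> str:
    """HMAC over client-asserted (ua, lang) and server-observed (asn) signals."""
    material = "|".join(str(context.get(k, "")) for k in ("ua", "lang", "asn"))
    return hmac.new(SECRET_KEY, material.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session id -> record
        self.alerts = []    # detection events for the SOC

    def issue(self, user, context):
        """Create a session right after MFA; remember the context it was born in."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "mfa_at": now, "last_seen": now,
                              "context": context_hash(context)}
        return sid

    def validate(self, sid, context):
        """Return 'ok', 'unknown', 'expired' or 'reauth_required'."""
        rec = self.sessions.get(sid)
        if rec is None:
            return "unknown"
        now = self.clock()
        if now - rec["mfa_at"] > ABSOLUTE_LIFETIME or now - rec["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return "expired"
        if not hmac.compare_digest(rec["context"], context_hash(context)):
            # Same cookie, different origin than the one that passed MFA:
            # revoke, alert, and force a fresh MFA instead of trusting the cookie.
            self.alerts.append({"user": rec["user"], "reason": "context_mismatch", "at": now})
            del self.sessions[sid]
            return "reauth_required"
        rec["last_seen"] = now
        return "ok"

    def needs_step_up(self, sid):
        """Sensitive actions re-prompt MFA when the last MFA is too old, even if the
        cookie and fingerprint are valid (covers replay through the victim's own device)."""
        rec = self.sessions.get(sid)
        return rec is None or self.clock() - rec["mfa_at"] > STEP_UP_MFA_AGE


def run_scenarios():
    """Legitimate use, replay of a copied fingerprint from another network, and expiry."""
    t = [1_700_000_000.0]
    store = SessionStore(clock=lambda: t[0])
    victim = {"ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/112.0", "lang": "en-US", "asn": "AS64496"}
    cookie = store.issue("alice", victim)
    out = {"legit": store.validate(cookie, victim)}

    t[0] += 600
    # A replayed cookie with a faithfully copied fingerprint (ua, lang) but from
    # a different network: only the server-observed signal differs.
    replay = dict(victim, asn="AS64497")
    out["replay"] = store.validate(cookie, replay)
    out["victim_after_replay"] = store.validate(cookie, victim)
    out["alerts"] = len(store.alerts)

    cookie2 = store.issue("alice", victim)
    out["step_up_fresh"] = store.needs_step_up(cookie2)
    t[0] += STEP_UP_MFA_AGE + 1
    out["step_up_stale"] = store.needs_step_up(cookie2)
    t[0] += ABSOLUTE_LIFETIME
    out["expired"] = store.validate(cookie2, victim)
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The important caveat is visible in the scenarios: because the fingerprint itself is copied, the client-asserted fields match, and only a server-observed signal (here the network origin) reveals the mismatch. When the replay is routed through the victim’s own device as a proxy, as the article notes, even that signal agrees, which is why the short absolute lifetime and the step-up MFA check for sensitive actions are the controls that still hold. The mismatch events in `alerts` are the kind of signal a SOC can correlate with login telemetry.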

Genesis Market was among the first to focus on fingerprints and browser cookies, enabling account takeovers despite the growing adoption of MFA. They collaborated with various malware families, using info-stealing scripts to gather information for their store.

In February 2023, Genesis Market began actively recruiting sellers to meet user demand. They deployed their own JavaScript (JS) scripts on infected machines to collect relevant information in a structured manner.

John Fokker, the Head of Threat Intelligence at Trellix Advanced Research Center, explains that the Genesis Market exemplifies how cyber threats to consumers in a post-Covid world can rapidly evolve into cyber threats targeting enterprises.

“The numerous accounts for sale on the cybercriminal marketplace that included corporate emails represent the very cybersecurity challenge of having a dispersed workforce using personal devices for their jobs,” he added. “Enterprises and organizations should enforce strict password management and MFA for remote employees, ensuring employees leverage VPNs on their work devices to protect themselves and their employers.”

Law enforcement collaboration and cybercrime prevention

In a global effort to dismantle the largest marketplace of its kind, law enforcement agencies worldwide collaborated to take down the Genesis Market. This joint force operation wasn’t limited to high-profile cases. For instance, Europol’s collaboration with EU countries protected private companies from HIVE ransomware, preventing over US$130 million in potential ransom payments. They facilitated information exchange and operation coordination and provided analytical support in cryptocurrency, malware, decryption, and forensic analysis.

During the action days, four Europol specialists assisted with on-site coordination and backed law enforcement efforts. The Joint Cybercrime Action Taskforce (J-CAT) at Europol, which consists of cybercrime liaison officers from various nations, played a supporting role in the operation as well.

In the APAC region, financial crime, specifically financial fraud (76%) and money laundering (67%), ranked as top crime threats, alongside synthetic drug trafficking, which 67% of respondents considered a high or very high threat. Law enforcement respondents from the region anticipate an increase in synthetic drug trafficking (67%) and cyber threats such as ransomware (79%), phishing attacks, business email compromise, identity theft, and online extortion (63%).

The future of cybersecurity and recommendations

The takedown of Genesis Market serves as a powerful reminder that cyber threats are evolving and growing more sophisticated. As cybercriminals continue to adapt and find new ways to exploit vulnerabilities, businesses and individuals must prioritize cybersecurity measures.

Continuous education and training on cybersecurity best practices can empower employees to recognize and avoid common threats, such as phishing attacks and business email compromise schemes. Additionally, organizations should invest in advanced security tools and technologies to proactively detect and mitigate potential cyberattacks.

The successful dismantling of the Genesis Market showcases the importance of international collaboration and information sharing among law enforcement agencies to combat cybercrime effectively. As cyber threats continue to evolve, a united front in the fight against cybercriminals is crucial to safeguard consumers and enterprises from future attacks.