A coordinated international law enforcement operation has dismantled Genesis Market, an illegal online marketplace that specializes in the sale of stolen credentials linked to emails, bank accounts and social media platforms.
Coinciding with the seizure of its infrastructure, the crackdown, which involved authorities from 17 countries, resulted in 119 arrests and 208 property searches across 13 countries. However, the market's .onion mirror appears to still be up and running.
Genesis Market has, since its inception in March 2018, grown into a major hub of criminal activity, offering access to stolen data from more than 1.5 million compromised computers worldwide with a total of over 80 million credentials.
The majority of infections tied to Genesis Market malware have been detected in the US, Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Poland, Ukraine, Saudi Arabia, India, Pakistan and Indonesia, among others, per data compiled by Trellix.
Some of the leading malware families used to compromise victims include AZORult, Raccoon, RedLine, and DanaBot, all of which are information stealers capable of harvesting sensitive data from users' systems. Also delivered via DanaBot is a rogue Chrome extension designed to siphon browser data.
“Account access credentials advertised for sale on Genesis Market include those connected to the financial sector, critical infrastructure, and federal, state, and local government agencies,” the US Department of Justice (DoJ) said in a statement.
The DoJ named Genesis Market one of the "most prolific initial access brokers (IABs) in the cybercrime world." In a coordinated announcement, the US Department of the Treasury sanctioned the criminal shop, describing it as a "key resource" used by threat actors to target US government organizations.
In addition to credentials, Genesis also offers device fingerprinting – including unique identifiers and browser cookies – to help attackers circumvent the anti-fraud detection systems used by many websites.
“The combination of stolen access credentials, fingerprints and cookies allows the purchaser to assume the identity of the victim by tricking a third-party website into thinking the Genesis Market user is the real owner of the account,” the DoJ added.
Court documents reveal that the US Federal Bureau of Investigation (FBI) gained access to Genesis Market's backend servers twice, in December 2020 and May 2022, enabling the agency to obtain information relating to approximately 59,000 users of the cybercrime bazaar.
Packages of stolen information retrieved from infected computers (aka "bots") sell for between $0.70 and several hundred dollars, depending on the nature of the data, according to Europol and Eurojust.
“The most expensive will contain financial information that allows access to online banking accounts,” noted Europol, which stated that criminals who buy the data are also provided with additional tools to use it without attracting attention.
“The purchaser is provided with a special browser that will impersonate one of their victims. This allows the criminal to access their victim’s account without triggering any security measures from the platform on which the account resides.”
The proprietary Chromium-based browser, referred to as Genesium, is cross-platform, with maintainers claiming features such as “anonymous browsing” and other advanced functionality that allow its users to bypass anti-fraud systems.
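The DoJ statement above explains why the bundle of credentials, cookies and fingerprint is worth more than the password alone, and the Europol description of the "special browser" explains how it is used. The following is an added illustration written for this page, not code from Genesis Market, Genesium or any anti-fraud vendor: a toy server-side session check that binds a session cookie to a device-fingerprint hash and to the network ASN seen at login, then exercises three requests. All fingerprint fields, ASNs and the cookie value are constructed sample data. The third case is the one the text describes: a replayed cookie plus a cloned fingerprint sails past the fingerprint check, and only a signal the stealer could not copy (here, the network the request arrives from) is left to catch it.

```python
"""Toy session check: why cookie + fingerprint replay defeats fingerprint-only anti-fraud.

Added illustration for this article; not Genesis Market, Genesium or vendor code.
All sample data below is constructed.
"""
import hashlib
import json
from dataclasses import dataclass


def fingerprint_hash(fp: dict) -> str:
    """Canonicalise the client-reported fingerprint fields and hash them.

    sort_keys makes the hash independent of the order the client sent the fields,
    so two browsers reporting identical attributes produce identical hashes.
    """
    canonical = json.dumps(fp, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class SessionRecord:
    user: str
    fp_hash: str   # device fingerprint hash captured when the session was issued
    asn: int       # autonomous system the login came from


@dataclass(frozen=True)
class Request:
    cookie: str
    fp: dict       # fingerprint fields the client reports on this request
    asn: int       # autonomous system this request arrives from


def check_request(store: dict, req: Request) -> str:
    """Return a verdict string for a request presenting a session cookie.

    Verdicts: 'deny:no-session', 'deny:fingerprint-mismatch',
    'step-up:network-change' (fingerprint matched, network did not), 'allow'.
    """
    rec = store.get(req.cookie)
    if rec is None:
        return "deny:no-session"
    if fingerprint_hash(req.fp) != rec.fp_hash:
        # A stolen cookie replayed from the buyer's own browser lands here.
        return "deny:fingerprint-mismatch"
    if req.asn != rec.asn:
        # Cookie and fingerprint both match: an anti-detect browser loaded with the
        # victim's bot package looks like the victim. Only the network differs.
        return "step-up:network-change"
    return "allow"


# Constructed sample data (hypothetical victim and buyer).
VICTIM_FP = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0.0.0",
    "screen": "1920x1080x24",
    "timezone": "America/New_York",
    "languages": "en-US,en",
    "webgl_renderer": "ANGLE (NVIDIA GeForce GTX 1060)",
}
VICTIM_ASN = 7922      # constructed: victim's home ISP
ATTACKER_FP = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/110.0.0.0",
    "screen": "1366x768x24",
    "timezone": "Europe/Moscow",
    "languages": "ru-RU,ru",
    "webgl_renderer": "Mesa llvmpipe",
}
ATTACKER_ASN = 9009    # constructed: buyer's VPN provider


def demo() -> dict:
    """Issue one session for the victim, then replay its cookie three ways."""
    store = {}
    cookie = "sess_" + hashlib.sha256(b"constructed-login-event").hexdigest()[:16]
    store[cookie] = SessionRecord("alice", fingerprint_hash(VICTIM_FP), VICTIM_ASN)
    return {
        # Legitimate owner on her own machine and network.
        "victim": check_request(store, Request(cookie, VICTIM_FP, VICTIM_ASN)),
        # Buyer pastes only the cookie into an ordinary browser.
        "cookie_only": check_request(store, Request(cookie, ATTACKER_FP, ATTACKER_ASN)),
        # Buyer loads cookie and cloned fingerprint into an impersonating browser.
        "cookie_plus_fingerprint": check_request(
            store, Request(cookie, dict(VICTIM_FP), ATTACKER_ASN)
        ),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>24}: {verdict}")
```

The point of the third verdict is that fingerprint binding alone is not a control against this class of marketplace; the fingerprint is part of what was stolen. If the buyer also routes through a residential proxy in the victim's ISP, the ASN check passes too, which is why step-up should key on something the stealer cannot exfiltrate from the browser (a hardware-bound passkey, a push approval on a separate device) rather than on more client-reported attributes.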
Genesis Market, unlike Hydra and other black markets, is also accessible via the clearnet, lowering the barrier to entry for less skilled threat actors seeking digital identities to penetrate individual accounts and corporate systems.
Genesis Market is the latest in a long line of illicit services taken down by law enforcement. It also comes almost exactly a year after the dismantling of Hydra, which was shut down by German authorities in April 2022 and caused a "seismic shift in the landscape of the Russian-speaking darknet market."
“Almost a year after Hydra’s takedown, five marketplaces — Mega, Blacksprut, Solaris, Kraken, and OMG! OMG! Market — have emerged as the largest players based on bid volume and number of sellers,” Flashpoint said in a new report.
The development also follows the launch of a new dark web marketplace known as STYX primarily aimed at financial fraud, money laundering and identity theft. It is said to have opened its doors around January 19, 2023.
"Some examples of customized service offerings marketed on STYX include cash-out services, data dumps, SIM cards, DDoS, 2FA/SMS bypass, fake and stolen ID documents, banking malware, and more," Resecurity said in a detailed write-up.
Like Genesis Market, STYX also offers utilities designed to circumvent anti-fraud solutions and access compromised accounts using granular digital identifiers such as stolen cookie files, physical device data, and network settings to spoof legitimate customer logins.
The emergence of STYX as a new platform within the commercial cybercrime ecosystem is another sign that the market for illegal services remains a lucrative business, allowing criminals to profit from the theft of credentials and payment data.
“The majority of STYX Marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online marketplaces, e-commerce, and other payment applications,” noted Resecurity. “The geographies targeted by these threat actors are global, spanning the US, EU, UK, Canada, Australia and several countries in APAC and the Middle East.”