FBI seizes Genesis Market, a notorious hacker marketplace for stolen logins

U.S. and international law enforcement agencies have seized Genesis Market, a notorious hacker marketplace used to acquire compromised credentials and digital browser fingerprints.

The FBI announced the takedown, dubbed “Operation Cookie Monster,” on Wednesday. Genesis Market domains now display a notice stating that U.S. law enforcement officials have executed a seizure warrant. “Genesis Market’s domains have been seized by the FBI pursuant to a seizure warrant issued by the United States District Court for the Eastern District of Wisconsin,” the message reads.

In addition to the FBI, the notice says the takedown involved law enforcement agencies from the United Kingdom, Europe, Australia, Canada, Germany, Poland and Sweden.

The operation also saw about 120 people arrested and 200 searches carried out globally. The U.K.’s National Crime Agency said it arrested 19 suspected site users, including two men aged 34 and 36, who are being held on suspicion of fraud and computer misuse. A senior FBI official told TechCrunch that arrests have also been made in the United States, but exact numbers were not confirmed.

“This is the biggest operation of its kind. We’re not just going after administrators or taking sites down; we’re going after users on a global scale,” the official said. They added that by obtaining Genesis Market’s computer systems, officials have identified approximately 59,000 users of the marketplace.

The FBI also provided data breach notification website Have I Been Pwned with “millions” of email addresses and passwords from the Genesis Market, which internet users can check to see if they were compromised.

Genesis Market has been active since 2017 as an invitation-only online marketplace that sells stolen credentials, cookies and digital browser fingerprints gathered from compromised systems. These fingerprints, or “bots,” included IP addresses, session cookies, plugins and operating system details, enabling attackers to impersonate victims’ browsers to access their online banking and subscription services, such as Amazon and Netflix, without needing the victim’s password or two-factor token.

Before its shutdown, Genesis claimed that these browser fingerprints would be kept up to date for as long as it retained access to a compromised device.

“In other words, Genesis customers aren’t making a one-time buy of stolen information of unknown vintage; they’re paying for a de facto subscription to the victim’s information, even if that information changes,” Yusuf Arslan Polat, senior threat researcher at Sophos, said in an analysis of Genesis Market last year.

Even up to its seizure, the number of infected devices for sale on the marketplace was growing in size.

“In 2021, over 20,000 new bots a month were being added to the site,” said Cyril Noel-Tagoe, principal researcher at cybersecurity and bot management company Netacea. “The market was temporarily down in the middle of 2022, however despite this, by March 2023, the number of bots available for sale had grown to over 450,000.”

The FBI said that Genesis Market, since its inception, offered access to data stolen from more than 1.5 million compromised computers worldwide containing over 80 million account access credentials. While overall financial losses have not yet been determined, the FBI says Genesis has made at least $8.7 million from the sale of stolen credentials, but noted that complete total losses likely exceed tens of millions of dollars.

According to reports, the now-defunct marketplace has been linked to millions of financially motivated cyber incidents globally. In June 2021, the hackers who breached gaming giant Electronic Arts claimed to gain access to the gaming giant by purchasing a $10 bot from Genesis Market that let them log into a company Slack account.

“As a result of the Genesis Market’s seizure, we expect to see an exodus of sellers and customers to competitor marketplaces,” Noel-Tagoe tells TechCrunch. “There are multiple other illicit marketplaces selling logs and credentials, although not on the scale of the Genesis Market. Alternatively, if a significant core of the Genesis Market administrators evade law enforcement, they may splinter off and create a new version of the site.”

The takedown of Genesis Market comes just weeks after the FBI gained access to the infamous BreachForums hacking forum and arrested a 20-year-old New York man accused of running the site. It also comes after U.S. law enforcement last year announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information — including Social Security numbers — of millions of Americans.

Updated with additional information from the FBI.