A dark web market that is thought to have facilitated the sale of some 80 million credentials is now in the hands of law enforcement, after an international campaign that involved about 200 raids and 100 arrests.
Genesis, a criminal marketplace centered on selling the digital materials needed for identity theft, went online nearly five years ago and has since been one of the biggest gathering places for those trading in illicit data. This follows the 2022 bust of Hydra, a similarly large dark web market. Law enforcement is currently riding high against long-established markets, but security experts warn that this activity will almost certainly shift to smaller upstart forums and the cycle will start over again.
Big-name dark web markets continue to fall with Genesis bust
Dubbed Operation Cookie Monster, the law enforcement action involved 17 countries and coordinated raids and arrests across the world. This includes 45 of the 56 FBI field offices located around the United States.
Most of the arrests appear to have been of individual buyers rather than individuals critical to the operation, but law enforcement also seized the web domains that Genesis Market used, taking its websites entirely offline. The dark web market is based in Russia, making actual seizure of hardware and arrest of “upper management” individuals essentially impossible unless the Russian government opts to participate.
Genesis was a bit different from other dark web markets in its offerings. Instead of emphasizing individual sales, it offered a “subscription service” that allowed access to a continually updated pool of information. Personal files of individual theft victims were created, and then updated over time as more stolen data (frequently from massive data breaches) rolled in; the customers paid for continual access to these files, and were even sent alerts when a profile they were subscribed to was updated with new information. In addition to personal information these files contained known logins to services such as PayPal, Amazon and Netflix.
The FBI says that much of the stolen information found on the dark web market has been shared with Have I Been Pwned, allowing individuals to check and see if any of their stolen information was being traded.
Law enforcement on a roll, but Russia-based activity remains hard to eliminate
Though law enforcement has racked up numerous wins in the past year, the circumstances of the case demonstrate why dark web markets are not going away any time soon.
In addition to enjoying a safe haven in Russia, dark web markets offer a product that is cheap and easy to obtain yet can be leveraged for massive rewards in the right circumstances. This is illustrated by numerous attacks on major organizations that stem from login or personal information that was sold through such a marketplace for just a few dollars.
The main forces behind Genesis also have the option of shifting their business to an encrypted platform like Telegram until they are ready to re-emerge with a new underground site or forum. If past instances are any indication, they could have a new dark web market up and flourishing in just several months.
Though Genesis is thought to have sold some 80 million credentials during its run of nearly half a decade, law enforcement believes that the victim count is much lower (due to victims securing accounts and organizations becoming aware of data breaches before their information can be successfully deployed). The US-based National Cybersecurity Alliance estimates that the total Genesis victim count was about two million, an impressive number but one that indicates either a very high rate of failure for credentials purchased there or a lot of the wares not drawing any interest.
Taking down Genesis is nevertheless a substantial victory for law enforcement, as the site was thought to distribute its own malware used to continually feed its market of stolen data with fresh information. It was one of the easier dark web markets to find one’s way to, and access depended only on receiving an invitation from a current member, which of course many members sold to anyone willing to pay. It was also known for its “user friendly” features once inside. The site now displays the logos of a number of international law enforcement organizations, with a message stating that it has been seized by the FBI.
In addition to Genesis and Hydra Market, recent law enforcement operations have taken down another dark web market called BreachedForums, several prominent ransomware gangs, the cryptocurrency mixing service ChipMixer, and an illicit crypto exchange based in Russia called Bitzlato.
James McQuiggan, Security Awareness Advocate at KnowBe4, notes that law enforcement action is not the ultimate solution to these issues: “In addition to law enforcement efforts, strong security awareness for users and organizations is critical. These programs can increase user awareness to recognize the importance of implementing robust cybersecurity measures, such as using strong passwords, keeping software up to date, and checking links to verify they’re not malicious. If they discover a social engineering style of email, they can report it to the proper teams within their organizations and work to reduce further risks to the organization.”
