Genesis Market: What Was It and How to Protect Yourself from Alternatives
6 minutes read
As reported widely in the press, the Genesis Market is no more.
On Tuesday 4th April 2023, the FBI seized control of the infamous marketplace that’d had hundreds of thousands of stolen digital identities for sale, replacing its login page with a takedown notice and call for further information from its users.
Source: FBI
What is (or was) the Genesis Market?
Netacea’s threat research team has had a close eye on the Genesis Market for many years, first publishing an exposé about the site in 2021. In our report, we revealed how the site worked, the high level of organization and sophistication behind its operation, and the danger it posed to general users of the internet.
The Genesis Market worked like any other eCommerce site, with a user-friendly interface and even customer support in multiple languages. But the only products for sale were digital identities, stolen from unsuspecting victims of malware that snatched “digital fingerprints” such as login credentials, form autofill details, session cookies and even device and browser IDs.
By buying one of these identities, Genesis customers could plug the “bot” into a specially created version of Chrome and access the victim’s accounts whilst appearing to be that person. These “bots” varied in price, from as little as 70c to over $370 depending on how many accounts they had access to and whether they included financial accounts such as banks.
Famously, one Genesis Market customer was able to access the EA corporate Slack account with credentials bought for $10, leading to the theft of source code for several games.
Back in April 2019 there were around 100,000 digital identities for sale on Genesis Market. As of March 2023, that number had exploded to over 450,000. The FBI has stated that this equated to 80 million individual credentials being on sale via Genesis Market at the time of its closure.
How did Genesis Market get shut down?
On 4th April 2023, the Genesis Market was taken offline by law enforcement agencies from 17 countries working together, being led by the FBI and the Dutch National Police.
Codenamed Operation Cookie Monster, the action involved taking over the Genesis Market domain whilst conducting a series of raids on the site’s operators. In all, 200 searches took place globally with officers making 120 arrests.
Potential victims of the Genesis Market can now check a portal created by the Dutch police to find out if their digital identity had been on sale on the Genesis Market, whilst the FBI has uploaded the list to haveibeenpwned.com.
What happens now Genesis Market is finished?
There’s no doubt the Genesis Market was a major player in the criminal world of stolen credentials and digital identities, with our Head of Threat Research, Matthew Gracey-McMinn calling it a “big fish” in a CNBC article.
With Genesis Market offline for good, it’s inevitable that its users will be looking elsewhere for means to access stolen accounts. There are several possibilities for what happens next.
A splinter group of Genesis could emerge
From the cooperation between law enforcement agencies across the world, it’s clear that, as with many online criminal operations, Genesis Market was an international project. This makes tracking and prosecuting them all very difficult, although the scale of Operation Cookie Monster and the number of raids and arrests made as part of it have been impressive.
Still, it’s possible a few of the perpetrators slipped through the net. It wouldn’t take many to form a splinter group of Genesis and “rise from the ashes” of their fallen marketplace, once the heat has died down. There have already been rumblings of a “new” Genesis on the dark web (Genesis, while invite-only, was accessible on the open web).
Competitors could seize Genesis’s market share
As Genesis Market was such a big player in the space, its sudden removal leaves a gap for competitors to fill. This might not happen immediately as other sites may not wish to bring too much attention to themselves under the shadow of Operation Cookie Monster, but there’s no shortage of much smaller groups to potentially step into the void Genesis has left.
Adversaries may pivot from malware to credential stuffing
For some time, our threat research team has noticed a trend away from Genesis Market’s modus operandi of using malware to snatch digital fingerprints and access accounts. This method is risky and requires some technical know-how to maintain as vulnerabilities get patched.
As the aforementioned haveibeenpwned.com demonstrates, there’s no shortage of data leaks taking place, sometimes containing millions of credentials (username and password pairs) for a particular service.
These leaks can then be used by criminals to test whether people have reused their passwords elsewhere online using a business logic attack called credential stuffing. By exploiting the login page of any site and automating the process, attacks can validate credentials leaked from one site across many others until they get a hit.
These accounts can then be sold on, or even accessed by the criminals who exposed them, stealing whatever the accounts contain (even financial details).
Credential stuffing attacks can be launched using freely obtainable leaks, using free tools, at massive scale without the need for expensive infrastructure. Watch a live demonstration of a credential stuffing attack in our on-demand webinar: Dissecting a Malicious Bot Attack.
Genesis Market alternatives: how to protect yourself from sites like Genesis Market
Given the size and value of Genesis Market’s operations and the opportunities it presented to cybercriminals, it’s no surprise that authorities expect copycat websites and similar marketplaces to try and take its place. The most effective way to prevent your own customers falling victim to these sites is to have appropriate measures against account takeover in place.
Protect your customers from account takeover
If you’re a business that deals with customer accounts, or even employee accounts that could be a target for criminals, this article might have been difficult reading given the real threats to digital identities.
After all, you can’t force users to use a unique password on your service, leaving them (and you) exposed to account takeover.
What you can do is detect credential stuffing attacks and block them instantly, using Netacea Bot Management. Powered by Intent Analytics™, our machine learning fraud detection platform, we can spot malicious activity across your websites, mobiles app and even APIs and mitigate them before they have chance to cause harm.
Subscribe and stay updated
Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.
By registering, you confirm that you agree to Netacea's privacy policy.