
119 arrested in Genesis Market takedown

The FBI and Dutch National Police led the takedown of Genesis Market alongside more than a dozen partners, including the U.K., Italy, Spain and Romania.

Genesis Market, an illicit marketplace that specializes in the sale of stolen credentials, was subject to a takedown Tuesday in an international law enforcement operation that resulted in 119 arrests.

The operation, named "Operation Cookie Monster," was announced Wednesday and led by the FBI's Milwaukee field office (with assistance from 44 other field offices), as well as the Dutch National Police. According to a press release from the U.S. Department of Justice (DOJ), international law enforcement partners included the U.K., Canada, Italy, Spain, Romania and others.

Since the founding of Genesis Market in 2018, it "has offered access to data stolen from over 1.5 million compromised computers around the world, containing over 80 million account access credentials," according to the DOJ's press release.

Credentials included individual banking, social media accounts and emails, plus initial access to organization networks. These organizations, the DOJ said, include those "connected to the financial sector; critical infrastructure; and federal, state and local government agencies."

"Genesis Market was also one of the most prolific initial access brokers (IABs) in the cybercrime world. IABs attract criminals looking to easily infiltrate a victim's computer system," the report read. "Genesis Market offered for sale the type of access sought by ransomware actors to attack computer networks in the United States and around the world, and published private-sector reports indicate that they indeed were used by ransomware actors to attack such systems."

Law enforcement also managed to identify numerous prolific Genesis Market users who either purchased or utilized the stolen credentials. Eleven domain names were seized and 119 arrests were made as a result of Operation Cookie Monster. A Europol news release said the operation also included "208 property searches and 97 knock-and-talk measures."

According to the FBI's warrant for the operation, the bureau has been investigating Genesis Market since 2018. The affidavit revealed that as part of the FBI's investigation, it funded the sale of approximately 115 "packages" of stolen data from the marketplace using bitcoin. The bureau then tracked the payments and utilized a cryptocurrency payment processor and a hosting provider to gain insights into both the marketplace's merchants and how the marketplace works.

The FBI also, as part of its investigation, gained access to multiple Genesis back-end servers. A forensic image of a server obtained in late 2020 contained "voluminous records," the affidavit said, including usernames and passwords, email accounts, bitcoin addresses, user search and purchase history, user tickets and comments, and records of packages sold or displayed for sale on Genesis.

"The FBI reviewed this data and found (1) that as of on or about Dec. 7, 2020, there were approximately 33,000 Genesis Market users and approximately 900,000 individual packages (or "bots") that had been listed for sale or sold on Genesis Market, and (2) that more than $4,000,000 dollars' worth of virtual currency had been deposited into Genesis Market," the warrant read.

The FBI obtained a forensic image of a second server located outside the United States in mid-2022 with updated figures. Through "on or about May 18" of that year, Genesis Market had 59,000 individual user accounts, 1.5 million packages for sale and "more than 200,000 account access credentials for sale on Genesis Market that were associated with federal, state and local government accounts."

The Genesis Market takedown is the latest in a line of recent marketplace disruptions. The FBI last month arrested the alleged owner and administrator of BreachForums, a darknet message board that facilitates the sale of stolen breach data. Hydra, another illicit darknet market, was taken down by law enforcement approximately one year ago.

However, questions remain regarding how complete the FBI's takedown of Genesis Market actually was. Security vendor ZeroFox said in a Wednesday blog post that the Tor version of the marketplace is still live, and Emsisoft threat analyst Brett Callow told TechTarget Editorial that a darknet version of the market is still up as of press time.

"There's no way of knowing how deeply compromised the Genesis operation was and still is," Callow said via email. "While the Tor site is still operational, smart cybercriminals will avoid using it. While something will eventually take Genesis' place, the takedown operation was undoubtedly a success. Cybercriminals operated with near-complete impunity in the past, but that's starting to change -- and that means there's more of a deterrent."

The FBI declined TechTarget Editorial's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
