Police from 17 countries, including the FBI and the RCMP, have shut down the Genesis Market, one of the biggest criminal websites for selling stolen credentials and access to bots.
In a news release today, the RCMP said the law enforcement agencies co-operated in a sequenced “global day of action” on Apr. 4 against Genesis Market, seizing domains and making arrests. The European police co-operative Europol said in a release there were 119 arrests worldwide — nine in Canada, according to the RCMP — 208 property searches and 97 knock-and-talk measures. Actions in Canada included the execution of search warrants, device seizures and orders to cease and desist communications.
The RCMP said the majority of Canadian Genesis users reside in Quebec.
The take-down is the third in the last 12 months, following the erasure of the Hydra Market and BreachForums.
Although the announcement was made today, some security news sites broke the story Tuesday after noticing the main page of the Genesis Market had a notice saying the domain had been seized by the FBI and the U.S. Justice Department.
The RCMP said cybercriminals purchased what the market owners referred to as ‘bots’ that infected victims’ devices through malware or account takeover attacks to gain access and defeat two-factor authentication and other security features as the first steps to commit fraud, hack into corporations, drop ransomware, and steal intellectual property.
With a bot, criminals would get access to all the data harvested by it, such as fingerprints, cookies, saved logins and autofill form data, Europol said. This information was collected in real time, it added – the buyers would be immediately notified of any change of passwords or other data.
The price per bot would range from as little as US$0.70 up to several hundreds of dollars, depending on the amount and nature of the stolen data, Europol said. The most expensive would contain financial information which would allow access to online banking accounts.
The criminals buying these special bots were not only provided with stolen data, but also with the means of using it, Europol said. Buyers were provided with a custom browser that would mimic the one used by a victim. This allowed the criminals to access their victim’s account without triggering any of the security measures from the platform the account was on. These security measures include recognizing a different log-in location, a different browser fingerprint or a different operating system.
Genesis Market had over 1.5 million bots and over 2 million identities listed when it was shut down, said the Mounties.
Because of its content, Genesis Market was also one of the most prolific initial access brokers (IABs – people who sell hacked access to organizations) in the cybercrime world, said the U.S. Justice Department.
“Cybercriminals often operate with the confidence that they’re anonymous online and won’t be held accountable for crimes committed in other countries,” said RCMP deputy commissioner Bryan Larkin, who oversees the force’s specialized policing services. “As this operation demonstrates, these assumptions are not true. The Genesis Market takedown proves the impact that law enforcement and partners can have when working together. The work doesn’t stop here; we look forward to continued collaboration and future successes.”
Twenty-eight Canadian police services and the Canadian Radio-television and Telecommunications Commission (CRTC) worked to identify a significant number of Genesis Market users in Canada as part of the take-down. The RCMP’s effort was run through its fledgling National Cybercrime Co-ordination Centre (NC3), which opened in 2020 but won’t be fully operational until next year.
The attack-day efforts by law enforcement were co-ordinated by the European Union Agency for Criminal Justice Co-operation (Eurojust). The agency hosted a co-ordination meeting in March 2023 to prepare for the operation, and hosted a command center on Tuesday.
Dutch Police have created a portal where people can check whether their information has been compromised by filling in their email address to discover whether it is part of a Genesis Market leak. The FBI has also added stolen victim credentials to the HaveIBeenPwned website and encourages everyone to visit the site to check if their identities were stolen.