This post may contain affiliate links, please read our affiliate disclosure to learn more.
Genesis Market Takedown (aka Operation Cookie Monster)

Genesis Market Takedown (aka Operation Cookie Monster)

 By Charles Joseph | Cybersecurity Researcher
 Published on April 6th, 2023
This post was updated on November 25th, 2023

A huge international law enforcement operation, called Operation Cookie Monster, has successfully taken down Genesis Market.

This illegal online marketplace was known for selling stolen login information for email, bank accounts, and social media platforms.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

The operation involved 17 countries and resulted in 119 arrests and 208 property searches across 13 nations.

However, it seems that the .onion mirror site for the market is still active.

Genesis Market began in March 2018 and quickly became a hotspot for criminal activities.

It provided access to data stolen from more than 1.5 million compromised computers all over the world, adding up to over 80 million stolen credentials.

Most of the malware infections connected to Genesis Market were found in countries like the U.S., Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Poland, Ukraine, Saudi Arabia, India, Pakistan, and Indonesia, according to data collected by Trellix.

The cybercriminals used various malware families, such as AZORult, Raccoon, RedLine, and DanaBot, to hack into victims’ systems and steal their sensitive information.

Additionally, DanaBot was used to spread a fake Chrome extension that secretly gathered browser data.

The U.S. Department of Justice (DOJ) explained that the stolen account login information sold on Genesis Market was linked to important sectors like finance, critical infrastructure, and federal, state, and local government agencies.

The Department of Justice (DOJ) described Genesis Market as one of the most successful initial access brokers (IABs) in the world of cybercrime.

The U.S. Treasury Department also sanctioned this criminal marketplace, calling it a crucial resource for attackers targeting U.S. government organizations.

Genesis Market didn’t just sell stolen login information; they also sold device fingerprints, which are unique identifiers and browser cookies.

These fingerprints help cybercriminals avoid anti-fraud detection systems used by many websites.

The DOJ explained that this mix of stolen access credentials, fingerprints, and cookies enabled buyers to impersonate victims by tricking websites into thinking the Genesis Market user was the actual account owner.

Court documents show that the U.S. Federal Bureau of Investigation (FBI) managed to access Genesis Market’s backend servers twice, in December 2020 and May 2022.

This allowed the FBI to gather information on approximately 59,000 users of this cybercrime marketplace.

The stolen information packages, taken from infected computers or “bots,” were sold for prices ranging from $0.70 to several hundred dollars.

The cost varied depending on the type of data, as reported by Europol and Eurojust.

The most expensive information packages sold on Genesis Market contained financial data that could grant access to online banking accounts.

Europol mentioned that criminals who bought this data were also given extra tools to help them use it without getting caught.

These buyers received a custom browser that imitated their victim’s browser, allowing them to access the victim’s account without setting off any security measures on the platform.

The special Chromium-based browser, known as Genesium, works on multiple platforms.

Its creators claim that it offers features like “anonymous surfing” and other advanced functions that help users get around anti-fraud systems.

Genesis Market was different from other illegal marketplaces like Hydra because it could also be accessed on the clearnet.

This made it easier for less experienced cybercriminals to get their hands on digital identities, which they could then use to break into individual accounts and enterprise systems.

The shutdown of Genesis Market is expected to cause a ripple effect in the underground economy, as cybercriminals look for alternatives to fill the gap left by the marketplace.

Genesis Market is just one of many illegal services that have been taken down by law enforcement over the years.

Its closure comes exactly one year after the German authorities dismantled Hydra in April 2022, which caused a massive shift in the Russian-language darknet marketplace scene.

Since Hydra’s takedown, five markets – Mega, Blacksprut, Solaris, Kraken, and OMG!OMG! Market – have become the biggest players based on the number of offers and sellers, according to a report by Flashpoint.

This development comes as a new dark web marketplace called STYX has been launched, focusing on financial fraud, money laundering, and identity theft. STYX is believed to have started operating around January 19, 2023.

Resecurity provided a detailed analysis of STYX, stating that the marketplace offers services like cash-out options, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware, and more.

Similar to Genesis Market, STYX also provides tools designed to bypass anti-fraud solutions and access compromised accounts using stolen cookie files, device data, and network settings to imitate legitimate customer logins.

The appearance of STYX as a new platform in the commercial cybercriminal ecosystem is another indication that the market for illegal services remains a lucrative business.

This allows bad actors to profit from stolen credentials and payment data.

Resecurity mentioned that most STYX marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online marketplaces, e-commerce, and other payment applications.

The threat actors operate on a global scale, targeting countries like the U.S., E.U., U.K., Canada, Australia, and multiple countries in the APAC and Middle East regions.

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
Scroll to Top