Notorious criminal marketplace selling victim identities taken down in international operation

An international operation involving the National Crime Agency has taken down one of the biggest online marketplaces selling stolen credentials to criminals worldwide.

The activity, which involved 17 countries and was led by the FBI and Dutch National Police, saw Genesis Market taken offline yesterday, 4 April.

Genesis Market was a go-to service for criminals seeking to defraud victims, having hosted approximately 80 million credentials and digital fingerprints stolen from over two million people.

As part of the investigation the NCA, working with City of London Police and policing partners across the UK, identified hundreds of UK-based users of the platform. This resulted in 31 warrants being executed yesterday and this morning in coordinated raids by the NCA, Regional Cyber Crime Units and police forces.

24 people were arrested in the UK, including two men, aged 34 and 36, who were detained by the NCA in Grimsby on suspicion of Computer Misuse Act and fraud offences.

UK activity will continue in the form of arrests and preventative action, where many users will be contacted by law enforcement and warned about their potentially criminal activity.

In total, there were around 120 arrests, over 200 searches and close to 100 pieces of preventative activity carried out across the globe.

Rob Jones, NCA Director General NECC and Threat Leadership, said: “Behind every cyber criminal or fraudster is the technical infrastructure that provides them with the tools to execute their attacks and the means to benefit financially from their offending.

“Genesis Market was a prime example of such a service and was one of the most significant platforms on the criminal market. Its removal will be a huge blow to criminals across the globe.

“Targeting this infrastructure is at the core of the NCA’s efforts to disrupt the highest harm offenders and protect the public from those seeking to infiltrate their lives, stealing their identities and their money.

Genesis Market traded in digital identities, selling ‘bots’ that contained information harvested from victim devices, which had been infected using malicious attacks.

These indiscriminate attacks were conducted against both members of the public and companies operating in a variety of sectors.

The bots would give criminals access  to all the data pertaining to an individual identity, such as cookies, saved logins and autofill form data. This information was collected in real time, meaning the buyers would be notified of any change of passwords etc.

The price per bot would range from as little as $0.70 up to several hundreds of dollars depending on the amount and nature of the stolen data. The most expensive bots would contain financial information, which would allow access to online banking accounts.Genesis wide social graphic

Criminals could use this access to steal from victims, either by directly moving money out of an account, or using the credentials to pay for goods and services for their own benefit.

They may also have used the victim account in the process of laundering the profits of other criminal activity – also known as money muling.

Genesis Market was unique in that it provided users with a custom browser, which would mimic that of their victim. This allowed the criminals to essentially masquerade as the victim, making it look like they were accessing their accounts from the usual location and operating system, thus not triggering security measures.

It’s likely that criminals would use information about a victim they had obtained from their various accounts, such as interests, names of friends and family, and personal circumstance, to socially engineer them for further offences.

This process sees a fraudster using the information to build trust with a victim, then manipulating them into handing over money voluntarily, e.g. via romance or investment frauds.