April 4, 2023

Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. The domain seizures coincided with more than a hundred arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data.

Several websites tied to the cybercrime store Genesis Market had their homepages changed today to this seizure notice.

Active since 2018, Genesis Market’s slogan was, “Our store sells bots with logs, cookies, and their real fingerprints.” Customers could search for infected systems with a variety of options, including by Internet address or by specific domain names associated with stolen credentials.

But earlier today, multiple domains associated with Genesis had their homepages replaced with a seizure notice from the FBI, which said the domains were seized pursuant to a warrant issued by the U.S. District Court for the Eastern District of Wisconsin.

The U.S. Attorney’s Office for the Eastern District of Wisconsin did not respond to requests for comment. The FBI declined to comment.

Update, April 5, 11:40 a.m. ET: The U.S. Department of Justice just released a statement on its investigation into Genesis Market. In a press briefing this morning, FBI and DOJ officials said the international law enforcement investigation involved 14 countries and resulted in 400 law enforcement actions, including 119 arrests and 208 searches and interviews worldwide. The FBI confirmed that some American suspects are among those arrested, although officials declined to share more details on the arrests.

The DOJ said investigators were able to access the user database for Genesis Market, and found the invite-only service had more than 59,000 registered users. The database contained the purchase and activity history on all users, which the feds say helped them uncover the true identities of many users.

Original story: But sources close to the investigation tell KrebsOnSecurity that law enforcement agencies in the United States, Canada and across Europe are currently serving arrest warrants on dozens of individuals thought to support Genesis, either by maintaining the site or by supplying the service with bot logs from infected systems.

The seizure notice includes the seals of law enforcement entities from several countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the United Kingdom.

When Genesis customers purchase a bot, they’re purchasing the ability to have all of the victim’s authentication cookies loaded into their browser, so that online accounts belonging to that victim can be accessed without the need of a password, and in some cases without multi-factor authentication.

“You can buy a bot with a real fingerprint, access to e-mail, social networks, bank accounts, payment systems!,” a cybercrime forum ad for Genesis enthused. “You also get all previous digital life (history) of the bot – most services won’t even ask for login and password and identify you as their returning customer. Purchasing a bot kit with the fingerprint, cookies and accesses, you become the unique user of all his or her services and other web-sites. The other use of our kit of real fingerprints is to cover-up the traces of your real internet activity.”

The Genesis Store had more than 450,000 bots for sale as of Mar. 21, 2023. Image: KrebsOnSecurity.

The pricing for Genesis bots ranged quite a bit, but in general bots with large amounts of passwords and authentication cookies — or those with access to specific financial websites such as PayPal and Coinbase — tended to fetch far higher prices.

New York-based cyber intelligence firm Flashpoint says that in addition to containing a large number of resources, the most expensive bots overwhelmingly seem to have access to accounts that are easy to monetize.

“The high incidence of Google and Facebook is expected, as they are such widely used platforms,” Flashpoint noted in an analysis of Genesis Market, observing that all ten of the most expensive bots at the time included Coinbase credentials.

Genesis Market has introduced a number of cybercriminal innovations throughout its existence. Probably the best example is Genesis Security, a custom Web browser plugin which can load a Genesis bot profile so that the browser mimics virtually every important aspect of the victim’s device, from screen size and refresh rate to the unique user agent string tied to the victim’s web browser.

Flashpoint said the administrators of Genesis Market claim they are a team of specialists with “extensive experience in the field of systems metrics.” They say they developed the Genesis Security software by analyzing the top forty-seven browser fingerprinting and tracking systems, as well as those utilized by 283 different banking and payment systems.
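As an added defensive illustration of the cookie-and-fingerprint replay described above (this is not code from the article, from Genesis, or from any firm named here), the following Python scans constructed web access-log lines for two signs of a replayed session: the fingerprint hash changing mid-session, and the same session being used from two networks minutes apart even though the fingerprint matches, which is what a cloned browser profile produces. The log format, field names and sample values are assumptions.

```python
"""Added defensive example: detect replay of a stolen session cookie in access logs.
Assumed (constructed) line format: "<ISO ts> sid=<id> ip=<client ip> ua=<fingerprint hash>".
A cloned profile presents a matching fingerprint, so the check also flags one session
used from two networks within a short window."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2023-04-04T10:00:00Z sid=abc123 ip=203.0.113.7 ua=h1
2023-04-04T10:05:00Z sid=abc123 ip=203.0.113.7 ua=h1
2023-04-04T10:06:30Z sid=abc123 ip=198.51.100.9 ua=h1
2023-04-04T10:07:00Z sid=def456 ip=192.0.2.44 ua=h2
2023-04-04T10:09:00Z sid=def456 ip=192.0.2.45 ua=h9
"""


def parse_line(line):
    """Split one log line into timestamp, session id, client /24 and fingerprint hash."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "sid": fields["sid"],
        "net": ipaddress.ip_network(f"{fields['ip']}/24", strict=False),
        "ua": fields["ua"],
    }


def detect_cookie_replay(log_text, window=timedelta(minutes=10)):
    """Return (session id, reason) alerts, one per suspicious request.

    fingerprint_changed: ua hash differs from the session's previous request
        (plain cookie theft without a cloned browser profile).
    concurrent_network_use: same session, different /24, within `window` of the
        previous request, fingerprint identical (the cloned-profile case).
    """
    last_seen = {}  # sid -> previous request on that session
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        prev = last_seen.get(ev["sid"])
        if prev is not None:
            if ev["ua"] != prev["ua"]:
                alerts.append((ev["sid"], "fingerprint_changed"))
            elif ev["net"] != prev["net"] and ev["ts"] - prev["ts"] <= window:
                alerts.append((ev["sid"], "concurrent_network_use"))
        last_seen[ev["sid"]] = ev
    return alerts
```

Running `detect_cookie_replay(SAMPLE_LOG)` flags `abc123` for concurrent network use with an identical fingerprint and `def456` for a fingerprint change; in production the /24 comparison would be replaced by ASN or geolocation lookups and the alert fed into session revocation.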

Cybersecurity experts say Genesis and a handful of other bot shops are also popular among cybercriminals who work to identify and purchase bots inside corporate networks, and then turn around and resell that access to ransomware gangs.

Michael Debolt, chief intelligence officer for Intel 471, said so-called “network access brokers” will scour automated bot shops for high value targets, and then resell them for a bigger profit.

“From ‘used’ or ‘processed’ logs — it is actually quite common for the same log to be used by multiple different actors who are all using it for different purposes – for instance, some actors are only interested in crypto wallet or banking credentials so they bypass credentials that network access brokers are interested in,” Debolt said. “These network access brokers buy these ‘used’ logs for very cheap (or sometimes for free) and search for big fish targets from there.”

In June 2021, hackers who broke into and stole a wealth of source code and game data from the computer gaming giant EA told Motherboard they gained access by purchasing a $10 bot from Genesis Market that let them log into a company Slack account.

One feature of Genesis that sets it apart from other bot shops is that customers can retain access to infected systems in real-time, so that if the rightful owner of an infected system creates a new account online, those new credentials will get stolen and displayed in the web-based panel of the Genesis customer who purchased that bot.

“While some infostealers are designed to remove themselves after execution, others create persistent access,” reads a March 2023 report from cybersecurity firm SpyCloud. “That means bad actors have access to the current data for as long as the device remains infected, even if the user changes passwords.”

SpyCloud says Genesis even advertises its commitment to keep the stolen data and the compromised systems’ fingerprints up to date.

“According to our research, Genesis Market had more than 430,000 stolen identities for sale as of early last year – and there are many other marketplaces like this one,” the SpyCloud report concludes.

It appears this week’s action targeted only the clear web versions of Genesis Market, and that the store is still operating on a dark web address that is only reachable through the Tor network. In today’s press briefing, DOJ officials said their investigation is ongoing, and that actions taken already have allowed them to disrupt Genesis in a way that may not be readily apparent.

In a blog post today, security firm Trellix said it was approached by the Dutch Police, who were seeking assistance with the analysis and detection of the malicious files linked to Genesis Market.

“The primary goal was to render the market’s scripts and binaries useless,” Trellix researchers wrote.

As described in the Trellix blog, a major part of this effort against Genesis Market involves targeting its suppliers, or cybercriminals who are constantly feeding the market with freshly-stolen bot data. The company says Genesis partnered with multiple cybercriminals responsible for selling, distributing and maintaining different strains of infostealer malware, including malware families such as Raccoon Stealer.

“Over the years, Genesis Market has worked with a large variety of malware families to infect victims, where their info stealing scripts were used to steal information, which was used to populate the Genesis Market store,” the Trellix researchers continued. “It comes as no surprise that the malware families linked to Genesis Market belong to the usual suspects of common info-stealers, like AZORult, Raccoon, Redline and DanaBot. In February 2023, Genesis Market started to actively recruit sellers. We believe with a moderate level of confidence that this was done to keep up with the growing demand of their users.”

How does one’s computer become a bot in one of these fraud networks? Infostealers are continuously mass-deployed via several methods, including malicious attachments in email; manipulating search engine results for popular software titles; and malware that is secretly attached to legitimate software made available for download via software crack websites and file-sharing networks.

John Fokker, head of threat intelligence at Trellix, told KrebsOnSecurity that the Dutch Police tracked down several people whose data was for sale on Genesis Market, and discovered that the victims had installed infostealer malware that was bundled with pirated software.

The Dutch Police have stood up a website that lets visitors check whether their information was part of the stolen data for sale on Genesis. Troy Hunt’s Have I Been Pwned website is also offering a lookup service based on data seized by the FBI.

Ruben van Well, team leader of the Dutch police cybercrime unit in Rotterdam, said more than 800,000 visitors have already checked their website, and that more than 2,000 of those visitors were alerted to active infostealer malware infections.

Van Well said Dutch authorities executed at least 17 arrests in connection with the investigation so far. He added that while the cybercriminals running Genesis Market promised their customers that user account security was a high priority, the service stored all of its data in plain text.

“If users would say can you please delete my account, they’d do it, but we can still see in the logs that they asked for that,” van Well said. “Genesis Market was not very good at protecting the security of its users, which made a mess for them but it’s been great for law enforcement.”

According to the Dutch Police, Microsoft this morning shipped an update to supported Windows computers that can remove infections from infostealer malware families associated with Genesis Market.

The Dutch computer security firm Computest worked with Trellix and the Dutch Police to analyze the Genesis Market malware. Their highly technical deep-dive is available here.

This is a developing story. Any updates will be added with notice and timestamp here.

Apr. 5, 11:00 am ET: Added statement from Justice Department, and background from a press briefing this morning.

Apr. 5, 12:24 pm ET: Added perspective from Trellix, and context from DOJ officials.

Apr. 5, 1:27 pm ET: Added links to lookup services by the Dutch Police and Troy Hunt.


26 thoughts on “FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers”

  1. Jay

    The consequences of engagement in these criminal cyber activities and “businesses” need to get extremely harsh for these criminals in order to reduce the attractiveness for this ever developing and proliferation of the practice by so many computer savvy users.

    1. Yaj

      This is such a low quality statement. Even a death sentence wouldn’t help. Trust me.

  2. jon bondy

    Bot is so generic. I wish I better understood how these particular bots work. The story could benefit from a little more background information.

    1. Diogenes

      They work the same way all botnet bots work. Hacker gains access to your computer, steals your cookies and browser configuration (fingerprint). He installs software allowing the use of your computer as a proxy. You are now a bot. He sells the cookies, fingerprint, and proxy to someone on Genesis Market, who uses them to access the web accounts you are already logged into.

  3. Cindy Toon

    Great work, I know it’s a never-ending process; by the time you take one down another arises. Thank you for working on securing the lines for us.

  4. Jsmith

    This is why I joined Fortinet and have been so busy learning. Because I want to help stop these morons before they ruin the internet for all the good people and young youth who haven’t got to fully enjoy the net and its awesome stuff to learn.
    Cyber response.

  5. Joseph W Thompson Jr

    I am one of these people that has been robbed of everything. I would give part of all rights to any publication to whoever gives me proper help and financial legal help.

    1. Micah

      Just write down your name; your address; and your phone# and someone will send you as much money as you need.

  6. Chazer

    The Genesis Tor address still works perfectly fine. Seems like they only seized the top level domains.

    1. mealy

      As the article noted, just before “In today’s press briefing, DOJ officials said their investigation is ongoing, and that actions taken already have allowed them to disrupt Genesis in a way that may not be readily apparent.”

      The question is would you trust the service as a (criminal) buyer, knowing they’re raided by all these LE agencies worldwide with hundreds of arrests and which just happens to store customer data in plaintext, even through Tor? Talk about a web of trust…

  7. David Reyes

    It’s about time that they’re doing something about these parasites!!
    I’ve been taken for over 110,000.00!!!
    Keep getting fake emails from people I don’t even know!!!
    These are people who don’t have any job, nothing else to do.
    As far as age is concerned, more than likely they’re in the age bracket from their teens into their 30s, living with mom and dad!!!
    Called age of the New World Order!!!

  8. Clive Robinson

    I hate to say it but “these parasites” only exist because there is a “food chain” for them to not just feed and grow but bring in others.

    The Internet is such a target rich environment the only reason most have not been attacked is that the parasites have not had the time to get around to them “yet”…

    The sad fact is all those big Silicon Valley Corps are the reason why it’s technically possible for the food chain to exist. The reason that the food chain is so bountiful is all the financial institutions pushing Internet use as a way for them to lay off staff, close bank branches etc and most importantly “externalise risk” onto either the account holders or merchants.

    The way to protect yourself as an individual is never ever do any kind of personal or other transaction online.

    The way to kill the food chain is to use heavy customer and merchant friendly legislation to force all the risk back into the banks and other financial organisations.

    Yes the law of “unintended consequences” will cause some issues, but are the harms going to be any worse than they currently are?

    Very probably not.

    One side effect of pushing the risk back where it belongs, is that the banks etc will “push-back” against the Silicon Valley and other Corps that make it so easily possible for the food chains that feed the parasites to exist.

    1. mealy

      Alexa, please remand the prisoner to custody.

  9. Mak

    The US regime is the largest international crime syndicate in all of history who are they to prosecute anyone

  10. Robert Garback

    What these criminals need is a little electroconvulsive therapy–about 3000 volts worth.

    1. Justin H

      Loved Spam Nation! Just wanted to say I’ve been a fan of yours since you shut down Atrivo!
      Appreciate that you are still at it and the mission is still the same.
      Cheers!
