A month on from an international operation that culminated in the FBI seizing the web domains used by the fraud platform Genesis Market, the cybercrime underworld remains suspicious of its surviving darknet site and slow to move to its competitors.
Researchers and law enforcement intelligence officials monitoring Genesis Market’s primary alternatives, Russian Market and 2easy Shop — sites that similarly sold browser data that allowed scammers to commit fraud — say the takedown has had a global impact on online crime.
Although a darknet mirror of Genesis Market remains online, criminals appear hesitant to use that .onion site due to fears it is actually being controlled by the FBI, while Treasury sanctions also complicate cryptocurrency interactions with the platform.
In the first few days following the FBI raid — known as Operation Cookie Monster — an account run by Genesis Market’s operators across a number of criminal forums attempted to dispel users’ concerns. The account argued that the FBI had only seized open web domains and that the darknet platform was still safe to use.
The account made these arguments for a short while — “maybe days, maybe a week” — before the forum administrators decided to ban it, as András Tóth-Czifra, a senior analyst at Flashpoint, told The Record. This was a standard move, he said, showing how little trust the underworld had for operators who had been successfully targeted by law enforcement.
There was no evidence that the account was authentically the market’s operators or if it was an FBI honeypot operation. Even if it was real, there was no way to know if it was fully secure following the takedown. For cybercrime forum operators, banning the account was the safest thing to do from an operational security perspective.
Impact on competitors
While that account was busy claiming Genesis Market would survive, its main competitor, Russian Market, effectively froze, said Alexander Leslie, a cybercrime specialist at Recorded Future. The Record is an editorially independent business owned by Recorded Future.
“For Russian Market, we observed an immediate stop to the daily listing of all new infostealer logs, beginning on April 4, 2023,” said Leslie. Immediately the question was whether a vendor who had been supplying Russian Market as well as Genesis Market had been arrested as part of Operation Cookie Monster.
“We’re not sure,” said Leslie. “It’s also possible that Russian Market itself halted all new listings as a precautionary measure.”
However, a week afterward, the listings on Russian Market began again. Flashpoint’s Tóth-Czifra estimated that as of mid-May there were about 15% more than there had been before the takedown, though he cautioned that while there was a trend, it wasn’t possible to say logs that would have been sold on Genesis Market were now being sold on Russian Market.
“We’re talking about apples and oranges a little,” he explained. The logs on Genesis Market had been processed so they could be used by the criminal consumers.
“The logs that we see on places like Russian Market, 2easy, are just raw logs, they are as they come out of the stealer malware,” meaning that they were less easy to deploy for less-experienced criminals, Tóth-Czifra said.
Leslie said the effect on 2easy Shop was “a little more opaque,” as it had for been plagued by rumors that it was a scam for several months stretching back to late 2022.
Kateryna Zabavko, a senior intelligence analyst also at Flashpoint, said that 2easy Shop hadn’t shown the kinds of increase in listings that Russian Market had following Operation Cookie Monster.
Its administrators had worked hard to build its reputation and popularity across a number of the most important dark web forums, even operating their own Telegram channel, but “doubts have begun to creep in about the administration team,” she said, due to their suspicious behavior.
Leslie explained: “Threat actors had alleged that 2easy Shop was reposting old or invalid data from Russian Market, Genesis Market, and 2easy Shop itself, after a buyer made a purchase. There were also allegations that 2easy Shop was stealing registration fees.”
“The market right now is very much in flux,” said Tóth-Czifra, who stressed that the takedown was a relatively recent event.
“I want to draw a parallel. After Hydra was taken down last year — it was a market that sold different things [than Genesis Market did] — but it took about six months for the market to re-establish itself,” he said. “I think we see a similar movement here, it may be a little less chaotic in the sense that we see higher volumes on Russian Market. “Not hugely higher volumes, it’s just noticeably higher volumes.”
The path to distrust
Back in April, the FBI seized Genesis Market’s open web domains, replacing them with a splash notice stating they had been seized following an operation by a coalition of international law enforcement agencies, although as The Record reported at the time, the platform’s website on the Tor network remained up and running.
Will Lyne, the head of intelligence at the U.K. National Crime Agency’s cybercrime unit, told The Record that the dark web version of the site “remains active due to the fact it is hosted in an inaccessible jurisdiction.” Despite this, he said, the volumes of stolen data and users on the platform have been “measurably reduced.”
Among its rivals, Genesis Market had been the best in class. It hadn’t just been a place for criminals to sell stolen credentials, but had processed the logs captured by infostealer malware into special packages that could be plugged into a browser extension the platform had developed.
As a platform, Genesis Market was effectively a one-stop-shop for fraud, letting criminals buy a package of stolen credentials and then “plug-and-play” with the stolen data using the plugin, browsing the web exactly as if they were physically using their victim’s machines and bypassing anti-fraud detection systems.
Within the first 24 hours of the splash pages being uploaded, police said they had arrested almost 120 people globally who had been using the platform. Even more significantly for the userbase, senior officials at the FBI said they had identified and located Genesis Market’s backend servers, obtaining “information about approximately 59,000 individual user accounts,” the officials said.
That provoked fear among Genesis Market’s users that their cryptocurrency addresses and usernames could be used by police to pursue their real-world identities, Tóth-Czifra said.
More arrests have been made since the original announcement, Lyne told The Record, adding: “We have no doubt that this operation has significantly degraded trust in Genesis and its administrators.”