Operation Cookie Monster, which led to the dismantling of the Genesis Market site on Tuesday, April 4, dealt a severe blow to one of the main sources of cybercrime: online identity theft. One of the participants in the operation goes over its details and implications for France 24, following the announced end of this supermarket of digital identities.
It was a big operation for a big fish. Police from fourteen countries, including France, carried out a vast operation on Tuesday, April 4, to dismantle the cybercrime network built around the Genesis Market site. The result of the crackdown, dubbed “Operation Cookie Monster”: more than 110 arrests and the seizure of the site by the American authorities.
“Since its inception in 2018, the Genesis Market platform has given its customers access to over 80 million account credentials found on more than 1.5 million hacked computers worldwide,” the FBI said in a press release published Wednesday, April 5.
Luxury shop for identity theft
It is therefore a major player in the international cybercrime ecosystem that is disappearing. “The most popular of its kind”, says the online malicious activity analysis company Netacea, in a study published in 2021. Genesis Market sold its illegal wares to nearly 60,000 loyal customers. By comparison, Silk Road, the largest online drug supermarket, which catered to a much wider audience, had just under 100,000 members shortly before it was seized by the FBI in 2013.
Genesis Market also occupied a much more specialized niche than Silk Road. It sold turnkey kits to “spoof the online identities of millions of internet users”, says John Fokker, head of threat intelligence at the research center of cybersecurity firm Trellix, who took part in the international operation to take down Genesis.
The platform was like a supermarket for access to Netflix, PayPal, Amazon and Binance accounts, and to a long list of financial sites. “There are a lot of other sites that are positioning themselves in a similar niche, but most of the time there are quite a few complaints about credentials not working. With Genesis Market, this kind of problem seemed very rare”, notes John Fokker.
Genesis was a bit of a luxury store in a world of cybercrime superstores. “They did more than necessary to provide customer service,” summarizes John Fokker. Those running the platform had, for example, developed a dedicated web browser that let their customers use the tools and credentials bought on the site more easily and discreetly.
Genesis also did not stop at usernames and passwords. The e-merchant also delivered the cookies needed for the site the impostor was logging into to believe it was really dealing with its legitimate customer. Cookies store the browsing information a site uses to recognize who is connecting, which “can be very useful for a cybercriminal to circumvent the obstacle of two-factor authentication”, notes John Fokker. If the cookie is still active, the targeted site has no reason to trigger one of its second-factor checks, such as sending a confirmation request by SMS.
Democratization of hacking
The malware used by Genesis to steal credentials also remained in place on hacked computers so that it could capture passwords as soon as they were changed. As a result, Genesis customers were guaranteed to always have the latest version of the credentials they needed.
This is how Genesis established itself over the years as an essential cog in the online crime toolbox. Credential theft may seem more innocuous than selling drugs online or trading in computer viruses, but “we must not forget that the majority of computer attacks rely first on the ability of the attacker to enter the target’s computer system pretending to be someone else,” said John Fokker.
Genesis Market had also contributed to a certain democratization of computer hacking. “The site made the process very simple and accessible to everyone”, Robert Jones, director of Britain’s National Economic Crime Centre, told the BBC. Beginner cybercriminals found everything they needed to get started at the deep end of online fraud.
Trellix also succeeded in neutralizing the malware used by Genesis. “The Dutch police with whom we collaborated were able to find, at one of the victims, computer files containing the malicious code, which we were able to analyze and counter”, notes John Fokker. In other words, tools that could have continued to be used by cybercriminals even after the fall of Genesis have also become useless.
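The two weaknesses the article describes, a replayed session cookie that sidesteps the second factor and a password change that the malware immediately harvests, both come down to how a site treats an already-issued session. The following is an added illustration, not code from the article or from any of the companies named: a minimal server-side session store (hypothetical, with constructed values) that demands a fresh second factor when a valid cookie shows up from a client that does not match the one it was issued to, and that revokes every session of a user when the password changes.

```python
# Added example: session handling that limits what a stolen cookie is worth.
# Fingerprint = user agent + network prefix (an assumption; coarse on purpose,
# since mobile users legitimately change addresses within a prefix).
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600  # seconds; constructed value for the example


def client_fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Coarse identity of the client a session was issued to."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}  # cookie value -> session record

    def issue(self, user: str, user_agent: str, ip_prefix: str) -> str:
        """Create a session after the user has completed login and MFA."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {
            "user": user,
            "fp": client_fingerprint(user_agent, ip_prefix),
            "issued": time.time(),
        }
        return cookie

    def check(self, cookie: str, user_agent: str, ip_prefix: str) -> str:
        """Return 'ok', 'step_up' (ask for MFA again) or 'reject'."""
        rec = self.sessions.get(cookie)
        if rec is None:
            return "reject"
        if time.time() - rec["issued"] > SESSION_TTL:
            del self.sessions[cookie]
            return "reject"
        presented = client_fingerprint(user_agent, ip_prefix)
        if not hmac.compare_digest(rec["fp"], presented):
            # Genuine cookie, different client: exactly the pattern a stolen
            # cookie produces, so do not let it bypass the second factor.
            return "step_up"
        return "ok"

    def revoke_user(self, user: str) -> int:
        """Drop every session of a user, e.g. right after a password change."""
        stale = [c for c, r in self.sessions.items() if r["user"] == user]
        for c in stale:
            del self.sessions[c]
        return len(stale)
```

Revoking sessions on password change matters here because the article's malware re-steals the new password at once; a rotation that leaves old sessions valid changes nothing for the buyer of the cookie.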
The king is dead, long live the king?
However, this is not the end of the war against this type of market for cybercriminals. First because “the creators of the site were not apprehended”, notes John Fokker. They might be tempted to rebuild their empire.
Then, if Genesis was the undisputed number 1, there was also a number 2. The fallen king’s main competitor, called Russian Market, is likely to fill the void it leaves.
Finally, announcing the definitive death of Genesis is perhaps a little premature. The operation closed the version of the site accessible “for all” on the open web, that is, the one that could be found with any browser. But there “remains a version of the site on the ‘deep web’”, notes John Fokker: the web pages that are not indexed by Google and can only be reached with a specific browser.
Much ado about nothing, then? It remains a blow for this environment, assures John Fokker. First, because the authorities were able to access customer records, and Tuesday’s arrests may only be the first of a long list.
Then because “this kind of operation reduces the confidence that customers will have in this type of site”, notes John Fokker. There will always be a hard core of users, but the more the authorities succeed in shutting down sites like Genesis, the less the average cybercriminal will be tempted to use them, for fear of getting caught too.