It’s been hardly two days since the invite-only website of notorious cybercriminal marketplace Genesis market was shut down. However, researchers have warned that the infrastructure is still there and it’s only a matter of time before a replacement pops up.
Threat intelligence analyst Dominic Alvieri tweeted on Thursday about the Genesis infrastructure remaining active, sharing the screenshot of a long-in window. He confirmed that with The Cyber Express.
Genesis Market infra still active.
/genesis7… https://t.co/RUNfrdc2Wi pic.twitter.com/m9kxccP5Ua
— Dominic Alvieri (@AlvieriD) April 6, 2023
“One backend onion sign in is still live, which I posted. I checked again. It is still live. The domain address begins with /genesis7,” he told The Cyber Express.
“While the takedown of clear web Genesis market domains and arrests of its users is important in reducing the market’s popularity and deter future buyers,” Alon Gal, Co-founder and CTO of Israel-based cybersecurity firm Hudson Rock, told The Cyber Express.
Credentials from info-stealer logs are too lucrative a vector for threat actors to leave just like that, he said.
“It is important to note that the dark web infrastructure of Genesis is still available as of now.”
Genesis market, down but not out
Genesis market was a prominent initial access broker (IAB) in the cybercrime world, offering easy access to the type of system sought by ransomware actors who attacked computer networks globally.
The site is only accessible to users with an invitation code. However, obtaining an invitation code is relatively easy as members who spend $20 on the site can generate one, Gal wrote in his assessment of Genesis market.
In 2020, the platform offered users access to the logs of over 230,000 infected computers, including 20,000 from the United States. Users can filter results by country, infection date, IP range, and browsing history to target specific victims, Gal wrote.
On April 5, 2023, law enforcement officials announced the closure of the Genesis market and the arrest of more than 120 individuals connected to the illegal online marketplace.
With the network being seized and operators arrested by law enforcement, threat actors will just not admit defeat, Gal observed.
“First they will shift their operations to support direct sales of info-stealer logs through Telegram, XMPP, forums and so on, and eventually open a new bazaar,” he said.
Alvieri’s tweet confirms such a move but has also raised doubts whether the existing domain is a honeypot to catch opportunistic criminals.
“It is unclear at this moment whether the login is a honeypot or not,” Alvieri said.
“However, I do believe not all the members were arrested. A few of the leaders appear to know security and have hidden their ID well,” he pointed out.
Genesis market and the coordinated global action
“An unprecedented law enforcement operation involving 17 countries has resulted in the takedown of Genesis Market, one of the most dangerous marketplaces selling stolen account credentials to hackers worldwide, announced Europol.
“As a result of an action day on 4 April, this illegal service was shut down and its infrastructure seized.”
FBI led the global operation, with the assistance of police and law enforcement agencies in in the UK, Italy, Australia, Canada, Romania, France, Spain, Germany, Sweden, Poland, Holland, Finland, Switzerland, Estonia, Iceland, New Zealand Police, and the Europol.
Genesis market has been providing access to stolen data from more than 1.5 million compromised computers worldwide since March 2018, said a US Department of Justice press release.
Over 80 million account access credentials have been advertised for sale, including those belonging to the financial sector, critical infrastructure, and various government agencies.
“The total number of Australian victims is still being calculated but investigators have identified 36,000 compromised Australian devices available for sale on Genesis market,” said an Australia Federal Police (AFP) announcement.
“More than 600 reports to ReportCyber that matches stolen information available on Genesis market,” it added.
The AFP and its regional partners executed 24 search warrants, with 10 arrested in three Australian states, including a Victorian man who is reportedly the most prolific purchaser of compromised information in the country.
“Operational activity will continue over the coming weeks and further arrests are anticipated. Don’t think that because we haven’t knocked on your door yet, we won’t be at all,” the AFP
Genesis was known to be a hub for the sale of illicit drugs, stolen data, and other illegal goods and services. The Dutch Police have developed a portal to help determine the personal details of their citizens have been compromised.
Genesis market had the potential to cause $46 million in harm to the Australian community through the sale of stolen Australian credentials and access to compromised Australian devices, said AFP Assistant Commissioner Cyber Command Scott Lee.
The website was only accessible through the use of specialized software designed to obscure users’ identities and locations, making it a popular destination for criminals seeking anonymity.
“If you used this website to purchase stolen information in the belief that you’re anonymous or that police don’t take it seriously, you are mistaken. This operation proves we are committed to stamping out cybercrime at every level,” Lee said in the AFP statement.
Related
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version=’2.0′;
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,’script’,
‘https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘5969393309772353’);
fbq(‘track’, ‘PageView’);
(function(c,l,a,r,i,t,y){
c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};
t=l.createElement(r);t.async=1;t.src=”https://www.clarity.ms/tag/”+i;
y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y);
})(window, document, “clarity”, “script”, “f1dqrc05x2”);