Genesis – a popular marketplace for stolen data on both the clear and dark web – has been seized in a global operation, according to the US Federal Bureau of Investigation (FBI). The US Office of Foreign Assets Control (OFAC) sanctioned the market the same day, while dozens of alleged affiliates were arrested.
Genesis Market is one of many marketplaces that form a multi-billion dollar stolen data industry that operates predominantly on the dark web. The black market for stolen passwords, credit card information, and social security numbers is conducted through a wide variety of websites, Telegram channels, and dark forums.
The clear web URL of Genesis Market was seized.
How did Genesis Market work?
Despite the many competing markets, Genesis Market stood out, and its unique features made it particularly desirable to buyers. Prospective customers first had to buy an invite code from other dark web vendors, usually for around $10-$30 in Bitcoin.
They could then tap into a lucrative market of stolen passwords and digital fingerprints, harvested from a multitude of infected computers that captured their owners' personal information. Britain's National Crime Agency (NCA) estimated that 80 million credentials and fingerprints from two million victims were put up for sale on the market.
Genesis Invite code on the now defunct dark web marketplace called Dark0de.
Unlike other sellers of stolen data, Genesis ran a casino-like business model. Cybercriminals paid for "bots", each granting access to the credentials and fingerprint harvested from one victim's machine, at prices that varied from bot to bot. A buyer might pay for an expensive bot and get very little of value from it, particularly where the victim's two-factor authentication and other security protections were strong. In other cases, a relatively inexpensive bot could unlock access to hundreds of thousands of dollars in bank funds or cryptoassets.
Bots for sale on the Genesis Market website.
It is not known how much Genesis Market earned during its operation, as it relied on an illegal payment processor that also served many other sellers of stolen data. Elliptic's internal data does show that sellers of stolen data and dark services have made over $1.8 billion in bitcoin since 2012, which illustrates the scale of the cybercrime underworld in which Genesis operated. Within that market, its size and its casino-style pricing earned Genesis a notoriety that its more traditional competitors lacked.
Another blow to the beleaguered stolen data market
The seizure of Genesis Market on April 5 marks a significant milestone in the fight against cybercrime. However, it is by no means the first – or even the most lucrative – takedown of a stolen data marketplace in recent years. Since the January 2022 shutdown of the leading stolen credit card vendor UniCC, the illegal data industry has suffered a series of serious setbacks.
Amid intense diplomatic negotiations between the US and Russia ahead of Russia's full-scale invasion of Ukraine, Russia appeared to cave to repeated calls from the Biden administration to crack down on Russian-origin ransomware and criminal enterprises on the dark web.
The UniCC marketplace – which handled over $358 million in stolen credit card sales over its lifetime – was the first to go. This was followed in February 2022 by the seizure of four more major data providers that together had processed $263 million in sales.
UniCC (closed in January 2022, left) and the four sites seized in February 2022 with their subsequent FSB seizure notification (right).
Soon after, two major credit card vendors – C2Bit and All World Cards – abruptly shut down and began dumping their accumulated bitcoin in a classic "exit scam", most likely out of fear that they would be next on the target list of Russia's Federal Security Service (FSB). The FSB announced in March that another 60 smaller suppliers had been taken down that month.
All World Cards announces its (permanent) “vacation” before its exit scam (left), and Elliptic Investigator shows C2Bit’s post-scam Bitcoin flight (right).
During the rest of 2022, two more major services were seized. SSNDOB – a seller of stolen personal data – was taken down by the FBI in June. iSpoof – a site that provided fraudsters with tools to spoof their phone numbers to appear legitimate when impersonating official agencies – was taken down in an operation led by British police in November.
Today, sellers and buyers of stolen data congregate in numerous underground cybercriminal forums, where the sentiment is largely distrustful and skeptical given recent scams and outlet seizures.
New market entrants are quickly labeled as "scams" and rarely stay in business for more than a few months. Meanwhile, the number of sellers operating exclusively on Telegram has soared, presumably because they see it as more resistant to seizure than a website. By the end of 2022, sales of stolen data and illegal services were running at less than a third of the level seen the year before.
However, Genesis itself remained a major player until its seizure, and millions of victims of financial fraud continue to be targeted by the sellers and buyers still operating. Elliptic conducts routine assessments of the stolen data market to ensure that virtual asset services and law enforcement investigators can effectively detect and mitigate the risks of processing illicit funds from these services.