
Operation Cookie Monster: Taking Down Genesis Market

The global cybercrime ecosystem is a complex, multi-tiered operation. Criminal organizations maintain the IT infrastructure needed to conduct malicious activity, such as command-and-control (C2) servers, underground marketplaces for selling stolen data, malware development hubs, and networks for phishing and other social engineering attacks. All of this is underpinned by financial services that move the proceeds of the crimes committed. Because cybercriminals have many covert ways to hide their infrastructure and malware payloads, and because attribution is difficult, law enforcement is stuck in a game of "whack-a-mole".

Operation Cookie Monster was a significant international law enforcement effort aimed at dismantling Genesis Market, one of the largest online criminal marketplaces of recent years, which sold stolen personal data for identity theft and offered custom malware, hacking-as-a-service, and other cybercrime-related services. In this article, we outline how Genesis Market operated and the role that law enforcement, including Canadian authorities, played in taking down this rogue marketplace.

What is Genesis Market?

Genesis Market first emerged in 2017, catering to a global clientele of cybercriminals by offering a range of illicit goods and services, including stolen data and malicious software capabilities. Many customers accessed Genesis via the Tor network to protect their own identity and anonymity, but Genesis was also reachable directly over the regular Internet. The IT infrastructure hosting the market was believed to be located in Russia, according to the FBI.

Genesis Market offered over 1.5 million bots and two million identities for sale. In Genesis's terminology a "bot" is a compromised computer together with everything an infostealer harvested from it: saved passwords, autofill data, and browser details. These bots and stolen identities enabled a range of criminal activities, including fraud, breaking into corporations, deploying ransomware, and stealing intellectual property. Genesis also sold the stolen session cookies from those machines, the tokens a website sets in the browser to recognize a user who has already logged in. Replaying a valid cookie drops an attacker straight into the victim's authenticated session, with no password prompt and no multi-factor challenge, which is what makes session hijacking and account takeover so easy with this data.

Because of this, Genesis Market was recognized as one of the most prolific initial access brokers (IABs), providing easy entry points for ransomware actors and other cybercriminals. Each bot purchase came with a dedicated browser or a browser plugin that loaded the victim's cookies together with the victim's browser fingerprint, so that the buyer's traffic looked to a website's anti-fraud checks like the victim's own device and the stolen data could be used without triggering detection. The market also featured a user-friendly interface and an escrow system, attracting a diverse range of buyers and sellers.
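The passage above describes the attack from the buyer's side: a stolen cookie is replayed, and the dedicated browser clones the victim's fingerprint so the replay passes a site's user-agent checks. The following is an added example, not code from this article or from Genesis Market, showing the corresponding server-side check: a session cookie is bound at login to the client context it was issued in (a keyed hash of the User-Agent and the client's /24 or /64 network), a replay from a different browser is rejected and every session of that user is revoked, and a replay that clones the fingerprint but arrives from a different network is forced to re-authenticate. The session store, key, user names and request samples are all constructed for the demonstration.

```python
# Added example (not code from the article or from Genesis Market): a server-side
# check that binds a session cookie to the client context it was issued in, so a
# cookie replayed from an infostealer dump can be spotted. All names, the sample
# requests and the key are constructed for the demo.
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Assumption: in production this comes from a secrets manager, never source code.
SERVER_KEY = b"constructed-demo-key"

# Server-side session store: cookie value -> session record.
SESSIONS: dict[str, "Session"] = {}


@dataclass
class Session:
    user: str
    ua_hash: str      # keyed hash of the User-Agent seen at login
    login_net: str    # network (IPv4 /24 or IPv6 /64) the login came from
    revoked: bool = False


def ua_fingerprint(user_agent: str) -> str:
    # Keyed hash so the stored value reveals nothing about the UA if the table leaks.
    return hmac.new(SERVER_KEY, user_agent.encode(), hashlib.sha256).hexdigest()


def client_network(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def issue_session(user: str, user_agent: str, ip: str) -> str:
    """Create a session at login time and return the cookie value to set."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user, ua_fingerprint(user_agent), client_network(ip))
    return cookie


def revoke_user_sessions(user: str) -> int:
    """Invalidate every session for a user; returns how many were revoked."""
    n = 0
    for sess in SESSIONS.values():
        if sess.user == user and not sess.revoked:
            sess.revoked = True
            n += 1
    return n


def check_request(cookie: str, user_agent: str, ip: str) -> str:
    """Return 'allow', 'step_up' (force re-authentication) or 'reject'."""
    sess = SESSIONS.get(cookie)
    if sess is None or sess.revoked:
        return "reject"
    if not hmac.compare_digest(sess.ua_hash, ua_fingerprint(user_agent)):
        # Cookie presented by a different browser than it was issued to: a plain
        # replay of a stolen cookie. Kill every session for the user, since the
        # infostealer most likely took all of them at once.
        revoke_user_sessions(sess.user)
        return "reject"
    if sess.login_net != client_network(ip):
        # Same fingerprint, different network. A cloned-fingerprint browser passes
        # the UA check, so demand a fresh login (with MFA) before continuing.
        return "step_up"
    return "allow"


def demo() -> dict[str, str]:
    # Constructed sample traffic. The victim logs in from a home connection.
    victim_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
    cookie = issue_session("alice", victim_ua, "203.0.113.45")
    results = {
        # the victim's own follow-up request
        "victim": check_request(cookie, victim_ua, "203.0.113.45"),
        # thief pastes the cookie into an ordinary client on another network
        "naive_replay": check_request(cookie, "curl/8.4.0", "198.51.100.7"),
    }
    # The victim's cookie is dead too, because the replay revoked everything.
    results["victim_after_revoke"] = check_request(cookie, victim_ua, "203.0.113.45")

    # New login, then a replay from a browser that cloned the victim's fingerprint
    # (what a Genesis-style dedicated browser does) but from the thief's network.
    cookie2 = issue_session("alice", victim_ua, "203.0.113.45")
    results["cloned_fingerprint"] = check_request(cookie2, victim_ua, "198.51.100.7")
    # Same clone routed through a proxy inside the victim's /24: this check cannot
    # tell it apart, which is why short session lifetimes and re-auth still matter.
    results["cloned_fingerprint_same_net"] = check_request(cookie2, victim_ua, "203.0.113.200")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The last case in the demo is the honest limit of context binding: a buyer who clones the fingerprint and also tunnels through a proxy near the victim is indistinguishable from the victim at this layer, so the binding check complements, rather than replaces, short session lifetimes, periodic re-authentication for sensitive actions, and a "sign out everywhere" control the victim can trigger.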

Statistics about Genesis Market

  • At its peak, Genesis listed over 1.5 million bots, each a compromised computer somewhere in the world, and over 2 million identities.

  • Hosted over 80 million account access credentials covering a wide spectrum including the financial sector and critical infrastructure.

In April 2023, Operation Cookie Monster disrupted Genesis Market, an online cybercrime portal selling digital fingerprints, stolen personally identifiable information (PII), and credentials to both skilled and low-skilled would-be cybercriminals. The products sold on Genesis Market were used to commit everything from petty fraud to large-scale theft, ransomware attacks, and bank fraud through identity theft.

Led by the FBI, the operation brought together private industry and both U.S. and international law enforcement agencies. At the 2024 RSA Conference in San Francisco, FBI Intelligence Analyst Thomas Gathman and Supervisory Special Agent Amanda Knutson discussed the lessons learned from Operation Cookie Monster and how federal law enforcement is disrupting illicit online marketplaces.

Key activities during Operation Cookie Monster included:

  • Execution of search warrants at multiple locations, including three in Ontario, Canada.

  • Seizure of electronic devices which were subjected to detailed analysis.

  • Issuance of cease and desist communications to disrupt the operation of Genesis Market.

  • The National Police Corps of the Netherlands launched a service called 'CheckYourHack' that lets you determine whether your email address appeared in Genesis Market's data. If it did, the service emails the victim with advice on removing the infection and securing the affected accounts.

Canada's Role In Taking Down Genesis Market

Canada played a notable role in this operation, which was led by the FBI with collaboration from 17 countries; within Canada, 28 police services took part. Canadian involvement was spearheaded by the RCMP's National Cybercrime Coordination Centre (NC3), which coordinated actions across the country, particularly in Quebec, where the majority of Canadian Genesis users resided. These activities included executing search warrants, seizing electronic devices, and issuing cease and desist communications. In total, Canadian police services conducted 79 distinct law enforcement actions, including direct engagement with suspected users and the execution of search warrants.

Canadian authorities emphasized the difficulty of assessing the full impact on Canadians, given the international nature of Genesis Market's activities. They did provide resources for Canadians to check whether their data was compromised, and urged those affected to take protective measures: changing passwords, enabling multi-factor authentication, and installing antivirus software. One point worth adding for anyone cleaning up after an infostealer: because Genesis sold live session cookies, a password change by itself does not end a session the thief already holds. Remove the malware first, then sign out of all sessions (or revoke tokens) on every affected service, and only then set new passwords.

Conclusion

In April 2023, Operation Cookie Monster delivered a landmark success in the ongoing global fight against cybercrime. This carefully orchestrated international law enforcement initiative, led by the FBI with vital contributions from Canada and several other countries, targeted Genesis Market, an infamous digital marketplace known for trafficking in stolen digital fingerprints and other illicit cyber goods.

The operation involved significant coordination among international law enforcement agencies, resulting in numerous search warrants, seizures of electronic devices, and the execution of cease and desist orders to disrupt the operation of Genesis Market. Canada's role was particularly noteworthy, with the RCMP’s National Cybercrime Coordination Centre (NC3) leading multiple actions, reflecting the country's commitment to combating digital crime and enhancing cybersecurity.
