Operation Cookie Monster.
N2K, Apr 5, 2023

The FBI, in conjunction with international law enforcement agencies, seized the cybercriminal souk, Genesis Market, on Tuesday.

Operation Cookie Monster.

Genesis Market, a popular online cybercriminal shop, was seized by the FBI in an action that resulted in a takedown on Tuesday. The criminal operation, Bleeping Computer reports, has been linked to millions of cyber incidents across the world, with over 80 million stolen credentials and fingerprints present on the site.

About Genesis Market.

The Genesis Market is described by the Record as a “one-stop-shop for criminals, selling both stolen credentials and the tools to weaponize that data.” Unlike other criminal marketplaces, Genesis was unique in that it provided criminals with access to “bots” and “browser fingerprints,” Recorded Future analyst Alexander Leslie says. These enabled malicious actors to access a victim’s subscription platforms and banking services in a way that bypasses security warnings. “The Genesis Market was an invite-only marketplace that sells only what the market owners term bots,” said Matthew Gracey-McMinn, Head of Threat Research at Netacea. However, you could still discover it through a normal search engine.

How the Genesis Market operated.

Matthew Gracey-McMinn from Netacea explained how the market operated, noting that it presented itself much like a legitimate retail site: you would purchase an account and browse its offerings:

“Having purchased the account, you could then download the free Chrome-like browser developed by the market owners. Then follow the simple online guide to load your stolen identity into the browser and you can then navigate the Internet per normal. However, you would be wearing a mask that makes you indistinguishable from the real owner of the stolen identity; every website you go to will see you as the victim rather than someone else. So, if you went to a site they had access to, say a particular online store, you would be able to access their account and use it as if you were the legitimate owner, without setting off any alarms.”

Bots would infect devices with infostealing malware to obtain personally identifiable information (PII), as well as browser cookies and the like, said Cyril Noel-Tagoe, principal security researcher at Netacea. “The Genesis Market also kept its data up to date by continuing this data collection even after the bot had been purchased. This meant that even if the victim changed their passwords after realising their account on a site was compromised, the purchaser would gain access to the new passwords.” NBC reports that the site enabled cybercriminals to access accounts on sites such as “Dropbox, PayPal, Microsoft, Twitter, and a number of cryptocurrency exchanges.”

(Added, 6:15 PM, April 5th, 2023. Mike Cook, VP of fraud commercialization and solutions at Socure, commented on the particular risk posed by theft of elements used in device fingerprinting. "Organized bad actors are using malware to gain access to elements of a device that are used for device fingerprinting. Once a fraudster knows those elements, they can emulate your device on a server and start to do things like credential stuffing using your login information. So, not only does the bad actor have your login credentials, but they also 'look' like you digitally because they are very closely emulating your device. If they can keep the malware on your device, they can constantly update those device elements and constantly replicate your digital presence," he said. "Now, multiply that by millions of 'you' and you can see how the bad actors start to create a massive universe – a monetizable business – of these digital 'look alike' elements to tie to your identity, and millions of other peoples' identity. While the FBI taking a bite out of the ecosystem may prove to be a sizable bite out of those fraudulent sites who are making money helping to perpetrate fraudulent scams, there are other similar sites acting today and more in line that will take the place of Genesis Online." He ended with a call for better device identity technologies. "In the meantime, we continue to support the need for precise identity and behavioral machine learning models, increased data sharing and incremental third party data use, alongside devices, to identify fraudulent patterns that can't be identified by a device solution alone. While device elements are important to the overall equation of stopping fraud, a multi-layered approach using a combination of sophisticated technologies and analytics is key to staying ahead of dynamic fraudulent patterns.")
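The two risks described above, a stolen cookie that keeps working after a password reset and an emulated device fingerprint that passes the site's own checks, can both be addressed server-side. The following is an added example, not code from the article, Netacea or Socure: a hypothetical session store that revokes every session on password change and treats a fingerprint match as insufficient when the same cookie is presented from a second network. The fingerprint attributes and ASN values are constructed sample data.

```python
"""Server-side session checks against stolen-cookie and fingerprint replay."""
from dataclasses import dataclass, field
import hashlib


def fp_hash(user_agent: str, screen: str, tz: str) -> str:
    """Hash a (constructed, simplified) set of device-fingerprint attributes."""
    return hashlib.sha256(f"{user_agent}|{screen}|{tz}".encode()).hexdigest()[:16]


@dataclass
class Session:
    fp: str                                       # fingerprint hash bound at login
    seen_asns: set = field(default_factory=set)   # networks the cookie was presented from
    revoked: bool = False


class SessionStore:
    """Hypothetical session store; the policy below is this example's, not a product's."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, sid: str, fp: str, asn: int) -> None:
        self.sessions[sid] = Session(fp, {asn})

    def change_password(self) -> None:
        # Revoke every live session so a bought cookie stops working when the victim
        # resets the password, instead of surviving the reset as the article describes.
        for s in self.sessions.values():
            s.revoked = True

    def evaluate(self, sid: str, fp: str, asn: int) -> str:
        """Return 'allow', 'step_up' (force re-authentication) or 'deny'."""
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return "deny"
        if fp != s.fp:
            return "step_up"                      # fingerprint drift on a bound session
        s.seen_asns.add(asn)
        if len(s.seen_asns) > 1:
            # A matching fingerprint is exactly what an emulated device produces,
            # so the same cookie appearing from a second network is treated as
            # possible replay even though the "device" looks right.
            return "step_up"
        return "allow"
```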

FBI’s Operation Cookie Monster.

CNN reports that the law enforcement action, “Operation Cookie Monster,” appears broad in nature, with involvement from a multitude of European law enforcement agencies. This follows a series of law enforcement operations involving coordinated arrests and raids. In January of last year, the FBI and Europol seized computer servers, and more recently, BreachForums was raided by the FBI, with its accused operator arrested. Gracey-McMinn says that the takedown may scare off other operators, and may aid in the reduction of digital identity fraud:

“The takedown is a warning shot over the bow of digital identity stealers. The Genesis Market was a large, well-known marketplace, and takedowns such as this may scare others operating in this space, encouraging them to slow down or cease their operations, especially if arrests are made.

“The takedown of this site will also reduce the ease with which digital identity fraud can be conducted. Genesis Market had an incredibly responsive customer service team and were focused on making sure that the stolen identities used on their site could be used very easily; buyers’ issues were resolved promptly. The loss of this service will force less-skilled attackers to either give up or get better.”

(Added, 5:30 PM ET, April 5th, 2023. Operation Cookie Monster may have been organized by the FBI, but it was an international operation. James McQuiggan, Security Awareness Advocate at KnowBe4, wrote to explain why this sort of international, inter-agency cooperation is not only helpful and vital, but increasingly common. "With more and more devices connecting in the physical world, borders that separate nations are blurred in the digital landscape," he wrote, adding, "Cybercriminals have taken advantage of this reality, exploiting the internet to conduct illegal activities across these borders. As a result, the need for a unified approach to cybersecurity guidelines, standards, and collaboration is needed. This coordinated effort can serve as a blueprint for future operations and inspire governments to invest in strengthening their cybersecurity infrastructure and law enforcement capabilities."

He advocates continuing "boldness" in law enforcement. "While successful, governments must continue to be bold. Cybercrime is constantly changing and evolving, and cybercriminals will undoubtedly seek new ways to circumvent law enforcement efforts. Law enforcement agencies, governments, and private organizations must collaborate to share intelligence, resources, and expertise to stay ahead of the curve."

There are also roles for the private sector and individual users. "In addition to law enforcement efforts, strong security awareness for users and organizations is critical. These programs can increase user awareness to recognize the importance of implementing robust cybersecurity measures, such as using strong passwords, keeping software up to date, and checking links to verify they're not malicious. If they discover a social engineering style of email, they can report it to the proper teams within their organizations and work to reduce further risks to the organization.")