What was the Genesis Market? (Matthew Gracey-McMinn)
The Genesis Market was an invite-only marketplace that sold only what the market owners termed bots. However, unlike the generally accepted use of the term bots to mean the automated functioning of a task, the bots for sale on the Genesis Market instead represented the output of those tasks. The task that Genesis Market bots undertook was the large-scale infection of consumer devices to steal their fingerprints, cookies, saved logins and autofill form data. That data was packaged up and put up for sale on the Genesis Market. On purchase, buyers were provided with a custom browser to load the data into and could browse the Internet masquerading as the hapless victim, use saved logins to access their accounts and, where login cookies existed, continue a victim’s session, all without any access to the original device.
Hackers used this information to access everything from the victim’s streaming services (such as Netflix or Spotify) to bank accounts or even their places of work. In June 2021, hackers broke into EA using a $10 bot they bought from Genesis Market that gave them access to a Slack (an instant messaging service used by many businesses) account.
How did it work? (Matthew Gracey-McMinn)
The marketplace looked a lot like any other online shopping catalogue. After receiving an invite to join, you would log in and be able to look through the online catalogue of stolen identities. You could search for one based in a specific country or with access to a particular store or type of data that you wanted. For instance, if you wanted access to a Canadian bank account, you could very easily set your search to look for a bot located in Canada and with access to financial details. Then you would simply click either the “buy now” or “add to cart” option, just like on a regular online retail site.
Having purchased the bot, you could then download the free Chrome-like browser developed by the market owners. You would then follow the simple online guide to load your stolen identity into the browser and could navigate the Internet as normal. However, you would be wearing a mask that made you indistinguishable from the real owner of the stolen identity; every website you went to would see you as the victim rather than someone else. So, if you went to a site they had access to, say a particular online store, you would be able to access their account and use it as if you were the legitimate owner, without setting off any alarms.
How were credentials and fingerprints sourced? (Cyril Noel-Tagoe)
The Genesis Market sellers used bots to infect consumer devices with infostealer malware and steal their personal information, browser cookies, saved logins and autofill form data, and fingerprints, the unique identifiers left behind by browsers and devices when visiting websites (for example, browser version, screen resolution, IP address or operating system). According to the Wiki on the Genesis Market, these fingerprints were either pulled directly by the bot from the victim’s device or generated based on data stolen by the bot from the victim’s device.
The Genesis Market also kept its data up to date by continuing this data collection even after the bot had been purchased. This meant that even if the victim changed their passwords after realising their account on a site was compromised, the purchaser would gain access to the new passwords.
How did the Genesis Market grow over the years? (Cyril Noel-Tagoe)
The Genesis Market and the number of devices being infected by its botnet were growing rapidly until its seizure. In April 2019, the market had over 100,000 bots available for sale, rising to over 350,000 by March 2021. Our researchers estimated that in 2021, over 20,000 new bots a month were being added to the site. The market was temporarily down in the middle of 2022; despite this, by March 2023 the number of bots available for sale had grown to over 450,000.
Who were the users of the Genesis Market? (Cyril Noel-Tagoe)
We have not been able to quantify the number of users on the Genesis Market, due to the operational security measures in place by both the Market and its users. Notably, the hackers who broke into EA in 2021 got a foothold in the network by purchasing a $10 bot from the Genesis Market. This gave them access to a Slack (an instant messaging service used by many businesses) account, which they used to escalate access and ultimately steal source code. However, the Genesis Market was not only used by hackers looking to exploit access to accounts themselves, but also by initial access brokers looking to identify bots with access to high-value accounts to resell. There was even a sub-economy of sellers who would purchase newly added bots with access to only a few accounts and resell them once the malware had gathered additional credentials, raising the value of the bot.
What is the impact of the Genesis Market takedown? (Matthew Gracey-McMinn)
The takedown is a warning shot over the bow of digital identity stealers. The Genesis Market was a large, well-known marketplace, and takedowns such as this may scare others operating in this space, encouraging them to slow down or cease their operations, especially if arrests are made.
The takedown of this site will also reduce the ease with which digital identity fraud can be conducted. Genesis Market had an incredibly responsive customer service team and was focused on making sure that the stolen identities sold on the site could be used very easily; buyers’ issues were resolved promptly. The loss of this service will force less-skilled attackers to either give up or get better.
However, in the recent past we have seen a trend amongst some Genesis Market competitors who are moving away from using infostealer malware to steal fingerprints and towards alternative attack vectors for breaking into online accounts. For instance, one site we monitor that used to employ the same methodology as the Genesis Market has now developed ways of enumerating which emails have registered accounts on a target website. They then compare these emails to data breaches and see if there are any passwords linked to these emails. Once they have a list of emails and passwords, they try these combinations against the target site to break into customer accounts, taking advantage of password reuse. The taken-over accounts are then listed for sale on the store. This approach brings less risk for the attackers and requires far less technical skill than spreading malware infections. The success rate is lower, but attackers are still able to make significant amounts of money.
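As an added illustration of the two building blocks behind the approach just described, not code from the original article or from any of the sites mentioned, the following Python shows (a) an account-enumeration oracle: a login handler that answers differently for an unknown e-mail and a wrong password, next to a hardened handler that answers identically and does the same hashing work on both paths, and (b) a simple detector for the resulting credential-stuffing traffic, run over login log lines. The user store, passwords, log entries, IP addresses and the detection thresholds are all constructed for this example.

```python
"""Account-enumeration oracle vs hardened login, plus a stuffing detector.

Everything below (users, passwords, log lines, thresholds) is constructed
for illustration; it is not data from any real site.
"""
import hashlib
import hmac
import os
from collections import defaultdict


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the cost the same for real and dummy accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store: e-mail -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT, _hash("correct horse", _SALT)),
    "bob@example.com": (_SALT, _hash("hunter2", _SALT)),
}
# Dummy credential so the hardened path hashes even when the user is unknown
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _DUMMY_SALT)


def login_vulnerable(email: str, password: str) -> str:
    """Leaks whether an account exists through distinct error messages."""
    if email not in USERS:
        return "unknown user"          # attacker learns: not registered
    salt, stored = USERS[email]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "wrong password"            # attacker learns: registered


def login_hardened(email: str, password: str) -> str:
    """Same message and same hashing cost whether or not the user exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and email in USERS:
        return "ok"
    return "invalid credentials"


def enumerate_accounts(login, candidates):
    """Attacker's view: which candidate e-mails does the endpoint confirm?

    Against the vulnerable handler, "wrong password" confirms the account.
    Against the hardened handler every miss looks the same, so nothing is learned.
    """
    return sorted(e for e in candidates
                  if login(e, "definitely-not-the-password") == "wrong password")


# Constructed login log: (source_ip, email, result)
LOG = (
    [("203.0.113.7", f"user{i}@example.com", "fail") for i in range(7)]  # stuffing
    + [("203.0.113.7", "bob@example.com", "ok")]                         # one hit
    + [("198.51.100.5", "alice@example.com", "fail"),                    # a typo
       ("198.51.100.5", "alice@example.com", "ok")]                      # then success
)


def find_stuffing_sources(log, min_accounts=5, max_success_rate=0.2):
    """Flag sources that try many distinct accounts with a low success rate.

    A real user fails on one or two accounts they own; a credential-stuffing
    source sprays breach-derived pairs across many accounts and mostly fails.
    Thresholds are illustrative and would be tuned per site.
    """
    by_ip = defaultdict(lambda: {"emails": set(), "attempts": 0, "ok": 0})
    for ip, email, result in log:
        rec = by_ip[ip]
        rec["emails"].add(email)
        rec["attempts"] += 1
        rec["ok"] += result == "ok"
    flagged = {}
    for ip, rec in by_ip.items():
        rate = rec["ok"] / rec["attempts"]
        if len(rec["emails"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = (len(rec["emails"]), rate)
    return flagged


if __name__ == "__main__":
    probe = ["alice@example.com", "bob@example.com", "nobody@example.com"]
    print("vulnerable confirms:", enumerate_accounts(login_vulnerable, probe))
    print("hardened confirms:  ", enumerate_accounts(login_hardened, probe))
    print("stuffing sources:   ", find_stuffing_sources(LOG))
```

Note the two parts of the fix on the hardened path: the error message is uniform, and the dummy hash means an unknown e-mail costs the same time as a wrong password, closing the timing side channel that a uniform message alone would leave open. The detector is deliberately simple (distinct accounts per source and success rate); in practice the same signal is also tracked per account, per ASN and per device fingerprint, since stuffing tools rotate source IPs.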
Are there any competitors likely to replace Genesis? (Cyril Noel-Tagoe)
As a result of the Genesis Market’s seizure, we expect to see an exodus of sellers and customers to competitor marketplaces. There are multiple other illicit marketplaces selling logs and credentials, although not on the scale of the Genesis Market. Alternatively, if a significant core of the Genesis Market administrators evade law enforcement, they may splinter off and create a new version of the site.
However, it is important to note that Genesis’ unique selling point was providing fingerprint data which could be loaded through a specialised chromium-based browser alongside their logs. Any service looking to replicate the Genesis Market may look to include this functionality.