On April 4, 2023, authorities shut down popular fraud shop Genesis Market and arrested hundreds of its users around the world in a coordinated international law enforcement effort dubbed Operation Cookie Monster. Additionally, OFAC sanctioned the criminal marketplace the next day on April 5.
Fraud shops like Genesis are an important part of the cybercriminal ecosystem. Typically operating on the dark web, they facilitate the sale of stolen data and personally identifiable information (PII), which in turn can be used for several different forms of cybercrime, including scamming, identity theft, and ransomware. Below, we’ll break down Genesis Market’s role in the cybercriminal ecosystem plus its on-chain activity, and show you how today’s law enforcement action makes the internet a safer place.
What was Genesis Market?
Genesis Market was a fraud shop catering to users around the world. Its online marketplace allowed for the sale of several different forms of stolen PII such as credentials for email addresses, social media accounts, bank accounts, and cryptocurrency service accounts, all available to be perused in a searchable database. In many cases, Genesis could provide active session cookies for these accounts that allowed buyers to bypass multi-factor authentication. The screenshot below shows a typical listing on Genesis.
The listing is for a single, compromised victim device, and shows the services that the device accessed and for which the seller has user credentials. Those services include three cryptocurrency exchanges (whose names we’ve blurred out) meaning a buyer of this user’s data could potentially steal any funds the victim holds in those accounts. Victims like the one shown above typically have had their machines compromised by information stealing malware, which can access credentials stored in web browsers like Chrome and Firefox. In addition to individual users’ PII, Genesis also offered compromised remote access credentials that could allow cybercriminals like ransomware gangs to break into organizations’ computer networks.
Genesis Market’s on-chain activity
Genesis Market has received tens of millions of dollars worth of cryptocurrency during its lifetime, primarily in Bitcoin. Most of its incoming funds since May came from mainstream exchanges, with crypto ATMs also contributing a significant amount.
We also see a few spikes in value received from services we’ve labeled risky, most of which are exchanges with low or no KYC. The Chainalysis Reactor graph below shows a number of actors sending funds to Genesis, including ransomware attackers, underground money laundering services, and other cybercriminals.
Note the relatively low amounts sent from each of these clusters. Credentials purchased on Genesis could cost as little as $1 or less, so while $15 sent from a credit card broker may not seem like a huge deal, it could represent serious financial losses for 15 individuals.
The Genesis Market shutdown makes the internet safer for all users
Data sellers like Genesis aren’t necessarily the first thing you think of when it comes to cybercrime, but these sorts of ancillary service providers are crucial to enabling scamming, hacking, and ransomware attacks. For that reason, we commend all of the agencies around the world who contributed to the takedown of Genesis.
While Genesis’ OFAC designation doesn’t list any of the service’s cryptocurrency addresses, Chainalysis has identified hundreds of thousands of Genesis addresses, with more likely to come as our data improves over time. We’ve already labeled these addresses as belonging to a sanctioned entity in all of our products, and any Chainalysis KYT users with exposure prior to designation would have received alerts for its previous category — fraud shop — per their alert preferences. We will share any other relevant updates on this case as is possible.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.