Yesterday I posted about the seizure and take down of the Genesis Market website.
As this was quite early in the day when I uploaded my post, a number of reports surfaced throughout the day, which I’m going to post here as way of an update to yesterdays post.
Dawn raids
Firstly, as I briefly mentioned towards the end of my post yesterday – as well as the seizure of the domain, a large number of coordinated raids were conducted on the 4th & 5th April in various US states, and multiple countries around the globe.
Law enforcement agencies from 17 countries were involved in the dawn raids. The operation was led by the FBI in the US and the Dutch National Police, working alongside the NCA in the UK, the Australian Federal Police, and countries across Europe.
Globally, 200 searches were carried out and 120 people were arrested.
In the UK, the NCA (National Crime agency) conducted a series of raids and arrested 24 people who are suspected users of the site. They include two men aged 34 and 36 in Grimsby, who are being held on suspicion of fraud and computer misuse.
In the US, a raid was conducted in the New York state of Buffalo, where FBI agents removed document and computer equipment related the the Website.
In Australia, The Australian Federal Police (AFP) alongside NSW, Queensland, Victoria and WA police arrested ten suspects and seized computer equipment, drugs, gold bars, cash and equipment to make fake IDs as part of Operation Zinger.
As well as charging the suspects with fraud offences, police will allege they were involved in drug trafficking and dealing in the proceeds of crime.
Investigators identified 36,000 Australian devices for sale on Genesis Market, which had the potential to cause $46m worth of financial harm to the community.
In the US, the FBI affidavit has been published, which gives a slightly bigger view of the operation.
Forensic examination of stolen data
From the affidavit, we can see that the investigation into Genesis Market began way back in 2018 and in September of that year, started to purchase packages from the marketplace for forensic examination.
The examination of the packages revealed the idnetities of a number of people in the US state of Wisconsin. The FBI contacted the victims to confirm that the data was legitimate, and that it had been stolen from those said victims.
Domain registration data
In 2019, further investigations into the use of Bitcoin transactions uncovered the details of the hosting provider where the Genesis Market was being hosted. A court warrant allowed the FBI to retrieve the data associated with the entity that paid for the service.
This entity was actually another hosting service acting as a VPS (Virtual Private server) for Genesis Market – Criminals often use multiple “proxy” services to act as obfuscation of the real back-end infrastructure.
Regardless of the criminals attempts to hide, the FBI traced the ownership of this second domain service to an individual in Tempe, Arizona.
Server backup image
Armed with this information, the FBI obtained a copy of the hard-discs from the server suspected of being used as the Genesis Market back-end database.
Analysis of this server data revealed voluminous records of users of the service, including:
- usernames
- email accounts
- Jabber accounts
- Genesis Market packages for sale
- Transaction details
- Bitcoin addresses
- User search history
- User purchase history
- user support tickets
It is the analysis of this data which has led to many of the raids on users of the market. I suspect over the coming days and weeks, more raids and arrests will be made,
Vast amount of stolen data
In their analysis of the data from the servers, the FBI identified that in 2020, there were approximately 33,000 users of Genesis Market, and over 900,000 individual packages (bots) available for purchase – placing Genesis Market as one of the biggest Stolen Data websites on the Internet.
The FBI also identified that more that USD $4,000,000 of virtual currency had been deposited in Genesis Market accounts.
New Infrastructure
Shortly after the FBI had obtained the backup discs of the Genesis Market servers, the website temporarily went offline.
Investigations discovered that the site admins had moved the server to new infrastructure, this time located outside the US.
In may 2022, the FBI, in cooperation with International partners obtained a new forensic image of the re-launched webserver.
Analysis of this data revealed the same data as before, but some new user data. this new data showed:
- approx 59,000 user accounts
- 1.5 million bots for sale
- 80 million account credentials for sale
- 200,000 user account access credentials associated with federal, state and local government accounts
- deposits of over USD$8,000,000 of virtual currency
A web of deception
The analysis into the new infrastructure showed that the administrators behind the Genesis Market had made attempts to hide the real infrastructure behind at least 6 other domains.
DNS queries, WHOIS searches and other techniques led the FBI to be able to identify the true IP addresses of the domains behind Genesis Market.
An IP address (176.124.192.48) was identified as being responsible for hosting 5 of the 6 domains.
Another IP address (109.123.95.168) was identified as being associated with the domain gen2dev.net – this domain was associated with the email address client@gen2dev.net which, in turn was found to be associated with the domain g3n3sis.net
g3n3sis.net was deleted from the Russian domain registrar reg.ru in July 2022 indicating that the domain admins no longer owned those domains. Historic DNS record analysis discovered that the domain was originally registered in 2016, but the registrant had paid for “Privacy Protection” which stopped the identity of the registrant from being recovered.
In a stroke of luck, the FBI discovered that at one point, the privacy protection was not paid, and as such a record was discovered which identified the registrant email address as being mezina.svet@yandex.ru – This email address was also the one used to register gen2dev.net
In 2020 / 2021, the FBI identified two new domains associated with Genesis Market – These were genesis-security.net & genesis-update.net. Both domains at some point resolved to the IP address 89.42.212.194, which was a known Genesis Market IP address.
The investigators also identified 2 email addresses (silverXXX@XXX.de & seaXXX.XXX.ch) which had already been associated with Genesis Market through Bitcoin transactions used to register other Genesis Market domains & proxies.
Warrant request
Based on the evidence in the affidavit, the FBI obtained a warrant to seize a number of domains related to Genesis Market:
- gsconnects.com
- approveconnects.com
- g3n3sis.net
- g3n3sis.pro
- g3n3sis.org
- genesis-update.net
- genesis-security.net
- gen2dev.net
- tracecontrol.net
- genesis.market
All the above domains currently show the FBI seizure page
Final thoughts
The sheer scale of OP Cookie Monster just goes to show how much work and effort has to be put into cyber crime investigations.
For the Internet to become a safer place for normal people to live, work, and play, we need more people prepared to fight against cyber criminals like those behind sites like Genesis Market.
One of the reasons for me producing these blogs is to try to inform people who wouldn’t typically be aware of the true scale of cyber crimes, and maybe get some people to think about a career in cyber security.
At the very least, I hope my posts encourage people to be more “cyber aware” in their everyday online lives.