FBI Director Christopher Wray. Image: FBI / Flickr

FBI accessed Genesis Market's backend servers as part of takedown

Senior officials at the FBI and Department of Justice said on Wednesday that investigators were able to take down the cybercrime platform Genesis Market after identifying and locating its backend servers.

Globally, almost 120 people have been arrested in the 24 hours since Tuesday’s takedown of one of the world’s largest facilitators of online fraud.

The login pages of all three of Genesis Market’s clear web domains were replaced by a splash page on Tuesday informing users that the domain was now in the control of the FBI.

These three domains were included on the U.S. Treasury’s sanctions list — which identified Genesis Market as being based in Russia — alongside a dark web .onion site that the criminal platform also used.

U.S. Attorney General Merrick Garland described the law enforcement action as “an unprecedented takedown of a major criminal marketplace that enabled cybercriminals to victimize individuals, businesses, and governments around the world.” Officials said the investigation was ongoing.

Genesis Market functioned as a one-stop shop for criminals by selling both stolen credentials and the tools to weaponize that data. Law enforcement officials believe its administrators made more than $8.7 million since founding the site in 2018.

It was unique in providing a web browser into which criminals could import a victim’s stolen data, including session cookies, IP address, operating system information and browser plugins, so that they could impersonate the victim.
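As an added example (not from the article, and not code from Genesis Market or the FBI) of why the browser needed the victim’s fingerprint and not just the cookies: a toy login session store that binds each session cookie to a hash of the browser attributes seen at login, then checks every request against it. The fingerprint field set, the sample fingerprints and the IP addresses are constructed for the illustration.

```python
"""
Added example: a session store that binds cookies to a browser fingerprint.
Shows that a stolen cookie replayed from a different browser is rejected,
while a cookie imported together with the victim's fingerprint (the package
Genesis sold) passes. Field names, fingerprints and IPs are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical set of stable browser attributes a site might bind a session to.
FINGERPRINT_FIELDS = ("user_agent", "os", "plugins", "screen")


@dataclass
class Session:
    user: str
    fp_hash: str
    ip: str
    anomalies: list = field(default_factory=list)


def fingerprint_hash(fp: dict) -> str:
    """Canonicalise the chosen attributes in a fixed order and hash them."""
    canon = "|".join(f"{k}={fp.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canon.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, fp: dict, ip: str) -> str:
        """Issue a random cookie value bound to the fingerprint seen at login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint_hash(fp), ip)
        return token

    def authorize(self, token: str, fp: dict, ip: str) -> tuple:
        """Return (ok, reason). Unknown token or fingerprint mismatch is rejected;
        an IP change is allowed but recorded, since users roam legitimately."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown session"
        if not hmac.compare_digest(s.fp_hash, fingerprint_hash(fp)):
            return False, "fingerprint mismatch"
        if ip != s.ip:
            s.anomalies.append(f"ip changed {s.ip} -> {ip}")
        return True, f"user {s.user}"


def demo() -> dict:
    """Replay a stolen cookie twice: alone, then with the victim's fingerprint."""
    store = SessionStore()
    victim_fp = {  # constructed victim fingerprint
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/111.0",
        "os": "Windows 10",
        "plugins": "PDF Viewer;Widevine",
        "screen": "1920x1080",
    }
    cookie = store.login("victim", victim_fp, "203.0.113.7")

    # 1. Attacker replays only the stolen cookie from their own browser.
    attacker_fp = {  # constructed attacker fingerprint
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/111.0",
        "os": "Linux",
        "plugins": "",
        "screen": "2560x1440",
    }
    cookie_only = store.authorize(cookie, attacker_fp, "198.51.100.9")

    # 2. Attacker imports cookie plus the full fingerprint, as the Genesis browser did.
    full_package = store.authorize(cookie, dict(victim_fp), "198.51.100.9")

    return {
        "cookie_only": cookie_only,
        "full_package": full_package,
        "anomalies": list(store._sessions[cookie].anomalies),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The cookie replayed from the attacker’s own browser fails the fingerprint check; replayed with the imported fingerprint it is accepted as the victim, and the only signal left to the site is the changed IP address, which this store merely records.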

The FBI’s Milwaukee Field Office investigated the case, with assistance from 44 other field offices and international law enforcement partners. The servers were seized pursuant to a warrant authorized by the U.S. District Court for the Eastern District of Wisconsin, officials said.


Despite the announcements, the login page for the dark web site has not yet been replaced by an FBI splash image, prompting questions from cybersecurity researchers about the nature of the law enforcement operation and whether Genesis Market’s backend was still operational.

Also driving speculation are accounts apparently belonging to the Genesis administrators, which have posted on several independent crime forums claiming the operation is still active and promising that new domains will be available soon.

In a briefing with journalists on Wednesday, officials from the FBI and Department of Justice declined to say whether they were concerned about Genesis Market continuing to operate in one form or another.

“The actions we’ve taken have allowed us to disrupt Genesis in ways that may not necessarily be seen or apparent to others,” responded an official to The Record’s question.

They said that, although the platform’s administrators had worked hard “to conceal details about their operations and their hosting infrastructure,” the FBI was able to locate and identify the backend servers Genesis Market was using. The details, set out in affidavits, could now be discussed because those affidavits have been unsealed, the officials said.

The servers “contained data about the marketplace, including information about the users and about stolen victim credentials. …The FBI was able to obtain copies of those servers [which] included information about approximately 59,000 individual user accounts,” officials said.

This information included “usernames, passwords, email accounts, secure messenger accounts, user history of the users of the market, and those records helped law enforcement uncover the true identities of many of the users.”

Later on Wednesday, the Eastern District of Wisconsin released an affidavit to reporters that said the FBI made undercover purchases of 115 “bots” or information packages from Genesis Market beginning in September 2018. The market worked “as advertised,” the affidavit said. Genesis was, “in fact, collecting and selling victims' personal identifying information around the world.”

After the web domain seizures, investigators found that one server showed Genesis advertising approximately 1.5 million individual packages for sale.

Overall, there were “approximately 80 million account access credentials made available for sale,” the affidavit said, including more than 200,000 “associated with federal, state, and local government accounts.”


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.