The perpetrators responsible for the cyber fraud platform known as Genesis Darknet Market are currently trying to sell the enterprise, despite the fact that it has been almost three months since an operation led by the Federal Bureau of Investigation (FBI) confiscated their clear web domains and included the platform on the U.S. Treasury's list of sanctions.
An account purportedly affiliated with the operators of Genesis Market has posted multiple advertisements for the sale on various darknet hacking forums. These posts, dated June 28, have not been previously disclosed.
The initial discovery of a post promoting the CrdClub platform was made by Michele Campobasso, a researcher at Eindhoven University of Technology who has been studying Genesis Market since 2020. A subsequent post with identical content was also identified on Exploit Forum by Recorded Future News.
In April, shortly after the clear web domains of the platform were replaced by police splash pages, law enforcement agencies across the globe announced the apprehension of nearly 120 individuals who had been utilizing the platform to perpetrate fraudulent activities.
Of greater significance to the platform's criminal users, high-ranking officials at the FBI disclosed that they had successfully located and identified Genesis Market's backend servers, thereby obtaining access to "information about approximately 59,000 individual user accounts" that may be subject to future investigation.
According to the National Crime Agency of the United Kingdom, the dark web mirror of the platform continued to operate due to its "hosting in an inaccessible jurisdiction". However, the international operation had a discernible impact on the operations of Genesis Market's remaining .onion site, as well as its primary alternatives, namely Russian Market and 2easy Shop.
What set Genesis Market apart from competitors
In contrast to its competitors, Genesis Market not only engaged in the sale of stolen data and credentials, but also provided a platform for criminals to weaponize such data through a customized browser extension that enabled the impersonation of victims. This offering has been identified as an entirely new threat model, referred to as impersonation-as-a-service (IMPaaS), by Campobasso, a PhD candidate from Eindhoven’s faculty of mathematics and computer science. Campobasso has been closely monitoring Genesis Market since February 2020, and his findings are set to be presented at the 32nd USENIX Security Symposium next month. He has described the platform as an example of innovation in the cybercriminal ecosystem, and a testament to the presence of expert and tech-savvy threat actors who understand market needs and deliver credible attacker technology.
Following the takedown of Genesis Market, an account with the same username as that advertising the sale posted to the same criminal forums, claiming that the FBI had only seized the platform’s open web domains and that its darknet platform remained safe to use. However, criminal forums banned the account, which is a standard move in the underworld where there is little trust for operators who have been successfully targeted by law enforcement. The advertisements on criminal forums indicate that the sale includes all developments, including a complete database, source codes, scripts, and server infrastructure, with the exception of some details of the client base, subject to a certain agreement.
Campobasso has speculated that the reason for the sale may be partially due to the level of attention market operators have received from law enforcement. It is unclear whether any purchasers would seek to retain the Genesis Market brand or use the purchase to develop their own IMPaaS platform. However, Campobasso has suggested that similar IMPaaS platforms are likely to follow in the future, as the service model offers a cheap, outsourced, and convenient solution to perform targeted attacks against companies.