Hacker marketplace still active despite police 'takedown' claim
- Published
A hacker marketplace used to steal accounts for Netflix, Amazon and other services is still active, despite police saying it had been taken down.
Last month, an international police operation announced that Genesis Market had been seized and deleted from the mainstream internet.
But the identical version of the market hosted on the darknet remains online.
On Monday, a post on the unaffected version of the market was said it was "fully functional".
Genesis Market is described by police as a "dangerous" website specialising in selling login details, IP addresses and browsing cookie data that make up victims' "digital fingerprints".
The service was considered one of the biggest criminal facilitators, with more than two million stolen online identities for sale at the time of the police action.
Operation Cookie Monster was led by the FBI and Dutch police and announced on 5 April.
Several agencies around the world celebrated the website "takedown", announcing that 119 people had been arrested and describing the criminal service as "dismantled".
But researchers at cyber-security company Netacea have been monitoring the darknet version of the market, and say the website was only disrupted for about two weeks.
"Taking down cyber-crime operations is a lot like dealing with weeds. If you leave any roots, they will resurface," says Cyril Noel-Tagoe, Netacea's principal security researcher.
Mr Noel-Tagoe praised police for seizing the mainstream internet version of the market, but says the operation was more of a disruption than a takedown.
"The roots of Genesis Market's operation, namely the administrators, darknet website and malicious software infrastructure, have survived," he said.
Criminal administrators have since posted an update to the marketplace saying that they have released a new version of their specialist hacking browser, resumed collecting data from hacked devices and added more than 2,000 new victim devices to the market.
Experts at cyber-security company Trellix, who helped police disrupt some of the hacking tools sold on Genesis Market, agreed that the leaders of the website were still at large.
"It is true that the Genesis administrators quickly responded on Exploit [hacker] forums stating that they would be back online shortly with improvements," said John Fokker, head of threat intelligence at Trellix, adding that the darknet site was still accessible.
Police did not comment on the darknet site remaining online at the time of the "takedown".
An FBI spokesperson has since told the BBC that work is continuing to "make sure that users who leverage a service like Genesis Marketplace face justice".
The UK's National Crime Agency insists that the operation has dealt a "huge blow" to cyber-criminals.
"Although a dark web version of the site remains active, the volume of stolen data and users has been significantly reduced. I have no doubt that the operation damaged criminal trust in Genesis Market," Paul Foster, deputy director of the NCA's National Cyber Crime Unit, told the BBC.
As well as reducing the visibility of the marketplace by taking it off the mainstream internet, police and many experts agree that the high number of arrests of users will have a chilling effect on hackers considering using the site.
However, it's not clear how many of those arrested will face prosecution. The NCA says only one of the 30 people arrested in the UK has so far been charged with any offences.
Research of hacker forums from Trellix and Netacea does suggest an unease about the marketplace since the operation, but it is hard to know if cyber-criminals have been put off in the short term or permanently.
User comments are still being posted on the marketplace's news page, but in small numbers.
Taking down criminal websites hosted on the darknet is notoriously difficult as the location of their servers are often hard to find or in jurisdictions that do not respond to Western law enforcement requests, like Russia.
The US Treasury, which has sanctioned Genesis Market, believes the site is run from Russia., external It is not known for sure, but the site offers Russian and English translations.
In the last year, police have had success in fully removing some darknet markets like the drugs sites Monopoly and Hydra.
Russian-language site Hydra was the highest-grossing dark web market in the world and was thought to be based in Russia but was actually hosted in Germany, which allowed German law enforcement to shut it down.
Related topics
- Published11 January 2022