One of the world’s biggest criminal marketplaces used by online fraudsters to buy passwords has been closed down in a global law enforcement crackdown.
Genesis Market sold login details, IP addresses and other data that made up victims’ “digital fingerprints”.
Often costing less than $1, the personal information let fraudsters log into bank and shopping accounts.
Law enforcement agencies around the world were part of the co-ordinated raids, including the UK.
During a series of raids, the UK’s National Crime Agency (NCA) arrested 24 people who are suspected users of the site. They include two men aged 34 and 36 in Grimsby, Lincolnshire, who are being held on suspicion of fraud and computer misuse.
Law enforcement agencies from 17 countries were involved in the raids, which began at dawn on Tuesday. The operation was led by the FBI in the US and the Dutch National Police, working alongside the NCA in the UK, the Australian Federal Police, and countries across Europe.
On Wednesday, anyone logging onto the Genesis website saw a message which read: “Operation Cookie Monster. This website has been seized.”
Genesis Market had 80 million sets of credentials and digital fingerprints up for sale, with the NCA calling it “an enormous enabler of fraud”.
“For too long criminals have stolen credentials from innocent members of the public,” Robert Jones, director general of the National Economic Crime Centre at the NCA, said.
“We now want criminals to be afraid that we have their credentials, and they should be,” he added.
Dutch police have launched a portal on their website, where the public can check whether their data has been compromised.
It was a one-stop shop for login data that enabled online fraud. Users could buy login information, including passwords, and other pieces of a victim’s “digital fingerprint”, such as their browser history, cookies, autofill form data, IP address and location.
This allowed fraudsters to log in to bank, email and shopping accounts, re-direct deliveries and even change passwords without raising suspicion.
Login information on sale included passwords for Facebook, PayPal, Netflix, Amazon, eBay, Uber and Airbnb accounts. Criminals buying the information were even notified by Genesis if the passwords changed.
Genesis provided its customers with a purpose-built browser which would use the stolen data to mimic the victim’s computer so it looked as if they were accessing their account using their usual device in their usual location. So the access did not trigger any security alerts.
“It was a very sophisticated website, very easy to use, with a wiki [website that can be modified or contributed to by users] telling you how to use it, and accessible on the open web and the dark web,” Mr Jones said.
“So you didn’t need to be a sophisticated cyber actor to get into this. You just needed to be able to use a search engine, and then you could start committing crime.”
Depending on how much data was available, a victim’s information would sell for less than $1, or for hundreds of…