WASHINGTON (AP) — Law enforcement agencies in the United States and Europe said Wednesday that they have taken down a major online marketplace for stolen login credentials that had given cybercriminals access to millions of compromised accounts since its 2018 launch.

Officials seized 11 domain names tied to the Genesis Market and arrested about 120 users across the world, including some in the U.S., according to the FBI and Justice Department, which participated in the operation.

The market “falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the Department to identify, locate, and arrest on-line criminals,” Deputy Attorney General Lisa Monaco said in a statement.

Genesis Market had provided users with access to data taken from more than 1.5 million computers infected with malicious software, with over 80 million account access credentials, the Justice Department said.

“Operation Cookie Monster,” the effort by law enforcement agencies in 17 countries, disrupted the largest marketplace of its kind, officials said.

“Cookie” refers to the web browser cookies that let people log onto websites without the need for multifactor authentication. Criminal users of Genesis Market could purchase software scripts from it, including browser cookies and fingerprints that track a user’s online activity.

The market, a “one-stop shop for account takeovers,” was advertised on several predominantly Russian-speaking underground forums, the cybersecurity firm Trellix, which assisted in the investigation, said in a research report.

“While underground marketplaces that sell stolen credentials aren’t a new thing, Genesis Market was one of the first that focused on fingerprints and browser cookies to enable account takeovers despite growing MFA adoption,” the Trellix researchers said. A specialized browser it offered customers made “account takeover child’s play for criminals,” their report says.

Trellix said it observed more than 450,000 infected machines in examining the marketplace.

Trellix’s threat intelligence lead, John Fokker, said the takedown would “have a notable impact on the activities of cybercriminals focused on stolen credential usage for the rest of the year. “

He said in an online chat that he did not believe the people who ran the site would be arrested because they are in Russia.

Typically after such takedowns, the criminals regroup at other sites.

Dutch police put up a webpage to allow members of the public to enter their email address to determine whether their data was for sale on Genesis Market. The Justice Department said it had provided victim information for a website so that people could check if their accounts had been compromised.


Bajak reported from Boston.