An international operation involving the National Crime Agency has taken down one of the biggest online marketplaces selling stolen credentials to criminals worldwide.
The activity, which involved 17 countries and was led by the FBI and Dutch National Police, saw Genesis Market taken offline yesterday, 4 April.
Genesis Market was a go-to service for criminals seeking to defraud victims, having hosted approximately 80 million credentials and digital fingerprints stolen from over two million people.
As part of the investigation, the NCA identified hundreds of UK-based users of the platform and information was passed to policing partners across the country. This resulted in 47 warrants being executed yesterday and this morning in coordinated raids by the NCA, Regional Cyber Crime Units and police forces.
19 people were arrested in the UK, including two men, aged 34 and 36, who were detained by the NCA in Grimsby on suspicion of Computer Misuse Act and fraud offences.
UK activity will continue in the form of arrests and preventative action, where many users will be contacted by law enforcement and warned about their potentially criminal activity.
In total, there were around 120 arrests, over 200 searches and close 100 pieces of preventative activity carried out across the globe.
Rob Jones, NCA Director General NECC and Threat Leadership, said: “Behind every cyber criminal or fraudster is the technical infrastructure that provides them with the tools to execute their attacks and the means to benefit financially from their offending.
“Genesis Market was a prime example of such a service and was one of the most significant platforms on the criminal market. Its removal will be a huge blow to criminals across the globe.
“Targeting this infrastructure is at the core of the NCA’s efforts to disrupt the highest harm offenders and protect the public from those seeking to infiltrate their lives, stealing their identities and their money.
Genesis Market traded in digital identities, selling ‘bots’ that contained information harvested from victim devices, which had been infected using malicious attacks.
These indiscriminate attacks were conducted against both members of the public and companies operating in a variety of sectors.
The bots would give criminals access to all the data pertaining to an individual identity, such as cookies, saved logins and autofill form data. This information was collected in real time, meaning the buyers would be notified of any change of passwords etc.
The price per bot would range from as little as $0.70 up to several hundreds of dollars depending on the amount and nature of the stolen data. The most expensive bots would contain financial information, which would allow access to online banking accounts.
Criminals could use this access to steal from victims, either by directly moving money out of an account, or using the credentials to pay for goods and services for their own benefit.
They may also have used the victim account in the process of laundering the profits of other criminal activity – also known as money muling.
Genesis Market was unique in that it provided users with a custom browser, which would mimic that of their victim. This allowed the criminals to essentially masquerade as the victim, making it look like they were accessing their accounts from the usual location and operating system, thus not triggering security measures.
It’s likely that criminals would use information about a victim they had obtained from their various accounts, such as interests, names of friends and family, and personal circumstance, to socially engineer them for further offences.
This process sees a fraudster using the information to build trust with a victim, then manipulating them into handing over money voluntarily, e.g. via romance or investment frauds.
Members of the public can check whether their data has been compromised and accessed by criminals on Genesis Market by visiting ttps://www.politie.nl/checkyourhack and inputting their email address.
Those who have been affected are encouraged to report this, either to Action Fraud via their online portal, or Police Scotland by calling 101 if you live in Scotland.
The NCA has also collaborated with the National Cyber Security Centre and City of London Police to devise five steps for members of the public to follow in order to protect their devices and online accounts. This can be accessed on the NCA website: https://bit.ly/GenesisMarket or found below.
Step 1: Identify whether your data has be compromised and accessed by criminals on Genesis Market:
Visit https://www.politie.nl/checkyourhack and input your email address to find out if your data has been compromised and from which platform(s). You will then receive an email
Check Your Hack is a certified website run by the Dutch National Police (Politie) who were key partners in the Genesis Market investigation.
If your data has not been compromised, go straight to step 3 for advice on how to protect your devices and accounts.
Step 2: Check if your device and/or online accounts have been compromised and recover:
Check for and recover an infected device:
If you suspect your PC, tablet or phone has been infected with a virus or malware, follow the NCSC guidance to remove the infection and restore your device. How to recover an infected device - NCSC.GOV.UK
Signs of infection can include a slow running device that is rebooting by itself or pop-up boxes from programs you don’t recognise that may ask you to do unexpected things.
Check for and recover a hacked account:
Check your online accounts to see if there has been any unauthorised activity, such as attempted log ins from strange locations, messages sent from your account or money transfers you don’t recognise.
If your online accounts have been compromised, the following NCSC guidance explains what you can do and how you can regain access to your accounts. Recovering a hacked account - NCSC.GOV.UK
If your data or accounts have been compromised, follow the guidance in step 5 to report the crime.
Step 3: Secure your devices against cyber attacks - this applies to EVERYONE:
Ensure your computer and mobile devices always have the latest security updates installed where possible.
Apply updates as soon as they are available, do not ignore these prompts. Turn on ‘automatic updates’ in your device’s settings, if available.
Step 4: Protect your online accounts from future compromise by criminals. Again, this applies to everyone:
Use 3 random words to create a strong password for each of your online accounts that’s different to all your other passwords, to prevent criminals accessing your personal information.
Why? Your online accounts, such as your email, contain a lot of information about you that criminals can use to scam you or people you know. This includes personal, but not sensitive, information that can be used to build trust, like the names of family or friends, who you bank with, and where you tend to shop online.
Always use 2-step verification where possible to protect your most important online accounts.
Why? It helps to keep criminals out of your online accounts, even if they know your passwords.
How? If 2SV is available for your account, you’re usually prompted to set it up. Alternatively, the option to switch it on is usually found in security settings.
Use your browser’s password manager to safely store passwords.
Why? Password managers are easy to use, hard to crack and will save you from having to memorise your passwords.
How? Web browsers will offer you the opportunity to save your password when you log into an account. Always do this.
More advice and guidance on how to protect your accounts and secure specific devices can be found at www.ncsc.gov.uk/cyberaware
Step 5: Report
If your data has been comprised or accessed by criminals on Genesis or if you have fallen victim to fraud or cyber crime more generally, report it any time at https://reporting.actionfraud.police.uk/login.
In Scotland, report it to Police Scotland by calling 101. If you are a victim of fraud, you should also report it to your bank.
If you are reporting as a victim of Genesis, quote the word ‘Genesis’ in the ‘Additional information’ box on the Action Fraud site, or when peaking to the Police.
If a law enforcement officer contacts you in relation to a suspected fraud, you can verify their identity by calling the police on 101 or the NCA Control Centre on 0370 496 7622.
If you’ve received a suspicious email, forward it to email@example.com to help stop criminal activity and prevent others falling victim to scams.
Rob Jones added: “Cyber crime is a key enabler of the vast majority of fraud, which is now the single largest crime type in the UK, affecting more people than any other.
“It’s therefore extremely important that our response to these two threats is a collaborative effort at both an international and national level. Support from ROCUs and forces in this case was key to delivering this collaborative response in the UK and has resulted in us disrupting a significant number of offenders.
“The NCA is attacking criminal infrastructure from all angles and those seeking to use such services should be aware that we are coming after them.”