[Developing] Despite FBI Takedown, Genesis Market Persists on the Darknet

Last Updated 10 April 2023 – 15:52 UTC

Update: The Genesis Market onion site is still online; however, there have been no new listings or other activity since early Friday, April 7th.

April 06, 2023

In the last 36 hours, the United States Federal Bureau of Investigation has announced the seizure of the criminal forum Genesis Market in an internationally coordinated effort dubbed “Operation Cookie Monster.” Our analysts detected the disruption of Genesis Market early on the afternoon of Tuesday, April 4th, which is consistent with other accounts that also saw the popular marketplace replaced with the law enforcement landing page at that time.

Figure 1: Screenshot of the landing page of Genesis Market on the Surface Web after its seizure on April 4th taken at 12:30pm MST (Source, Genesis Market Surface Web)

Much reporting has focused on the seizure of the surface web (or “clearnet”) domains and the arrest of at least 100 known users of Genesis Market, while few outlets have noted that darknet mirrors of Genesis Market are still online.

Figure 2: Login portal to Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

DarkOwl Vision analysts detected the seizure notification on the Genesis surface web domains just after noon MST on April 4th, though it is possible the seizure took place in the hours preceding. As pictured above, the message displayed a large banner and included the logos of the various international organizations the FBI coordinated with to execute this operation.

The declaration from the FBI states that the marketplace’s domains were seized pursuant to a warrant issued by the United States District Court for the Eastern District of Wisconsin.

Interestingly, the notice ends with a solicitation asking readers to contact the FBI if they themselves have ever been active on the illicit marketplace. The language and nature of the message suggest the FBI is still actively gathering evidence to further its case in taking down the entirety of Genesis Market, including its darknet mirrors.

Figure 3: Closing message of the FBI’s statement posted on Genesis Market and to the DOJ press office (Source, Genesis Market Surface Web)

On Telegram, Arvin Club specifically mentions that only the clearnet domains of Genesis Market had been taken down (pictured below).

Figure 4: Arvin Club post specifying that all official clearnet domains of Genesis Market had been taken down (Source, DarkOwl Vision)

Quick Background on Genesis Market

Genesis Market is a well-known darknet marketplace that specializes in the sale of identity and account-takeover tools, which in the case of this forum primarily means access to personal devices that have been compromised with malware. When a buyer obtains a “bot” from Genesis Market, they are actually purchasing persistent remote access to an unsuspecting victim’s computer.

Figure 5: Screenshot of a dashboard from Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

The goods described as “bots” on Genesis’ site frequently include cookies and related user logs, which in part explains the name “Operation Cookie Monster.” On a typical day, upon logging in, a user’s dashboard would look something like the above example. These advertised bots are tied to an actual human’s unique personal device.
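The defensive counterpart of what Genesis sold, as an added example that is not from the original article or from DarkOwl: a small Python detector that flags a session cookie reappearing from a different browser or IP address than the one that originally logged in, which is what a buyer of a Genesis “bot” would do when replaying the victim’s cookies. The log format, the field names, the list of sensitive events and the sample lines are all constructed for illustration and are not a real vendor format.

```python
"""Flag session cookies replayed from a different browser or IP than the login they belong to."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines (not real data): one record per request, with the
# session cookie value, the client IP, the User-Agent and the application event.
SAMPLE_LOG = """\
2023-04-04T12:01:05Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/111.0" event=login
2023-04-04T12:03:17Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/111.0" event=view_account
2023-04-04T19:45:02Z sid=a1b2c3 ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/111.0" event=change_email
2023-04-04T12:10:00Z sid=d4e5f6 ip=192.0.2.5 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 16_3) Safari/604.1" event=login
2023-04-04T12:12:30Z sid=d4e5f6 ip=192.0.2.5 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 16_3) Safari/604.1" event=view_account
2023-04-04T12:30:00Z sid=d4e5f6 ip=192.0.2.99 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 16_3) Safari/604.1" event=view_account
2023-04-04T12:20:44Z sid=zz9 ip=198.51.100.200 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/111.0" event=view_account
"""

# Hypothetical log line layout assumed by this example.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" event=(?P<event>\S+)$'
)

# Actions an account-takeover buyer typically rushes to perform (assumed set).
SENSITIVE_EVENTS = {"change_email", "change_password", "add_payee", "transfer"}


@dataclass
class Event:
    ts: str
    sid: str
    ip: str
    ua: str
    event: str


@dataclass
class Alert:
    sid: str
    ts: str
    event: str
    reasons: List[str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format, skipping malformed lines instead of crashing."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def ua_family(ua: str) -> str:
    """Reduce a User-Agent to its OS/browser family so routine version bumps do not alert."""
    os_part = "windows" if "Windows" in ua else "linux" if "Linux" in ua else "ios" if "iPhone" in ua else "other"
    browser = "firefox" if "Firefox" in ua else "chrome" if "Chrome" in ua else "safari" if "Safari" in ua else "other"
    return f"{os_part}/{browser}"


def detect_session_replay(events: List[Event]) -> List[Alert]:
    """Compare each request against the IP and User-Agent recorded at login for its session id."""
    baseline: Dict[str, Event] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):  # ISO-8601 timestamps sort lexically
        if ev.event == "login":
            baseline[ev.sid] = ev
            continue
        base = baseline.get(ev.sid)
        if base is None:
            # A cookie we never saw issued: possibly replayed from an older, unlogged login.
            alerts.append(Alert(ev.sid, ev.ts, ev.event, ["no login seen for session"]))
            continue
        reasons: List[str] = []
        if ua_family(ev.ua) != ua_family(base.ua):
            reasons.append(f"user-agent changed: {base.ua!r} -> {ev.ua!r}")
        if ev.ip != base.ip:
            reasons.append(f"ip changed: {base.ip} -> {ev.ip}")
        # An IP change alone is common (mobile networks, VPNs); escalate only when the
        # browser family also changed or the action is one a hijacker would prioritise.
        if reasons and (len(reasons) == 2 or ev.event in SENSITIVE_EVENTS):
            alerts.append(Alert(ev.sid, ev.ts, ev.event, reasons))
    return alerts


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample; returns the alerts it raises."""
    return detect_session_replay(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.ts, alert.sid, alert.event, "; ".join(alert.reasons))
```

On the sample, session a1b2c3 is flagged when its cookie reappears hours later from a different IP and browser family to change the account e-mail, and the unknown cookie zz9 is flagged because no login was ever seen for it; the iPhone session that merely changes IP on a read-only request is left alone. The caveat a practitioner should keep in mind is that Genesis bundled the victim’s device fingerprint with the cookies precisely so that a buyer could present the same User-Agent and browser characteristics, so the browser-family comparison here is the weakest of the three signals; IP reputation, geo-velocity and step-up re-authentication on the sensitive events carry more weight in a real deployment.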

Is it common for surface web domains to be seized, but not the onion mirror?

We asked our analysts about this scenario, and they indicated that yes, it is possible, and offered a number of explanations, including:

A) The onion mirrors are hosted on a different server that’s not subject to the warrant

B) Law enforcement might want to run the onion service as a honeypot for a time to catch users with better OpSec

C) This is all an elaborate ruse

Given the official statements that have since been released by law enforcement, it is unlikely that this is anything less than an official operation, making option C a very unlikely scenario. In any case, chatter on Telegram offered a range of opinions mirroring those of our analysts above, including speculation about the seizure’s legitimacy and the possibility of an exit scam.

The screenshots below demonstrate the variety of reactions users had – including instructions and warnings urging others to take the situation seriously:

Figure 6: Users on Telegram discuss the legitimacy of the FBI takeover by pointing out technical details such as the mobile-friendliness of the seizure notice (Source, DarkOwl Vision)
Figure 7: Users on Telegram speculate that the FBI seizure is a ruse and/or an exit scam (Source, DarkOwl Vision)
Figure 8: Users on Telegram continue to express confusion about the situation, and offer advice on how to minimize financial losses from a potential exit scam (Source, DarkOwl Vision)

Recent Activity Suggests Business Is Continuing as Usual on Genesis Market on the Darknet

Figure 9: Screenshot of Genesis Market Listings at 1:45 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

At 1:45 PM MST on Wednesday the 5th, it appeared that activity had come to a halt on Genesis Market, with only one new bot added in the 24-hour period before the screenshot was taken. However, only a few hours later, at around 4:00 PM MST, this number had risen to 241 new bots offered for sale.

Figure 10: Screenshot of Genesis Market Listings at 4:00 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

According to our analysts, Genesis does tend to go for periods of time without adding or updating content under regular circumstances. From our observations, there is often little to no activity over weekends, so a 24-hour period with no new bots is not unheard of.

Based on new bot advertisements alone, one could claim it is business as usual for Genesis Market users on the darknet. However, given all of the press surrounding this matter, we speculate that the number of people actually buying from Genesis has dropped.

Future of Genesis Market

Regardless of when the dark web domains for Genesis Market inevitably go offline, the fact remains that dark web users will simply relocate to buy or swap assets such as the digital fingerprints Genesis was known for. Some chatter in private dark web sources indicates that the FBI seized the surface web domain names and servers but did not actually get the web host, which is why the site is still online on Tor. Others are sure the persistence of the dark web criminal forum can only be explained by an exit scam or a law enforcement honeypot.

As to what comes next, chatter suggests users of the popular marketplace may relocate to 2easy or Russianmarket.

Figure 11: Users on Telegram discuss potential relocation options should Genesis Market be truly compromised (Source, DarkOwl Vision)

Stay tuned for more developments as our analysts continue to monitor this matter.

Contact us to see if your company’s name or credentials have been mentioned in high-risk places such as forums or marketplaces on the dark web.
