Genesis Market: Understanding Law Enforcement's Recent Actions
On April 5, 2023, the U.S. Department of Justice (DOJ) announced a “coordinated international operation against Genesis Market, a criminal online marketplace that advertised and sold packages of stolen account access credentials.” According to DOJ, these packages included assets such as usernames and passwords for email, bank accounts, and social media which had been stolen from over 1.5 million malware-infected computers around the world.
That same day, Europol announced that “an unprecedented law enforcement operation involving 17 countries has resulted in the takedown of Genesis Market, one of the most dangerous marketplaces selling stolen account credentials to hackers worldwide.” According to Europol, actions were also carried out across the globe against the users of this platform, resulting in 119 arrests.
Does this mean that Genesis has gone completely dark?
While it is clear that Genesis has been severely disrupted and its users are on the run, darknet forums suggest that some servers remain functional and its administrators may still be at large. In fact, as recently as June 28, 2023, these Genesis admins claim to have found a “buyer” for the marketplace, to which ownership will be transferred next month.
As we better understand Genesis’ operations pre- and post-disruption through on-chain analysis, a clearer picture begins to emerge of the complexities involved in the takedown effort, and what we can expect from the wider market in the wake of this prominent player’s impending demise.
What was Genesis’ place in the illicit marketplace ecosystem?
Darknet marketplaces (DNMs) are online multi-vendor platforms that primarily specialize in the sale of illicit drugs via anonymizing networks. Cybercrime outlets like Genesis Market, by contrast, mainly provide digital items, such as fingerprints. They have distinct operational practices, an altogether different target audience and surrounding community, and employ different tradecraft than darknet marketplaces.
TRM analysis shows that Genesis amassed almost USD 8 million in revenue between February 2018 and May 2022. Genesis received the biggest share of those funds from payment services, crypto exchanges and P2P crypto marketplaces where users can buy, sell, and/or trade digital assets in exchange for fiat currency.
Between April 9, 2021 and May 18, 2022, the period during which Genesis and its top competitor Russian Market were both operating, a comparison of the two markets reveals that they had similar earnings (of over $2 million).
How did it operate?
On-chain analysis shows that Genesis’ operations relied on the architecture of a third-party payment processor to collect deposits from its customers. Payment processors often charge a service fee of around 5% of transacted funds. Under this setup, Genesis, which took in close to USD 8 million from 2018 to 2022, would have paid significant fees to the payment processor. TRM also found that the payment processor, which is known for servicing cybercriminal groups, did more than support Genesis: it processed transactions for multiple “carding shops”, marketplaces that sell stolen credit card information.
In the case of Genesis, the use of the payment processor likely posed a significant challenge to the takedown effort. Because customer payments were being processed, or collected, by a different entity operating on a different server than Genesis, seizure of funds would have been more difficult than in situations where payments are processed directly by the darknet marketplace itself, as was the case with AlphaBay and others.
The payment processor in this instance was not only providing critical infrastructure to enable Genesis’ operations, but was likely also used to obfuscate transactions and separate payment data from the Genesis server.
What can we expect based on these actions?
The disruption of Genesis Market leaves a number of questions and additional targets for authorities. First, we will likely see law enforcement continue to focus on the broader ecosystem, possibly including payment processors that play key facilitation roles. For example, in the case of AlphaBay we saw authorities target crypto mixing services Helix and Bitcoin Fog, which conspired with the darknet market to launder the proceeds of illicit activity. In the takedown of Hydra, we saw authorities also target the non-compliant Hong Kong-registered cryptocurrency exchange Bitzlato, through which Hydra users exchanged more than $700 million in cryptocurrency.
Second, it’s possible that the disruption of Genesis could trigger the emergence of new illegal online marketplaces or the growth of existing ones – following the observed “Hydra effect,” which refers to the proliferation of new Russian-language darknet markets in the wake of the Hydra takedown.
Since the demise of Genesis, Russian Market has witnessed a surge in mentions on cybercrime forums. Additionally, there has been an increase in dedicated Telegram channels that facilitate the sale of products similar to those Genesis sold. However, the chatter in forums has yet to translate to observable increases in sales volumes on-chain.
TRM Labs continues to monitor online illicit marketplaces and track the on-chain activity of actors who come into contact with such entities. Organizations who use TRM tools for investigations and transaction monitoring will be able to detect exposure to Genesis Market and related entities, including the payment processor and other affiliates.