Login
Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. The domain seizures coincided with more than a hundred arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data.
Several websites tied to the cybercrime store Genesis Market had their homepages changed today to this seizure notice.
Active since 2018, Genesis Market’s slogan was, “Our store sells bots with logs, cookies, and their real fingerprints.” Customers could search for infected systems with a variety of options, including by Internet address or by specific domain names associated with stolen credentials.
But earlier today, multiple domains associated with Genesis had their homepages replaced with a seizure notice from the FBI, which said the domains were seized pursuant to a warrant issued by the U.S. District Court for the Eastern District of Wisconsin.
The U.S. Attorney’s Office for the Eastern District of Wisconsin did not respond to requests for comment. The FBI declined to comment.
Update, April 5, 11:40 a.m. ET: The U.S. Department of Justice just released a statement on its investigation into Genesis Market. In a press briefing this morning, FBI and DOJ officials said the international law enforcement investigation involved 14 countries and resulted in 400 law enforcement actions, including 119 arrests and 208 searches and interviews worldwide. The FBI confirmed that some American suspects are among those arrested, although officials declined to share more details on the arrests.
The DOJ said investigators were able to access the user database for Genesis Market, and found the invite-only service had more than 59,000 registered users. The database contained the purchase and activity history on all users, which the feds say helped them uncover the true identities of many users.
Original story: But sources close to the investigation tell KrebsOnSecurity that law enforcement agencies in the United States, Canada and across Europe are currently serving arrest warrants on dozens of individuals thought to support Genesis, either by maintaining the site or selling the service bot logs from infected systems.
The seizure notice includes the seals of law enforcement entities from several countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the United Kingdom.
When Genesis customers purchase a bot, they’re purchasing the ability to have all of the victim’s authentication cookies loaded into their browser, so that online accounts belonging to that victim can be accessed without the need of a password, and in some cases without multi-factor authentication.
“You can buy a bot with a real fingerprint, access to e-mail, social networks, bank accounts, payment systems!,” a cybercrime forum ad for Genesis enthused. “You also get all previous digital life (history) of the bot – most services won’t even ask for login and password and identify you as their returning customer. Purchasing a bot kit with the fingerprint, cookies and accesses, you become the unique user of all his or her services and other web-sites. The other use of our kit of real fingerprints is to cover-up the traces of your real internet activity.”
The Genesis Store had more than 450,000 bots for sale as of Mar. 21, 2023. Image: KrebsOnSecurity.
The pricing for Genesis bots ranged quite a bit, but in general bots with large amounts of passwords and authentication cookies — or those with access to specific financial websites such as PayPal and Coinbase — tended to fetch far higher prices.
New York based cyber intelligence firm Flashpoint says that in addition to containing a large number of resources, the most expensive bots overwhelmingly seem to have access to accounts that are easy to monetize.
“The high incidence of Google and Facebook is expected, as they are such widely used platforms,” Flashpoint noted in an analysis of Genesis Market, observing that all ten of the ten most expensive bots at the time included Coinbase credentials.
Genesis Market has introduced a number of cybercriminal innovations throughout its existence. Probably the best example is Genesis Security, a custom Web browser plugin which can load a Genesis bot profile so that the browser mimics virtually every important aspect of the victim’s device, from screen size and refresh rate to the unique user agent string tied to the victim’s web browser.
Flashpoint said the administrators of Genesis Market claim they are a team of specialists with “extensive experience in the field of systems metrics.” They say they developed the Genesis Security software by analyzing the top forty-seven browser fingerprinting and tracking systems, as well as those utilized by 283 different banking and payment systems.
Cybersecurity experts say Genesis and a handful of other bot shops are also popular among cybercriminals who work to identify and purchase bots inside corporate networks, and then turn around and resell that access to ransomware gangs.
Michael Debolt, chief intelligence officer for Intel 471, said so-called “network access brokers” will scour automated bot shops for high value targets, and then resell them for a bigger profit.
“From ‘used’ or ‘processed’ logs — it is actually quite common for the same log to be used by multiple different actors who are all using it for different purposes – for instance, some actors are only interested in crypto wallet or banking credentials so they bypass credentials that network access brokers are interested in,” Debolt said. “These network access brokers buy these ‘used’ logs for very cheap (or sometimes for free) and search for big fish targets from there.”
In June 2021, hackers who broke into and stole a wealth of source code and game data from the computer gaming giant EA told Motherboard they gained access by purchasing a $10 bot from Genesis Market that let them log into a company Slack account.
One feature of Genesis that sets it apart from other bot shops is that customers can retain access to infected systems in real-time, so that if the rightful owner of an infected system creates a new account online, those new credentials will get stolen and displayed in the web-based panel of the Genesis customer who purchased that bot.
“While some infostealers are designed to remove themselves after execution, others create persistent access,” reads a March 2023 report from cybersecurity firm SpyCloud. “That means bad actors have access to the current data for as long as the device remains infected, even if the user changes passwords.”
SpyCloud says Genesis even advertises its commitment to keep the stolen data and the compromised systems’ fingerprints up to date.
“According to our research, Genesis Market had more than 430,000 stolen identities for sale as of early last year – and there are many other marketplaces like this one,” the SpyCloud report concludes.
It appears this week’s action targeted only the clear web versions of Genesis Market, and that the store is still operating on a dark web address that is only reachable through the Tor network. In today’s press briefing, DOJ officials said their investigation is ongoing, and that actions taken already have allowed them to disrupt Genesis in a way that may not be readily apparent.
In a blog post today, security firm Trellix said it was approached by the Dutch Police, who were seeking assistance with the analysis and detection of the malicious files linked to Genesis Market.
“The primary goal was to render the market’s scripts and binaries useless,” Trellix researchers wrote.
As described in the Trellix blog, a major part of this effort against Genesis Market involves targeting its suppliers, or cybercriminals who are constantly feeding the market with freshly-stolen bot data. The company says Genesis partnered with multiple cybercriminals responsible for selling, distributing and maintaining different strains of infostealer malware, including malware families such as Raccoon Stealer.
“Over the years, Genesis Market has worked with a large variety of malware families to infect victims, where their info stealing scripts were used to steal information, which was used to populate the Genesis Market store,” the Trellix researchers continued. “It comes as no surprise that the malware families linked to Genesis Market belong to the usual suspects of common info-stealers, like AZORult, Raccoon, Redline and DanaBot. In February 2023, Genesis Market started to actively recruit sellers. We believe with a moderate level of confidence that this was done to keep up with the growing demand of their users.”
How does one’s computer become a bot in one of these fraud networks? Infostealers are continuously mass-deployed via several methods, including malicious attachments in email; manipulating search engine results for popular software titles; and malware that is secretly attached to legitimate software made available for download via software crack websites and file-sharing networks.
John Fokker, head of threat intelligence at Trellix, told KrebsOnSecurity that the Dutch Police tracked down several people whose data was for sale on Genesis Market, and discovered that the victims had installed infostealer malware that was bundled with pirated software.
The Dutch Police have stood up a website that lets visitors check whether their information was part of the stolen data for sale on Genesis. Troy Hunt‘s Have I Been Pwned website is also offering a lookup service based on data seized by the FBI.
Ruben van Well, team leader of the Dutch police cybercrime unit in Rotterdam, said more than 800,000 visitors have already checked their website, and that more than 2,000 of those visitors were alerted to active infostealer malware infections.
Van Well said Dutch authorities executed at least 17 arrests in connection with the investigation so far. He added that while the cybercriminals running Genesis Market promised their customers that user account security was a high priority, the service stored all of its data in plain text.
“If users would say can you please delete my account, they’d do it, but we can still see in the logs that they asked for that,” van Well said. “Genesis Market was not very good at protecting the security of its users, which made a mess for them but it’s been great for law enforcement.”
According to the Dutch Police, Microsoft this morning shipped an update to supported Windows computers that can remove infections from infostealer malware families associated with Genesis Market.
The Dutch computer security firm Computest worked with Trellix and the Dutch Police to analyze the Genesis Market malware. Their highly technical deep-dive is available here.
This is a developing story. Any updates will be added with notice and timestamp here.
Apr. 5, 11:00 am ET: Added statement from Justice Department, and background from a press briefing this morning.
Apr. 5, 12:24 pm ET: Added perspective from Trellix, and context from DOJ officials.
Apr. 5, 1:27 pm ET: Added links to lookup services by the Dutch Police and Troy Hunt.
U.S. state and federal investigators are being inundated with reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering,” wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
The term “pig butchering” refers to a time-tested, heavily scripted, and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig butchering means fattening up a prey before the slaughter.
“The fraud is named for the way scammers feed their victims with promises of romance and riches before cutting them off and taking all their money,” the Federal Bureau of Investigation (FBI) warned in April 2022. “It’s run by a fraud ring of cryptocurrency scammers who mine dating apps and other social media for victims and the scam is becoming alarmingly popular.”
As documented in a series of investigative reports published over the past year across Asia, the people creating these phony profiles are largely men and women from China and neighboring countries who have been kidnapped and trafficked to places like Cambodia, where they are forced to scam complete strangers over the Internet — day after day.
The most prevalent pig butchering scam today involves sophisticated cryptocurrency investment platforms, where investors invariably see fantastic returns on their deposits — until they try to withdraw the funds. At that point, investors are told they owe huge tax bills. But even those who pay the phony levies never see their money again.
The come-ons for these scams are prevalent on dating sites and apps, but they also frequently start with what appears to be a wayward SMS — such as an instant message about an Uber ride that never showed. Or a reminder from a complete stranger about a planned meetup for coffee. In many ways, the content of the message is irrelevant; the initial goal to simply to get the recipient curious enough to respond in some way.
Those who respond are asked to continue the conversation via WhatsApp, where an attractive, friendly profile of the opposite gender will work through a pre-set script that is tailored to their prey’s apparent socioeconomic situation. For example, a divorced, professional female who responds to these scams will be handled with one profile type and script, while other scripts are available to groom a widower, a young professional, or a single mom.
That’s according to Erin West, deputy district attorney for Santa Clara County in Northern California. West said her office has been fielding a large number of pig butchering inquiries from her state, but also from law enforcement entities around the country that are ill-equipped to investigate such fraud.
“The people forced to perpetrate these scams have a guide and a script, where if your victim is divorced say this, or a single mom say this,” West said. “The scale of this is so massive. It’s a major problem with no easy answers, but also with victim volumes I’ve never seen before. With victims who are really losing their minds and in some cases are suicidal.”
West is a key member of REACT, a task force set up to tackle especially complex forms of cyber theft involving virtual currencies. West said the initial complaints from pig butchering victims came early this year.
“I first thought they were one-off cases, and then I realized we were getting these daily,” West said. “A lot of them are being reported to local agencies that don’t know what to do with them, so the cases languish.”
West said pig butchering victims are often quite sophisticated and educated people.
“One woman was a university professor who lost her husband to COVID, got lonely and was chatting online, and eventually ended up giving away her retirement,” West recalled of a recent case. “There are just horrifying stories that run the gamut in terms of victims, from young women early in their careers, to senior citizens and even to people working in the financial services industry.”
In some cases reported to REACT, the victims said they spent days or weeks corresponding with the phony WhatsApp persona before the conversation shifted to investing.
“They’ll say ‘Hey, this is the food I’m eating tonight’ and the picture they share will show a pretty setting with a glass of wine, where they’re showcasing an enviable lifestyle but not really mentioning anything about how they achieved that,” West said. “And then later, maybe a few hours or days into the conversation, they’ll say, ‘You know I made some money recently investing in crypto,’ kind of sliding into the topic as if this wasn’t what they were doing the whole time.”
Curious investors are directed toward elaborate and official-looking online crypto platforms that appear to have thousands of active investors. Many of these platforms include extensive study materials and tutorials on cryptocurrency investing. New users are strongly encouraged to team up with more seasoned investors on the platform, and to make only small investments that they can afford to lose.
The now-defunct homepage of xtb-market[.]com, a scam cryptocurrency platform tied to a pig butchering scheme.
“They’re able to see some value increase, and maybe even be allowed to take out that value increase so that they feel comfortable about the situation,” West said. Some investors then need little encouragement to deposit additional funds, which usually generate increasingly higher “returns.”
West said many crypto trading platforms associated with pig butchering scams appear to have been designed much like a video game, where investor hype is built around upcoming “trading opportunities” that hint at even more fantastic earnings.
“There are bonus levels and VIP levels, and they’ll build hype and a sense of frenzy into the trading,” West said. “There are definitely some psychological mechanisms at work to encourage people to invest more.”
“What’s so devastating about many of the victims is they lose that sense of who they are,” she continued. “They thought they were a savvy, sophisticated person, someone who’s sort of immune to scams. I think the large scale of the trickery and psychological manipulation being used here can’t be understated. It’s like nothing I’ve seen before.”
Courtney Nolan, a divorced mother of three daughters, says she lost more than $5 million to a pig butchering scam. Nolan lives in St. Louis and has a background in investment finance, but only started investing in cryptocurrencies in the past year.
Nolan’s case may be especially bad because she was already interested in crypto investing when the scammer reached out. At the time, Bitcoin was trading at or near all-time highs of nearly $68,000 per coin.
Nolan said her nightmare began in late 2021 with a Twitter direct message from someone who was following many of the same cryptocurrency influencers she followed. Her fellow crypto enthusiast then suggested they continue their discussion on WhatsApp. After much back and forth about his trading strategies, her new friend agreed to mentor her on how to make reliable profits using the crypto trading platform xtb.com.
“I had dabbled in leveraged trading before, but his mentor program gave me over 100 pages of study materials and agreed to walk me through their investment strategies over the course of a year,” Nolan told KrebsOnSecurity.
Nolan’s mentor had her create an account website xtb-market[.]com, which was made to be confusingly similar to XTB’s official platform. The site promoted several different investment packages, including a “starter plan” that involves a $5,250 up-front investment and promises more than 15 percent return across four separate trading bursts.
Platinum plans on xtb-market promised a whopping 45 percent ROI, with a minimum investment of $265,000. The site also offered a generous seven percent commission for referrals, which encouraged new investors to recruit others.
The now-defunct xtb-market[.]com.
While chatting via WhatsApp, Nolan and her mentor would trade side by side in xtb-market, initially with small investments ranging from $500 to $5,000. When those generated hefty returns, Nolan made bigger deposits. On several occasions she was able to withdraw amounts ranging from $10,000 to $30,000.
But after investing more than $4.5 million of her own money over nearly four months, Nolan found her account was suddenly frozen. She was then issued a tax statement saying she owed nearly $500,000 in taxes before she could reactivate her account or access her funds.
Nolan said it seems obvious in hindsight that she should never have paid the tax bill. Because xtb-market and her mentor cut all communications with her after that, and the entire website disappeared just a few weeks later.
Justin Maile, an investigation partner manager at Chainalysis, told Vice News that the tax portion of the pig butchering scam relies on the “sunk costs fallacy,” when people are reluctant to abandon a failing strategy or course of action because they have already invested heavily in it.
“Once the victim starts getting skeptical or tries to withdraw their funds, they are often told that they have to pay tax on the gains before funds can be unlocked,” Maile told Vice News. “The scammers will try to get any last payments out of the victims by exploiting the sunk cost fallacy and dangling huge profits in front of them.”
Vice recently published an in-depth report on pig butchering’s link to organized crime gangs in Asia that lure young job seekers with the promise of customer service jobs in call centers. Instead, those who show up at the appointed place and time are taken on long car rides and/or forced hikes across the borders into Cambodia, where they are pressed into indentured servitude.
Vice found many of the people forced to work in pig-butchering scams are being held in Chinese-owned casinos operating in Cambodia. Many of those casinos were newly built when the Covid pandemic hit. As the new casinos and hotels sat empty, organized crime groups saw an opportunity to use these facilities to generate huge income streams, and many foreign travelers stranded in neighboring countries were eventually trafficked to these scam centers.
Vice reports:
“While figures on the number of people in scam centers in Cambodia is unknown, best estimates pieced together from various sources point to the tens of thousands across scam centers in Sihanoukville, Phnom Penh, and sites in border regions Poipet and Bavet. In April, Thailand’s assistant national police commissioner said 800 Thai citizens had been rescued from scam centers in Cambodia in recent months, with a further 1,000 citizens still trapped across the country. One Vietnamese worker estimated 300 of his compatriots were held on just one floor in a tall office block hosting scam operations.”
“…within Victory Paradise Resort alone there were 7,000 people, the majority from mainland China, but also Indonesians, Singaporeans and Filipinos. According to the Khmer Times, one 10-building complex of high-rises in Sihanoukville, known as The China Project, holds between 8,000 to 10,000 people participating in various scams—a workforce that would generate profits around the $1 billion mark each year at $300 per worker per day.”
REACTs’ West said while there are a large number of pig butchering victims reporting their victimization to the FBI, very few are receiving anything more than instructions about filing a complaint with the FBI’s Internet Crime Complaint Center (IC3), which keeps track of cybercrime losses and victims.
“There’s a huge gap in victims that are seeing any kind of service at all, where they’re reporting to the FBI but not being able to talk to anyone,” she said. “They’re filling out the IC3 form and never hearing back. It sort of feels like the federal government is ignoring this, so people are going to local agencies, which are sending these victims our way.”
For many younger victims of pig butchering, even losses of a few thousand dollars can be financially devastating. KrebsOnSecurity recently heard from two different readers who said they were in their 20s and lost more than $40,000 each when the investment platforms they were trading on vanished with their money.
The FBI can often bundle numerous IC3 complaints involving the same assailants and victims into a single case for federal prosecutors to pursue the guilty, and/or try to recapture what was stolen. In general, however, victims of crypto crimes rarely see that money again, or if they do it can take many years.
“The next piece is what can we actually do with these cases,” West said. “We used to frame success as getting bad people behind bars, but these cases leave us as law enforcement with not a lot of opportunity there.”
West said the good news is U.S. authorities are seeing some success in freezing cryptocurrency wallets suspected of being tied to large-scale cybercriminal operations. Indeed, Nolan told KrebsOnSecurity that her losses were substantial enough to warrant an official investigation by the FBI, which she says has since taken steps to freeze at least some of the assets tied to xtb-market[.]com.
Likewise, West said she was recently able to freeze cryptocurrency funds stolen from some pig butchering victims, and now REACT is focusing on helping state and local authorities learn how to do the same.
“It’s important to be able to mobilize quickly and know how to freeze and seize crypto and get it back to its rightful owner,” West said. “We definitely have made seizures in cases involving pig butchering, but we haven’t gotten that back to the rightful owners yet.”
In April, the FBI warned Internet users to be on guard against pig butchering scams, which it said attracts victims with “promises of romance and riches” before duping them out of their money. The IC3 said it received more than 4,300 complaints related to crypto-romance scams, resulting in losses of more than $429 million.
Here are some common elements of a pig butchering scam:
–Dating apps: Pig-butchering attempts are common on dating apps, but they can begin with almost any type of communication, including SMS text messages.
–WhatsApp: In virtually all documented cases of pig butchering, the target is moved fairly quickly into chatting with the scammer via WhatsApp.
–No video: The scammers will come up with all kinds of excuses not to do a video call. But they will always refuse.
–Investment chit-chat: Your contact (eventually) claims to have inside knowledge about the cryptocurrency market and can help you make money.
The FBI’s tips on avoiding crypto scams:
-Never send money, trade, or invest based on the advice of someone you have only met online.
-Don’t talk about your current financial status to unknown and untrusted people.
-Don’t provide your banking information, Social Security Number, copies of your identification or passport, or any other sensitive information to anyone online or to a site you do not know is legitimate.
-If an online investment or trading site is promoting unbelievable profits, it is most likely that—unbelievable.
-Be cautious of individuals who claim to have exclusive investment opportunities and urge you to act fast.
FreshRSS 