Wherever there is Internet, there are businesses looking to take advantage of the twenty-first century gold rush: data
collection. Cybercrime is no exception. Attackers focus on breaching applications to collect data on Internet users an
d then monetize that data in darknetAn encrypted network that runs on the Internet, enables users to remain anonym
ous, and requires special software to access it. Tor and Freenet are examples of darknets. markets. The dark webInter
net content that exists on darknets and is not accessible via search engines. Special software is required to access it. e
conomy is growing, and its users have a specific penchant for dealing in digital identities and credentials. Every year
billions of credentials are spilled powering credential stuffing and stocking the shelves of darknet markets selling st
olen data. Shape Security and F5 Labs are tracking credential spills for our 2021 Credential Stuffing Report (due out
in January 2021). To date in 2020, a period plagued with the COVID-19 pandemic driving increased remote access
and decreased visibility, we have tracked over 1.5 billion exposed credentials in breaches.
To protect the anonymity of users, darknet markets only transact in cryptocurrency. Research by Chainanalysis1 sho
ws that bitcoin transactions grew from $250 million in 2012 to $872 million in 2018. They estimate bitcoin transacti
ons for 2019 reached $1 billion. Some darknet markets have generated huge amounts of sales, for example Silk Roa
d 2.0 generated more than $9.5 million in bitcoin prior to its shutdown in 2014.2 According to Juniper Research, it is
estimated that all online fraud losses will reach $48 billion by 2023.3
With the growing sophistication of defense mechanisms, cyber attackers are interested in more than simple username
and password pairs to various online sites and services. In late 2018, a new darknet marketplace, Genesis Store, eme
rged offering a unique product: the option to generate unique or random device fingerprints. Hackers can purchase st
olen device fingerprints through the purchase of bots controlling infected machines on Genesis. Device fingerprints i
nclude information about a user’s account, including passwords and usernames, but also detailed identifiers such as
browser cookies, IP addresses, user-agent strings, and other operating system details. Many anti-fraud solutions still
consider device fingerprints to be a unique identifier, so mimicking this to bypass anti-fraud solutions is very attracti
ve to attackers.
Genesis Marketplace at a Glance
The Genesis Marketplace, available both on the dark web and the public internet provides an avenue for attackers to
buy digital fingerprints. As shown in Figure 1, the site features a wiki, a news page, a rolling ticker of how many bot
s are available for sale, and a ticketing system.
Genesis Marketplace menu showing wiki, bots, and news
Figure 1. Genesis marketplace menu showing wiki, bots, and news
Wiki Pages for Help
The wiki, as shown in Figure 2, includes a how-to guide with animated gifs teaching people how to use the platform.
Genesis Marketplace wiki with a table of contents
The Genesis Marketplace user experience is professional, much like what one would expect to see on any ecommerc
e site. The search feature, as shown in Figure 3, lets a user search for specific brands, credentials from a particular w
ebsite, or specific data types like a credit card.
Genesis marketplace brand search guide screen
Figure 3. Genesis Marketplace brand search guide (Source: Genesis Help page)
News and Updates Section
The News section provides blog-like updates on new site features, shown in Figure 4.
Genesis Marketplace new feature release section
Figure 4. Genesis Marketplace new feature release section
The site also keeps customers that have purchased bots updated with the blue “Updated” tags, as shown in Figure 5.
This feature acts as a real-time notifier to the illicit customer who purchased the bot. It highlights new data available
in their purchased bots, such as new cookies by browser, new credit cards, or new accounts to specific websites.
Genesis Marketplace updates on purchased bots
Figure 5. Genesis marketplace showing updates on purchased bots
Help Desk and Ticketing System
The Genesis Marketplace also has a full featured help desk with a ticketing system. The Tickets feature works like a
normal tech support portal where the marketplace operators are prompt in their replies, and answers are provided in
perfect English.
Bot Supply and Trade Economics
On October 20, 2020, the Genesis Digital Fingerprint Marketplace showed 323,000 bots available for sale, as depict
ed in Figure 6.
Bot count available on Genesis marketplace on October 20, 2020: 323,000
Figure 6. Bot count available on Genesis marketplace October of 2020: 323,000
Around October of 2019, there were 127,000 bots for sale, as shown in Figure 7. In just one year, the inventory of bo
ts in Genesis has shown a 153% growth.
Bots available for sale in Genesis Marketplace in October of 2019: 127,000
Much like a legitimate ecommerce website, operations are automated, and inventory is updated frequently. Figure 8 i
s a screen capture was taken on October 20, 2020 at 1:15 UTC. The date and time in the screen capture are roughly 5
hours earlier at 19:58:52 UTC on October 19, 2020.
Real-time updates to bot data on Genesis
Figure 8: Genesis bot data updated in real time
Genesis Marketplace Prices Vary by Country and Associated Accounts
Bots are available on Genesis Marketplace for many countries in all regions of the world including United States, Ca
nada, Singapore, France, United Kingdom, and Australia. Each bot has a multitude of accounts associated with a co
mpromised host. Figure 9, captured on 16 October 2020, shows prices ranging from $0.70 (for a bot in Great Britain
) to the most expensive at $176.00 (from Zambia).
Genesis marketplace prices vary based on region and accounts associated
Figure 9: Genesis marketplace prices vary based on region and associated accounts
Genesis Marketplace Showcase for Premium Branded Accounts
Everything from cloud and hosting company accounts, to email platforms, social media, and financial institutions are
available for sale in the Genesis Marketplace. The search functionality makes it easier for cybercriminals to target p
remium brands. They can purchase bots with accounts associated with their target and mimic a device that has been
associated with genesis market invite code prior transactions. Figure 10 shows a simple search for Amazon that yielded 52,000 results—nearly
16% of the 327,000 available bots.
Genesis marketplace search for amazon.com yields 52K hits
Figure 10: Genesis marketplace search for amazon.com yields 52K hits
Genesis Marketplace Provides Plugins for Easy Impersonation
Once a customer purchases a bot, Genesis Marketplace also makes it easy for them to use those stolen profiles. It off
ers a unique browser plugin (.crx file), downloadable from the website, which can install a stolen profile. Afterward,
attackers merely need to access the eservice from the victim’s location. This can be done by using a proxy server or
VPN service procured on the web, thereby bypassing simple anti-bot and anti-fraud defenses and appearing as a legit
imate user.
Conclusion
With increased sophistication of anti-fraud systems, marketplaces like Genesis will see a boom. Genesis is currently
a by-invitation marketplace, and the user experience on the platform is quite smooth. With a significant growth in th
e number of bots, as well as the range of accounts that a hackers can target, the popularity of Genesis is bound to gro
w. It is imperative for cyber defense teams to understand the looming threat of stolen fingerprints.
Recommended Security Controls
Illicit marketplaces like Genesis empower fraudsters to trick many security controls. Therefore, a comprehensive and
intelligent defense is required on both the user and enterprise fronts. Users need to understand threats to their digital
identity and mechanisms to safeguard it. Enterprises need to have greater visibility to detect this evolving threat.