SOCRadar® Cyber Intelligence Inc. | What’s Next for Cybercrime Ecosystem After Genesis Market Takedown?


Apr 11, 2023
8 Mins Read

What’s Next for Cybercrime Ecosystem After Genesis Market Takedown?

One can desire the forbidden, as is the narrative in the Genesis chapter of the Old Testament. In today’s digital world, the means of approaching the forbidden are underground markets. One of the most important of these was the Genesis Market, which perhaps takes its name from the chapter, story of the unstoppable craving in human beings, has been taken down by law enforcement. The year 2022 and so far 2023 are one of the most intense times of this conflict and dark web dynamics, but how did this cycle come about?

After the Medibank leak in November 2022, Australia’s Cyber Security Minister Clare O’Neil said they considered paying ransom illegal. In the sequel, she also added that a new task force would be established, which combines the expertise of the Australian Federal Police and the cyber spy agency of Australia, adding that the “hack the hackers” operation will begin against the cybercriminals targeting Australia. In this way, the Australian task force acted as the first of its kind and launched a multi-layered counter-offensive.

Clare O'Neil's tweet on November 13. Australian Federal Police (AFP) and State and Territory Police Forces have participated in Genesis Market's shutdown.
Clare O’Neil’s tweet on November 13. Australian Federal Police (AFP) and State and Territory Police Forces have participated in Genesis Market’s shutdown.

Although it is not known where Australia’s proactive new cybersecurity understanding will evolve in the coming years, 2023 continues as a year in which many cybercrime operations were interrupted by International Law Enforcement. Although there was no report of a successful major operation from Oceania, reports of successful seizures frequently came from the FBI, Europol, and various other agencies. Even though such operational activities are expected to increase against cybercrime activities that are growing exponentially daily, what results will these -operations try to cut one of Hydra’s heads- have?

Rundown of the Recent Operations

The increasing counter-offense activities against cybercriminals in the past year have affected a lot of dynamism on the dark web. In addition to many dark web markets, hacking forums with similar activities and even criminal organizations that turned attack tools into products also got their share of justice. While many operations have occurred since then, the events that most affected the dark web were as follows.

Hydra Market Shutdown

Hydra Dark Web Market was a huge market that hosted 80% of dark web activity when it was active. With the joint work of German and US law enforcement, its servers were taken down in April 2022. At the time of its shutdown, there were tens of thousands of merchant accounts and tens of millions of customer accounts on sale. However, although it created an atmosphere of panic for cybercriminals for a short time, its lasting effects were not as expected. Although the dark web revenues dropped for a time, old and newly emerging markets quickly filled the resulting power vacuum.

RaidForums Seized

Again in April 2022, an infamous dark web forum was closed as part of Operation TOURNIQUET, with the cooperation of US law enforcement and Europol. RaidForums was a serious cyber threat hotspot, often selling stolen databases and credentials. According to Europol’s statement, RaidForums was one of the largest hacking forums, with more than half a million members. However, new forums quickly filled its place.

WT1SHOP’s Seizure

Although not as big as Hydra, another market that is important in its field was taken down. WT1Shop, where stolen credentials are sold as the main focus, was also closed by law enforcement authorities as of September 2022. As long as it was active, the market, which included about 6 million credentials such as passwords, accesses, and credit card information, also used a dedicated Telegram channel.

Hive Ransomware Busted

While ransomware attacks are increasing yearly as a severe cyber security threat, Ransomware groups working with the Ransomware-as-a-Service (RaaS) model have spread the danger to a broader surface. One of last year’s most active ransomware groups was working with the RaaS model. The Hive Ransomware managed to become one of the five most active groups of 2022, according to SOCRadar data, and they made a market out of their ransomware. This criminal organization was terminated at the end of January 2023 with the cooperation of the US Department of Justice, the FBI, the Secret Service, Europol, and other European countries.

US and international law enforcement authorities have taken action against the Hive ransomware group, including the seizure of at least two leak sites.

Pompompurin’s Arrest and Breached Forum

The threat actor codenamed “pompompurin,” an active and respected member of RaidForums, founded “Breached,” the most popular hacking forum of the last year, a few weeks after the RaidForums was shut down. Thus, in March 2023, pompompurin was arrested in New York in an FBI operation. Although Baphomet, another forum administrator, announced that they would first migrate the forum to an untraceable infrastructure, they canceled this plan due to the fear of compromise, and the forum was taken down on March 21, 2023.

breached market
Baphomet’s post on pompompurin’s arrest.

And the Genesis Market

Lastly, by the dawn of April 2023, The United States Department of Justice announced the successful seizure of the domain name of Genesis Market, one of the world’s largest underground marketplaces for stolen credentials and other cybercrime tools. Dubbed “Operation Cookie Monster,” the US Department of Justice collaborated with the FBI, Europol, and other international partners. The shutdown of Genesis Market led to numerous arrests all over the world. It will take a while for the aftershocks of the operation, the FBI, and Europol to seize computer servers and identify the business at risk of hijacking. 

genesis market
Europol: “Simultaneous actions were also carried out across the globe against the users of this platform, resulting in 119 arrests, 208 property searches, and 97 knock-and-talk measures.” 

How These Operations Impacted the Dark Web?

Silk Road was the first modern dark web market established in 2011 and was taken down in 2013 by the FBI operation. In the last decade, every dark web market and forum that was closed was replaced by more than one formation, and criminal activities continued to increase. Although these counter-offensive actions are not a permanent solution, they certainly disrupt criminal activities and reduce transaction volume but not to the extent of a real blow.

pwnedforums market
A new hacking forum emerged with the shutdown of breached[.]co: pwnedforums[.]com

Another output of these operations is observed by SOCRadar analysts as a migration from the onion-based web system to Telegram. Although Telegram is a legal chat program, its anonymity and data security claim can also be helpful to malicious actors. Telegram seems to be a suitable channel for escaping from authorities disrupting threat actors such as the seizure of domains, detection, and shutdown of physical servers, as in the process of shutting down Genesis Market. For this reason, the dark web definition we know is evolving into a concept that can be extended to platforms like Telegram.

This phenomenon also attracted the attention of many authorities, and issues such as the ban of Telegram across Europe were discussed throughout 2022. However, although there was such action in Russia at the time, the ban could not be maintained, and it was lifted down the road.

What is to Come

The operations disrupt the dark web activities and provide a field for new crime formations. Various geopolitical events, such as the Ukraine-Russia war, also shape dark web formations; while new tactics and crime vectors are surfacing, cyberspace is perhaps more dynamic than ever. Constantly changing TTPs of threat actors, developing technologies, and new criminalized platforms continue to appear. Telegram channels are emerging as new gathering places for threat actors as an alternative to the dark web; the “as a service” cybercrime model continues to grow with various branches, and the closed forums and markets are replaced by new ones in a brief span.

Styx Dark Web Market’s home page (Source: Resecurity) A new market that can be tracked until 2022 appeared with the closure of Genesis. It was once again an example of how quickly severed heads reappear in a different shape.

As one of the most accurate concepts to describe cyberspace is ever-changing, every institution and organization is needed to be competent with this flow. To attain this objective, an additional layer of security measures can be implemented, prioritizing proactive security configuration. In this context, CTI solutions can allow you to prepare in advance, help you identify weak points in your security, and allow you to monitor this varying space.

SOCRadar Dark Web monitoring can scan the entire dark web and equivalent platforms, alerting you for any information relevant to your organization.

With SOCRadar, you can follow current events and be alerted in case of information or leak concerning your organization. SOCRadar Dark Web Team monitors the marketplaces, Telegram channels, and various hacker forums so that you may keep an eye on these cybercrime zones.