British authorities have shut down one of the world's largest criminal online marketplaces that fraudsters use to buy passwords in a global law enforcement crackdown, the BBC reported.
It added that the online platform, known as Genesis Market, was selling registration details on websites, IP addresses and other data that constitute the "digital fingerprint" of the victims.
Personal information, often sold for less than a dollar, gives fraudsters access to bank and shopping accounts.
Law enforcement agencies from many countries around the world took part in the coordinated raids, including the United Kingdom.
During a series of raids, the UK's National Crime Agency arrested 24 people accused of using the site. The list includes two men, aged 34 and 36, in Grimsby, Lincolnshire, who have been detained on suspicion of fraud and computer misuse.
Law enforcement agencies from 17 countries took part in the raids, which began at dawn on Tuesday. The operation was led by the US Federal Bureau of Investigation and the Dutch National Police, working with the UK's National Crime Agency, the Australian Federal Police and other countries across Europe.
At the global level, 200 searches were carried out and 120 people were arrested.
She said that anyone who logged into the Genesis website on Wednesday saw a message saying: “Operation Cookie Monster. This site has been taken over.
The Genesis marketplace has 80 million sets of credentials and digital fingerprints for sale, which UK Crime Agency describes as a "massive enabler of fraud".
"For too long, criminals have been stealing credentials from innocent individuals," said Robert Jones, director general of the National Economic Crime Center at Britain's National Crime Agency.
The Genesis market was operating on the open web of the Internet, and not only on what is known as the dark web.
The marketplace, which was established in 2017, was known for its user-friendly English-language user interface and one-stop shopping for login credentials that enabled online scams.
Site users were able to purchase login information, including passwords, and other pieces of a victim's "digital footprint" such as their browsing history, cookies, auto-fill form data, IP addresses, and location.
This allowed fraudsters to log into bank accounts, e-mail and shopping accounts, forward packages and even change passwords without arousing suspicion.
The login information offered for sale includes passwords for accounts on Facebook, PayPal, Netflix, Amazon, eBay, Uber and Airbnb. Even criminals who purchase the information are notified by Genesis if passwords have been changed.
Genesys has provided its customers with a purpose-built browser that uses the stolen data to simulate a victim's computer to make it appear that they are logging into their account using their usual device and in their usual location. Thus, the login process does not raise any security alarm.
"The site was very sophisticated, very easy to use, with a wiki feature that tells you how to use the site, and it's available on the open web and on the dark web," Jones said.
“So you didn't need to be a sophisticated cyber actor to get into this. All you need is to be able to use a search engine, and then you can start committing crime.”
Depending on the amount of data available, victim information sells for as little as a dollar or hundreds of dollars.
While most Genesis users accessed it for fraud, data offered for sale can also be used to launch ransomware attacks, as hackers block access to data and demand payment for its release.
The individual data that led to the hack of the gaming giant, Electronic Arts, in 2021 was sold for just $10.
Business information was also for sale on the site, which facilitated fraud, mobile number hacking and ransomware attacks.
Will Lane, head of the cyber intelligence unit at Britain's National Crime Agency, said Genesis was "a huge enabler of fraud" and one of the most important markets for buying login information.
The National Crime Agency believes there have been around two million victims worldwide, including tens of thousands in the UK.
Many victims don't know something is wrong until they see scams on their accounts, or if they're lucky, they receive a message saying someone logged in as them.
Tens of thousands of criminals are believed to have been using Genesis, with a few hundred in the UK.
They could search for potential victims across the country, and see what data was available before they made a purchase.
Internet users who want to avoid becoming a victim of fraud are advised to keep their computer or phone operating systems updated and to use two-factor authentication and strong passwords such as those containing three random words.
They are also encouraged to consider using a password precaution.
Okaz (London)