Genesis Market sold login details, IP addresses and other data that made up victims’ “digital fingerprints”.
Often costing less than $1, the personal information let fraudsters log into bank and shopping accounts.
Law enforcement agencies around the world were part of the co-ordinated raids, including the UK.
During a series of raids, the UK’s National Crime Agency (NCA) arrested 24 people who are suspected users of the site. They include two men aged 34 and 36 in Grimsby, Lincolnshire, who are being held on suspicion of fraud and computer misuse.
Law enforcement agencies from 17 countries were involved in the raids, which began at dawn on Tuesday. The operation was led by the FBI in the US and the Dutch National Police, working alongside the NCA in the UK, the Australian Federal Police, and countries across Europe.
On Wednesday, anyone logging onto the Genesis website saw a message which read: “Operation Cookie Monster. This website has been seized.”
Genesis Market had 80 million sets of credentials and digital fingerprints up for sale, with the NCA calling it “an enormous enabler of fraud”.
“For too long criminals have stolen credentials from innocent members of the public,” Robert Jones, director general of the National Economic Crime Centre at the NCA, said.
“We now want criminals to be afraid that we have their credentials, and they should be,” he added.
Dutch police have launched a portal on their website, where the public can check whether their data has been compromised.
Genesis Market operated on the open web, not just the dark web.
Set up in 2017, it was notable for its user-friendly, English-language interface.
It was a one-stop shop for login data that enabled online fraud. Users could buy login information, including passwords, and other pieces of a victim’s “digital fingerprint”, such as their browser history, cookies, autofill form data, IP address and location.
This allowed fraudsters to log in to bank, email and shopping accounts, re-direct deliveries and even change passwords without raising suspicion.
Login information on sale included passwords for Facebook, PayPal, Netflix, Amazon, eBay, Uber and Airbnb accounts. Criminals buying the information were even notified by Genesis if the passwords changed.
Genesis provided its customers with a purpose-built browser which would use the stolen data to mimic the victim’s computer so it looked as if they were accessing their account using their usual device in their usual location. So the access did not trigger any security alerts.
“It was a very sophisticated website, very easy to use, with a wiki [website that can be modified or contributed to by users] telling you how to use it, and accessible on the open web and the dark web,” Mr Jones said.
“So you didn’t need to be a sophisticated cyber actor to get into this. You just needed to be able to use a search engine, and then you could start committing crime.”
Depending on how much data was available, a victim’s information would sell for less than $1, or for hundreds of dollars.
While Genesis users were mostly accessing it for fraud, the data on sale could also be used for ransomware attacks – where hackers block access to data and demand payment to release it.
The individual’s data that led to the 2021 hack of gaming giant Electronic Arts (EA) sold for just $10.
Businesses also had their information sold on the website, which facilitated fraud, mobile phone number hacking and ransomware attacks.
Will Lyne, head of cyber intelligence at the NCA, said Genesis was “an enormous enabler of fraud” and one of the most significant marketplaces for buying login information.
The NCA believes there were about two million victims worldwide with tens of thousands of them in the UK.
Many victims would first know something was wrong when they saw fraudulent transactions on their account, or if they were lucky, they got a message saying someone had logged in as them.
Tens of thousands of criminals are thought to have been using Genesis, with several hundred users in the UK.
They could search for potential victims by country, and see what data was available before they made their purchase.
Internet users who want to avoid fraud are advised to keep their computer and phone operating systems up-to-date, to use two-factor authentication (2FA) and strong passwords such as ones involving three random words.
They are also being urged to consider using a password manager.
Additional reporting by Andre Rhoden-Paul