A global operation spanning 17 countries, including Spain, led by the United States and the Netherlands, resulted in the arrest of no fewer than 100 individuals as authorities shut down one of the most notorious marketplaces for stolen account credentials. The platform, Genesis Market, played a central role in the cybercrime ecosystem by supplying access to compromised accounts to criminals worldwide.
Europol and Eurojust announced on Wednesday that the operation was unprecedented in scale. Their description of the effort as “incomparable” reflected the coordinated seizure of Genesis Market, the shutdown of its underlying infrastructure, and the removal of a key pillar in cybercriminal operations. The takedown disrupted a service that profitably packaged and resold digital identities, including credentials for email, banking, and social networks, to operators who relied on botnets and automated tools to harvest data.
The operation exposed a massive network of criminals who used Genesis Market as a bridge to exploit victims around the world. In this international crackdown, more than 1.5 million identities were identified as part of the response, highlighting the vast reach of the platform and the severity of the threat it posed to individuals and organizations alike. Raids occurred in multiple locations simultaneously, with 119 arrests and 208 property searches across 13 countries. The strategic command post for the operation was established at the General Staff, with Europol coordinating from The Hague.
Edvardas Şileris, head of Europol’s European Cybercrime Centre, lauded the authorities for their efforts. He said the action had seriously disrupted the criminal cyber ecosystem by eliminating a significant operational hub. He noted that the victims spanned every region of the world and emphasized that strong cooperation with Europol and Eurojust, along with international partners, was essential to the case’s success. This case underscored the importance of multinational collaboration in dismantling transnational cybercrime networks.
The list of participating countries was extensive and reflected the global nature of the threat. Among them were Australia, Canada, Denmark, Estonia, Finland, France, Germany, Italy, the Netherlands, New Zealand, Poland, Romania, Spain, Switzerland, Sweden, the United Kingdom, and the United States. The scale of engagement demonstrated how shared intelligence, coordinated enforcement, and harmonized legal frameworks can collectively curb illicit markets that rely on cross-border access to stolen data.
Genesis Market’s core offering was digital identities, often referred to as “bots” in the law enforcement community. These were essentially bundles of stolen credentials harvested through malware infections or account hijacking across machines worldwide. Buyers gained a foothold into a range of accounts by purchasing these credential packages, which could then be exploited to access sensitive services and financial resources.
The distribution model allowed criminals to acquire a full spectrum of data from compromised devices. Buyers could retrieve real-time data harvested by the bot, including fingerprints, cookie histories, saved login details, and autofill form data. This meant that if a password or security setting changed, the information could reflect updates promptly, enabling continued unauthorized access and complicating defense efforts.
At the time of the takedown, Genesis Market was advertising roughly 460,000 infected computing devices and claimed reach across almost every country. The cost of access to these bots varied, with prices starting as low as about 0.70 USD (0.64 EUR) and climbing to hundreds of dollars depending on the value and sensitivity of the stolen data involved. The pricing structure likely reflected the quality of the data, the size of the credential bundle, and the potential risk associated with exploitation.
Distinct from some other criminal marketplaces, Genesis Market operated on the open web but required an invitation to join. This model meant buyers could discover and purchase bots with relative ease, yet access remained controlled to those who were admitted. The platform also afforded criminals the ability to impersonate victims in real time, even within secure or private browsing environments, demonstrating the breadth of risk and the sophistication of the tools offered by Genesis Market.
Genesis Market had been established in 2018, a period when cybercriminals sought low barriers to entry and broad access to compromised data. Over time, the service became a popular resource among hackers due to its perceived affordability and the apparent ease of monetizing stolen credentials. The takedown marks a significant shift, signaling that enforcement agencies are intensifying their focus on such marketplaces and the infrastructure that supports them, from data aggregation to distribution and monetization.