FBI seizes bot shop ‘Genesis Market’ amid arrests targeting operators, suppliers (krebsonsecurity.com)
239 points by todsacerdoti 11 months ago | 121 comments

I love these silly FBI "teenage boy badass" images they put up after they seize a website:

The FBI agent in a hoodie, eating a cookie while hacking into the Matrix is just too good.

It reminds me of the Phineas Fisher quote:

"...Hacker culture was born in the US as a counterculture, but that origin only remains in its aesthetics — the rest has been assimilated. At least they can wear a t-shirt, dye their hair blue, use their hacker names, and feel like rebels while they work for the Man."

I dunno. I like being able to go to work in a t-shirt and shorts, make really good money, and not look over my shoulder wondering if today is the day one of my co-workers fucks up their opsec and gets me caught up.

Phineas Fisher can look down their nose at me, but I got clean money and avoided the drugs and gang culture that took out so many of the associates I had growing up. If working for the man is losing, give me another L.

>and feel like rebels while they work for the Man."

It is significantly more subversive to slowly, diligently and without much attention change existing institutions rather than 'sticking it to the man'. That's the difference between teenager hacktivism and effectively pursuing change. The boring, blue-haired kids at gov. institutions are going to run them in 20-30 years.

Obnoxious, loud, visible activism or counter-culture usually just exists to draw attention to itself while generally getting nothing done, and even taking pride in that fact.

The two types of activism are symbiotic. The obnoxious, loud, and visible activism takes the attention (and resources) while test ballooning the expanding or moving of the Overton Window. Changing institutions without drawing attention is way easier when someone else is drawing the attention, and louder activists are also a great 'stick' for convincing others to do things your way: "Well, if we don't do this, those people might be the ones making these decisions...'

And from a loud activist point of view, the slow and steady/sneaky workers are the ones who can do things like bail people out of jail, funnel money and information, etc.

This was a tactic used by the German far left around Rudi Dutschke and to some extent the RAF. https://en.wikipedia.org/wiki/Long_march_through_the_institu... imho it didn't go very well, they all got assimilated in the end. (For Germans, see Joschka Fischer.)

Yep, there are no longer individual vigilante hackers, they are all working for corporations or governments now.

Last year there was a meme going around in the German hacking scene when Google received Pwnie’s “lamest vendor award” for closing 11 zero-days. The reason for that award is that western intelligence agencies abused these exploits for “counterterrorism operations”, so Google essentially shut down a whole spying op.

The joke about it was that closing security holes is never “lame”, and that the American hacking scene consists to a large extent of FBI, NSA or CIA, which explains the award.

To quote Felix von Leitner [1]: “They can say “Ex-“ a hundred times, but you won't get rid of the stench by declaring the termination of your employment.”

[1] http://blog.fefe.de/?ts=9c0bef46

The quote you're replying to is from one (admittedly, from several years ago). It does seem to be getting rarer, but consider that the ones still active might not want to make themselves publicly known.

Don't some people make a living solely off bounty hunting..? Please don't shatter my reality like that

Yes, I have a friend who does this for a living. The trick is apparently to get a high enough rating that companies give you software pre-release, and you can vacuum up the low hanging fruit before everyone else.

He claims legacy car companies are bad at security and pay a lot.

Some people make a living off of competitive tennis, or golf, or even bowling.

But 99% of tennis courts aren't being used by or for serious tennis pros.

I dunno, doesn't Crimew fit the bill?

There definitely still is... But I think after circa 2012, when people found out the Anonymous movement was just a CIA/FBI honeypot, no grassroots hacker groups publicly advertise.

What, it was? I went to an anon anti Scientology protest once. Was I just being used?

Due to the nature of it being a label anyone can take on, it can be used by anyone, including state actors, just to tack on a layer of extra plausible deniability when wanted. That doesn't mean the organization itself was ever or always compromised, just that the label could be used by pretty much anyone.

To be honest this sounds like something the screenwriters might have given as a line for "the plague" in Hackers (1995), the movie.

Agree. It's cringe and yikes.

The essence of hacking culture remains with hacktivism, hacking "for the Man," and everything in between, as it is all still...hacking. The profession attracts a very specific type of person and greatly rewards those who excel. Why is the culture considered lost if state-sanctioned? In my opinion, that would be some of the most exciting exposure, with an added benefit of zero legal woes.

Because you can’t be punk if the government is writing your checks. You are the beast, not the scrappy underdog.

Throw in some geopolitics then. Hack Russia for Ukraine if you have to feel like the scrappy underdog while working for "the man".

In my opinion this genuinely only works if you are doing this separate from The State. Like I always told myself if the PRC actually invades Taiwan, I'll drop everything and dedicate my life to solo / group finding ways to harm the PRC digitally. I bet there are agencies in the USA where I could get paid to do the same, but then I'm working for the USA government, who is also the enemy of my values, maybe not as much as the PRC but still.

It's a pretty common trope that a revolutionary (a cultural mindset I think hackers adopt) will sometimes / inevitably need to adopt the tactics of their enemy, but even if that's a truism, you certainly don't need to work for them. You can find your own way, especially in hacking.

Because when you go to the NSA to hack Russia, you have no guarantee you'll actually be assigned that task. They might ask you to first hack the leader of a "potential terrorist organization," then you do so and it turns out it was an activist leader in the Black Lives Matter movement. What are you gonna do, complain to your boss? And, now you're a Fed. Now you can't even turn around and be a whistleblower or whatever because the State knows EVERYTHING about you, background checked you, and can smack you with a legal baseball bat if you act against their interests, slapping you with charges like "sharing state secrets" or whatever else they can dream up about confidential State information and technology.

No thanks. Like others say, you can't be punk and a fed.

Anyway we're drawing fake lines in the sand here. Even if the PRC and the USA are at war, they're probably doing so at the whims of the real "Man," that being capital interests, corporations and billionaires. By plugging into the USA "side" you're just working for corporate interests in the end.

But being the underdog is not necessarily the most exciting part. It's standing against a formidable adversary, autonomy, and mastering the technology so deeply as to use it well past its design limits that attracts many hacker types. It can be pretty compatible with being a secret agent in Her Majesty's service, for instance.

(These qualities are not entirely unlike the qualities that define e.g. an elite fighter jet pilot. But you can't realistically be an elite fighter jet pilot and an underground punk.)

That's just called being a boot. You don't have much choice in fighting off Putin or environmentalists in third world countries when ordered to, you're now Serving Your Country.

You can't fight for and against the man at the same time.

> hacking "for the Man," and everything in-between as it is all still...hacking.

I think it would be fair to distinguish between the activity of hacking and the spirit of hacking. The author of the quote is pointing out the cognitive dissonance in regards to the spirit.

to be fair it's like most counter-culture (there are always exceptions of course)

True. People either get old and less idealistic in the process or they just realise they don't have the power to change things and instead focus on other things which they do have power to change, e.g. their position within society or the amount of interaction they have with society.

Regardless of how good it feels to express discontent towards the status quo there is a cost to giving society the middle finger.

Looks great on mobile, too. https://ibb.co/hBG7sgL

Seemingly both their graphic designers and web developers (probably call them "webmasters") are stuck in the 90s judging by the source.

The content="text/html; charset=windows-1252" was interesting to me since I'm so used to seeing utf-8. Caring about charset seemingly makes little sense here, given everything is embedded into the image. I wonder if this page was created by a generator.

That is a really weird catch. Actually, now that I look at it, this looks like some sort of PowerPoint to HTML export.

I’d bet money that’s what it is now.

Put away your wallet. It has the stink of Microsoft FrontPage.

What sort of hacker uses mobile though? You're supposed to have like 8 CRT screens.

A mobile hacker uses mobile. It is rather hard to lug around those screens while war-cycling etc.

I love the random Canadian flag in there, because apparently every other country's police forces' crest should be recognizable to everyone on the internet, but the Canadians ones are just too obscure.

I suspect the block with the Canadian Flag, RCMP logo, and Sûreté de Québec logo were placed as a block at the request of the cooperating Canadian agencies together as their logo for Canada’s involvement, and that the Canadian flag is not placed there because the FBI is singling Canada out differently.

The RCMP and Quebec Provincial Police logos are also there to the left of the flag, just way smaller than they need to be.

Yeah, and it's not even in the correct proportions. It's like it was created with Word Art. Ugh.

Also I bet that the design guidelines of most of these logos mandate a wide whitespace around them. These jokers even smushed the logos of the Finnish and the Netherlands police together. “Oh, I see you left a bit of space in your logo empty. Mind if I push another logo in there?”

I assume AFP is the Australian Federal Police?

At first glance, it looks like they have twenty sponsors donating for them to host some kind of public hackathon.

I find it so weird... It doesn't look like an official government notice, it looks like advertisement or spam from the early 2000s.

Complete with a non-proportional/stretched/distorted Canadian flag randomly thrown into the logo soup.[1]

[1] https://en.wikipedia.org/wiki/Flag_of_Canada

hard to say. what is the Canadian equivalent of the FBI?

(PS.: Can't edit my comment any longer, but the parent commenter completely altered their question sometime after I answered. Amusingly, the answer to the new question can also be found in my reply: the Canadian police is the "RCMP" in English, or "GRC" in French.)

There are literally two Canadian police logos directly next to the flag.

Reminds me of a great quote from John Waters about hacker aesthetics, specifically the hoodie. “Well, the Unabomber did that first. The Unabomber owns the hoodie, come on.” https://lavendermagazine.com/our-scene/the-wisdom-of-a-filth...

There must be a day when someone sits down and creates the art of the seized site.

Job Posting: Seize Art Designer UI/UX

This was a joke on some security podcast I listened to. More realistically, some nerd in the agency does the graphics in his/her free time and shows it to their boss.

"Let's roll with it!" the boss exclaims.

Or is just the newest, youngest recruit who has any type of experience with Photoshop (or mspaint even) that gets a list of images and has to put the image together, which they then paste into Microsoft Office Publisher 2003 and voila, done.

All the logos on this make it look like they are sponsoring a 5k race.

Also a typo in the alt text & wonky CSS that leads to weird stretching when the aspect ratio is not the same as that of the intern who put up the page.

FBI agent in a hoodie looking at a monitor with a similar person in a hoodie as the wallpaper reminds me of AI-generated images (when AI doesn't know when to stop with the prompt and repeats same object several times, especially somewhere in the background)

Someone has called this 'semantic bleeding' which I think is an amazing name. It also happens in text generated by large language models.

Looks almost like they're pretending to have been seized for an April Fool's joke.

Government agencies often have fun when they have occasion to produce art. You might enjoy this collection of mission patches from National Reconnaissance Organization satellite missions [1].

[1] https://www.popularmechanics.com/space/satellites/g2728/best...

I was hoping for there to be a recruitment link in the source code. None, only clean HTML.

There is very obviously a recruitment link there. Look again.

Hint: It is above the image data.

That's not "hidden" though, it's the alt text that also appears verbatim on the image itself.

Images can have data "hidden" inside of them, just so you know :)

Qintel went all in: https://www.qintel.com/

edit: lol one of their images is a mechanical octopus climbing the Great Wall of China

I wonder if the FBI have any mandatory requirement to conform to web accessibility guidelines.

They do, actually! There's a whole laundry list of guidelines Federal entities have to adhere to when making websites, both internal and external. You can learn more here: https://www.section508.gov/

If they do, an ALT tag saying "pwned" should suffice.

Well they had to up their meme game after Anonymous managed to hack this onto a government website: https://www.youtube.com/watch?v=WaPni5O2YyI

It is amusing.

What is that next to the cookie? To the right? Is that a cookie monster with eyes?

Love the qintel logo in the bottom right corner. It's like they are not even trying to hide they're working with the baddies. Hail Hydra!

What's the controversy with Qintel about? Not to be confused with In-Q-Tel.

Some of the logos are pretty cool too. I mean, how could you even be against something called EUROJUST.

> Been active on Genesis Market? In contact with Genesis Market administrators? Email us, we're interested: FBIMW-Genesis@fbi.gov

This has big "congratulations, local felon, you've won a ticket to the Super Bowl" energy [0]. But if it was enough to fool criminals in 1985, it's probably enough to fool criminals in 2023.

[0] https://www.sportskeeda.com/nfl/what-operation-flagship-how-...

Not necessarily. There’s nothing illegal about contacting criminals if you have no intention of committing a crime. The FBI might in good faith be looking for witnesses to come forward and be available to testify in a criminal case against the administrators.

It’s actually entirely reasonable for regular people to contact botnet administrators without any intention of purchasing criminal services. Security researchers sometimes do this when investigating the source of botnet attacks or when tracing machines they deliberately allowed to be infected (honeypots). The FBI may be very interested in getting testimony from these security researchers, even outside the scope of expert witnesses they may select out of the researchers they’re regularly in contact with.

What fraction of people on Genesis do you think were security researchers versus criminals, though?

I mean, I've gone to websites similar to this in the past, after seeing them mentioned on sites like Krebs, simply out of sheer curiosity (as mentioned elsewhere in the thread, a lot of my curiosity stemmed from a place of, "Hold on, this sort of site is publicly hosted and easily available to anyone!? I can't believe that"). I've never registered or posted, but some of those sites/forums are wide open for the public to peruse. I'm not even that technologically savvy or into security research, yet I've made it there, so I imagine the number is a bit higher than you'd expect.

A very tiny fraction. But I have to assume that most criminals on there would be smart enough not to reach out to the FBI unless they were facing far worse trouble than the possibility of being charged with a crime for this. I could be wrong, there could be criminals dumb enough to expose themselves to prosecution — they are criminals after all — but I would expect them to be smarter than the average street criminal.

Most of those vendors would flip and cooperate once pressed even a tiny bit by law enforcement. They're probably just regular ole nerds who made money in a bad and stupid way.

> FBI might in good faith

Hah, cops, good faith, pick one.

> There’s nothing illegal about contacting criminals if you have no intention of committing a crime.

The resoundingly consistent legal advice from any lawyer you can find regarding communicating with cops will ALWAYS be: "don't."

I can't fathom why anyone would go out of their way to have a chat with the FBI.

If the FBI needs to talk to you for whatever they're up to, they can find and contact you, and then have a pleasant conversation with your lawyer. If they absolutely need to talk to you, they should only do it after forcing the matter with the subpoena, and your lawyer should be there.

These processes and protections exist for a very good reason.

People in places where they can’t be extradited might be able to bargain for some recouping of costs in exchange for reliable information.

Honestly surprised that this site was able to function undisputed, entirely on the public internet, for this long despite its entirely illegal nature.

I work, kind of, in this space - and it's been wild to me how incredibly easy it is to embed myself into public Discord servers that offer fraud/abuse bots. That might speak to the sophistication of what I find (vs. groups with better OpSec). I agree though, I'm surprised this was operated on the public internet with a great domain name.

Probably much the same for phone spam, which is why all of us get (semi-targeted) calls from Indian call centers daily.

Plenty of these are spawned out of Discord/Telegram networks to coordinate infrastructure, via the grey/blackhat versions of Twilio.

It's far too common for the operators to give a shit.

See: https://www.youtube.com/watch?v=le71yVPh4uk

Yeah, but what's the option?

They need to sell to people so the Discord/Telegram and website need to be easy to access.

And Discord/Telegram and websites want it to be easy to make stuff with/on them. The alternative is some vetting process where you submit a form for what the site is for and then someone from an authority logs in and checks manually.

I'm under the assumption that there are groups that require reputation to join (e.g. on private Telegram) that have a higher barrier of entry than a public Discord invite.

It looks like before the seizure, they had Chinese DNS (dnspod) and Russian web hosting (CLOUDX-AS, RU).

So they complied with US requests? Or did the FBI go for the TLD?

The wording ("domains have been seized") implies they went for the TLD. The registry for .market is Rightside, who are US based.

Back when Brian Krebs was still on twitter, it was a pretty constant parade. New cybercrime site goes up, it's compromised by LEO on week two, they hang out collecting evidence for a year, then roll it up and send everyone to jail. A month later, a new site goes up...

Well, it’s worth considering that the FBI had control over it long ago and ran it themselves for a while (hence its ability to be so public), and the impetus to give it up could be any number of things, from threat of revelation to the more mundane cause of it having outlived its usefulness or just new projects taking priority/reassignments.

This is not conspiracy, the FBI seriously does shit like this.

Yeah this is entirely true, wouldn't be surprised if this is exactly how it went down, FBI can be very clever.

So, as a web programmer, I'd like to infer how this data got into the marketplace in the first place. The offerings are all powered by browser data exfiltration! Which means their vector is another process on the host, or it could be a malicious browser extension, or a resource 0-day. Or the tokens could be exfiltrated from the server side, too.

Does anyone know how they get this data?

Chrome has a browser extension API which allows plugins to access all cookies, but its use is considered suspicious and a red flag; an extension which uses it would generally get caught during initial review. However, Chrome extensions are also allowed to “hotload” portions of their own code/scripts from external 3rd party servers.

So an extension will seem benign when it initially gets checked by Google as part of its submission to the Chrome Store. Then, later, the external “3rd party” script that is hosted remotely will get replaced with a different, malicious script. The malicious extension carries on stealing cookies, credentials, and fingerprints until someone reverse engineers it and reports it to Google.

Google will not always recognize the issue immediately because the 3rd-party malicious code is not strictly “part of” the extension, so there’s a bit of a song and dance while the person who reversed it convinces Google's reviewers that “yes, this really is actually malicious, you need to analyze the third party code that loads later”, and then Google eventually takes it down after a semi-involved back-and-forth where extensive documentation and video walk-throughs are provided by the exasperated white-hat Good Samaritan.

Remote loading of code has been banned by Google and Mozilla for several years now. The automated review tools pick up script injection and eval() calls. Unless you can craft something unique, you’re not going to get past the automated review.

I’m guessing the malware is something else besides a browser extension.

Stuff like setTimeout accepts strings too. I wonder how good those scanners are at detecting the overwriting of an initially innocent function that's later called in a timeout with a string; it can get fairly indirect:

    let harmless = { func : function() { }, harmlessExternallyLoadedString : '' };
    let toAccess = 'func';
    // do stuff that seems legit
    if(true) {
        let toAccess = 'harmlessExternallyLoadedString'; // block-scoped shadow: the outer toAccess is still 'func'
    }
    harmless[toAccess] = 'alert(1);'; // imagine this being a fetch request
    // later on
    setTimeout(harmless.func, 1); // harmless.func is now a string, so the timer evaluates it as code

Now imagine the logic for what othervar is set to is obfuscated a bit by a more complex logic tree, and the example was a bit less contrived.
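The two review problems raised above (a cookies-capable extension that loads code remotely, and a string that only reaches setTimeout through an indirect assignment) can be put side by side in one small piece of JavaScript. This is an added example, not code from the thread or from any extension store's tooling: the manifest, the source snippets and the sandbox timer objects are all constructed here, and the runtime guard simply mirrors the rule Chrome's default extension content security policy already enforces (no string-to-code evaluation in extension pages).

```javascript
// Added example, not from the thread: a static triage pass over an extension
// package plus a runtime guard against code-as-string timers. The manifest,
// the source snippets and the sandbox timer objects are all constructed here.

// ---- 1. Static triage: what an automated reviewer sees in the package ----
const SINK_PATTERNS = [
  { name: 'eval',          re: /\beval\s*\(/ },
  { name: 'Function ctor', re: /\bnew\s+Function\s*\(/ },
  { name: 'string timer',  re: /\b(setTimeout|setInterval)\s*\(\s*['"`]/ },
  { name: 'remote script', re: /\b(importScripts|fetch|XMLHttpRequest)\b[^;]*https?:\/\// },
];

function triageExtension(manifest, sources) {
  const findings = [];
  const perms = new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
  if (perms.has('cookies')) {
    const broad = [...perms].some(p => p === '<all_urls>' || /^\*:\/\/\*\//.test(p));
    findings.push(`cookies permission${broad ? ' with broad host access' : ''}`);
  }
  for (const [file, code] of Object.entries(sources)) {
    for (const { name, re } of SINK_PATTERNS) {
      if (re.test(code)) findings.push(`${file}: ${name}`);
    }
  }
  return findings;
}

// ---- 2. Runtime guard: refuse a non-function callback however it got there ----
// Chrome's default extension CSP already rejects string-to-code evaluation;
// this wrapper applies the same rule to any timer-like object so the effect is visible.
function guardTimers(target) {
  const blocked = [];
  for (const name of ['setTimeout', 'setInterval']) {
    const original = target[name];
    target[name] = function (cb, ...rest) {
      if (typeof cb !== 'function') {
        blocked.push({ api: name, value: String(cb).slice(0, 40) });
        throw new TypeError(`${name}: non-function callbacks are not allowed`);
      }
      return original.call(target, cb, ...rest);
    };
  }
  return blocked;
}

// ---- 3. The shadowed-variable pattern from the thread, run against a timer object ----
function runShadowedSample(timers) {
  const harmless = { func() {}, harmlessExternallyLoadedString: '' };
  let toAccess = 'func';
  if (true) {
    let toAccess = 'harmlessExternallyLoadedString'; // block-scoped: outer binding stays 'func'
  }
  harmless[toAccess] = 'console.log(1);'; // stands in for a remotely fetched payload
  try {
    timers.setTimeout(harmless.func, 1);
    return 'scheduled'; // a plain timer accepted the string and would evaluate it
  } catch (e) {
    return 'blocked';   // the guard (or a strict CSP) refused it
  }
}
```

Running triageExtension over two constructed files shows the asymmetry the thread describes: a background script that fetches a URL and passes the text to eval trips both the eval and remote-script checks, while the shadowed sample matches nothing, because the string reaches setTimeout through a property rather than a literal. guardTimers catches it regardless of how the string got there, which is the argument for a policy that forbids code-as-string outright instead of pattern matching for it.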

Seems like you speak from experience.

Do you have any specifics to share ?

Genesis infects your computer with persistent malware (the "bot" as mentioned in the article) which lets the customers who bought access do anything on the infected machine. There are plenty of ways your computer can get compromised, which will install the botnet client as the final payload.

Wait, so it's not a market? I thought this was a resource where black hats go to sell their data. But you're saying that Genesis is the only black hat, and their "market" is just selling their own data?

Yep. But there was nothing stopping a black hat from contacting the admin and selling their own botted data to the Genesis shop. Criminal organizations have supply chains.

Black hats compromise targets by installing the Genesis bot, then there is revenue sharing.

I don’t have any insider knowledge or anything but only suspicions - I have friends who have developed relatively simple browser extensions like dark mode ones / filtering ones etc.

Once they get to like 100k DAU popularity level you’ll start getting emails from people who claim to want to purchase the extension from you for a few thousand or “sponsor” the development by supporting you with ads.

You either sell it, or include some JavaScript that later (few weeks) turns malicious and starts harvesting.

That’s probably how. Like I say, I have no idea if that’s how these people work, but it seems a likely attack vector.

Malware spread by email. This is how YouTube channels get hacked for Elon crypto scam livestreams. The session is hijacked too.

A second way is through Chrome extensions that log cookies and form data. The old cookies can be replaced with the new, stolen session via a cookie editor.

Discord stores its data in local storage. Other electron apps do, too.

Genesis Market provided access to a wide list of services with user accounts from all over the world. Among them were Gmail, Facebook, Netflix, Spotify, WordPress, PayPal, Reddit, Amazon, LinkedIn, Cloudflare, Twitter, Zoom, and Ebay.

This is why 'strong passwords' will never be good enough when hackers simply control the actual session.

...all ten of the ten most expensive bots at the time included Coinbase credentials.

Is it ironic that you can pay bitcoins to steal bitcoins?

It's like ten thousand spoons, when all you need is more spoons.

No, it's not.

At first I thought a bot shop was a robot or gadget company, and I looked forward to reading about crime committing robots.

I wonder why Spain and Poland topped the list of bots.

Imagine a DAO Contract using Chat GPT to re-opening such markets with laundered drug funds every time the last one expires.

Talk about whack-a-mole debugging of the virtual by the real space. It could even come to an "arrangement" with the agents, increasing the number of markets to "bash" over time, so a metric for success exists and grows.

Interestingly, CenturyLink won't even let me visit the site. There's a "Continue to Site" button, but it does nothing.

A few ISPs in Europe I tested with also block the site wholesale, taking over the DNS request and serving their own blocking page.

Be nice if the FBI could get a hold of their customer list and go after those clowns as well.

> Purchasing a bot kit with the fingerprint, cookies and accesses, you become the unique user of all his or her services and other web-sites.

Are these bots using the cookies stored locally by the browsers that the compromised system's user is using?

Sounds like it, and it sounds like they built a Chrome extension that effectively acts as a proxy for traffic through the target IP with the appropriate metadata to trick fingerprinters.

I feel safer and better about the future already, thanks for the good work guys!

This kind of access to hacking should be reserved only for the legitimate institutions of civilized society.

In other words, it should be legitimized?

Dude, it already is accessible to military powers.

I'm just waiting for hackers to seize fbi.gov and replace their page with a "this page has been seized by Anonymous" (or whoever). I will laugh my ass off when it happens.

If the FBI did that intentionally it would be a great April fool’s joke.
