The Genesis Market & Infostealer Malware Threat: What You Need to Know

Gradient blue background. There is a light orange oval with the white text "BLOG" inside of it. Below it there's white text: "The Genesis Market & Infostealer Malware Threat: What You Need to Know." There is white text underneath that which says "Learn More" with a light orange arrow pointing down.

One of the most challenging developments in recent years in defending against cyber attacks is the emergence of cyber crime marketplaces. Often accessible on both the dark and clear web, these marketplaces offer an outlet for threat actors to trade in stolen information, hacking tools, and even hacking services. 

This article focuses on the popular clear web Genesis Market while also analyzing the threat of infostealer malware, which is often used to steal the information that ends up for sale on genesis. When you finish reading, you’ll have a better idea of Genesis, infostealers, and how digital footprint monitoring can protect your organization against a variety of cybercrime marketplace threats. 

Genesis Marketplace Overview: What You Should Know

  • Genesis is an invitation-only cybercrime market where buyers and sellers trade in stolen credentials, cookies, and digital fingerprints. The market first came online in 2017 and has since grown to the point that almost half a million distinct stolen information relating to digital identities from consumers and business users are available for sale.
  • Genesis was shut down as of April 4, 2023, but remains functionally operational across several Telegram channels and websites. 
  • Genesis occupies an interesting space in that it’s accessible via both the clear net (e.g. a standard browser like Google Chrome or Firefox) with backup Telegram channels. Many similar cybercrime marketplaces only provide access through the dark web in an attempt to veil their activity from authorities and better anonymize communications. 
  • The Genesis market’s user interface is one of the most polished on the web, with a modern look, an in-depth page of frequently asked questions (FAQs), and tech support available in several languages. 
  • Given that Genesis marketplace trades in data that can provide access to accounts or systems, some cybercrime analysts class it as an initial access broker (IAB). These IAB services offer a handy way for hackers to attack a target without having to go through the effort of stealing passwords or other login details. This both speeds up hacking campaigns and lowers the barriers to entry for a slew of different cyber attacks, including ransomware. 
  • It’s not just stolen info on individuals or SMBs that ends up on Genesis. Gaming giant EA suffered a serious 2021 breach as a direct result of hackers buying a set of stolen authentication cookies for an internal Slack channel for the rather measly cost of just $10. 
  • The exclusive invite-only nature of Genesis spawned its own spin-off cybercrime ecosystem with many underground sites and forum posts purporting to offer access to Genesis for a fee (payment for which rarely results in getting legitimate Genesis access). 

Genesis Bots, Plugins, and Browsers

To better understand the Genesis ecosystem, it’s worth elaborating a bit on bots and browsers; both are also found in several other IAB marketplaces. 


Wipe any notion from your mind of conventional bots that automatically perform repetitive tasks. In Genesis, bot is the term used to describe the stolen information for sale along with specialized malware on the compromised system that keeps this information up to date. 

This is a really key point about Genesis because when someone buys stolen data, the promise of a bot is that it keeps the information updated by continually snooping on unsuspecting victims. For example, a bot containing form autofill data for a specific website or service will be kept updated even when the user changes their password. 

Plugins and Browsers

Reflecting the user-first nature of the Genesis ecosystem, each purchase of a bot comes with a choice of two ways to use stolen logins, autofill data, and cookies:

  1. A plugin that buyers load into their existing web browser, which enables them to then begin browsing the web while masquerading as the victim whose information was stolen. 
  2. A dedicated web browser based on the open-source Chromium browser that also allows the buyer to browser as the victim using their stolen data. 

Both options contain anti-detect code that helps buyers of stolen data evade detection by security systems, such as antifraud detection tools, when masquerading as victims. 

Gif that shows the process of creating a fingerprint to download and use from Genesis Market.
The process of creating a fingerprint to download and use from Genesis Market takes only a short amount of time.

What is Infostealer Malware?

The previous section alluded to how Genesis bots ensure that stolen victim information is continually refreshed. The ability to keep the data updated often comes from using specialized malware known as infostealers.

An infostealer is a type of malicious software that silently steals data from an infected system. This data includes sensitive and valuable information such as session cookies, saved passwords in browsers, and keystrokes that users make while typing. 

There are a number of ways that a device can get infected by an infostealer, including phishing emails, fake websites, the user downloading pirated content, or self-distributing malware that spreads from endpoint to endpoint in corporate networks. High-profile examples of infostealers include Agent Tesla, Raccoon, and RedLine.

With infostealers being such a hidden and malicious threat, what can you do to defend against them?

  • Since these files often target your users at the endpoint level, advanced security tools like endpoint detection and response (EDR) can help to combat their threat. It’s worth noting though that if a user logs into one of your apps or services from a non-company registered device without this EDR agent/software installed on it, the EDR solution won’t help much. 
  • Improving security training and awareness, specifically around email attachments and social engineering, can help reduce the chances of employees getting duped and unknowingly installing an infostealer on their systems. 
  • Companies should consider using encrypted password vaults in which employee and other user passwords are stored. The ability of this type of malware to easily snoop on and steal browser-stored information makes it risky to allow browser-stored logins, no matter how convenient. 

How Digital Footprint Monitoring Combats Cybercrime Marketplace Threats

If the continued growth of Genesis and the success of infostealers tell us anything, it’s that hackers often have the information advantage in today’s cybercrime landscape. Any stolen information about your employees available on Genesis counts as high-risk external exposure because it usually means their login details or authentication cookies are sitting there waiting to be bought and used against you.

Thankfully, dedicated exposure monitoring solutions like Flare can reduce this information asymmetry. Flare trawls the deep and clear web for indicators and signs of your digital footprint. You then get rapid alerts about risky exposures, such as stolen user data for sale on places like Genesis. Flare sets up in 15 minutes or less, which means more time spent surfacing high-risk exposure about your company and employees online and less time tweaking or getting used to a complex new tool. 

Get your free trial here.

Share This Article

Related Content