
The Snowball Effect That Led To The Genesis Market Shutdown


Executive Summary

Since the beginning of the year, we have witnessed the success of numerous operations by law authorities worldwide in the war against cybercrime.

Totaling 120 arrests across the Hive shutdown, Pompompurin’s arrest, the BreachForums shutdown, and now the Genesis Market forum, it seems that law authorities are managing to hunt down some high-profile threat actors.

These arrests are only possible due to cooperation between several government agencies worldwide. The remaining question is what has caused this snowball effect in arrests and how it will affect threat actors’ activities in the near future, if at all.

Recent Cybercrime Arrests

As mentioned, we are currently seeing high activity from law enforcement worldwide as they shut down several key cybercrime operations and arrest high-profile threat actors.

Hive Ransomware Shutdown

At the beginning of February, the U.S. Department of Justice declared a significant triumph in the battle against ransomware by taking down and confiscating the infrastructure of Hive (Figure 1).

Figure 1: The Shutdown message on Hive group’s Onion site 

Hive, a veteran ransomware group, operated for several years and compromised around 1,300 victims during that period.

The group, which was among the top 10 ransomware families of 2022, lost crucial data in an undercover operation conducted by the FBI, Europol and other intelligence agencies.

In a press conference held by FBI Director Christopher Wray, it was disclosed that the FBI had taken control of servers in Los Angeles the previous Wednesday, which held the crucial data of the Hive gang.

The undercover operation took at least six months. The federal agencies infiltrated the Hive family and leaked data periodically. At some point, the group’s leaders suspected they had undercover agents among them, and at that point the FBI decided to shut down the servers and the entire operation.


Pompompurin’s Arrest 

On March 15, the FBI arrested an individual suspected of being the notorious Pompompurin, the admin of one of the most popular cybercrime forums today – BreachForums.

Pompompurin is a well-known figure in cybersecurity, familiar to anyone in the community.

Conor Brian Fitzpatrick, 21, admitted to being Pompompurin during his arrest and confessed that he was the one who owned and ran the BreachForums operation.

Pompompurin had a partner named Baphomet who, for a short period of time, took over the BreachForums forum as admin and tried to initiate an emergency plan he had agreed with Pompompurin in case one of them got arrested (Figure 2).

Figure 2: Baphomet’s announcement post-Pom’s arrest 

Eventually, it seems that Baphomet decided to shut down the forum after realizing the FBI had been able to obtain critical information about the forum’s users.

Shortly after, amid much speculation about a new forum, Baphomet announced that he would neither reopen BreachForums nor create a new one until further notice.

Over the past weeks, several forums were created by various threat actors to replace BreachForums, but they have yet to take off.

The cybersecurity community is divided when it comes to Pom’s arrest. While some claim that he should be freed, others claim that Pom will probably join forces with the feds and strike a deal to save his skin.

Genesis Market Shutdown 

On April 4, the Genesis Market forum, one of the most popular underground forums, ceased its operation and was shut down.

The operation, dubbed Operation Cookie Monster, was led by the FBI and the Dutch National Police, with 17 other countries also taking part.

The forum was a known marketplace for all kinds of cybercrime activity, including stolen credentials, exploit kits, access to infected machines, tools and data leaks.

Less than 24 hours later, the FBI made another announcement: a massive wave of arrests, including almost 120 people worldwide.

The Genesis Market takedown and arrests (Figure 3) form another major case in the cybercrime industry that tells us a lot about the efforts of law authorities worldwide against it.

Figure 3: NCA’s announcement of the Genesis Market’s takedown 

RaidForums’ Snowball Effect? 

The cybersecurity community is a fairly small one, and the cybercrime community even more so. Once real gems are uncovered by shutting down one operation, they can, with effort, be leveraged to shut down another.

If we try to find the one event that started the snowball, we have to look at the RaidForums shutdown in February 2022. The FBI announced that it had been able to shut down the infamous underground forum (Figure 4) and that it had arrested an individual claimed to be Omnipotent, one of the founders of the forum.

Figure 4: FBI announcement of the capture of RaidForums

Given the great success of the RaidForums shutdown, it is highly likely that much of the information captured in that operation, along with possible cooperation from Omnipotent, enabled the investigations that followed. Pompompurin was investigated for months along with other key individuals from the cybercrime industry, as many of them, including Pompompurin, were possibly very active on RaidForums.


Are there more arrests and shutdowns to come?

As mentioned, we now see the arrest and shutdown of major pillars of the cybercrime industry. When coordinated between agencies, operations can be very successful. But the remaining question is: should we expect to see more arrests and shutdowns in the near future?

Unfortunately, the cybercrime industry does not seem to be too affected by these arrests. Underground forums are still operating, and some are trying to crown themselves as the new BreachForums or Genesis Market.

The Hive shutdown did not slow the ransomware industry one bit; it even saw the most successful quarter we have seen in a long time.

However, the Cyberint Research Team is convinced that, having seen these stories, new threat actors and threat groups might think twice before entering the cybercrime industry.
