Shmuel Gihon, Research Team Leader at Cyberint
The Snowball Effect That Led to the Genesis Market Shutdown
Since the beginning of the year, we have witnessed the success of numerous operations by law authorities worldwide in the war against cybercrime.
Between the Hive shutdown, Pompompurin’s arrest, the BreachForums shutdown, and now the Genesis Market forum, totaling 120 arrests, it seems that law authorities are managing to hunt down some high-profile threat actors.
These arrests are only possible thanks to cooperation between several government agencies worldwide. The remaining question is what has caused this snowball effect in arrests and how it will affect threat actors’ activities in the near future, if at all.
Recent Cybercrime Arrests
As mentioned, we are recently seeing high activity from law enforcement agencies worldwide as they shut down several key cybercrime operations and arrest high-profile threat actors.
Hive Ransomware Shutdown
At the beginning of February, the U.S. Department of Justice declared a significant triumph in the battle against ransomware by taking down and confiscating the infrastructure of Hive (Figure 1).
Hive, a veteran ransomware group, operated for several years and compromised around 1300 victims during that period.
The group, which was in the top 10 ransomware families of 2022, lost crucial data in an undercover operation conducted by the FBI, Europol and other intelligence agencies.
In a press conference conducted by FBI Director Christopher Wray, it was disclosed that the FBI took control of servers in Los Angeles last Wednesday, holding the crucial data of the Hive gang.
The undercover operation took at least six months. The federal agencies infiltrated the Hive family and leaked data periodically. At some point, the group’s leaders suspected there were undercover agents in their group, and at that point the FBI decided to shut down the servers and the entire operation.
On March 15, the FBI arrested an individual suspected of being the notorious Pompompurin, the admin of one of the most popular cybercrime forums today – BreachForums.
Pompompurin is a famous cybersecurity individual, familiar to anyone in the community.
The 21-year-old Conor Brian Fitzpatrick admitted to being Pompompurin during his arrest and confessed that he was the one owning and running the BreachForums operation.
Pompompurin had a partner named Baphomet who, for a short period of time, took over the BreachForums forum as an admin and tried to initiate an emergency plan he had with Pompompurin in case one of them got arrested (Figure 2).
Eventually, it seems that Baphomet decided to shut down the forum after understanding the FBI was able to obtain critical information about the forum’s users.
Shortly after, amid much speculation about a new forum, Baphomet announced that he wouldn’t reopen BreachForums or create a new one until further notice.
Over the past weeks, several forums were created by various threat actors to replace the BreachForums forum, but they have yet to take off.
The cyber security community is divided when it comes to Pom’s arrest. While some claim that he should be free, others claim that Pom will probably join forces with the feds and have a deal to save his skin.
Genesis Market Shutdown
On April 4, the Genesis Market forum, one of the most popular underground forums, ceased its operation and was shut down.
The operation, dubbed Cookie Monster, was led by the FBI and the Dutch National Police, but 17 other countries also took part.
The forum was a known marketplace for any cybercrime activity, including stolen credentials, exploit kits, access to infected machines, tools and data leaks.
Less than 24 hours later, the FBI made another announcement: it had carried out a massive arrest operation involving almost 120 people worldwide.
The Genesis Market takedown and arrests (Figure 3) are another major case in the cybercrime industry that tells us a lot about the efforts of law authorities worldwide against it.
RaidForums’ Snowball Effect?
The cybersecurity community is a fairly small one, and the cybercrime community even more so. Once real gems are uncovered by shutting down one operation, they can, with effort, be leveraged to shut down another.
If we try to find the one event that started the snowball, we have to look at the RaidForums shutdown in February 2022. The FBI announced that it was able to shut down the infamous underground forum (Figure 4) and that it had arrested an individual claimed to be Omnipotent, one of the founders of the forum.
Observing the great success of the RaidForums shutdown, it’s highly likely that much of the information captured in this operation, along with possible cooperation from Omnipotent, enabled the investigations that followed. Pompompurin was investigated for months along with other key individuals from the cybercrime industry, as many of them, including Pompompurin, were possibly very active on RaidForums.
Are there more arrests and shutdowns to come?
As mentioned, we now see the arrests and shutdown of major pillars of the cybercrime industry. When coordinated between agencies, operations can be very successful. But the remaining question is whether we should expect to see more arrests and shutdowns in the near future.
Unfortunately, the cybercrime industry doesn’t seem to be too affected by these arrests. Underground forums are still operating, and some are trying to crown themselves as the new BreachForums or Genesis Market forum.
The Hive shutdown did not slow the ransomware industry one bit; the industry even had the most successful quarter we’ve seen in a long time.
However, the Cyberint Research Team is convinced that by seeing these stories, new threat actors and threat groups might think twice before entering the cybercrime industry.