Genesis Market 2023 Data Breach

Genesis Market Criminal Identity Marketplace Seizure (2023): 8 Million Stolen Identity Packages Including Full Credit Card & Browser Fingerprints Exposed

Threat Actor Infrastructure · Stolen identity trading and browser fingerprint trafficking · Identity fraud marketplace · Global

Genesis Market Criminal Identity Marketplace Seizure (2023): 8 Million Stolen Identity Packages Including Full Credit Card & Browser Fingerprints Exposed

Criminal marketplace for stolen browser fingerprints and credentials (seized by FBI)

Compilation · ObscureIQ Intelligence
Limited DisclosureThis data comes from an illicit online community. Because merely appearing in it could wrongly imply involvement, we do not confirm anyone’s presence publicly or allow third parties to look others up. Check your own exposure privately below.
Breach Risk Index i
44/100
Lower riskHigher risk
Moderate: notable exposure with meaningful misuse potential.
Data Sensitivity i
Restricted
Being associated with this breach can itself be harmful. Disclosure is limited and presence is not confirmed to unverified parties.
8.0MRecords
2023Year

The Breach Risk Index (BRI) is a proprietary 0–100 score rating how dangerous a breach is right now, based on how recently the data has been circulating on the dark web and how valuable it is to attackers.

Crucial data exposed
FinancialCredit Card; Credit Card CVV
AddressPhysical address
Classification Tags
Genesis MarketMalware / InfostealerCybercrimeThreat Actor InfrastructureUsers2023

Breach Summary

In April 2023, the FBI and an international coalition (Europol, Dutch police) seized Genesis Market in "Operation Cookie Monster." Genesis was a criminal marketplace that sold stolen "identity packages" (browser fingerprints, cookies, saved credentials, and full payment-card data) harvested from ~1.5 million malware-infected devices covering 80M+ accounts. Data from the seizure (~8 million records in this dataset) was made available for victim notification. Exposed fields include names, emails, phone numbers, addresses, dates of birth, passwords, full credit cards with CVV, and browser user-agent/fingerprint details. This is a law-enforcement-seized criminal/infostealer dataset, not a breach of a single legitimate organization.

Full threat analysis, exploitation vectors, and principal guidance below.

12 additional sections · verified field analysis · defensive doctrine

Querying breach corpus…
Cross-referencing exposed field types…
Resolving threat-actor attribution…
Compiling principal risk advisory…

8.0M records analyzed

About Genesis Market

Genesis Market was an invitation-only criminal marketplace that sold "bots" - packages of stolen credentials, browser fingerprints, cookies, and session tokens harvested from malware-infected devices, enabling buyers to impersonate victims and bypass authentication. It operated for roughly five years until its April 2023 takedown.

Why They Hold Your Data

Identity-fraud marketplaces collect user accounts, billing records, search activity, and listings tied to stolen identities, browser fingerprints, cookies, and access artifacts.

Recent Developments

On April 4, 2023, the FBI, Europol, and Dutch police seized Genesis Market in "Operation Cookie Monster," with ~120 arrests and 200+ searches worldwide. The marketplace had offered data stolen from 1.5M+ computers covering 80M+ accounts (~460,000 packages listed). Seized data was made available for victim notification (e.g., via Have I Been Pwned).

Data Points Exposed

10 verified field types
Credit Card Critical
Credit Card CVV Critical
Date of Birth High
Email Address
Full Name
Password High
Phone Number
Physical address High
User Agent
Username

Breach Impact

The seized dataset represents victims of infostealer malware whose complete "identity packages" - credentials, full credit-card data and CVV, browser fingerprints, cookies, DOB, contact and address data - were sold to criminals for account takeover and impersonation. For affected individuals the exposure is severe and multi-vector (financial fraud, ATO, identity theft, session hijacking); the law-enforcement seizure and notification are mitigations.

Exploitation & Downstream Threats

• Financial fraud using full credit-card + CVV data | • Account takeover via stolen credentials, cookies, and session tokens (MFA-bypass) | • Identity theft and synthetic identity construction using name + DOB + address | • Impersonation using browser fingerprints | • Targeted phishing/SIM-swap using contact data

Principal Risk Advisory

What this means for a principal

A consumer-service breach: contact and account data supports phishing, account takeover and profile enrichment. For a high-profile principal this is targeting-grade, not merely identity-theft-grade: the combination lets an adversary locate, impersonate, or pressure the principal with little additional work.

What You Should Do

  1. Treat the home address as exposed: review mail and package handling and physical-security routines, and brief household staff to verify unusual requests.
  2. Reset any reused passwords and enable MFA on email first, then financial accounts.
  3. Guard against SIM-swap and vishing: add a carrier port-out PIN and verify any 'support' calls independently.
  4. Do not use unofficial 'am I affected' lookups; several are themselves harvesting operations.

How ObscureIQ Can Help

  1. Corpus confirmation: determine whether and where the principal (plus household and staff) appear in this dataset and which specific fields are exposed for them.
  2. Exposure mapping and footprint neutralization: cross-reference against broker-available data and suppress still-removable elements, prioritizing address and phone, since this record re-seeds broker networks.
  3. ThreatWatch tuned to this incident's identifiers and misuse pattern (impersonation and targeting patterns, not generic credential monitoring).
GM
Threat Actor: Genesis MarketConfidence: High
Credential marketplace

Motivation: Financial gain (criminal marketplace)
A notorious dark-web marketplace selling stolen credentials and browser fingerprints ('bots'); at seizure it had offered access to 1.5M+ compromised machines and 80M+ credentials.

Read the full threat-actor profile →
This breach is linked to the LE malware takedown (Endgame / Genesis / Duck Hunt) campaign. See the full campaign analysis →

Protect Yourself

Protect Yourself: Limited Disclosure

Check Your Own Exposure: Verification Required

This data originates from an illicit online forum, and being listed is not proof of involvement. To protect people from false association, we confirm exposure only to the individual concerned. Verify your identity to privately check your own exposure.

We never confirm whether a specific person appears in this breach to anyone but that person.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation