Threat Actor Infrastructure · Stolen identity trading and browser fingerprint trafficking · Identity fraud marketplace · Global
Criminal marketplace for stolen browser fingerprints and credentials (seized by FBI)
The Breach Risk Index (BRI) is a proprietary 0–100 score rating how dangerous a breach is right now, based on how recently the data has been circulating on the dark web and how valuable it is to attackers.
In April 2023, the FBI and an international coalition (Europol, Dutch police) seized Genesis Market in "Operation Cookie Monster." Genesis was a criminal marketplace that sold stolen "identity packages" (browser fingerprints, cookies, saved credentials, and full payment-card data) harvested from ~1.5 million malware-infected devices covering 80M+ accounts. Data from the seizure (~8 million records in this dataset) was made available for victim notification. Exposed fields include names, emails, phone numbers, addresses, dates of birth, passwords, full credit cards with CVV, and browser user-agent/fingerprint details. This is a law-enforcement-seized criminal/infostealer dataset, not a breach of a single legitimate organization.
Full threat analysis, exploitation vectors, and principal guidance below.
12 additional sections · verified field analysis · defensive doctrine
8.0M records analyzed
Genesis Market was an invitation-only criminal marketplace that sold "bots" - packages of stolen credentials, browser fingerprints, cookies, and session tokens harvested from malware-infected devices, enabling buyers to impersonate victims and bypass authentication. It operated for roughly five years until its April 2023 takedown.
Identity-fraud marketplaces collect user accounts, billing records, search activity, and listings tied to stolen identities, browser fingerprints, cookies, and access artifacts.
On April 4, 2023, the FBI, Europol, and Dutch police seized Genesis Market in "Operation Cookie Monster," with ~120 arrests and 200+ searches worldwide. The marketplace had offered data stolen from 1.5M+ computers covering 80M+ accounts (~460,000 packages listed). Seized data was made available for victim notification (e.g., via Have I Been Pwned).
The seized dataset represents victims of infostealer malware whose complete "identity packages" - credentials, full credit-card data and CVV, browser fingerprints, cookies, DOB, contact and address data - were sold to criminals for account takeover and impersonation. For affected individuals the exposure is severe and multi-vector (financial fraud, ATO, identity theft, session hijacking); the law-enforcement seizure and notification are mitigations.
• Financial fraud using full credit-card + CVV data | • Account takeover via stolen credentials, cookies, and session tokens (MFA-bypass) | • Identity theft and synthetic identity construction using name + DOB + address | • Impersonation using browser fingerprints | • Targeted phishing/SIM-swap using contact data
A consumer-service breach: contact and account data supports phishing, account takeover and profile enrichment. For a high-profile principal this is targeting-grade, not merely identity-theft-grade: the combination lets an adversary locate, impersonate, or pressure the principal with little additional work.
Motivation: Financial gain (criminal marketplace)
A notorious dark-web marketplace selling stolen credentials and browser fingerprints ('bots'); at seizure it had offered access to 1.5M+ compromised machines and 80M+ credentials.
This data originates from an illicit online forum, and being listed is not proof of involvement. To protect people from false association, we confirm exposure only to the individual concerned. Verify your identity to privately check your own exposure.
We never confirm whether a specific person appears in this breach to anyone but that person.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation