Dutch police arrest 17 as Operation Cookie Monster takes down global hacker market

Police in the Netherlands arrested 17 people as part of Operation Cookie Monster, an international investigation involving Europol, Dutch police, the FBI in the United States, the UK's National Crime Agency, and investigators in 14 other countries. The investigators focused on taking down the Genesis Market, a marketplace for stolen account credentials, and bots used to obtain data and utilize it in criminal activity. The data belonging to millions of people was traded via the website, including about 50,000 people who live in the Netherlands.

A total of 119 people were arrested around the world, including the 17 suspects in the Netherlands. Investigators searched 208 properties simultaneously, including 23 Dutch locations. More arrests in the Netherlands are likely as police sift through the information collected in the investigation to identify people who used the marketplace to scam people, even if they haven't carried out a crime. Police warned that Genesis Market kept data on its own buyers, despite promises otherwise.

"Genesis Market was considered one of the biggest criminal facilitators, with over 1.5 million bot listings totalling over 2 million identities at the time of its takedown," Europol said in a statement. "With over 1.5 million bots listed on Genesis Market, chances are that your credentials have already ended up for sale on this criminal marketplace."

Those who used the Genesis Market to purchase a bot that had infected a victim's device, either through malware or account takeover tactics, could use it to collect digital fingerprints, cookies, saved logins, and autofill data from forms. The information was gathered in real time, and bot purchasers were notified of password changes as they happened. Bots could be bought for anywhere from USD 0.70 up to hundreds of dollars for bots with access to financial information and online bank accounts.

Many of the 50,000 people in the Netherlands who were victims of the scheme lost money as a result. "There are cases where a social media profile was stolen or packages were ordered from an online store on someone's account. But we also have victims where entire investment portfolios have been emptied or entire bank accounts and crypto wallets have been plundered. In short, you lose control over your entire online life," said Ruben van Well of the Rotterdam police's cybercrime team.

He referred to a 71-year-old man who called the police repeatedly when products were bought from web shops in his name, and when 70,000 euros was wiped out of his investment account. "Bank accounts were also opened in his name at several banks," Van Well said. "This victim told us that he felt like he was paddling in a large swimming pool alone and had no idea how to get out." Because the malware caught changes in real time, it did not really matter if the victim updated his passwords, Van Well said.

"The criminals buying these special bots were not only provided with stolen data, but also with the means of using it. Buyers were provided with a custom browser which would mimic the one of their victim. This allowed the criminals to access their victim’s account without triggering any of the security measures from the platform the account was on," Europol said, noting that log-in location and other identifying details no longer mattered as a result of the fraud.

Officially, it was the FBI that shut down Genesis Market, which was accessible on the public internet. Europol recommended using an antivirus program to find and remove malware. Passwords should be changed only after the malware is gone. Then, victims should notify banks, brokerages, insurance companies, and others who should be made aware of the identity theft.

Dutch police have set up a website for anyone around the world to check if their email address is included in any packages of hacked data. The website is available in English, and also in Dutch.