Wherever there is Internet, there are businesses looking to take advantage of the twenty-first century gold rush: data collection. Cybercrime is no exception. Attackers focus on breaching applications to collect data on Internet users and then monetize that data in darknetAn encrypted network that runs on the Internet, enables users to remain anonymous, and requires special software to access it. Tor and Freenet are examples of darknets. markets. The dark webInternet content that exists on darknets and is not accessible via search engines. Special software is required to access it. economy is growing, and its users have a specific penchant for dealing in digital identities and credentials. Every year billions of credentials are spilled powering credential stuffing and stocking the shelves of darknet markets selling stolen data. Shape Security and F5 Labs are tracking credential spills for our 2021 Credential Stuffing Report (due out in January 2021). To date in 2020, a period plagued with the COVID-19 pandemic driving increased remote access and decreased visibility, we have tracked over 1.5 billion exposed credentials in breaches.

To protect the anonymity of users, darknet markets only transact in cryptocurrency. Research by Chainanalysis shows that bitcoin transactions grew from $250 million in 2012 to $872 million in 2018. They estimate bitcoin transactions for 2019 reached $1 billion. Some darknet markets have generated huge amounts of sales, for example Silk Road 2.0 generated more than $9.5 million in bitcoin prior to its shutdown in 2014. According to Juniper Research, it is estimated that all online fraud losses will reach $48 billion by 2023.

With the growing sophistication of defense mechanisms, cyber attackers are interested in more than simple username and password pairs to various online sites and services. In late 2018, a new darknet marketplace, Genesis Store, emerged offering a unique product: the option to generate unique or random device fingerprints. Hackers can purchase stolen device fingerprints through the purchase of bots controlling infected machines on Genesis. Device fingerprints include information about a user’s account, including passwords and usernames, but also detailed identifiers such as browser cookies, IP addresses, user-agent strings, and other operating system details. Many anti-fraud solutions still consider device fingerprints to be a unique identifier, so mimicking this to bypass anti-fraud solutions is very attractive to attackers.

Genesis Marketplace at a Glance

The Genesis Marketplace, available both on the dark web and the public internet provides an avenue for attackers to buy digital fingerprints. As shown in Figure 1, the site features a wiki, a news page, a rolling ticker of how many bots are available for sale, and a ticketing system.