The Justice Department recently announced an international coordinated operation to dismantle Genesis Market, “a criminal online marketplace that advertised and sold packages of account access credentials–like usernames and passwords for email, bank accounts, and social media–that had been stolen from malware infected computers around the world.”[1] This concerted international effort to take down the Genesis infrastructure shows the power of a large international partnership in policing transnational cybercrime. However, the inability of such a large international partnership to arrest or even locate the operators of the Genesis Market demonstrates the limits to policing transnational cybercrime because of a lack of jurisdiction.
Genesis Market is known as an initial access broker, where criminals wanting to easily infiltrate a victim’s computer can buy packages of already stolen credentials and use it to access a victim’s sensitive data.[2] Included for sale on the Genesis Market were access credentials associated with the White House, Justice Department, Department of State, Department of Defense, USPS, NASA, and the IRS.[3] Genesis was seized in Operation Cookie Monster, an effort that involved 17 countries and was led by the U.S. Federal Bureau of Investigation and the Dutch National Police.[4] The operation entailed the seizure of Genesis Market’s domains and simultaneous actions against its users across the globe that resulted in over 200 property searches and 119 arrests.[5] U.S. Attorney General Merrick Garland stated, “Our seizure of Genesis Market should serve as a warning to cybercriminals who operate or use these criminal marketplaces: the Justice Department and our international partners will shut down your illegal activities, find you, and bring you to justice.”[6] While Attorney General Garland’s statement may be true for some of those who used those criminal markets, it seems to be more of a hollow threat when applied to the market’s operators.
The international partnership did not claim to have arrested any operators and only stated it is believed that the Genisis Market is operated out of Russia.[7] Likewise, the announcements from Europol and the other international partners include a request for anyone with information on the administrators of Genesis Market to contact the FBI.[8] The international partnerships inability to arrest or even definitively locate the market’s administrators highlights an important reality: as long as countries like Russia continue to harbor cybercriminals, jurisdiction will continue to be a serious obstacle in the effort to police transnational cybercrime.
The distributed nature of computer networks allows cybercriminals to anonymously target people regardless of jurisdiction.[9] Nations have enacted legislation permitting the exercise of extra-territorial jurisdiction over cybercrime offenders, but exercising such jurisdiction has been more challenging in practice than in theory.[10] Some have suggested that the use of an international treaty, similar to previous international treaties created to address other transnational crimes like piracy, is necessary for policing cybercrime.[11] An international treaty, however, would not solve the unique complexities in policing cybercrime, like how an individual can hide their identity and location while committing cybercrime.[12] Moreover, an international treaty would require that nations agree to turnover cybercriminals, which the nations harboring cybercriminals have been unwilling to do thus far.[13]
The dismantling of Genesis Market’s infrastructure will undoubtedly hinder the ability to facilitate transnational cybercrime.[14] That said, with the operators still out there, it is likely the Genesis Market will effectively re-emerge and continue operations on the internet.[15] Indeed, the Genesis Market can still be accessed on the dark web, and the site’s administrators have already announced they plan on setting up new domains.[16]
Europol, the U.S., and the other international partners joined together in the fight against cybercrime may have the power to dismantle these new domains that emerge, too. Nevertheless, they will always be limited in success by their lack of jurisdiction over the individuals operating these illicit markets. Without the ability to prosecute the individuals responsible and stop them from operating, the members of the international partnership are effectively stuck in a game of virtual whack-a-mole: frantically smacking down each new market that emerges while being unable to stop new ones from emerging.
[1] Press Release, U.S. Dept. of Justice Office of Public Affairs, Criminal Marketplace Disrupted in International Cyber Operation (April 5, 2023), https://www.justice.gov/opa/pr/criminal-marketplace-disrupted-international-cyber-operation.
[2] Id.
[3] Id.
[4] Press Release, European Union Agency for Law Enforcement Cooperation, Takedown of Notorious Hacker Marketplace Selling Your Identity to Criminals (April 5, 2023), https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-notorious-hacker-marketplace-selling-your-identity-to-criminals.
[5] Id.
[6] Press Release, U.S. Attorney’s Office for the Eastern District of Wisconsin, Criminal Market Disrupted in International Cyber Operation (April 5. 2023), https://www.justice.gov/usao-edwi/pr/genesis-market-disrupted-international-cyber-operation.
[7] Press Release, U.S. Dept. of the Treasury, Treasury Sanctions Illicit Marketplace Genesis Market (April 5. 2023), https://home.treasury.gov/news/press-releases/jy1388.
[8] James Pearson & Michael Holden, International Law Enforcement Seizes Dark Web Market, Reuters (April 5, 2023), https://www.reuters.com/world/uk/international-law-enforcement-seizes-dark-web-market-2023-04-04/.
[9] Michael Wilson, et al., Police Preparedness to Respond to Cybercrime in Australia: An Analysis of Individual and Organizational Capabilities, 55 J. Crim. 468, 471 (2022).
[10] See Phenyo Sekati, Assessing the Effectiveness of Extradition and the Enforcement of Extra-territorial Jurisdiction in Addressing Trans-national Cybercrimes, Compar. Int’l L.J. S. Africa, Dec. 2022, at 1.
[11] Jaime Salgado, Modern Piracy: Fighting Ransomware with a Universal Foundation and Why an International Cybercrime Treaty Must Follow in the Footsteps of the Paris Agreement, 37 Conn. J. Int’l L. 12, 37 (2022).
[12] Ajoy P.B., Effectiveness of Criminal Law in Tackling Cybercrime: A Critical Analysis, 5 Scholars Int’l J.L. Crime Just. 74, 76 (2022).
[13] Isabelle Khurshudyan & Loveday Morris, Ransomware’s Suspected Russian Roots Point to a Long Détente Between the Kremlin and Hackers, Wash Post (June 12, 2021), https://www.washingtonpost.com/world/europe/russia-ransomware-cyber-crime/2021/06/11/e159e486-c88f-11eb-8708-64991f2acf28_story.html.
[14] Gensis, a Dark Web Marketplace, Shutdown in Global Operation, Al Jazeera (April 6, 2023), https://www.aljazeera.com/news/2023/4/6/genesis-market.
[15] Eduard Kovacs, Success of Genesis Market Takedown Attempt Called into Question, SecurityWeek (April 6, 2023), https://www.securityweek.com/success-of-genesis-market-takedown-attempt-called-into-question/.
[16] Id.
