New York Detective Indicted for Darknet Card Data Buys

FBI Tracking Alleged Fraudsters Using Evidence Seized From Shuttered Genesis Market
A Buffalo Police Department detective is accused of buying stolen payment cards and of lying to federal investigators. (Image: Shutterstock)

An FBI probe into the shuttered Genesis Market cybercrime site has led to the indictment of a police detective in Buffalo, New York.

A federal grand jury on Friday handed down a three-count indictment charging Terrance Michael Ciszek, 34, with possession of unauthorized access devices in the form of stolen credit card data. He also faces two counts of making false statements to federal investigators. Each charge carries a maximum penalty of 10 years in prison; the unauthorized access device charge carries a maximum fine of $250,000.

In the indictment and a previously filed complaint, authorities accused Ciszek of using the moniker "DrMonster" on Genesis Market over a four-month period in 2020 to buy 11 packages of data that included 194 stolen account credentials.

Genesis, which launched in beta in late 2017, offered for sale packages that often included username and password combinations, as well as device fingerprints, including browser cookies and system information that enabled hackers to bypass security measures such as multifactor authentication. The site also offered users a proprietary browser plug-in, designed to facilitate the use of the stolen data to impersonate victims.

When the market debuted, its operators claimed that those fingerprints could be used to evade anti-fraud controls used by 283 major banks and payments systems, according to security researchers at ReliaQuest.

Investigators said they additionally tied Ciszek to a Bitcoin wallet address hosted by CashApp, which was used to buy stolen data on UniCC, a dark net carding site devoted to the buying, selling and use of stolen payment card data.

Investigators said Ciszek on March 16, 2020, accessed his CashApp account - opened using his driver's license to confirm his identity - from an IP address used later that day to access the Genesis account of the user DrMonster. Funds from the CashApp account appeared in DrMonster's Genesis account three days later.

The indictment also accused Ciszek of recording a video around that time "explaining to others how he anonymized his identity on the internet when purchasing stolen credit cards," as well as how he used UniCC. "In the video, the defendant stated, among other things, 'And then I usually get my credit cards from UniCC, which is an amazing place if you guys don't have it,'" it said.

The Department of Justice alleged that when the FBI interviewed Ciszek on April 4, 2023, he lied by stating that he hadn't purchased the stolen credentials online and suggested that the culprit might be his nephew.

Ciszek first appeared in court on May 2, 2023, after which the Buffalo Police Department suspended him with pay pending further internal investigation. The court required that he participate in a computer and internet monitoring program run by the U.S. Probation Office.

Genesis Probes Continue

The indictment against Ciszek reflects ongoing probes into Genesis Market by multiple law enforcement agencies. The FBI began investigating in 2018, shortly after the market launched. Authorities said the site was run by Russia-based administrators.

An international law enforcement effort involving 17 countries, dubbed "Operation Cookie Monster" and spearheaded by the FBI and Dutch National Police in April 2023, seized Genesis Market and arrested over 170 suspected users worldwide, with additional arrests following (see: Dutch Police Nab Suspected Genesis Market Super User).

Investigators said the site was the largest of its kind, offering access to more than 1.5 million compromised computers around the world and more than 80 million account credentials while sporting a user base that numbered about 59,000 accounts.

"This was definitely the largest in its class," said John Fokker, head of the threat intelligence group at Trellix, which supported Operation Cookie Monster shortly after the disruption. "It was almost the Amazon of account takeovers."

The market's core operators relaunched the site through a darknet-based mirror about two weeks after the disruption, although it appears to have fizzled out since then. A security researcher shortly thereafter spied on the administrators offering to sell Genesis Market as a going concern, "with all the developments, including a complete database (except for some details of the client base), source codes, scripts, with a certain agreement, as well as server infrastructure."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
