Michigan man indicted for dark web credential fraud, purchased 2,500 logins from Genesis Market
Analysis Summary
# Threat Actor: Andrew Shenkosky (Unattributed Cybercriminal)
## Attribution & Identity
The individual identified is **Andrew Shenkosky**, a 29-year-old man from Michigan who resided in Minnesota during the timeframe of the alleged crimes. No threat-group attribution is provided; the report describes an individual operating independently of known state-sponsored or established organized crime groups, relying on pre-existing cybercrime infrastructure rather than building his own.
## Activity Summary
Shenkosky was indicted in January 2025 for a scheme executed between February and November 2020 involving the purchase and downstream use of stolen credentials obtained from the Genesis Market cybercrime marketplace. His activities focused on credential fraud and subsequent financial exploitation.
## Tactics, Techniques & Procedures
- **Acquisition of Access Information:** Purchased 2,468 stolen login credentials from Genesis Market.
- **Access Broker Utilization:** Used Genesis Market, an illicit marketplace providing access to credentials harvested from malware-infected computers globally.
- **Financial Fraud:** Used stolen credentials to make unauthorized withdrawals from victims' bank accounts.
- **Monetization/Distribution:** Attempted to resell some of the stolen credentials on the **Raid Forums** cybercriminal forum.
- **Infrastructure Use:** Fraudulently created a Coinbase account and used it to purchase an invite code for Genesis Market.
## Targeting
- **Sectors:** Financial services/Banking (implied by the nature of the fraud involving bank accounts).
- **Geography:** United States (Shenkosky resided in Michigan/Minnesota); victim locations are not stated but are likely distributed, since Genesis Market sourced credentials from infected machines globally.
- **Victims:** Individuals whose bank account credentials were stolen and sold on Genesis Market.
## Tools & Infrastructure
- **Marketplaces/Forums (Indirectly used):**
  - **Genesis Market:** Source of the stolen credentials (defunct; dismantled by law enforcement in April 2023).
  - **Raid Forums:** Used to attempt the secondary sale of stolen credentials (has also ceased operations).
- **Payment/Access:**
  - Fraudulently created **Coinbase** account (used to purchase the Genesis Market invite code).
  - **PayPal** account (used to receive the proceeds of the fraud).
## Implications
This case highlights the immediate danger posed by the reuse and monetization of credentials harvested by established botnets and sold on access marketplaces like Genesis Market. It underscores how purchasing access lets low-skill actors move quickly to financial fraud without having to perform the initial compromise themselves. The indictment also shows that buyers on cybercrime forums, whether those forums are still active or have since been shut down, remain exposed to prosecution years after the fact.
## Mitigations
- **Credential Monitoring:** Organizations and individuals should assume that credentials may already have been harvested by infostealers on endpoint devices, and should monitor accounts for unauthorized use accordingly.
- **Marketplace Awareness:** Law enforcement actions such as the dismantling of Genesis Market confirm ongoing efforts to disrupt the credential supply chain.
- **Multi-Factor Authentication (MFA):** Although the report does not identify missing MFA as the failure point exploited here, the use of stolen credentials for unauthorized bank access underscores the need for MFA so that a stolen password alone does not grant access.
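One concrete form of the credential monitoring recommended above is to check a password at login or password-change time against a corpus of known-compromised password hashes, using a k-anonymity range query so that the full hash never leaves the client; a hit can then be routed to a step-up MFA challenge and a forced reset. The following Python is an added example and is not part of the original report or any tool it mentions: the compromised-hash corpus is constructed inline from made-up passwords, the server and client halves of the lookup run in one process, and the `evaluate_login` policy is a hypothetical illustration of how the result might feed an authentication decision.

```python
import hashlib

# Constructed sample corpus standing in for a feed of passwords recovered from
# infostealer logs or breach dumps. These are made-up entries, not victim data.
_COMPROMISED_PLAINTEXTS = ["password", "letmein", "Summer2020!", "qwerty123"]

# Index keyed by the first 5 hex characters of the uppercase SHA-1 digest;
# each value is the set of 35-character suffixes sharing that prefix.
COMPROMISED_INDEX = {}
for _p in _COMPROMISED_PLAINTEXTS:
    _digest = hashlib.sha1(_p.encode("utf-8")).hexdigest().upper()
    COMPROMISED_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])

# Record of every prefix the "client" sent, so a reviewer can confirm that no
# full hash was ever transmitted to the "server".
QUERY_LOG = []


def range_query(prefix):
    """Server side of a k-anonymity range lookup.

    Accepts only a 5-hex-character prefix and returns every suffix in the
    corpus that shares it. The server never sees the full hash, so it cannot
    tell which password (if any) the client is checking.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    QUERY_LOG.append(prefix)
    return set(COMPROMISED_INDEX.get(prefix, set()))


def is_compromised(password):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def evaluate_login(username, password):
    """Hypothetical authentication-time policy (assumption, not from the report).

    A compromised credential does not by itself prove the login is fraudulent,
    so the response is a step-up MFA challenge plus a forced reset rather than
    an outright block.
    """
    compromised = is_compromised(password)
    return {
        "user": username,
        "credential_compromised": compromised,
        "action": "require_mfa_and_reset" if compromised else "allow",
    }


if __name__ == "__main__":
    for user, pw in [("alice", "Summer2020!"), ("bob", "correct horse battery staple")]:
        print(evaluate_login(user, pw))
    print("prefixes sent to server:", QUERY_LOG)
```

In production the corpus would be a maintained feed rather than an inline list, and `range_query` would sit behind an HTTPS endpoint; the property worth preserving is that the client transmits only the 5-character prefix and does the final match itself.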