The credential-and-cookie pair from a stealer log is only half the package an attacker needs to take over a high-value account. The other half is the browser fingerprint: the combination of user agent, screen size, timezone, language, fonts, plugins, canvas hash, WebGL signature and dozens of other properties that the victim’s browser advertises and that anti-fraud systems use to detect impostors. Without it, the stolen-cookie replay raises a flag the moment the attacker logs in. With it, the replay looks indistinguishable from the real user.
Why fingerprints matter
Modern fraud-detection systems (Sift, Forter, Riskified, the in-house equivalents at every major bank and SaaS) score every login on dozens of signals. A fresh login with the right cookie but the wrong device fingerprint, the wrong IP geolocation or the wrong timezone raises the risk score, and the transaction gets flagged or blocked.
The countermeasure: replay the cookie from a browser environment that matches the victim’s. Same canvas hash, same fonts, same timezone, same network ASN. From the fraud system’s perspective, nothing has changed.
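What that scoring looks like in code, as an added illustration rather than anything from the post or from a named vendor: a small Node.js scorer that weights each signal the post lists, compares a login against the device profile on record, and turns the total into an allow / step-up / block decision. The signal names, weights, thresholds and every sample value are constructed for the example.

```javascript
// Added example (not from the original post): a minimal login risk scorer of the
// kind described above. It compares the signals a login presents with the profile
// stored for the account's known device and adds a weight for every mismatch.
// Signal names, weights, thresholds and all sample values are constructed.

const SIGNAL_WEIGHTS = {
  canvasHash: 30,   // derived from GPU, driver and font stack; hard to copy by hand
  webglVendor: 15,
  fonts: 15,        // compared as a set, see signalMatches()
  timezone: 10,
  asn: 15,          // network origin of the request
  language: 5,
  screen: 5,
  userAgent: 5,     // easiest signal to copy, so it carries the least weight
};

// Score bands: below REVIEW the login passes, between the two it gets a
// step-up challenge (MFA, e-mail confirmation), at or above BLOCK it is refused.
const REVIEW_THRESHOLD = 25;
const BLOCK_THRESHOLD = 50;

// Sets such as the font list are compared by overlap rather than equality,
// because a single newly installed font should not count as a new device.
function signalMatches(known, seen) {
  if (Array.isArray(known) && Array.isArray(seen)) {
    const knownSet = new Set(known);
    const overlap = seen.filter((item) => knownSet.has(item)).length;
    const union = new Set([...known, ...seen]).size;
    return union > 0 && overlap / union >= 0.9;
  }
  return known === seen;
}

function scoreLogin(profile, attempt) {
  const mismatches = [];
  let score = 0;
  for (const [signal, weight] of Object.entries(SIGNAL_WEIGHTS)) {
    if (!signalMatches(profile[signal], attempt[signal])) {
      mismatches.push(signal);
      score += weight;
    }
  }
  let decision = 'allow';
  if (score >= BLOCK_THRESHOLD) decision = 'block';
  else if (score >= REVIEW_THRESHOLD) decision = 'step-up';
  return { score, mismatches, decision };
}

// Constructed profile of the device the account normally logs in from.
const knownProfile = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0',
  screen: '1920x1080',
  timezone: 'Europe/Berlin',
  language: 'de-DE',
  fonts: ['Arial', 'Calibri', 'Segoe UI', 'Tahoma', 'Verdana'],
  canvasHash: 'constructed-canvas-7f3a9c',
  webglVendor: 'Google Inc. (NVIDIA)',
  asn: 'AS3320',
};

// Same device, same network: the everyday case.
const legitimateLogin = { ...knownProfile };

// The account's cookie presented from a different machine that copied only the
// user-agent string: the hardware-derived signals and the network give it away.
const cookieReplay = {
  ...knownProfile,
  timezone: 'Europe/Moscow',
  fonts: ['Arial', 'DejaVu Sans', 'Liberation Sans'],
  canvasHash: 'constructed-canvas-0b21e4',
  webglVendor: 'Mesa/X.org (llvmpipe)',
  asn: 'AS12389',
};

// The real user on a hotel network after a graphics-driver update: two
// mismatches, so the scorer asks for step-up rather than blocking outright.
const travellingUser = { ...knownProfile, webglVendor: 'Google Inc. (Intel)', asn: 'AS8881' };

const cases = [['legitimate', legitimateLogin], ['cookie replay', cookieReplay], ['travelling user', travellingUser]];
for (const [label, attempt] of cases) {
  console.log(label, scoreLogin(knownProfile, attempt));
}
```

The point of the weighting is in the numbers: the signals that can be copied by hand (user agent, language, screen size) carry little weight, while the hardware-derived ones and the network origin dominate. A straight cookie replay from a different machine therefore lands well above the block line, while a real user on a new network with a fresh driver gets a step-up challenge rather than a refusal, which is the false-positive case a production scorer has to handle.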
How the markets work
Genesis Market was the most visible example until its 2023 takedown. Successor markets (RussianMarket, 2easy, several smaller Telegram-based operations) followed the same model. The seller offers “bots”: packages combining a victim’s stolen credentials, cookies and full browser fingerprint with instructions for which custom browser tooling to use to replay the fingerprint accurately.
The buyer downloads the bot, pastes it into a fingerprint-spoofing browser (commercial offerings exist; some are mass-marketed under “anti-detect” branding for affiliate marketing too), and presents themselves to the target site as the victim. The fraud-detection systems usually let it through.
The pricing
Bot pricing depends on the credentials a bot contains. One with banking credentials runs $50-$500 depending on the bank and the country; one with a verified PayPal account, $20-$100; one with corporate VPN access, dramatically more, from several hundred to thousands of dollars.
Bots have shelf lives. Once the victim notices the takeover and changes credentials, the bot is dead. Markets price accordingly: fresh bots at premium, older bots at discount, with explicit “freshness” timestamps in the listings.
What’s slowly working as defence
Three things degrade the fingerprint-market model. First, anti-fraud vendors continuously update their detection signals: what worked in a 2023 anti-detect tool no longer works against the latest fraud system. Second, device-bound session credentials (DPoP, and the browser standards now in progress) tie the cookie to a hardware-level key that a copied fingerprint can’t replicate. Third, behavioural biometrics (typing cadence, mouse-movement patterns) add signal that’s hard to spoof from a stolen fingerprint alone.
The arms race continues. Defenders win when device-bound credentials become the standard. Until then, fingerprint markets will keep pricing in the difficulty of detecting them.
The takeaway
The credential-theft economy is more sophisticated than the headlines suggest. Stolen passwords alone aren’t the threat; they’re the input to a packaging operation that produces something that looks like a legitimate user session to almost any fraud detector. The defensive priorities follow: cookie binding, behavioural biometrics, continuous risk-scoring and aggressive session lifetimes are the controls that make stolen-credential replay actually difficult, regardless of how good the fingerprint is.
