Pharaoh’s Folly: How Did the FBI Catch Incognito Market Owner?

In March 2024, after several years of running his exceptionally lucrative dark web business facilitating drug trade, Lin Rui-Siang, a.k.a. ‘Pharaoh,’ was arrested in New York. But how did the FBI catch the Incognito Market owner? He made a series of mistakes: making transactions to a centralized exchange that had his Taiwanese ID, saving Incognito’s operational diagram to his personal Gmail, complaining on a dark web forum about a crypto swapping service he used to launder bitcoin (while sharing the exact transaction time and Bitcoin amount), and partially paying to register a domain that was related to Incognito Market with a KYC-verified account. All these mistakes were tracked by the FBI, which closely monitored his online activity at the time, culminating in his arrest at JFK Airport.

At PlasBit, we love exploring stories like these - those that aren’t just cautionary tales for would-be dark web kingpins but also provide a snapshot of the digital Wild West we all live in and the moral ambiguities involved in it.

Not exactly ‘incognito’

The dark web often seems like a secretive, dangerous place, where all sorts of crime take place thanks to the privacy it offers. However, sometimes, certain dwellers on the dark web catch enough heat from the authorities or make enough mistakes that this anonymity falls apart like a magician’s illusion.

For Lin Rui-Siang, the ‘Pharaoh’ behind Incognito Market, the downfall began even before the marketplace was born, with a basic but fatal error. He saved Incognito’s diagram and sent it to his personal Gmail account, only to forget about it. Mistakes kept piling up, including Lin using his own government-issued ID to withdraw his ill-gotten gains.

With the FBI hot on Lin’s trail after dismantling Hydra, another major dark web marketplace, investigators developed an elaborate scheme that included cryptocurrencies, an arsenal of hacking capabilities, and a hands-on approach - all part of the story of how the FBI caught the Incognito Market owner. Meanwhile, Lin made their job easier by making multiple fundamental missteps.

Indeed, the FBI started its investigation into Incognito only one day after Hydra was taken down. The officer in charge of the task force was a man called Mark Rubins. To open the case, he ordered five grams of drugs from the website. Six days later, a package arrived at the designated pickup address containing exactly what Rubins ordered.

In the documents from the task force’s investigation, he wrote that they purchased the substance for $170 in Bitcoin and confirmed its authenticity using a drug test. This verified that the market was genuine and was therefore a legitimate target for the FBI.

But the task force didn’t have much to work with except Pharaoh’s account on the popular dark web forum, Dread, and the Bitcoin address used for the drug purchase. Luckily for them, these bits of information turned out to be just enough to progress the investigation further - and Lin made this possible by being exceptionally careless in his actions.

To understand the FBI’s next step, it helps to grasp a few simple concepts related to crypto money laundering. First, there’s a difference between a Bitcoin wallet and an address. The wallet is where Bitcoin is stored, but every wallet needs an address to receive and send Bitcoin to other wallets. Moreover, a single wallet can have an unlimited number of addresses.

In Incognito’s case, whenever the market acquired a new customer, it would create a new payment address, ending up with hundreds, possibly thousands of addresses. This made it nearly impossible to identify the true scope of Incognito’s activities.

If the FBI knew every address associated with Incognito’s business, they could analyze their activity. Eventually, they might discover a transaction that, instead of receiving Bitcoin, sent it to some kind of service, perhaps an exchange that allows the user to sell crypto for normal currency like the US dollar.

And because most exchanges require the user to confirm their identity through a KYC process, a single outgoing transaction can reveal someone’s true identity. Even if the exchange doesn’t require KYC, the authorities can still request information on the user’s associated bank account. Unless the bank is in a country with strong banking privacy laws, it won’t have a problem revealing the identity of an alleged crypto criminal.

To counter this, Pharaoh sent the Bitcoin through at least one other wallet aside from Incognito’s main wallet before sending it to an anonymous swapping service. There, he would swap his Bitcoin for Monero - a cryptocurrency designed to be untraceable. Finally, he would send this untrackable Monero to an exchange, where he sold it for dollars.

This would all be fine and dandy if only Lin didn’t make a ridiculous mistake. As it happens, in May 2022, he took to Dread to complain about one of the swapping services he was using to launder his Bitcoin. He said that the service had declined to accept his funds because they somehow figured out it came from illegal activities and straight-up confiscated his funds.

Although it’s unclear how this happened, in his complaint Pharaoh revealed the exact time and BTC amount he sent to the swapping service. This gave the FBI task force, which was actively watching his Dread account at this point, everything it needed to start searching for both the transaction and the address associated with it - successfully.

The address that made this transaction was part of what the task force called ‘admin wallet 1’ - a wallet that directly received profits from Incognito’s main bank wallet. The investigators discovered that one of the addresses connected to admin wallet 1 was involved in yet another gigantic mistake. Pharaoh had used admin wallet 1 to partially pay for four domains on Namecheap. Three of these were about promoting dark web markets.

However - and this is the best part - the fourth domain, which was not described in the task force’s investigation documents, was a personal website with all the details about the owner. For unknown reasons, Lin paid for it using both his KYC’d crypto exchange account and admin wallet 1, which contributed a measly 0.00501 BTC or $22.09 to complete the purchase that the KYC’d account couldn’t finish.

This single transaction directly linked whoever was behind the crypto exchange account with the person in charge of admin wallet 1, which received Incognito’s profits. As such, it almost certainly belonged to Pharaoh. The only thing the FBI had to do now was to force the exchange to provide them with access to the KYC’d account. And this is exactly what happened.
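The two linking steps described above (matching the time and amount disclosed on Dread to one transaction, then tying that wallet to another payer of the same purchase) can be sketched as follows. This is an added example, not code from the investigation or from PlasBit: the ledger, addresses and timestamps are constructed, and grouping addresses by shared transaction inputs is an assumed clustering method the article does not describe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Tx:
    txid: str
    time: datetime
    inputs: tuple    # addresses that funded the transaction
    outputs: tuple   # (address, amount in satoshi) pairs

# Constructed ledger: ids, addresses and times are made up. 501_000 satoshi
# is the 0.00501 BTC part-payment mentioned in the article.
T0 = datetime(2022, 5, 1, 12, 0, tzinfo=timezone.utc)
LEDGER = [
    Tx("tx1", T0, ("bank_1",), (("adm_a", 90_000_000),)),
    Tx("tx2", T0 + timedelta(hours=1), ("adm_a", "adm_b"), (("swap_in", 41_230_000),)),
    Tx("tx3", T0 + timedelta(minutes=63), ("user_x",), (("swap_in", 41_000_000),)),
    Tx("tx4", T0 + timedelta(days=2), ("adm_b", "adm_c"), (("invoice_1", 501_000),)),
    Tx("tx5", T0 + timedelta(days=2), ("exch_hot",), (("invoice_1", 3_000_000),)),
    Tx("tx6", T0 + timedelta(days=3), ("user_y",), (("swap_in", 41_230_000),)),
]
DISCLOSED = T0 + timedelta(minutes=62)   # time as stated in a public post (constructed)

def match_disclosure(ledger, amount_sat, when, window=timedelta(minutes=10)):
    """Transactions paying exactly amount_sat within +/- window of when."""
    return [tx for tx in ledger
            if abs(tx.time - when) <= window
            and any(amt == amount_sat for _, amt in tx.outputs)]

def cluster_addresses(ledger):
    """Union addresses funding the same transaction (common-input heuristic;
    misfires on CoinJoin-style transactions). Returns {address: cluster id}."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a
    for tx in ledger:
        root = find(tx.inputs[0])
        for addr in tx.inputs[1:]:
            parent[find(addr)] = root
    return {a: find(a) for a in parent}

def payers_of(ledger, dest, clusters):
    """Cluster ids of every transaction that paid address dest."""
    return {clusters[tx.inputs[0]] for tx in ledger
            if any(addr == dest for addr, _ in tx.outputs)}

def trace(ledger, amount_sat, when, invoice_addr):
    """Disclosed payment -> wallet cluster -> other clusters paying the same invoice."""
    hits = match_disclosure(ledger, amount_sat, when)
    if len(hits) != 1:
        return None                 # none or ambiguous: make no attribution
    clusters = cluster_addresses(ledger)
    wallet = clusters[hits[0].inputs[0]]
    payers = payers_of(ledger, invoice_addr, clusters)
    return wallet, (payers - {wallet} if wallet in payers else set())
```

On the constructed ledger, the disclosed amount and time resolve to a single transaction, and the only other payer of the same invoice is the exchange withdrawal address, which is the point at which an identity request to the exchange becomes possible.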

Through this procedure, the investigators learned that the account belonged to a 23-year-old Taiwanese man called Lin Rui-Siang. They also got their hands on the Namecheap account, which was registered under Lin’s name as well. Lastly, they figured out that the personal website was about none other than Lin himself.

This very simple but huge oversight on Pharaoh’s side facilitated a crucial breakthrough for the task force, which then proceeded to infiltrate his entire life, including his emails, social media accounts, and domains. Any internet-related businesses connected to Lin were also being investigated.

His mistake also allowed the FBI to find and compromise Incognito’s servers in July 2022 by discovering the server reseller Lin was associated with and which advertised itself as “an entity which offers services to dark web marketplaces.” The investigators copied every bit of data from the marketplace, including all of its BTC addresses and, more importantly, all of the seller and customer information.

As they infiltrated the servers, they inadvertently took them down and the site wasn’t working for anyone for a time. Lin frantically Googled for ways to fix the issue, which was another crazy mistake as he forgot to log out of his personal Gmail account. The FBI, which had also infiltrated all of these accounts, could witness his searches in real time.

On top of that, remember that old email outlining Incognito’s planned operations that Lin sent to himself via Gmail? Yep, they found it as well. In addition to all the other discoveries, it proved once and for all that Lin Rui-Siang was Incognito’s admin known as Pharaoh, putting the final nail in the coffin and bringing a conclusion to the story of how the FBI caught the Incognito Market owner.

A layover that became a lock-up

Once the FBI had enough on Lin to arrest him, they faced a problem. He was an employee at the Taiwanese Foreign Ministry and his connections made extradition to the US nearly impossible, forcing the agency to lie in wait for the ideal opportunity.

And it came - in May 2024, when ‘Pharaoh’ made yet another mistake, this time the ultimate one. Ironically enough, Lin was conducting a four-day training on cryptocurrency and cybercrime prevention with the police in the Caribbean country of St. Lucia. To illustrate his sheer smugness, Lin even bragged about it on Twitter. We kid you not - behold:

https://x.com/ruisiang_tw/status/1775186955719860509

Although his incoming flight from Taiwan included a stopover in Canada, where the FBI still couldn’t get to him, he nonetheless gave them the perfect shot at this when he booked his flight back home. Turns out, the returning flight included a stopover in the US, specifically JFK Airport in New York.

At around 10 a.m. local time, after the plane landed, Lin decided to stretch his legs by taking a stroll around the airport. Suddenly, he was surrounded by several FBI officers, who yelled at him to get down on the ground and arrested him on the spot.

What’s on the menu? Life in prison, probably

According to the indictment, Lin facilitated the sale of over $100 million worth of various unregulated pharmaceuticals, ranging from misbranded prescription medication to LSD to ecstasy to cocaine to heroin and other illicit products. After four years of successful dark web operations, he finally landed himself in a US jail.

And there was much rejoicing in the Dread community, which was also wronged by Lin but in a different way. Notably, during his gig in this popular black market sector, he had also managed to extort his customers for hundreds of thousands of dollars by threatening to reveal their transaction information in an exit scam.

In another interesting tale, a team of hackers targeted Lin without realizing that he was really the puppet master pulling the strings of Incognito Marketplace. With a promise of a lucrative investment deal, they managed to fool him into downloading malware and drained all his crypto accounts. But that’s a story for some other time.

Currently, Lin is awaiting trial on charges of running a criminal enterprise and money laundering, and if he’s found guilty, which seems likely, he will serve a minimum of life in prison at only 23 years of age. Furthermore, because the FBI had already seized all his data years before, he has nothing left to bargain with to lower his sentence.

Building Incognito: Lin’s magnum opus

Following Lin’s arrest, other details of his Incognito operations became public. Specifically, he developed the idea after studying dark web marketplaces like Silk Road and AlphaBay. Realizing that selling everything as they did would attract too much attention, he decided to create a drug and anonymity-centered market called the Incognito Marketplace, an allusion to Chrome’s incognito mode.

Sometime in November 2020, a subdread called d/IncognitoMarket emerged. The mysterious admin invited several people into this closed community and created two foundational posts about the market. The posts listed the market’s guidelines on what was allowed on the site and explained that its objective was to make purchasing drugs safer than if someone bought them from the streets.

Shortly after, the admin deleted his account and disappeared, leaving the invited people wondering if they could trust this new project. Hours later, another account, going by u/IncognitoOfficial, stepped in and addressed their concerns, saying that “Users will buy drugs and disappear. No trace, no tracking.” As he added, the mysterious creation of the subdread was just a way to prove the market’s commitment to anonymity.

At the same time, Pharaoh started appearing on the Incognito subdread, where he established himself as the main authority behind the Incognito project. This marked the official beginning of one of the strangest and most dramatic dark web sagas since the launch of the Internet.

To become part of Incognito’s network, drug sellers had to create a job application, sort of a drug dealer CV, in which they listed past experiences, recommendations from other marketplaces, and assigned PGP messages. They would then send this resume to Incognito’s team, which would analyze the information and make its decision.

On top of that, each drug vendor, unless they were already highly trusted, would have to pay a fee ranging between $300 and $1,500, and only via cryptocurrencies Bitcoin or Monero. Following the successful application, the team would send all the necessary details to the dealer’s PGP address to get them started.

Over time, Incognito became a major player in the dark web market economy. This was largely due to Pharaoh always asking the community for feedback and implementing platform updates on a nearly monthly basis - something that the members highly appreciated.

Additionally, Incognito’s team seemed to handle disputes between sellers and buyers extremely efficiently. In one case, a vendor who went by u/wallstreetbet_support promised a completely unrealistic price for certain drugs. As the community took notice, its members downvoted his promotional post and warned everyone that he had a reputation for scamming people on other markets.

Eventually, the Incognito team reviewed his account, banned him, and decided to take the money from his account and send it to all of the customers who didn’t get the promised products. Then, u/wallstreetbet_support went on Dread to complain, but instead of receiving support, he was exposed for having over 50 undelivered orders, 30 disputed orders, a negative score of almost 300 vendor points, and countless complaints about his business.

At this point, everything seemed to be working great for Incognito. With the disappearance of other major dark web marketplaces, there weren’t many obstacles left for Incognito’s climb to the top. Darkode Reborn was gone and so was White House. Hydra, the largest, longest-running illegal market in the world, was dismantled in April 2022.

As it happens, Hydra allowed users in mainly Russian-speaking countries to trade illicit goods and services, including illegal drugs, stolen financial information, hacking tools, and more. After it was taken down, it left a massive power vacuum in the dark web ecosystem, and Incognito positioned itself to become one of the main contenders for the throne.

The influx of new users to Incognito was so large that, from April to June 2022, the site’s monthly transaction value skyrocketed from around $700,000 to $2 million - and none of this was made by directly selling drugs. Notably, the marketplace, like most other similar websites, mainly made money through its banking and escrow services, acting as the mediator between the customer and the vendor.

To illustrate, let’s say a customer wanted to purchase $1,000 worth of a product. First, they had to send this money to the site’s bank, which is basically just a crypto wallet. In the following step, the marketplace would take a fee (which in Incognito’s case was 5%) and credit the remaining money to the seller’s account.

In other words, Incognito was easily profiting at least $100,000 per month by facilitating the $2 million monthly transaction volume between drug dealers and their buyers. That is, until it all came crashing down in the wild story of how the FBI caught the Incognito Market owner.

Dark web hall of fame: Other fallen kingpins

In terms of dark web masterminds, Lin is far from being the first (or probably the last) to be caught by simply being human. All of them have slipped up in one way or another, leaving clues leading to their downfall, or merely overestimating their anonymity.

Among the most high-profile cases is that of Ross Ulbricht, the OG of the dark web. Arrested in 2013, Ulbricht is currently serving two life sentences without parole for operating the Silk Road marketplace. His mistake? Using his real name on a programming forum long before launching the marketplace.

Another story is that of AlphaBay’s Alexandre Cazes, who was busted in 2017 after using his personal email on the marketplace’s receipts. Cazes’s story is also a tragic one, as he died under mysterious circumstances while in custody in Thailand.

Finally, there’s Paul Le Roux, a dark web operator-turned-cartel drug lord who made Walter White look like an amateur. Currently, Le Roux is cooperating with authorities after being sentenced to 25 years in prison.

Should these guys get life? The moral gray zone

But here’s where we might reach a moral gray zone. Should all of these guys be treated like literal cartel bosses and end up in jail for life? For instance, Ross Ulbricht’s defenders have argued that he didn’t sell drugs - he just created a platform. So, how fair is it to equate coding with drug selling?

You could even compare it to holding Mark Zuckerberg or Craig Newmark accountable for every illegal deal made on Facebook or Craigslist. They would both already be in prison by now, serving life without parole like the above dark web operators.

Furthermore, one of Incognito’s selling points was that purchasing drugs this way was safer than buying them on the streets, and there’s actual truth in this. There are no guns involved, no turf wars, no accidental fentanyl overdoses (well, maybe fewer). So, neither Lin nor Ulbricht was pulling triggers - they were pulling code.

Here at PlasBit, as a platform that champions responsible crypto use, we frequently emphasize the blurred lines between enabling technology and enabling crime. The real question is whether these marketplaces create societal problems or just reflect them.

Conclusion

All things considered, the story of how the FBI caught the Incognito Market owner isn’t just about a dramatic decline. It is a testament to our complicated and often ambiguous relationship with technology - as well as how simple lapses of judgment could lead to someone’s undoing, whether they be a pharaoh or a simple pyramid builder.

For responsible crypto users, platforms like PlasBit offer a safe and legal way to navigate this dynamic space. We believe in the potential of blockchain technology and strive to create an environment free from criminal activity.