Even in this new age of darknet crime, the old adage rings true – there is no honor among thieves. And you’d be hard-pressed to find anything that exemplifies the pitfalls of crime more than the story of Rui-Siang Lin’s infamous Incognito market blackmail in which he threatened to leak his vendor's and user’s data to law enforcements by the end of May 2024, including 557k orders and 862k crypto transaction IDs, and supposedly “encrypted” or even “deleted” private chats if vendors wouldn’t pay a ransom of $100 to $20,000, even publishing a list of who hasn’t yet paid the blackmail fee, showing the site’s users “which vendors care about their customers.” This extortion attempt came after an exit scam in which Rui-Siang Lin locked users’ wallets, preventing them from withdrawing Bitcoin and Monero.
There’s a lot to unpack here, so strap in for a PlasBit-level deep dive into the world of Incognito Market, the mind behind it, and its dramatic downfall.
Incognito Market: A Case Study in Innovation and Infamy
The dark web has long been a hub for underground marketplaces, but few have managed to leave as notable a mark as Incognito Market. Launched in October 2020, the platform rose to prominence after filling the void left by the shutdown of competing marketplaces. Its creator, Rui-Siang Lin, combined technological innovation with calculated strategy to build a marketplace that, for a time, stood at the forefront of the illicit darknet industry.
Upon accessing the platform through the Tor browser, users were greeted by a sleek splash page designed to inspire trust and professionalism. Everything about the platform seemed to imply it’s a serious long-term venture. Of course, time would soon prove otherwise.
Brief Timeline of Events
- October 2020: Incognito Market makes its debut, turning some heads with its unique focus on security and customer service. Though the platform had a small loyal cohort of users, it was still overshadowed by more trusted competitors.
- April 2022: The shutdown of Hydra Market, a major player, sends a flood of displaced vendors and buyers scrambling for a new home. Incognito capitalizes on the chaos, and ends up capturing a hefty chunk of Hydra’s market share.
- June 2023: Business is officially booming. With transaction volumes hitting $5 million a month, Incognito Market became widely seen as a juggernaut, and pronounced “the next Silk Road” by the wider DNM community.
- March 2024: Panic sweeps through the darknet community as vendors are unable to withdraw funds. Days later, the Incognito market blackmail announcement is posted on the home page.
- May 2024: Rui-Siang Lin, the man behind the mask, is arrested at JFK Airport. His carefully crafted double life as a cybersecurity expert by day and darknet kingpin by night comes crashing down, exposing the full scope of his operation.
From Concept to Operation: Rui-Siang Lin’s Singular Vision
Rui-Siang Lin, alias "Pharoah," was the mastermind behind the Incognito Market and a career specialist in both cryptocurrency and cybersecurity. This Taiwanese-based digital prodigy built a platform with laser-like focus on user privacy through his deep knowledge in cryptographic systems. Such was facilitated, at least partially, by integrating auto-PGP encryption so that all communications would be secure by default.
Incognito wouldn't let new users shop until they could prove they knew how to handle encryption tools to keep things secure. In so doing, they built a security-savvy community that was less vulnerable to leaks from the outside world. Additionally, using privacy coins like Monero further cloaked transactions.
Behind the scenes, it ran with incredible precision: Lin and his team oversaw a system that moved millions in transactions while keeping tabs on vendor activity and disputes. Obviously, members of the team played a part in keeping everything running, but at every turn in his underground empire, Lin called the final shots.
What Was Sold on Incognito Market?
Though it’s true that Incognito Market predominantly dealt in narcotics, the full menu included digital goods and fake prescriptions meds. The hottest sellers included heroin, cocaine, methamphetamines, LSD, MDMA, and fentanyl-laced pills disguised as oxycodone. And since it served a global customer base, Incognito Market became a hotbed for cross-border contraband. By mid-2023, the platform was moving hundreds of kilograms of drugs each month, generating over $100 million in transactions.
Counterfeit pharmaceuticals were especially dangerous, since lab testing revealed that many held contaminated or highly powerful active ingredients. In one increasingly well-documented anecdote, during an undercover operation in November 2023, investigators bought pills sold as the brand-name prescription oxycodone. Lab testing showed the tablets actually contained fentanyl, a synthetic opioid infamous for causing millions of overdoses worldwide.
Features and Fee Structure
Incognito Market’s success was also tied to its sophisticated features and competitive fee structure. Opening a booth at the drug bazar meant a 5% commission on all transactions for all vendors, with an additional lump-sum security deposit required at sign-up. These fees funded both the operational costs and Lin’s personal profits.
The Mastermind of Incognito Market Blackmail
Rui-Siang Lin's path into the world of cybercrime is one of paradox. Born around 2000 in Taiwan, Lin proved to be a rare talent early in life. Lin attended the prestigious National Taiwan University to obtain his degree in information management, perfecting his technical prowess with a major in cybersecurity and information systems. This would lay the bedrock on which Lin would develop a profound understanding of cryptographic systems, blockchain technologies, and digital anonymity-skills that later defined his double life.
The opportunity to go legitimate was a curious one for Lin. In Taiwan, all young men are required to do some kind of military service unless, like Lin, they can find other ways to serve their country. He taught a cybercrime task force in Saint Lucia where he worked with the local police to train officers to go after cybercriminals. In the process, his effort helped trace cryptocurrency transactions by law enforcement and formed an understanding of digital criminal behavior. It would appear that Lin was, on the surface at least, a rising star in the field of cybersecurity, using his knowledge to battle crime.
Lin's technical repertoire didn't stop at the marketplace. He produced "Antinalysis," a tool by which crypto users could scan their blockchain transactions for any connections to illicit activity, which basically means enabling them to check whether their crypto funds are "clean". The irony of his dual roles – training law enforcement on crypto tracing while enabling the criminals to evade its detection – wasn't lost on the people who later discovered his activities.
When it came to crime, Rui-Siang Lin adopted the attitude of an Silicon Valley executive
Lin treated Incognito as any other e-commerce enterprise, taking the corporate method of retail in the criminal world to the fullest. He made sure the spotlight was on things like:
- World-Class Customer Service: The only platform that was as responsive and reliable as a legitimate e-commerce site was Incognito.
- User Experience: Lin wanted to emphasize the seamless and secured environment he created for shoppers.
- Strategic Marketing: Utilizing forums and dark web channels to promote the platform.
- Data Analytics: Monitoring user behavior to optimize the marketplace.
- Market Dominance: A full-fledged marketing campaign was executed by Lin’s team on forums and dark web channels.
As the leader and architect of Incognito Market, Lin maintained ultimate decision-making authority over every aspect of its operations. And, to be fair, under his leadership, Incognito Market didn't just function; it thrived for over three years.
The Exit
Dark net markets have never been known for high life expectancies. Some are shut down by law enforcement and a rare few retire with grace, but most DNMs end up doing an exit scam sooner or later.
DNMs typically have some sort of an escrow system where buyers hand over funds to a third party, which releases them to the sellers once the trade is complete. For obvious reasons, this means vendors can withdraw their crypto only after it spends days in escrow. In a run-of-the-mill exit scam, marketplace operators seize these escrowed funds—along with any vendor deposits—before disappearing, leaving users and vendors unable to recover their money.
- “Hacking” of Silk Road 2.0
After the FBI took down the original Silk Road in 2013, its successor, Silk Road 2.0, quickly rose to fill the void, promising to carry on its legacy. But by February 2014, the platform’s administrator, "Defcon," claimed it had been hacked, with 4,400 Bitcoin—worth about $2.7 million at the time—stolen. The explanation didn’t sit well with the community, as no proof of the hack ever surfaced. Before long, it became clear: this wasn’t a cyberattack but an exit scam. - Evolution Market Scam
By 2015, Evolution had built a solid reputation as a well-organized and trusted darknet market. Buyers and vendors alike relied on its stability—until March of that year, when it vanished without warning. Administrators "Kimble" and "Verto" disappeared along with an estimated $12 million in Bitcoin. Unlike other scams that hid behind claims of hacks, Evolution’s exit was bold and unapologetic, leaving its users stunned.
3. Dread's Sudden Exit
Dread, often called the darknet’s Reddit, wasn’t just a marketplace but a community hub. So when it went offline in 2020 with no explanation, the word on the virtual streets ranged from a police sting to a hack. After the dust settled, it became apparent that it was an exit scam, and it was the admins who pocketed the platform’s funds. The fallout drove Dread’s hoards of users straight to Incognito Market, which tripled in size within a month or so.
Incognito's Not-So-Silent Exit
In early March 2024, users found Incognito Market inaccessible. Administrators ceased all communications, and panic began to spread.
Days later, while the strongest supporters of “Pharoah” were still defending him on Tor message boards, he made his final move:
The message sent shockwaves through the community. It showed that the platform, which had assured users of privacy and encrypted communications, had secretly been logging it all in one place: private messages, transaction IDs, and even details of specific orders. Pharoah’s taunting tone and the explicit admission of extortion—"YES, THIS IS AN EXTORTION!!!"—underscored his lack of remorse. The man believed to be some champion of privacy rights, attracting legions of loyal supporters, has cynically stabbed them in the back.
The betrayal was massive: the admins claimed to have data from 557,000 orders and 862,000 cryptocurrency transactions. They threatened to release it all unless users paid up. Ransom demands ranged from $200 for small-time buyers to as much as $20,000 for high-volume vendors.
And to encourage compliance, the admins added a darkly manipulative twist: they published a list of users who hadn’t yet paid, effectively shaming them into action. This fueled panic among the market’s vendors and buyers, creating a toxic cocktail of fear, anger, and desperation.
After the dust settled, some vendors discussed their experience on darknet forums, with most reporting extreme psychological stress (in addition to the financial kind).
- "SilentRunner": A high-volume cocaine vendor threatened with exposure of 12,000 transaction records unless they paid $20,000 in untraceable Monero. Initially refusing, they ultimately paid $15,000 for peace of mind.
- "GreenRx": A small-scale vendor specializing in counterfeit Xanax received an extortion demand of $1,000. GreenRx’s attempts to warn others were stifled, possibly due to pressure from Lin's associates.
- Anonymous Ketamine Vendor: Publicly admitted to paying $10,000 after receiving snippets of incriminating transaction data.
In order to increase the psychological pressure and induce panic, Lin went on to post a list of users who were “at risk”, alongside those who already paid. This left thousands of former users paranoid, waiting for their lives to be uprooted at any given moment.
At PlasBit, we believe crypto’s path to success lies in its mainstream adaptation, and that effort is often stifled by crime-related developments. We want the crypto ecosystem to grow and eventually replace centralized currencies, which is why we don’t support so-called privacy activists who are only in it for ill-gotten profits. That said, even we couldn’t help but feel bad for the hundreds of Incognito criminals who were bound to be spiraling into full-on existential panic.
So when Lin withdrew his blackmail threats, it was widely seen as welcome news. Rumor has it that another infamous DNM figure and Incognito vendor who had knowledge of Pharoah’s identity gave him an ultimatum, saying what Lin was doing is beyond the pale, even by criminal standards.
The Arrest of Rui-Siang Lin
Rui-Siang Lin, the mastermind behind Incognito Market, was arrested after years of painstaking investigation. Using advanced blockchain analysis, surveillance, and international collaboration, law enforcement slowly dismantled the veil of anonymity he had so carefully constructed.
Follow the Blockchain
The key to dismantling Incognito Market lay in its financial backbone—cryptocurrency. Law enforcement agencies began their investigation by tracing transactions conducted on the platform. While Lin’s marketplace primarily accepted Monero, a privacy-centric cryptocurrency, many initial transactions occurred in Bitcoin. Bitcoin’s transparent blockchain, though pseudonymous, allowed investigators to follow money trails.
One pivotal mistake Lin made was paying for a domain associated with the marketplace using Bitcoin tied to his personal wallet. By examining the blockchain, investigators were able to link this wallet to domains registered under Lin’s real name. Ironically enough, advanced analytics tools based on Lin’s own Chainalysis were likely deployed to narrow the suspect pool.
Operational Security Lapses
Lin's op-sec was sophisticated but also contained critical gaps. For instance, he never bothered to fully obscure his identity when setting up services tied to Incognito Market. Despite his background, Lin got overly confident and ended up using his personal email address to set up accounts linked to marketplace infrastructure. After a rookie mistake like that, it’s no wonder that investigators were able to find his administrative credentials from IP addresses traceable to Taiwan.
Furthermore, Lin tried to convert Bitcoin into Monero to further mask his financial transactions. While Monero transactions are nearly impossible to trace, the conversion process involved Bitcoin, which exposed additional data points, such as timestamps and amounts. These details were cross-referenced with known exchange accounts, one of which was registered under Lin’s real name.
The Deep Cover Ops
Undercover agents were critical in providing the evidence. They would go undercover, pretending to be buyers on Incognito Market, and would buy narcotics from the largest dealers. These controlled buys gave the police hard evidence of illegal activities being conducted on the platform. Every transaction was documented, and the packages traced back to where they shipped from, giving insight into logistics around the supply chain of the marketplace.
One of those purchases-a batch of oxycodone pills-was sent to a lab and came back laced with fentanyl. That sealed the case against Lin, linking the platform directly to the distribution of deadly counterfeit drugs.
Seizing the Servers: The Digital Takedown
The authorities’ big break came when they found and seized physical servers hosting internal communications, transaction info, and some sellers’ personal details. This digital evidence painted a clear picture of Lin’s role in the marketplace’s operation. It also provided critical leads for tracking other high-profile vendors and accomplices operating on the platform.
Lin’s arrest wouldn’t even be possible without teamwork between task forces belonging to multiple countries and agencies. The FBI, DEA, and Homeland Security Investigations worked alongside international partners to monitor Lin’s movements and financial activities. When Lin planned to travel to New York in May 2024, authorities were ready. Upon his arrival at JFK Airport, he was apprehended and charged with operating one of the largest dark web marketplaces in history.
Lin’s Charges
In most cases, the outcome of a court proceeding can be difficult to predict. But you don’t have to be a legal expert to see that Lin is probably going to spent the rest of his life behind bars. His charges include:
- Engaging in a Continuing Criminal Enterprise
This charge targets individuals who organize or manage large-scale drug operations involving five or more participants. If convicted, Lin faces a mandatory life sentence due to the scale and scope of Incognito Market’s activities. - Narcotics Conspiracy
Lin is accused of conspiring to distribute controlled substances, including heroin, cocaine, methamphetamines, and fentanyl. Depending on the amounts proven, this charge can result in a life sentence. - Conspiracy to Distribute Adulterated and Misbranded Drugs
This charge alleges Lin facilitated the sale of counterfeit prescription medications, including pills marketed as oxycodone but containing fentanyl. A conviction carries a maximum sentence of five years in prison. - Money Laundering Conspiracy
Lin is charged with laundering proceeds from illegal drug sales using cryptocurrencies such as Bitcoin and Monero to conceal their origins. This offense is punishable by up to 20 years in prison.
The Future of The Dark Web Economy
This betrayal of user anonymity—a cornerstone of darknet markets—sent shockwaves through the underground economy. However, the dark web has proven resilient to such breaches before. The truth is that this isn’t the first time blackmail has been weaponized in the shadows of the internet, and it’s unlikely to be the last.
AlphaBay (2017)
Before its takedown by law enforcement, AlphaBay had internal problems of its own where a moderator attempted to extort vendors by threatening to expose their DMs. That scheme was foiled, but it could show weaknesses even within the largest marketplaces.
Silk Road 2.0 (2014)
Following the shutdown of the original Silk Road, Silk Road 2.0 came to life but shortly thereafter had its own set of internal corruption. In 2014, one of its staff, known as "Defcon," was accused of blackmailing vendors by threatening to release their personal information unless a payoff was made.
Dark Overlord (2019)
In 2019, a darknet user operating under the alias "Dark Overlord" threatened to release sensitive legal documents related to the 9/11 terrorist attacks unless a ransom was paid in cryptocurrency. "Dark Overlord" distributed his threats and released documents via darknet forums and platforms. They posted demands through anonymous darknet channels and also employed encrypted methods of communication for both issuing their demands and showcasing portions of the stolen data.
The cautionary tale of Rui-Siang Lin’s Incognito Market blackmail shows how greed and laziness can unravel even the most calculated schemes. Lin's double life as a cybersecurity expert by day and darknet kingpin by night sounds like the plot of a movie, but the fallout was all too real. The dark web runs on fragile trust, and when that trust is broken, it's usually game over
