The Rise and Fall of Rui Siang Lin and the Incognito Market


This article is about Rui Siang Lin, also known as “Pharaoh”, a 23-year-old Taiwanese national who operated a dark web marketplace called “Incognito Market”. The market had proceeds of more than $100 million and was shut down in March 2024 in an infamous exit scam, in which Lin stole all the funds held in the users' escrow wallets and threatened to publish the vendors' personal details and private messages unless they paid up to $20,000 each.

Incognito Market

According to the investigation conducted by several US law enforcement agencies (FBI, DEA, Homeland Security, NYPD, and others), Rui-Siang Lin’s Incognito Market opened in October 2020 and was closed in March 2024. It was an online bazaar on the dark web that sold narcotics, including hundreds of kilograms of cocaine and methamphetamines. Anyone with internet access could sell goods and services globally to anyone else with internet access; the platform could be accessed using the Tor web browser. Lin operated the market under the online pseudonym Pharoah or Faro.

It was an e-commerce platform like many others with employees, vendors, and customers. They even had a customer service number. Incognito aimed to facilitate seamless narcotics transactions across the internet and the world with features like branding and advertising.

How Incognito Market worked

Users who accessed the platform would find a splash page and a graphic interface.


Once they had entered a unique username and password, users could search several listings for narcotics of their choice. Incognito Market sold illegal drugs and misbranded prescription medication, including heroin, cocaine, LSD, MDMA, oxycodone, methamphetamines, ketamine, and alprazolam. The site had a vetting process for vendors. Once they had registered on the website and acquired a user ID and password, they were asked to prepare a ‘job application’ consisting of references from other marketplaces and details of their activities and send it to Incognito using a PGP message (PGP stands for Pretty Good Privacy, an unbreakable encryption system). They were also asked to pay a bond of $1,500 in Bitcoin or Monero. The Incognito Admin would vet their application and inform them whether they were accepted.

Customers could rate vendors, and those ratings were published in the marketplace, including regular leaderboards of top vendors for each item sold. Incognito was constantly monitoring its vendors and providing excellent customer service. Fraudulent vendors were banned, and the money deposited in the Bank (see more information below) would be distributed among defrauded customers.


Listings included offerings of prescription medication that was advertised as being authentic but was not. For example, in November 2023, an undercover law enforcement agent received several tablets that purported to be oxycodone, which were purchased on Incognito Market. Testing on those tablets revealed that they were not authentic oxycodone at all and were, in fact, fentanyl pills.

As Pharoah, Lin supervised all its operations, including its employees, vendors and customers, and had ultimate decision-making authority over every aspect of the multimillion-dollar operation. Each listing on Incognito Market was sold by a particular vendor. To facilitate these financial transactions, Incognito Market had its own “bank,” which allowed its users to deposit cryptocurrency on the site into their own accounts.


Buyers and sellers could stay anonymous because once a narcotics transaction was completed, cryptocurrency from the buyer’s account was transferred to the seller’s account, minus the 5% fee that Incognito collected. Lin collected millions of dollars in profits. The fees funded operations, including salaries and computer servers.

Incognito becomes the largest marketplace in the dark web

In April 2022, law enforcement agencies closed Hydra, the largest marketplace in the dark net. A lot of Hydra customers and vendors moved to Incognito. Between April 2022 and June 2022, the total monthly transaction fees earned by Incognito shot up from $750,000 to $2,000,000, equaling a monthly transaction turnover of $400,000,000.

“For nearly four years, Rui-Siang Lin allegedly operated Incognito Market, one of the largest online platforms for narcotics sales, conducting $100 million in illicit narcotics transactions and reaping millions of dollars in personal profits,” said FBI New York Assistant Director in Charge James Smith. “Under the promise of anonymity, Lin’s alleged operation offered the purchase of lethal drugs and fraudulent prescription medication on a global scale.”


Rui-Siang Lin’s downfall: the hack, the extortion, and the arrest

In October 2023, a team of hackers came together to plan their next heist. One of their members stumbled upon what seemed like an easy target: a 23-year-old Taiwanese crypto developer named Rui-Siang Lin. They identified his Twitter account, where he frequently posted about the general state of crypto and shared his trades, showing off big P&L numbers, bragging about being a level three VIP on Binance, and continuously revealing his new NFTs. Based on the information he shared on Twitter, the hackers decided that attempting to hack him would be worthwhile. They created an entire business around a project called XA, a meeting software similar to Zoom that could translate the speech of each participant in real time. It was a ploy to get their victims to download the app onto their computers; once downloaded, the app would infect the victim’s system and drain every crypto-related account.

The Hack

They had to find the perfect excuse to entice Rui-Siang Lin to download the app. To get him to talk to them, they stole the credentials of an employee of Fabric VC, a well-known crypto VC fund, and reached out to Lin, telling him that they wanted to invest in one of his projects. They then set up a meeting with Lin on February 8th, 2024; at that time, Lin was working for the Taiwanese Foreign Ministry and was based in St. Croix. Lin began communicating with what he thought was a team of investors from Fabric VC; however, citing a supposed language barrier, they requested that he download a special real-time translation meetings app called XA. Lin downloaded the app, and the alleged Fabric VC team almost immediately ceased to communicate with him. That was when Lin realized all his crypto accounts had been emptied, including a set of Bored Ape NFTs. Nobody can confirm it, but it is likely that the hackers stole a large sum of his illegal profits from Incognito. The hackers did not know that their actions would lead to the most significant move in the history of the dark web.

The extortion

A few days after the hackers stole Lin’s money, a vendor tried to withdraw his money from Incognito’s Bank, but nothing arrived. Many complained about withdrawals not going through and fake transaction logs generated by Incognito. The site started acting weirdly, and rumors of an exit scam began to spread.

An exit scam happens when a marketplace admin steals all the money in a marketplace bank and disappears, leaving everyone else wondering what happened. Incognito had built a massive customer base of over 250,000 buyers and over 1,000 vendors; if they were playing the exit scam ‘card’, they would likely run off with at least five to ten million of their community’s money.

Pharaoh (Lin’s handle in the Dread Forum, a forum in the dark web) countered the rumors by stating that they were working on the issue and insisted they were not scamming; days later, the creator of the Dread Forum, HugBunter, published a post claiming that Incognito had indeed exit scammed and advised people not to deposit any more money into their Bank.

On March 10th, Lin, using the username StayingInnovative, confirmed the exit scam and hinted at one final surprise from Incognito. The site displayed the following message:

[Image: the notice displayed on the site]

Allegedly, Lin had stolen millions of dollars worth of customers’ BTC and XMR. On top of that, he demanded fees varying from $100 to $20,000 not to publish information about their transactions. Some Incognito users paid the fee to have their data removed (the FBI was probably watching all of this unfold).


HugBunter wrote a post in the forum complaining about Incognito’s extortion. Eventually, HugBunter and Lin had a private conversation, and Lin withdrew the threat to release details. It turned out that HugBunter knew Lin’s true identity.

What nobody knew at the time was that Incognito’s threats were useless: the FBI had raided its servers in 2022, so the unencrypted data were already known to law enforcement.

The investigation and the arrest

Rui-Siang Lin, 23, of Taiwan, is charged with one count of engaging in a continuing criminal enterprise, which carries a mandatory minimum sentence of life in prison; one count of narcotics conspiracy, which carries a mandatory minimum sentence of 10 years in prison and a maximum potential sentence of life in prison; one count of money laundering, which carries a maximum possible sentence of 20 years in prison; and one count of conspiracy to sell adulterated and misbranded medication, which carries a maximum potential sentence of five years in prison. [Quoted from a US DOJ website]

The way the FBI managed to obtain enough evidence to associate Rui-Siang Lin with Incognito Market is very interesting and proves that anonymity is only as strong as its weakest link.

1) The FBI traced at least four transfers showing Lin’s crypto wallet sending Incognito Market-derived BTC to a “swapping service” to exchange it for XMR.

2) Then, the XMR was deposited into a crypto exchange account the FBI claimed was Lin’s.

3) The exchange provided the FBI with Lin’s Taiwanese driver’s license, which was used to open the account, and an email address and phone number associated with the account.

The FBI also claimed it tied the email and phone number to a Namecheap account, which used funds from Lin’s alleged crypto wallet and account to buy a domain for a site that promoted Incognito Market. According to the FBI, the account grew from around $63,000 in 2021 to nearly $4.2 million during 2023, and $4.5 million was deposited in a second unnamed exchange account between July and November 2023.

They could not extradite Lin because of his ties with the Taiwanese government. However, when Lin booked a flight to go home to Taiwan with a connection in New York, the FBI could arrest him on US soil at Kennedy Airport. (In the US, international connections must clear passport control and enter US soil before leaving the US again on the connecting flight.)

The Silk Road: The First Darknet Marketplace

Ross William Ulbricht founded the Silk Road digital black market platform in October 2011; it is considered the first darknet marketplace hosting illegal drug transactions and money laundering activities using Bitcoin. The FBI shut it down in 2013.

How did it work?

Silk Road was a trading platform using data anonymization technology and a feedback system. Users were able to transact drugs, hacked passwords, illegal data, and other illicit trades. The platform used the feedback received by buyers to ban fraudulent sellers, promoting trust in the platform and rewarding ‘reputable’ sellers. Bitcoin was the only currency that could be used to pay for transactions.

The site was accessible only through a network known as Tor, which obscures users’ addresses so they appear hidden from unwanted parties looking to monitor the users’ transactions and activities. Silk Road, Tor, and cryptocurrency were the ultimate privacy toolkits for illegal operations.

Some examples of what was sold on the Silk Road website:

  • Illegal drugs
  • Controlled prescription drugs
  • Books
  • Digital goods such as malware, hacked online accounts, and pirated media
  • Erotica and pornography
  • Forged driver’s licenses and passports
  • Services such as computer hacking or cyberstalking
  • Performance enhancing drugs
  • Weapons

How did the FBI shut it down?

Every Bitcoin transaction is recorded on a public ledger, which legal and regulatory bodies can investigate.

On October 11th, 2011, Ulbricht accidentally shared his Gmail account while posting as “altoid” on a forum; the FBI was already following that pseudonym after a report published a few months earlier drew the attention of politicians to the Silk Road.

Ulbricht made other self-incriminating mistakes, such as alluding to Silk Road on his LinkedIn profile and using his actual photograph for Silk Road server rental; the FBI eventually tracked him to an internet cafe in San Francisco, where he logged in as Dread Pirate Roberts. On October 1st, 2013, a couple started bickering in San Francisco’s Glen Park Library. They caught the attention of the nearby Ulbricht, who turned his head from the laptop he was working on. It was a trap. At that moment, FBI agents swooped in from behind bookshelves and grabbed Ulbricht’s laptop before he could log out and lock away his 144,000 BTC, the proof he was Dread Pirate Roberts.

Ulbricht received a double life sentence plus 40 years with no possibility of parole, but he was not the only person behind Silk Road. Richard Bates was Ulbricht’s head programmer, and Roger Thomas Clark, aka “Mongoose” or “Variety Jones,” acted as Ulbricht’s mentor. Both were apprehended. To escape prosecution, Bates testified against Ulbricht in 2015, while Clark was sentenced to 20 years in prison in 2023.

Precursors to the Silk Road

Before available technology allowed the creation of platforms like the Silk Road, there were other examples of ‘marketplaces’ to sell or trade information about illegal substances or other illicit activities.

In the early 1970s, Stanford University and MIT students used ARPANET to coordinate the purchase of cannabis. (The Advanced Research Projects Agency Network, or ARPANET, was the first wide-area packet-switched network with distributed control and one of the first computer networks to implement the TCP/IP protocol suite. It is considered one of the precursors of the internet.) Newsgroups like alt.drugs became the online centers of drug discussions and information by the end of the 1980s, but deals were arranged off-site between individuals. Drug forums moved to the internet in the 1990s; for instance, ‘The Hive’ launched in 1997 as an information-sharing forum. In the early 2000s, Operation Web Tryp shut down many websites and made several arrests. In 2000, some Eastern European “Cyber-arms Bazaar” started operating, trafficking crimeware and hacking tools. Later, some early cybercrime forums experimented with selling drugs on a limited scale.

Before cryptocurrencies, payments were the weakest link to maintain anonymous operations; for instance, the Farmer’s Market, a sort of proto-Silk Road, used payment services such as PayPal and Western Union. The lack of anonymity allowed law enforcement agencies to make several arrests when the site was closed in 2012.

Silk Road successors

Law enforcement agencies have learned to infiltrate and monitor the dark web; therefore, it has become easier for them to shut down illegal e-commerce platforms. However, Incognito lasted over three years, while Silk Road survived only about a year and a half.

The following replacements for Silk Road have all gone the same way as the original dark web marketplace.

Silk Road 2.0

Blake Benthall, AKA “Defcon,” tried to resurrect Silk Road by copying it almost exactly.

Silk Road 2.0 had over 13,000 listings for many original Silk Road categories. The FBI and Europol shut it down after about a year of activity.

Silk Road 3 Reloaded

After Silk Road 2.0 shut down, a “new” Silk Road website was advertised as Silk Road 3.0, or “Silk Road 3 Reloaded.” But it was simply a rebranding of a pre-existing dark web marketplace called Diabolus Market trying to take advantage of the Silk Road’s notoriety.

Agora

Agora ran from 2013 to 2015, avoiding the crackdown that saw the demise of Silk Road 2.0 and other dark web marketplaces. Agora was unaffected by Operation Onymous, the November 2014 seizure of several darknet websites (including Silk Road 2.0). It became the largest darknet market until, in August 2015, Agora’s admin released a digitally signed message announcing a pause of operations to protect the site against potential attacks that might be used to deanonymize server locations. In other words, Agora’s management, not law enforcement agencies, shut it down.

Dream Market

Dream Market was founded in late 2013 and officially shut down on April 30th, 2019. A prolific Dream Market vendor was arrested in August 2017 with $500,000 in cryptocurrency on his laptop. The dark web marketplace allegedly amassed up to $168 million in annual revenue.

Hydra

Russian darknet site Hydra became the world’s largest and longest-running darknet marketplace. Hydra amassed 17 million users and $5 billion in revenue over 8 years before being shut down by German authorities in 2022. Hydra was also notorious for facilitating the only documented case of a dark web contract killing.

AlphaBay

AlphaBay ran from 2014 to 2017, with over 400,000 users and 300,00 items listed when it was shut down in 2017. AlphaBay was one of the first darknet markets to accept cryptocurrencies other than Bitcoin, such as Monero and Ethereum. AlphaBay and Hansa were shut down in Operation Bayonet. It returned briefly in 2021, but it soon disappeared again.

Other dark web marketplaces

The darknet has several other marketplaces in existence at any given time. They pop up and disappear quickly, often with cryptocurrency and data that belong to their users (known as ‘exit scams’). Abacus Market, Russian Market, FreshTools, BriansClub, Torzon Market, Cybermarketplace, Archetyp, ASAP Market, and Bohemia are the closest marketplaces to the Silk Road. Still, they may be gone by the time you read this, and others may become active.

Other, more limited, markets exist on the dark web to trade sensitive data that cybercriminals can use to commit fraud. That’s why it’s a good idea to use services that regularly scan the dark web for any compromised information that could be used to steal your identity.

Why do you need to be aware of darknet marketplaces

The dark web is the internet equivalent of the proverbial dark alley: a place where illegal transactions take place and where both providers and customers of illegal products or services meet. What happened in the last days of Rui-Siang Lin’s Incognito Market, or even Ulbricht’s Silk Road, shows the importance of protecting your personal data and anonymity.

Even if you have no intention of transacting anything illicit on the dark web, you need to know that these platforms exist. They are the place where your personal data could be traded to commit fraud, steal your identity, or carry out other illegal activities that may damage you. While it is annoying if your email is sold to mailing companies, your emails sold on the darknet may be used for something more serious than sending you unwanted emails.

An easy-to-implement tactic to protect your data is to use ‘transit accounts,’ such as a virtual card, to pay for web purchases and protect your banking and credit card details. Reloadable virtual cards are safer because losing the balance you keep on the card is the worst that can happen; your bank accounts and other credit cards are safe from any data leaks.