
On 18th May 2024, Lin Rui-siang, AKA “Pharoah”, the alleged administrator of Incognito Market, was arrested at John F. Kennedy Airport. He appeared at Manhattan federal court later that day.

Lin was scheduled to travel to Singapore via New York when police arrested him there. The arrest was part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation.

If convicted, Lin faces:

  • A maximum penalty of five years in prison for conspiracy to sell adulterated and misbranded medication.
  • A mandatory minimum penalty of life in prison for engaging in a continuing criminal enterprise.
  • A maximum penalty of life in prison for narcotics conspiracy.
  • A maximum penalty of 20 years in prison for money laundering.

Lin’s choice to extort vendors and buyers was mentioned in the indictment:

The defendant’s greed and disregard for others was further demonstrated by his alleged extortion attempt during the platform’s final days.

Identifying Incognito’s Servers

Law enforcement executed search warrants on 20th July 2022 and 2nd August 2023 on several of Incognito’s servers. These servers hosted the DDoS protection frontend and data backend. Law enforcement didn’t specify how they located the servers.

Further search warrants were executed on 16th August 2022 and 5th January 2024 on additional servers. These servers hosted the cryptocurrency backend of the market.

While the 20th July 2022 search warrant was being executed, both servers were briefly taken offline. Law enforcement observed that Incognito went offline at the same time.

Based on a review of Incognito’s backend, law enforcement officers further observed that it was connected to another server, the cryptocurrency backend, via SSH tunnels. Law enforcement found transaction hashes matching several orders placed by other law enforcement officers.

In its more than three years of operation, Incognito transacted approximately $80 million in cryptocurrency, and by 2nd August 2023, Incognito had 255,519 users and 224,791 orders.

Incognito’s cryptocurrency statistics, as of January 2024, were:

 

The total revenue, as of 9th January 2024, was approximately $83,624,577, which yielded at least approximately $4,181,228 from its 5% commission. Incognito’s 2022 revenue was approximately $14.8 million. In 2023, it was approximately $65.5 million.

  • Bitcoin deposited was 1,316 BTC ($36,895,586).
  • Bitcoin withdrawn was 1,303 BTC ($36,431,574).
  • 265,375 Monero transactions consisting of 181,918 deposits and 83,457 withdrawals.
  • Monero deposited was 296,094 XMR ($46,728,991).
  • Monero withdrawn was 294,634 XMR ($46,482,976).

How Lin was Caught

Following the Money

As of January 2024, approximately 58 deposits were made from Incognito’s Bitcoin wallet to a separate wallet. Let’s call this wallet “Pharoahs-Wallet”.

The vast majority of Pharoahs-Wallet’s funds, approximately 123 BTC ($3,351,343), came from Incognito’s wallet. After receiving funds from Incognito’s wallet, Pharoahs-Wallet transferred them elsewhere. Specifically, from 25th March 2020 through 1st October 2023, Pharoahs-Wallet received approximately 77 deposits of Bitcoin, totaling approximately 126 BTC, and then transferred all of it to other wallets.

After reviewing the blockchain, law enforcement learned that Pharoahs-Wallet conducted at least four transactions with Namecheap. In particular, Pharoahs-Wallet paid for, or partially paid for, at least four domains:

  • A domain which provides real-time status updates for popular darknet marketplaces and services – darknetlive.com (assumption).
  • A domain which promoted a now defunct illegal darknet market.
  • A domain for a website associated with Incognito’s projects – incognite.com.
  • An additional particular domain – rs.me (assumption).

This article assumes “an additional particular domain” is rs.me, Lin’s personal blog.

Lin purchased rs.me on 25th March 2022, using a Namecheap account in his name. He used funds from both Pharoahs-Wallet and an account hosted by a cryptocurrency exchange. The total price of rs.me was approximately $20,000, the vast majority of which was paid from the exchange account, but Pharoahs-Wallet also transferred approximately $22.09 to Namecheap to complete the purchase.

Lin sent multiple transactions from Pharoahs-Wallet to a cryptocurrency swapping service. 30-60 minutes later, his personal cryptocurrency exchange account received similar amounts:

  • 26th July 2021 – 0.04 Bitcoin ($1,528)
  • 15th May 2022 – 1 Bitcoin ($29,745)
  • 17th May 2022 – 1 Bitcoin ($30,571)
  • 31st May 2022 – 2 Bitcoin ($63,432)
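
The timing-and-amount match described above can be written as a small correlation check. This is an added example, not code from the indictment or the original article: the send dates and BTC amounts follow the list above, while the clock times, deposit amounts, the 2% fee tolerance and the function names are constructed assumptions.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample data. Send dates and BTC amounts follow the list above;
# clock times, deposit amounts and the two decoy deposits are invented.
SENDS = [  # (time sent to the swapping service, BTC)
    (datetime(2021, 7, 26, 9, 10), Decimal("0.04")),
    (datetime(2022, 5, 15, 14, 0), Decimal("1")),
    (datetime(2022, 5, 17, 20, 30), Decimal("1")),
    (datetime(2022, 5, 31, 11, 45), Decimal("2")),
]
DEPOSITS = [  # (time credited to the exchange account, BTC after swap fees)
    (datetime(2021, 7, 26, 9, 52), Decimal("0.0396")),
    (datetime(2022, 5, 15, 14, 41), Decimal("0.9931")),
    (datetime(2022, 5, 16, 3, 5), Decimal("0.9950")),   # decoy: similar amount, 13 h later
    (datetime(2022, 5, 17, 21, 12), Decimal("0.9928")),
    (datetime(2022, 5, 31, 12, 20), Decimal("1.9871")),
    (datetime(2022, 5, 31, 12, 30), Decimal("0.5")),    # decoy: in the window, wrong amount
]

def correlate(sends, deposits, min_delay=timedelta(minutes=30),
              max_delay=timedelta(minutes=60), max_loss=Decimal("0.02")):
    """For each send, list deposits credited min_delay..max_delay later whose
    amount is no larger than the send and at most max_loss (fraction) smaller."""
    results = []
    for sent_at, sent_amt in sends:
        hits = []
        for dep_at, dep_amt in deposits:
            delay = dep_at - sent_at
            loss = (sent_amt - dep_amt) / sent_amt
            if min_delay <= delay <= max_delay and 0 <= loss <= max_loss:
                hits.append((dep_at, dep_amt, delay))
        results.append({"sent_at": sent_at, "amount": sent_amt, "candidates": hits})
    return results

def unambiguous(results):
    """Sends with exactly one candidate deposit: the strongest pairings."""
    return [r for r in results if len(r["candidates"]) == 1]

if __name__ == "__main__":
    for r in correlate(SENDS, DEPOSITS):
        for dep_at, dep_amt, delay in r["candidates"]:
            print(f"{r['sent_at']:%Y-%m-%d %H:%M} sent {r['amount']} BTC -> "
                  f"{dep_amt} BTC credited after {delay.seconds // 60} min")
```

Widening `max_delay` to 24 hours makes the 15th May send match two deposits, which is why a narrow, repeated window carries more evidential weight than any single pairing.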

Law enforcement also identified another cryptocurrency exchange account registered in Lin’s name. It received approximately $4.5 million of cryptocurrency. Lin’s employment history is not consistent with the large amount of assets in his cryptocurrency accounts, and Lin’s bank statement indicated that he had over $1 million in his accounts.

Lin also created Antinalysis, which was designed to defeat countermeasures against cryptocurrency money laundering.

Following the Searches

Lin made multiple Google searches which aligned with his work on Incognito:

  • “one pixel attack for fooling deep neural networks github”. The same day, he posted on Dread about one pixel attacks and linked to the GitHub page he visited earlier that day.
  • “provable fair calculator”, “slot game terminology” and several searches that were related to gambling. 13 days later, Incognito added new gambling features.
  • “three-way conversation”. The next day Incognito offered a redesigned dispute system with “per-order three-way chats”.
  • “cryptopunk generator js”, “array.reduce”, “get random in array” and “js random true false.” 20 days later, Incognito added “punk avatars – unique generated icons that represent you”.
  • On 19th July 2022 the FBI imaged one of Incognito’s servers. To execute that search warrant, the FBI took Incognito’s server offline at approximately 23:30 UTC. One hour later, Lin searched for “pm2 crashed”, “view pm2 daemon logs”, “pm2 daemon logs” and “pm2 changelog”. PM2 is process manager software which helps its users manage and maintain applications online.
