Molytov's Cocktail Lounge

Alleged Incognito Market Administrator Arrested

My previous post on Incognito Market covered how its administrator came back after exit scamming to attempt to extort vendors who operated on the market.

While just over 400 vendors in total had supposedly paid the ransom to hopefully not have information about their transactions and messages with customers leaked, it appears the alleged former operator of the marketplace may not get a chance to spend any of the money.

The United States Department of Justice published a press release [1] today announcing the arrest of 23-year-old Rui-Siang Lin at JFK Airport in New York City. The criminal indictment [2] charges Lin with four counts: continuing criminal enterprise, narcotics conspiracy, money laundering, and conspiracy to sell adulterated and misbranded medication.

If convicted, Lin faces a mandatory minimum penalty of life in prison for engaging in a continuing criminal enterprise; a maximum penalty of life in prison for narcotics conspiracy; a maximum penalty of 20 years in prison for money laundering; and a maximum penalty of five years in prison for conspiracy to sell adulterated and misbranded medication. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. - Justice.gov

Total Opsec Failure

Rui-Siang Lin's criminal complaint details the many operational security mistakes that helped authorities track down and identify him. As in other notable darknet market busts such as AlphaBay, Kingdom Market and Monopoly Market, the major mistakes that lead to arrest tend to involve poor handling and laundering of illegally-obtained funds and associating darknet activity with one's real-world identity.

The criminal complaint [3] lists multiple facts that allowed authorities to identify the alleged market administrator. These are the ones I felt were most interesting to talk about.

Bitcoin Transaction Timed With Online Blabbering

On May 23 2023, Pharoah posted on Dread that he "got fucked by [a swapping service]." He stated that he had sent 1 BTC to the coin swapping service approximately one hour prior to the post, after which the service blocked the transaction due to potential illegal activity associated with the coins and asked him to provide proof of funds. This information allowed authorities to correlate the timing of Pharoah's complaint and the amount he said he had transferred against Bitcoin's public transaction history, eventually providing a strong link between Pharoah's blockchain activity and Lin's real-world identity. Sometimes, it's better to just keep your mouth shut.

Lack Of Identity Compartmentalization

A Bitcoin wallet associated with the darknet market and the previously-mentioned attempt to swap coins was used to buy a domain from Namecheap as well as to register with a KYC crypto exchange, both of which allegedly had Lin's personal information: his full name, a personal email address that contained his real name, and a Taiwanese address and phone number, plus a Taiwanese driver's license in the case of the crypto exchange.

Rui-Siang Lin's Photo ID

The personal email address that Lin used to register with Namecheap and the KYC exchange was also used on GitHub, which is associated with his personal website and other online accounts on Twitter, Medium and OpenSea.

Authorities also identified a YouTube video of a presentation Lin participated in to discuss his "PoW Shield" DDoS protection project, suggesting a link between him and Incognito's DDoS protection scheme. As the complaint put it, "[Incognito] has trumpeted its ability to deflect DDoS attacks." I recall seeing how the market would assign session and auth cookies when you visited it, which is similar to how the PoW Shield project seems to function.
One particular Google search associated with Lin was for "cryptopunk generator js." Incognito Market included a feature that would generate a 'Cryptopunk NFT'-type profile picture for users when they registered or reached the account level required to regenerate one.

Shortly after authorities staged a server failure on July 20 2022, Lin's Google account recorded searches related to the pm2 process manager such as "pm2 crashed," "view pm2 daemon logs," "pm2 daemon logs," and "pm2 changelog," indicating that he was trying to troubleshoot the server outage.

On March 12 2020, Lin's personal email account contained an email sent to itself of this diagram, which appears to depict plans for the general workflow and operation of a darknet marketplace.

A diagram depicting the workflow of a darknet marketplace

On October 4 2023, Lin applied for a US work visa stating he was "research[ing] and develop[ing] blockchain applications and backend," further suggesting his proficiency in blockchain technologies.

All this information supported the idea that Lin not only had the technical knowledge required to operate a cryptocoin-based service such as a darknet marketplace, but also behaved and reacted in ways that heavily suggested involvement with Pharoah's activities when running Incognito Market. Rui-Siang Lin's public online presence and alleged failure to properly isolate his real-world identity from the Pharoah identity that operated Incognito Market may result in his spending the rest of his life behind bars.

Schadenfreude

It turns out exit scamming and then attempting to threaten vendors and customers doesn't make people like you very much, so it's no surprise that users on Dread have been having a good laugh at Rui-Siang Lin's arrest. For an allegedly wealthy and successful market administrator who was heavily invested in the crypto space, Lin seemed to have zero understanding of, or regard for, how easy it is to trace Bitcoin transactions and the dangers of using a KYC crypto exchange to exchange and transact with illegally-obtained coins.

This is yet another case of a prolific criminal's finances and poor compartmentalization being their downfall, and there's no doubt that this will keep happening in the cybercriminal world despite everyone always stressing the importance of good opsec. People seem to always be willing to tell others how to be safe and secure online while doing none of the work themselves and inevitably getting caught.

Footnotes

  1. "'Incognito Market' Owner Arrested for Operating One of the Largest Illegal Narcotics Marketplaces on the Internet", Department of Justice - justice.gov. [link]

  2. "Indictment - UNITED STATES OF AMERICA v. RUI-SIANG LIN" [link]

  3. "Complaint - UNITED STATES OF AMERICA v. RUI-SIANG LIN" [link]

#darknet #security