Molytov's Cocktail Lounge

Incognito Extorts Vendors, Threatens To Dump Payment Details and Transaction IDs

You may want to see my previous blog post on Incognito's exit scam:
Incognito Market Exit Scams

On March 5, 2024, Dread admin HugBunter confirmed that Incognito Market was exit scamming.

On the 9th, the market administrator Pharoah claimed they have collected 557k order details and 862k transaction IDs, and will leak them at the end of May. While the market had a function to automatically encrypt messages to a vendor if a customer didn't do so themselves, Pharoah claims a significant number of messages and orders were still collected in plain-text, and that messages and transaction IDs were never deleted.
Depending on how successful a vendor was on the market, they may have to pay anywhere from 100 USD to 20k USD if they hope to have information about their customers' transactions deleted.

Screenshot of Incognito Market's extortion page

While 374 vendors are already listed as having paid the ransom, the general sentiment on Dread seems to be that the ransom is just an attempt by the market to squeeze more coins out of its users while the price of Bitcoin is at an all-time high of just over $72K USD; the legitimacy of the threat is questioned.

Doubt About The Extortion

Some users argue that Incognito would release all the data anyway regardless of who pays them; others doubt that the market even has the data to begin with and that this is all a bluff.

Comments on Dread discussing the extortion

A user on Dread argues the ransom might all be fake

I have a list of the vendors that Incognito claims have paid the ransom, and will occasionally come back and refresh it in case more vendors happen to pay. [1]

incognito-paid-extortion.txt

User Shift_0x43 has set up a website to list known mirrors of the website for people to DDOS. Considering that the market is still very accessible, I'd say that their efforts are in vain.

Screenshot of a page with Incognito's known mirrors

Here is the onion address to the page:
2lbxwmr2hqgmdsrrlsmzvlreflv4uxrarqfzmo2g7wlesqnhskojp4yd.onion

Other users like have taken to trying to identify and dox Pharoah. It remains to be seen whether this will lead anywhere.
Meanwhile, Pharoah has been posting under the alt account /u/stayinginnovative after their primary account was banned. They have yet to post any data or even provide a sample to prove they are serious about their threat to dump it all, but are instead just taunting other users.

Regardless of what comes of this, users have learned the hard lesson they should already have learned from the Hansa Market takedown [2], as user /u/mayehessman politely states:

A post on Dread titled "USE FUCKING PGP YOU FUCKING IDIOTS"

Footnotes

  1. If you want to check the payment status list yourself: create a throwaway account on the market, log in and navigate to the /records page. It should go without saying, assume that any username and password you are using will be collected in plain-text, so don't use the name of your dog or whatever.

  2. As part of Operation Bayonet, law enforcement agencies compromised Hansa Market and continued to operate it themselves. They recoded the website to collect information on users, such as their logins, unencrypted messages and orders, and image metadata. Basically, anyone who relied on the website's functionality to keep them safe would have had their information collected by the feds. See: "Operation Bayonet: Inside the Sting That Hijacked an Entire Dark Web Drug Market" - Andy Greenberg, Wired.com [link]
