On May 18, 2024, Lin Rui-siang, known as “Pharaoh” and the alleged administrator of Incognito Market, was arrested at John F. Kennedy Airport. Later that day, he appeared in Manhattan federal court.
Lin was en route to Singapore via New York when he was apprehended by New York police. This arrest was part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation.
If convicted, Lin faces severe penalties:
- A mandatory minimum penalty of life in prison for engaging in a continuing criminal enterprise.
- A maximum penalty of life in prison for narcotics conspiracy.
- A maximum penalty of 20 years in prison for money laundering.
- A maximum penalty of five years in prison for conspiracy to sell adulterated and misbranded medication.
The indictment mentioned Lin’s extortion attempts during the platform’s final days, highlighting his greed and disregard for others.
Identifying Incognito’s Servers
Law enforcement executed search warrants on July 20, 2022, and August 2, 2023, on several of Incognito’s servers, including the DDoS protection frontend and data backend. Additional search warrants were executed on August 16, 2022, and January 5, 2024, on servers hosting the cryptocurrency backend.
When the servers were briefly taken offline during the July 2022 search warrant execution, law enforcement observed that Incognito also went offline. A review of Incognito’s backend revealed a connection to the cryptocurrency backend via SSH tunnels, and transaction hashes matched several orders placed by law enforcement officers.
Incognito’s Statistics
Over its more than three years of operation, Incognito Market processed approximately $80 million in cryptocurrency transactions. By August 2, 2023, the platform had 255,519 users and 224,791 orders.
As of January 2024, Incognito’s cryptocurrency statistics were:
- Bitcoin deposited: 1,316 BTC ($36,895,586)
- Bitcoin withdrawn: 1,303 BTC ($36,431,574)
- Monero transactions: 265,375 (181,918 deposits and 83,457 withdrawals)
- Monero deposited: 296,094 XMR ($46,728,991)
- Monero withdrawn: 294,634 XMR ($46,482,976)
The total revenue by January 9, 2024, was approximately $83,624,577, yielding at least $4,181,228 from a 5% commission. Incognito’s revenue was approximately $14.8 million in 2022 and about $65.5 million in 2023.
How Lin was Caught
Following the Money
By January 2024, approximately 58 deposits had been made from Incognito’s Bitcoin wallet to a wallet identified as “Pharaohs-Wallet.” Most funds in Pharaohs-Wallet, around 123 BTC ($3,351,343), came from Incognito’s wallet. Between March 25, 2020, and October 1, 2023, Pharaohs-Wallet received about 126 BTC from 77 deposits and then transferred all funds to other wallets.
Blockchain analysis revealed that Pharaohs-Wallet conducted at least four transactions with Namecheap, paying for domains related to darknet activities, including incognite.com and rs.me (Lin’s personal blog).
Lin used Pharaohs-Wallet to pay for rs.me on March 25, 2022, using funds from both Pharaohs-Wallet and an account at a cryptocurrency exchange. The total price was about $20,000, with Pharaohs-Wallet contributing approximately $22.09.
Lin also conducted multiple transactions from Pharaohs-Wallet to a cryptocurrency swapping service, followed by deposits into his personal exchange account:
- July 26, 2021: 0.04 BTC ($1,528)
- May 15, 2022: 1 BTC ($29,745)
- May 17, 2022: 1 BTC ($30,571)
- May 31, 2022: 2 BTC ($63,432)
Another cryptocurrency exchange account registered in Lin’s name received about $4.5 million. Lin’s employment history did not justify the large assets in his accounts, and his bank statement showed over $1 million.
Lin also created Antinalysis, a tool designed to circumvent crypto money laundering countermeasures.
Following the Skills
Law enforcement identified Lin’s GitHub account, which described him as a “Backend and Blockchain Engineer, Monero Enthusiast.” His 35 public coding projects demonstrated significant technical expertise, including:
- PoW Shield: a DDoS mitigation tool
- Monero Merchant: a tool for online merchants to accept XMR
- Koa-typescript-framework: a web application framework used by Incognito
A YouTube video featured Lin explaining various DDoS attack mitigation methods during a 15-minute interview about his PoW Shield project.
Following the Searches
Lin’s Google searches aligned with his work on Incognito, including:
- “one pixel attack for fooling deep neural networks github”
- “provable fair calculator” and “slot game terminology”
- “three-way conversation”
- “cryptopunk generator js,” “array.reduce,” and “js random true false”
On July 19, 2022, when the FBI took an Incognito server offline, Lin searched an hour later for issues with the PM2 process manager software.
On March 12, 2020, Lin emailed himself a diagram of a darknet market.
About Lin
Lin was active on Twitter and vocal about his support for Monero, and his blog featured his Monero and Tor nodes and his NFT collection.
Since November, Lin had been working at Taiwan’s embassy in St. Lucia, one of Taiwan’s few allies. He applied to the embassy’s technical corps in lieu of mandatory military service and was expected to be discharged in July. He left St. Lucia on May 18.
Three months before his arrest, Lin presented “Cyber Crime and Cryptocurrency” to St. Lucia police. Two months before his arrest, he tweeted about Kraken clamping down on Monero. A week before his arrest, he posted on LinkedIn about becoming a certified user of Chainalysis Reactor. His last tweet showed a Chainalysis diagram of money flows between darknet markets and exchanges, including Incognito.
One of Lin’s final posts on Dread announced Incognito’s extortion and exit scam.