He Trained Cops to Fight Crypto Crime—and Allegedly Ran a $100M Dark-Web Drug Market

The strange journey of Lin Rui-siang, the 23-year-old accused of running the Incognito black market, extorting his own site’s users—and then refashioning himself as a legit crypto crime expert.

Wired

Two months ago, Lin Rui-siang, a young Taiwanese man wearing black-rimmed glasses and a white polo shirt, stood behind a lectern emblazoned with the crest of the St. Lucia police, giving a presentation titled “Cyber Crime and Cryptocurrency” in nearly fluent English to a roomful of cops from the tiny Caribbean country.

The St. Lucia government would later issue a press release lauding the success of Lin’s training course, which had been organized by the Taiwanese embassy, where Lin worked as a diplomatic specialist in IT. The statement boasted that 30 officers had learned “nuances of the dark web” and cryptocurrency tracing skills from Lin, who had “used his professional background and qualifications in the field” to teach them how to better combat cybercrime.

Only earlier this week did it become clear exactly what Lin’s “professional background and qualifications in the field” allegedly entailed, seemingly unbeknownst to either his Taiwanese employers or his St. Lucian law enforcement trainees. For nearly four years, according to the US Justice Department, 23-year-old Lin ran a dark-web drug market called Incognito that authorities say enabled the sale of at least $100 million worth of narcotics, ranging from MDMA to heroin, for cryptocurrencies including bitcoin and monero. That was before Lin’s alleged theft of his own users’ funds earlier this year and then his arrest last week by the FBI at New York’s JFK airport.

Over his years working as a cryptocurrency-focused intern at Cathay Financial Holdings in Taipei and then as a young IT staffer at St. Lucia’s Taiwanese embassy, Lin allegedly lived a double life as a dark-web figure who called himself “Pharoah” or “faro”—a persona whose track record qualifies as remarkably strange and contradictory even for the dark web, where secret lives are standard issue. In his short career, Pharoah launched Incognito, built it into a popular crypto black market with some of the dark web’s better safety and security features, then abruptly stole the funds of the market’s customers and drug dealers in a so-called “exit scam” and, in a particularly malicious new twist, extorted those users with threats of releasing their transaction details.

During those same busy years, Pharoah also launched a web service called Antinalysis, designed to defeat crypto money laundering countermeasures—only for Lin, who prosecutors say controlled that Pharoah persona, to later refashion himself as a crypto-focused law enforcement trainer. Finally, despite his supposed expertise in cryptocurrency tracing and digital privacy, it was Lin’s own relatively sloppy money trails that, the DOJ claims, helped the FBI to trace his real identity.

An April post on Lin Rui-siang’s LinkedIn account about his cybercrime and cryptocurrency training course for police in St. Lucia.

Among all those incongruities, though, it’s the image of Lin giving his cryptocurrency crime training in St. Lucia—which Lin proudly posted to his LinkedIn account—that shocked Tom Robinson, a cofounder of the blockchain analysis firm Elliptic, who has long tracked Lin’s alleged Pharoah alter ego. “This is an alleged dark-net market admin standing in front of police officers, showing them how to use blockchain analytics tools to track down criminals online,” says Robinson. “Assuming he is who the FBI says he is, it’s incredibly ironic and brazen.”

Pharoah the Kingpin—and Extortionist

Lin has been charged with not only narcotics conspiracy and money laundering but also running a “continuing criminal enterprise,” the so-called “kingpin statute” reserved for organized crime leaders who allegedly oversaw at least five employees. For that charge alone, he faces a potential life sentence.

In the DOJ’s criminal complaint against Lin, it points to a handwritten document the FBI pulled from his email, which appears to sketch out a flow chart for a dark-web market’s mechanics. The complaint’s FBI affidavit says Lin emailed himself the sketch in March 2020 when he was at most 19 years old. It describes functionality such as how “vendors” and “buyers” would register, make purchases, and encrypt shipping addresses. Seven months later, Lin would allegedly launch Incognito Market.

A sketch of a dark-web market’s infrastructure that Lin emailed to himself eight months before allegedly creating Incognito Market, according to the DOJ.

According to the FBI, the market took nearly a year to catch on, with virtually no sales during that time. But by late 2021, Incognito had started to attract users, and by the middle of 2022, the market had drawn enough vendors and buyers to generate more than $1.5 million a month in sales.

A 2022 Twitter thread about Incognito posted by Eileen Ormsby, an author of several dark-web-focused books including The Darkest Web, shows how the market by that time had added features that may have helped it to catch the attention of security- and safety-conscious users. It required that new users demonstrate they could use the encryption tool PGP before entering the market, prompted them to take a security quiz, allowed buyers to spend the more privacy-focused cryptocurrency monero as well as bitcoin, encouraged dealers to post results from a fentanyl test to certify their product was “fent free,” and even experimented with democratic voting for market-wide decisions.

By the summer of 2023, Incognito had spiked in popularity and was approaching $5 million a month in sales. Then in March of this year, the site suddenly dropped offline, taking all the funds stored in buyers’ and sellers’ wallets with it. A few days later, the site reappeared with a new message on its homepage. “Expecting to hear the last of us yet?” it read. “We got one final little nasty surprise for y’all.”

The message explained that Incognito was now essentially blackmailing its former users: It had stored their messages and transaction records, it said, and added that it would be creating a “whitelist portal” where users could pay a fee—which for some dealers would later be set as high as $20,000—to remove their data before all the incriminating information was leaked online at the end of this month. “YES THIS IS AN EXTORTION!!!” the message added.

In retrospect, Ormsby says that the site’s apparent user-friendliness and its security features were perhaps a multiyear con laying the groundwork for its endgame, a kind of user extortion never seen before in dark-web drug markets. “Maybe the whole thing was set up to create a false sense of security,” Ormsby says. “The extorting thing is completely new to me. But if you’ve lulled people into a sense of security, I guess it’s easier to extort them.”

In total, Incognito Market promised to leak more than half a million drug transaction records if buyers and sellers didn’t pay to remove them from the data dump. It’s still not clear whether the market’s administrator—Lin, according to prosecutors, whom they accuse of personally carrying out the extortion campaign—planned to follow through on the threat: He appears to have been arrested before the deadline set for the victims of the Incognito blackmail.

An Expert in ‘Anti Anti-Money Laundering’

At the same time the FBI says Lin was laying the groundwork for this double-cross, he also appears to have briefly tried engineering an entirely different scheme. In the summer of 2021, during Incognito Market’s relatively quiet first year, Lin’s alleged alter ego, Pharoah, launched a service called Antinalysis, a website designed to analyze blockchains and let users check—for a fee—whether their cryptocurrency could be connected to criminal transactions.

In a post to the dark-web market forum Dread, Pharoah made clear that Antinalysis was designed not to help anti-money-laundering investigators, but rather those who sought to evade them—presumably including his own dark-web market’s users. “Our goals do not lie in aiding the surveillance autocracy of state-sponsored agencies,” Pharoah’s post read. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”

After independent cybersecurity reporter Brian Krebs wrote about the Antinalysis service in August 2021, describing it as an “anti anti-money laundering service for crooks,” Pharoah posted another message complaining that Antinalysis had lost access to its blockchain data source, which Krebs had identified as the anti-money-laundering tool AMLBot, and that it would be going offline. “Stay posted and fuck LE,” Pharoah wrote, using the abbreviation LE to mean “law enforcement.” Antinalysis eventually returned, however, and pivoted last year to acting instead as a service for swapping bitcoin for monero and vice versa.

Meanwhile, Lin appears to have maintained his obsession with cryptocurrency tracing and blockchain analysis: His final LinkedIn post last week before his arrest in New York announced that he had become a certified user of Reactor, the crypto tracing tool sold by blockchain analysis firm Chainalysis. “I’m excited to share that I’ve completed Chainalysis’s new qualification: Chainalysis Reactor Certification (CRC)!” Lin wrote in Mandarin. His last X post shows a Chainalysis diagram of money flows between dark-web markets and cryptocurrency exchanges.

It’s not clear whether Lin obtained his Chainalysis certification to bolster a new career training law enforcement in blockchain analysis or, if US prosecutors are to be believed, to advance his previous alleged career as a dark-web criminal. But it raises the troubling possibility that a former dark-web kingpin—one who was still extorting his own users—was perhaps playing both sides of the crypto tracing game, says Elliptic’s Tom Robinson.

“There’s a larger issue here about bad actors accessing blockchain analytics tools,” says Robinson. “That is a potentially risky situation, where someone who’s in the process of laundering proceeds of crime can check in commercially available tools whether they have laundered them such that they can get away with it.” Running certain checks in those tools might even allow someone to determine if they’re being actively investigated by law enforcement, Robinson says.

WIRED reached out to Chainalysis to ask about Lin’s Reactor certification and what sort of safeguards prevent criminals from using the company’s software, but the company declined to comment.

If Lin did hope to evade law enforcement by becoming an expert in crypto tracing himself, he was far too late to avoid creating his own blockchain trail of evidence: In January of this year, the FBI says it somehow identified a central Incognito server and obtained a search warrant for its contents. That allowed investigators to identify a bitcoin wallet stored there, which the FBI says Lin had also carelessly used to pay web registrar Namecheap for four web domains—including one that tracked which dark-web markets were online or down—and register them under his own name.

Although the FBI says Lin tried to swap his bitcoins for harder-to-trace monero before cashing out the cryptocurrency at an exchange, the criminal complaint points to timing and amount correlations that nonetheless allowed the FBI to follow his funds to a crypto exchange where he allegedly liquidated the dirty funds. That exchange account, too, was registered in Lin’s real name, according to the DOJ.
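The complaint describes the tracing only at the level of “timing and amount correlations,” so the following is an added illustration of that idea, not the FBI’s method or code from any tool named in this article. It assumes an investigator holds two constructed lists: outbound transfers from a wallet already tied to the suspect, and deposit records obtained from an exchange (with amounts expressed in BTC-equivalent after any intermediate monero swap). A deposit is treated as a candidate for an outflow when it arrives within a time window afterward and has lost no more than a plausible fee and swap spread; the window and loss thresholds are arbitrary choices for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    txid: str        # on-chain txid or exchange deposit reference (constructed)
    when: datetime   # block time or exchange-recorded deposit time, UTC
    amount: float    # value in BTC; for deposits, the BTC-equivalent the exchange recorded


def correlate(outflows, deposits, max_delay=timedelta(hours=6), max_loss=0.05):
    """
    Pair each outflow from a known wallet with the exchange deposit that best
    matches it in time and amount.  A deposit is a candidate for an outflow if
    it lands after the outflow and within max_delay, and its amount is no
    larger than the outflow and lost at most max_loss (as a fraction) to fees
    or swap spread.  Each deposit is consumed at most once; ties go to the
    smallest loss.  Returns (outflow_txid, deposit_txid, delay_seconds, loss).
    """
    used = set()
    matches = []
    for out in sorted(outflows, key=lambda t: t.when):
        best = None
        for dep in deposits:
            if dep.txid in used:
                continue
            delay = dep.when - out.when
            if delay < timedelta(0) or delay > max_delay:
                continue  # arrived before the outflow, or too long after it
            loss = (out.amount - dep.amount) / out.amount
            if loss < 0 or loss > max_loss:
                continue  # more arrived than was sent, or too much was lost
            if best is None or loss < best[1]:
                best = (dep, loss, delay)
        if best is not None:
            dep, loss, delay = best
            used.add(dep.txid)
            matches.append((out.txid, dep.txid, int(delay.total_seconds()), round(loss, 4)))
    return matches


# Constructed sample data, not real transactions.
T0 = datetime(2024, 1, 10, 12, 0)
OUTFLOWS = [
    Transfer("btc-out-1", T0, 1.000),
    Transfer("btc-out-2", T0 + timedelta(hours=30), 0.500),
    Transfer("btc-out-3", T0 + timedelta(hours=60), 2.000),
]
DEPOSITS = [
    Transfer("exch-dep-A", T0 + timedelta(hours=2), 0.985),   # 1.5% loss, 2h later: fits out-1
    Transfer("exch-dep-B", T0 + timedelta(hours=31), 0.490),  # 2% loss, 1h later: fits out-2
    Transfer("exch-dep-C", T0 + timedelta(hours=59), 1.990),  # lands before out-3: rejected
    Transfer("exch-dep-D", T0 + timedelta(hours=61), 1.200),  # 40% loss: unrelated deposit
    Transfer("exch-dep-E", T0 + timedelta(hours=62), 1.975),  # 1.25% loss, 2h later: fits out-3
]


def demo():
    """Run the correlation over the constructed data."""
    return correlate(OUTFLOWS, DEPOSITS)


if __name__ == "__main__":
    for outflow, deposit, delay_s, loss in demo():
        print(f"{outflow} -> {deposit}  +{delay_s // 3600}h  loss {loss:.2%}")
```

Correlations like these are leads, not proof: a busy exchange will produce coincidental matches, and the thresholds need tuning against the swap service’s actual fee schedule. What turned the lead into an identification in this case, according to the complaint, was the exchange’s own account records, which were in Lin’s real name.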

The operational security mistakes the FBI describes suggest that, regardless of which side of the cryptocurrency cat-and-mouse game Lin intended to end up on, he was far from a criminal mastermind. His brief, strange journey from alleged kingpin to crypto crime expert ultimately provides plenty of lessons to criminals and law enforcement alike—though probably not the ones he intended.
