Who is Behind the $100M Crypto Crime Market?

0
crypto

Two months ago, a young Taiwanese man named Lin Rui-siang, dressed in a white polo shirt and black-rimmed glasses, confidently stood behind a lectern bearing the crest of the St. Lucia police. He delivered a nearly fluent English presentation titled “Cyber Crime and Crypto” to a room filled with police officers from the small Caribbean nation.

Following the presentation, the St. Lucia government issued a press release praising the success of Lin’s training course, which had been organized by the Taiwanese embassy where Lin served as a diplomatic IT specialist. The statement proudly noted that 30 officers had gained valuable insights into the dark web and crypto tracing, thanks to Lin’s “professional background and qualifications in the field.” Lin had used his expertise to teach the officers how to better combat cybercrime.

However, just this week, the full extent of Lin’s “professional background and qualifications” became apparent, seemingly unbeknownst to either his Taiwanese employers or his St. Lucian trainees. According to the US Justice Department, 23-year-old Lin had been running a dark-web drug market called Incognito for nearly four years. This market allegedly facilitated the sale of over $100 million worth of narcotics, including MDMA and heroin, using cryptocurrencies such as Bitcoin and Monero. Lin’s double life unraveled following his alleged theft of his own users’ funds earlier this year, culminating in his arrest by the FBI at New York’s JFK airport last week.

While working as a crypto-focused intern at Cathay Financial Holdings in Taipei and later as an IT staffer at St. Lucia’s Taiwanese embassy, Lin allegedly lived a double life as a dark-web figure known as “Pharoah” or “faro” This persona, remarkable for its contradictions even by dark web standards, saw Lin launch Incognito, build it into a well-regarded crypto black market with robust safety and security features, and then abruptly steal the market’s customers’ and drug dealers’ funds in an “exit scam.” Adding a particularly malicious twist, he allegedly extorted these users with threats of exposing their transaction details.

During these same years, Pharoah also launched a web service called Antinalysis, designed to thwart crypto money laundering countermeasures. Yet, Lin, who prosecutors assert was behind the Pharoah persona, later refashioned himself as a crypto-focused law enforcement trainer. Despite his supposed expertise in cryptocurrency tracing and digital privacy, it was Lin’s own sloppy money trails that, according to the DOJ, allowed the FBI to uncover his real identity.

Amid these many incongruities, the image of Lin giving a cryptocurrency crime training session in St. Lucia stands out starkly. Lin had even posted this proud moment to his LinkedIn account. Tom Robinson, co-founder of the blockchain analysis firm Elliptic, who has long tracked Lin’s alleged Pharoah alter ego, expressed his shock. “This is an alleged dark-net market admin standing in front of police officers, showing them how to use blockchain analytics tools to track down criminals online,” Robinson noted. “Assuming he is who the FBI says he is, it’s incredibly ironic and brazen.”

Pharaoh the Crypto Kingpin—and Extortionist

Lin has been charged with not only narcotics conspiracy and money laundering but also running a “continuing criminal enterprise,” the so-called “kingpin statute” reserved for organized crime leaders who allegedly oversaw at least five employees. For that charge alone, he faces a potential life sentence.

In the DOJ’s criminal complaint against Lin, it points to a handwritten document the FBI pulled from his email, which appears to sketch out a flow chart for a dark-web market’s mechanics. The complaint’s FBI affidavit says Lin emailed himself the sketch in March 2020 when he was at most 19 years old. It describes functionality such as how “vendors” and “buyers” would register, make purchases, and encrypt shipping addresses. Seven months later, Lin would allegedly launch Incognito Market.

A sketch of a dark-web market’s infrastructure that Lin emailed to himself eight months before allegedly creating Incognito Market, according to the DOJ.

According to the FBI, the market took nearly a year to catch on, with virtually no sales during that time. But by late 2021, Incognito had started to attract users, and by the middle of 2022, the market had drawn enough vendors and sellers to generate more than $1.5 million a month in sales.

Also Read – The Ultimate List: Top Al-tcoins To Buy Now Before They Take Off

A 2022 Twitter thread about Incognito posted by Eileen Ormsby, an author of several dark-web-focused books including The Darkest Web, shows how the market by that time had added features that may have helped it to catch the attention of security- and safety-conscious users. It required that new users demonstrate they could use the encryption tool PGP before entering the market, prompted them to take a security quiz, allowed buyers to spend the more privacy-focused cryptocurrency monero as well as bitcoin, encouraged dealers to post results from a fentanyl test to certify their product was “fent free,” and even experimented with democratic voting for market-wide decisions.

By the summer of 2023, Incognito had spiked in popularity and was approaching $5 million a month in sales. Then in March of this year, the site suddenly dropped offline, taking all the funds stored in buyers’ and sellers’ wallets with it. A few days later, the site reappeared with a new message on its homepage. “Expecting to hear the last of us yet?” it read. “We got one final little nasty surprise for y’all.”

The message explained that Incognito was now essentially blackmailing its former users: It had stored their messages and transaction records, it said, and added that it would be creating a “whitelist portal” where users could pay a fee—which for some dealers would later be set as high as $20,000—to remove their data before all the incriminating information was leaked online at the end of this month. “YES THIS IS AN EXTORTION!!!” the message added.

In retrospect, Ormsby says that the site’s apparent user-friendliness and its security features were perhaps a multiyear con laying the groundwork for its endgame, a kind of user extortion never seen before in dark-web drug markets. “Maybe the whole thing was set up to create a false sense of security,” Ormsby says. “The extorting thing is completely new to me. But if you’ve lulled people into a sense of security, I guess it’s easier to extort them.”

In total, Incognito Market promised to leak more than half a million drug transaction records if buyers and sellers didn’t pay to remove them from the data dump. It’s still not clear whether the market’s administrator—Lin, according to prosecutors, whom they accuse of personally carrying out the extortion campaign—planned to follow through on the threat: He appears to have been arrested before the deadline set for the victims of the Incognito blackmail.

Also Read – Looking for User-Friendly Crypto Exchanges? Check out These Top 5

An Expert in ‘Anti Anti-Money Laundering’

At the same time the FBI says Lin was laying the groundwork for this double-cross, he also appears to have briefly tried engineering an entirely different scheme. In the summer of 2021, during Incognito Market’s relatively quiet first year, Lin’s alleged alter ego, Pharaoh, launched a service called Antinalysis, a website designed to analyze blockchains and let users check—for a fee—whether their cryptocurrency could be connected to criminal transactions.

In a post to the dark-web market forum Dread, Pharaoh made clear that Antinalysis was designed not to help anti-money-laundering investigators, but rather those who sought to evade them—presumably including his own dark-web market’s users. “Our goals do not lie in aiding the surveillance autocracy of state-sponsored agencies,” Pharoah’s post read. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”

After independent cybersecurity reporter Brian Krebs wrote about the Antinalysis service in August 2021, describing it as an “anti anti-money laundering service for crooks,” Pharoah posted another message complaining that Antinalysis had lost access to its blockchain data source, which Krebs had identified as the anti-money-laundering tool AMLBot, and that it would be going offline. “Stay posted and fuck LE,” Pharoah wrote, using the abbreviation LE to mean “law enforcement.” Antinalysis eventually returned, however, and pivoted last year to acting instead as a service for swapping bitcoin for monero and vice versa.

Meanwhile, Lin appears to have maintained his obsession with cryptocurrency tracing and blockchain analysis: His final LinkedIn post last week before his arrest in New York announced that he had become a certified user of Reactor, the crypto tracing tool sold by blockchain analysis firm Chainalysis. “I’m excited to share that I’ve completed Chainalysis’s new qualification: Chainalysis Reactor Certification (CRC)!” Lin wrote in Mandarin. His last X post shows a Chainalysis diagram of money flows between dark-web markets and cryptocurrency exchanges.

It’s not clear whether Lin obtained his Chainalysis certification to bolster a new career training law enforcement in blockchain analysis or, if US prosecutors are to be believed, to advance his previous alleged career as a dark-web criminal. But it raises the troubling possibility that a former dark-web kingpin—one who was still extorting his own users—was perhaps playing both sides of the crypto tracing game, says Elliptic’s Tom Robinson.

“There’s a larger issue here about bad actors accessing blockchain analytics tools,” says Robinson. “That is a potentially risky situation, where someone who’s in the process of laundering proceeds of crime can check in commercially available tools whether they have laundered them such that they can get away with it.” Running certain checks in those tools might even allow someone to determine if they’re being actively investigated by law enforcement, Robinson says.

Also Read – Know Everything About NeskBit Exchange

WIRED reached out to Chainalysis to ask about Lin’s Reactor certification and what sort of safeguards prevent criminals from using the company’s software, but the company declined to comment.

If Lin did hope to evade law enforcement by becoming an expert in crypto tracing himself, he was far too late to avoid creating his own blockchain trail of evidence: In January of this year, the FBI says it somehow identified a central Incognito server and obtained a search warrant for its contents. That allowed investigators to identify a bitcoin wallet stored there, which the FBI says Lin had also carelessly used to pay web registrar Namecheap for four web domains—including one that tracked which dark-web markets were online or down—and register them under his own name.

Although the FBI says Lin tried to swap his bitcoins for harder-to-trace monero before cashing out the cryptocurrency at an exchange, the criminal complaint points to timing and amount correlations that nonetheless allowed the FBI to follow his funds to a crypto exchange where he allegedly liquidated the dirty funds. That exchange account, too, was registered in Lin’s real name, according to the DOJ.

The operational security mistakes the FBI describes suggest that, regardless of which side of the cryptocurrency cat-and-mouse game Lin intended to end up on, he was far from a criminal mastermind. His brief, strange journey from alleged kingpin to crypto crime expert ultimately provides plenty of lessons to criminals and law enforcement alike—though probably not the ones he intended.

Leave a Reply

Your email address will not be published. Required fields are marked *

  • bitcoinBitcoin (BTC) $ 82,328.00
  • ethereumEthereum (ETH) $ 3,182.33
  • tetherTether (USDT) $ 1.00
  • solanaSolana (SOL) $ 216.64
  • bnbBNB (BNB) $ 623.40
  • dogecoinDogecoin (DOGE) $ 0.291283
  • usd-coinUSDC (USDC) $ 0.999790
  • xrpXRP (XRP) $ 0.584948
  • staked-etherLido Staked Ether (STETH) $ 3,180.14
  • cardanoCardano (ADA) $ 0.611108
  • shiba-inuShiba Inu (SHIB) $ 0.000026
  • tronTRON (TRX) $ 0.165268
  • wrapped-stethWrapped stETH (WSTETH) $ 3,783.04
  • the-open-networkToncoin (TON) $ 5.31
  • avalanche-2Avalanche (AVAX) $ 32.42
  • wrapped-bitcoinWrapped Bitcoin (WBTC) $ 82,203.00
  • wethWETH (WETH) $ 3,181.88
  • suiSui (SUI) $ 3.20
  • chainlinkChainlink (LINK) $ 14.06
  • bitcoin-cashBitcoin Cash (BCH) $ 436.24
  • polkadotPolkadot (DOT) $ 5.15
  • leo-tokenLEO Token (LEO) $ 7.23
  • nearNEAR Protocol (NEAR) $ 5.34
  • aptosAptos (APT) $ 11.38
  • litecoinLitecoin (LTC) $ 76.91
  • wrapped-eethWrapped eETH (WEETH) $ 3,349.49
  • uniswapUniswap (UNI) $ 8.95
  • usdsUSDS (USDS) $ 0.994369
  • pepePepe (PEPE) $ 0.000012
  • internet-computerInternet Computer (ICP) $ 9.11
  • bittensorBittensor (TAO) $ 581.08
  • crypto-com-chainCronos (CRO) $ 0.156842
  • fetch-aiArtificial Superintelligence Alliance (FET) $ 1.51
  • kaspaKaspa (KAS) $ 0.153703
  • ethereum-classicEthereum Classic (ETC) $ 22.85
  • daiDai (DAI) $ 0.999525
  • stellarStellar (XLM) $ 0.110171
  • polygon-ecosystem-tokenPOL (ex-MATIC) (POL) $ 0.407662
  • dogwifcoindogwifhat (WIF) $ 3.07
  • blockstackStacks (STX) $ 2.03
  • whitebitWhiteBIT Coin (WBT) $ 20.83
  • moneroMonero (XMR) $ 160.93
  • ethena-usdeEthena USDe (USDE) $ 1.00
  • aaveAave (AAVE) $ 188.31
  • okbOKB (OKB) $ 44.75
  • injective-protocolInjective (INJ) $ 26.62
  • mantleMantle (MNT) $ 0.766313
  • filecoinFilecoin (FIL) $ 4.21
  • arbitrumArbitrum (ARB) $ 0.632212
  • render-tokenRender (RENDER) $ 6.16