Written by Andy Greenberg
Two months ago, Lin Rui-siang, a young Taiwanese man wearing black-rimmed glasses and a white polo shirt, stood behind a lectern emblazoned with the crest of the St. Lucia police, giving a presentation titled “Cyber Crime and Cryptocurrency” in nearly fluent English to a roomful of cops from the tiny Caribbean country.
The St. Lucia government would later issue a press release lauding the success of Lin’s training course, which had been organized by the Taiwanese embassy, where Lin worked as a diplomatic specialist in IT. The statement boasted that 30 officers had learned “nuances of the dark web” and cryptocurrency tracing skills from Lin, who had “used his professional background and qualifications in the field” to teach them how to better combat cybercrime.
Only earlier this week did it become clear exactly what Lin’s “professional background and qualifications in the field” allegedly entailed, seemingly unbeknownst to either his Taiwanese employers or his St. Lucian law enforcement trainees. For nearly four years, according to the US Justice Department, 23-year-old Lin ran a dark-web drug market called Incognito that authorities say enabled the sale of at least $100 million worth of narcotics, ranging from MDMA to heroin, for cryptocurrencies including bitcoin and monero. That was before Lin’s alleged theft of his own users’ funds earlier this year and then his arrest last week by the FBI at New York’s JFK airport.
Over his years working as a cryptocurrency-focused intern at Cathay Financial Holdings in Taipei and then as a young IT staffer at St. Lucia’s Taiwanese embassy, Lin allegedly lived a double life as a dark-web figure who called himself “Pharoah” or “faro”—a persona whose track record qualifies as remarkably strange and contradictory even for the dark web, where secret lives are standard issue. In his short career, Pharoah launched Incognito, built it into a popular crypto black market with some of the dark web’s better safety and security features, then abruptly stole the funds of the market’s customers and drug dealers in a so-called “exit scam” and, in a particularly malicious new twist, extorted those users with threats of releasing their transaction details.
During those same busy years, Pharoah also launched a web service called Antinalysis, designed to defeat crypto money laundering countermeasures—only for Lin, who prosecutors say controlled that Pharoah persona, to later refashion himself as a crypto-focused law enforcement trainer. Finally, despite his supposed expertise in cryptocurrency tracing and digital privacy, it was Lin’s own relatively sloppy money trails that, the DOJ claims, helped the FBI to trace his real identity.
An April post on Lin Rui-siang’s LinkedIn account about his cybercrime and cryptocurrency training course for police in St. Lucia.
Among all those incongruities, though, it’s the image of Lin giving his cryptocurrency crime training in St. Lucia—which Lin proudly posted to his LinkedIn account—that shocked Tom Robinson, a cofounder of the blockchain analysis firm Elliptic, who has long tracked Lin’s alleged Pharoah alter ego. “This is an alleged dark-net market admin standing in front of police officers, showing them how to use blockchain analytics tools to track down criminals online,” says Robinson. “Assuming he is who the FBI says he is, it’s incredibly ironic and brazen.”
Lin stands accused of not just narcotics conspiracy and money laundering, but also operation of a “continuing criminal enterprise,” a term typically used for leaders of organized crime who allegedly supervise at least five employees. This single charge could potentially lead to a life sentence.
In the DOJ’s criminal complaint against Lin, a handwritten document reportedly found in his email is a crucial piece of evidence. The FBI believes that Lin created a draft of a proposed dark-web market’s structure and workflow. The email, dated March 2020, details functions such as vendor and buyer registration, purchase methods, and steps for encrypted shipping addresses. Seven months after this email, Lin is alleged to have launched Incognito Market.
The alleged blueprints for a dark-web market’s operational structure were sent by Lin to his own email, as per the DOJ’s claims. This was done eight months before his suspected creation of the Incognito Market.
The FBI asserts that the market took close to a year to draw attention, with almost zero sales during this period. However, by late 2021, Incognito began to attract a user base. By mid-2022, the platform had lured enough vendors and buyers to make over a million dollars in monthly sales.
A 2022 Twitter thread about Incognito posted by Eileen Ormsby, an author of several dark-web-focused books including The Darkest Web, shows how the market by that time had added features that may have helped it to catch the attention of security- and safety-conscious users. It required that new users demonstrate they could use the encryption tool PGP before entering the market, prompted them to take a security quiz, allowed buyers to spend the more privacy-focused cryptocurrency monero as well as bitcoin, encouraged dealers to post results from a fentanyl test to certify their product was “fent free,” and even experimented with democratic voting for market-wide decisions.
By the summer of 2023, Incognito had spiked in popularity and was approaching $5 million a month in sales. Then in March of this year, the site suddenly dropped offline, taking all the funds stored in buyers’ and sellers’ wallets with it. A few days later, the site reappeared with a new message on its homepage. “Expecting to hear the last of us yet?” it read. “We got one final little nasty surprise for y’all.”
The message explained that Incognito was now essentially blackmailing its former users: It had stored their messages and transaction records, it said, and added that it would be creating a “whitelist portal” where users could pay a fee—which for some dealers would later be set as high as $20,000—to remove their data before all the incriminating information was leaked online at the end of this month. “YES THIS IS AN EXTORTION!!!” the message added.
In retrospect, Ormsby says that the site’s apparent user-friendliness and its security features were perhaps a multiyear con laying the groundwork for its endgame, a kind of user extortion never seen before in dark-web drug markets. “Maybe the whole thing was set up to create a false sense of security,” Ormsby says. “The extorting thing is completely new to me. But if you’ve lulled people into a sense of security, I guess it’s easier to extort them.”
Incognito Market threatened to leak over half a million drug transaction records unless a ransom was paid to remove them. It’s uncertain whether the market’s admin, who prosecutors claim is Lin and who is accused of carrying out this extortion campaign, intended to act upon the threat. His arrest appears to have taken place before the victims’ deadline.
According to the FBI, while Lin was laying the foundation for this scheme, he also seemed to be working on an entirely different plan. During Incognito Market’s quiet first year in the summer of 2021, Lin’s alleged alter ego, Pharoah, set up Antinalysis. This is a website built to analyze blockchains and allow users to check if their cryptocurrency is linked to any illegal activities—for a fee.
In a post on the dark-web market forum Dread, Pharoah stated that Antinalysis was created not to support anti-money-laundering investigators but for those trying to evade them, probably including users of his own dark-web market. “This service is dedicated to individuals in need of complete privacy on the blockchain. It offers a view from the opponent’s perspective, allowing users to understand the possibility of their funds being flagged under autocratic illegal charges,” Pharoah’s post said.
After Brian Krebs, an independent cybersecurity reporter, wrote about the Antinalysis service in August 2021, calling it an “anti anti-money laundering service for crooks,” Pharoah posted another message announcing that Antinalysis had lost access to its blockchain data source (identified by Krebs as the anti-money laundering tool AMLBot) and it would be unavailable. However, Antinalysis found its way back and made a shift last year to providing a service for swapping bitcoin for monero and vice versa.
Meanwhile, Lin appears to have maintained his obsession with cryptocurrency tracing and blockchain analysis: His final LinkedIn post last week before his arrest in New York announced that he had become a certified user of Reactor, the crypto tracing tool sold by blockchain analysis firm Chainalysis. “I’m excited to share that I’ve completed Chainalysis’s new qualification: Chainalysis Reactor Certification (CRC)!” Lin wrote in Mandarin. His last X post shows a Chainalysis diagram of money flows between dark-web markets and cryptocurrency exchanges.
It’s not clear whether Lin obtained his Chainalysis certification to bolster a new career training law enforcement in blockchain analysis or, if US prosecutors are to be believed, to advance his previous alleged career as a dark-web criminal. But it raises the troubling possibility that a former dark-web kingpin—one who was still extorting his own users—was perhaps playing both sides of the crypto tracing game, says Elliptic’s Tom Robinson.
“There’s a larger issue here about bad actors accessing blockchain analytics tools,” says Robinson. “That is a potentially risky situation, where someone who’s in the process of laundering proceeds of crime can check in commercially available tools whether they have laundered them such that they can get away with it.” Running certain checks in those tools might even allow someone to determine if they’re being actively investigated by law enforcement, Robinson says.
WIRED reached out to Chainalysis to ask about Lin’s Reactor certification and what sort of safeguards prevent criminals from using the company’s software, but the company declined to comment.
If Lin did aim to outsmart law enforcement by mastering crypto tracing himself, he was much too late to avoid leaving his own blockchain evidence trail. In January of this year, the FBI states it managed to identify a core Incognito server and secure a search warrant for its contents. This allowed investigators to pinpoint a Bitcoin wallet kept there, which the FBI claims Lin had also recklessly used to pay web registrar Namecheap for four web domains—including one that observed the status of dark-web markets—and registered them under his real name.
Although the FBI alleges that Lin attempted to exchange his bitcoins for the more difficult-to-trace Monero before converting the cryptocurrency at an exchange, the criminal complaint highlights timing and transaction correlations that allowed the FBI to nonetheless track his funds to a crypto exchange where it is believed he laundered the illicit money. The exchange account was also registered in Lin’s real name, as noted by the DOJ.
The operational security blunders the FBI describes suggest that Lin was far from a criminal mastermind, no matter which side of the cryptocurrency cat-and-mouse game Lin planned to land on. His short, odd transition from alleged criminal kingpin to crypto crime expert in the end offers plenty of insights to criminals and law enforcement alike—though probably not the lessons he originally intended.