The darknet is a hidden layer of the internet, where encrypted networks allow users to explore beyond the reach of conventional oversight, creating a world defined by secrecy, anonymity, and often, high-stakes deception. The Incognito Market exit scam was a darknet sting masterminded by Rui-Siang Lin who was the marketplace operator. After establishing the site's reputation Incognito Market users suddenly couldn’t withdraw their Bitcoin and Monero from the site and then Lin coerced them into depositing Ethereum and DAI instead and stole all the funds. On top of stealing all of the users crypto, Lin extorted the site vendors, threatening to leak their sensitive data and all the correspondence with their clients unless they paid him ransoms in amounts ranging from $100 to $20,000 depending on the website ranking. Lin was captured in JFK airport on may 2024 after allegedly one of the sites users doxxed him and informed the FBI of his real identity. This Sequence of events became one of the most infamous exit scams in darknet history.
Who Is Rui-Siang Lin?
Rui-Siang Lin, also known as "Pharaoh" in the dark web community, had a unique background for someone running a major illegal marketplace.
At only 23, Lin set up and was leading Incognito Market, a platform designed to be one of the largest online drug markets on the dark web. In real life, he positioned himself as an expert in cybercrime, even going as far as training law enforcement officers in St. Lucia on tracking crypto crime.
His role as the head of Incognito Market combined a mix of tech knowledge and audacity. He used his skills to create a dark web platform that felt secure and anonymous to its users, attracting people who wanted to trade in narcotics and other illegal goods using privacy-focused cryptocurrencies like Monero.
The FBI reports that Lin was clever enough to incorporate features that helped users avoid surveillance, like Antinalysis – a tool he developed to help criminals check if their crypto transactions could be traced back to illegal activities.
Lin is a paradox. The skills he was teaching law enforcement crypto-tracing skills by day gave him all the knowledge and techniques needed to run Incognito by night. His ability to juggle these roles gave him a lot of influence in the dark web, not just over the site, but in building trust among his users.
Until, of course, he turned on them with an exit scam that revealed his darker intentions.
Incognito Market – A Dark Web Drug Den
Incognito Market was founded by Lin in October 2020 at the height of the global COVID-19 pandemic. The platform made it easy for people to buy and sell drugs online through the dark web.
Users could buy and sell illegal drugs such as heroin, cocaine, MDMA and LSD. You could also find prescription amphetamines on the marketplace, including brand names such as Adderall. Over the past four years transactions worth more than $100 million took place on the platform, using cryptocurrencies like Bitcoin and Ethereum. Lin took a 5% cut of every transaction on the platform.
What Was The Incognito Market Exit Scam?
The shady darknet market (DNM) Incognito Market turned out to be anything but “incognito”. Incognito Market was set up by Rui-Siang Lin in 2020, serving the underbelly of the internet with a place to buy and sell illegal narcotics and other illegal items using crypto.
Lin started extorting his users in March 2024, using a similar tactic to ransomware gangs. Instead of infecting systems with ransomware and promising a digital key to “disinfect” them when a ransom is paid, the Incognito Market exit scam blackmailed users by blocking their funds and extorting money depending on their “status”.
According to numerous reports, low-level “Level 1” vendors could prevent their details being leaked if they paid a $100 fee, with a sliding scale up to Level 5 vendors who were blackmailed to the tune of $20,000.
How The Incognito Market Scam Worked
The scam targeted both drug buyers and sellers on the platform. The scam started with the freezing of crypto assets, making it impossible for people to withdraw them. Next, people were threatened that details of their “secure” private chats would be released to the public. This would bring people under the spotlight of law enforcement agencies.
Victims of the scam received the following message.
“Expecting to hear the last of us yet?
We got one final little nasty suprise for y’all.
We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our “auto-encrypt” functionality. And by the way, your messages and transaction IDs were never actually deleted after the “expiry”…
SURPRISE SURPRISE !!!
Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up. We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes…
YES, THIS IS AN EXTORTION !!!
As for the buyers, we’ll be opening up a whitelist portal for them to remove their records as well in a few weeks.
Thank you all for doing business with Incognito Market”
The message was accompanied by a list of the “top” vendors who had paid the ransom to protect their customers (and themselves). Payments ranged between $100 and $20,000 depending on how many transactions each person had overseen.
The scam put drug vendors in a catch-22 position. On the one hand they didn’t want to risk their business being exposed to the police. On the other, paying the blackmailers could trigger a bigger ransom demand. Where would it stop?
The sheer scale of what Lin threatened to leak is mind-boggling. When Incognito Market collapsed, Lin, instead of disappearing quietly, warned users that he held records of more than half a million orders and over 860,000 cryptocurrency transaction IDs.
It was a threat to expose the entire history of transactions on Incognito, including buyer and seller identities that could put real names to illegal orders, likely putting thousands at risk of legal exposure.
What’s striking is how Lin used this data as a bargaining chip, essentially extorting his own users to pay up or face legal attention. It shows how vulnerable users of the site were despite thinking they were safe on the dark web. It’s a wake-up call for anyone who assumes that anonymity on such platforms is bulletproof, especially in a case like this where the operator turned out to be their greatest risk.
At Plasbit, we think the moral of the story is – don’t do anything illegal on the dark web. It’s as simple as that. In fact, don’t do anything illegal. We’re not here to pass judgment on what you do in your day-to-day life, but if you do illegal things online, then don’t be surprised when bad things happen to you.
The Arrest of Rui-Siang Lin, Incognito Market’s “Pharoah”
Rui-Siang Lin, the 23-year-old Taiwanese administrator of Incognito Market, was arrested on May 18, 2024, sending shockwaves through dark web communities.
Lin was apprehended at JFK Airport in New York by Homeland Security Investigations (HSI), with his arraignment following on May 20 in Manhattan Federal Court. He faced numerous charges, including engaging in a continuing criminal enterprise to narcotics and money laundering conspiracies, all linked to over $100 million in illegal drug sales. He could face up to 20 years in prison if found guilty.
The arrest didn’t just end with Lin, though. Following his detainment, dark web forums buzzed with news that another marketplace, SuperMarket, had been compromised. On May 21, a co-administrator posted on Dreads (a dark web forum) that SuperMarket’s funds had been mysteriously drained, pointing fingers at “FatherBear,” another admin. This fallout is a classic example of how a takedown in one part of the dark web can unravel other illicit operations.
Tracking Down A Dark Web Kingpin
What’s interesting about Lin’s arrest is how the authorities tracked him down. Law enforcement traced transactions from servers used in Incognito’s operations, in particular one server dubbed the “bank,” which stored details of every crypto transaction.
According to FBI task force officer Mark Rubens, the bureau tracked Rui-Siang Lin’s financial activities from Incognito Market right down to his personal accounts. The FBI discovered that Lin’s crypto wallet, which held funds from Incognito Market, funneled Bitcoin (BTC) to a swapping service to exchange it for Monero (XMR), a cryptocurrency known for its privacy features. Once swapped, the Monero was deposited into a crypto exchange account, which the FBI claims belonged to Lin.
Rubens noted at least four transfers in the deposition, linking Incognito’s earnings to Lin’s account. What really nailed down Lin’s identity, though, was the information provided by the exchange. They handed over Lin’s Taiwanese driver’s license, email address, and phone number and they were all tied to that account.
And as if that wasn’t enough, the FBI cross-referenced Lin’s personal details with a Namecheap account linked to Lin. This Namecheap account had bought a domain to promote Incognito Market, and payment was traced back to the same crypto wallet and account associated with Lin.
The numbers show just how lucrative Incognito was for Lin. His account deposits rose from $63,000 in 2021 to almost $4.2 million in 2023, and another exchange account tied to him saw $4.5 million deposited in just five months last year. So, the paper trail, or in this case the blockchain trail, was clear enough for the FBI to tie these transactions directly to Lin, essentially leaving no room for plausible deniability. If nothing else, Lin’s tale is a reminder that, despite the perceived security of the dark web, digital breadcrumbs are always left behind. However, there are some types of private and untraceable cryptocurrency that make it much more difficult to track down the parties involved in a transaction.
Other Notorious Dark Web Exit Scams
Silk Road 2.0
After the original Silk Road was shut down, Silk Road 2.0 launched. The promise was that it would bring back the anonymous marketplace for drugs and illegal goods. But things didn’t end well. The FBI arrested the operator, “Defcon,” and seized millions of dollars in assets. But before that happened, a massive “hack” drained users’ Bitcoin wallets, although many believe it was an inside job.
Evolution
One of the most notorious exit scams, Evolution’s operators disappeared overnight in 2015, taking around $12 million in Bitcoin with them. The site was a popular marketplace for everything from stolen data to illegal goods, and users trusted it because of its popularity. That’s why it was a shock when the entire platform vanished, leaving a huge number of buyers and sellers in the lurch.
AlphaBay
AlphaBay didn’t start as an exit scam, but it had a shady exit nonetheless. When the site was shut down by law enforcement in 2017, the founder Alexandre Cazes was arrested, and over $23 million in Bitcoin and other cryptocurrencies were seized. Users lost access to their funds with no chance of recovery, sparking fears of another exit scam as people wondered if the admins had also siphoned funds before the takedown.
Empire Market
In 2020, Empire Market, one of the most active dark web markets at the time, pulled off an exit scam, making off with an estimated $30 million in user funds. Users had grown suspicious due to weeks of “downtime” and “DDoS attacks,” only for the platform to disappear entirely, with admins claiming they were “securing user funds”—classic exit scam behavior.
Apollon Market
This one was a double-cross. In early 2020, Apollon admins were accused of pulling an exit scam as the site went down, leaving users unable to access funds. It was later discovered that “fake DDoS attacks” had been used to cover up the withdrawal of funds. Apollon’s exit scam cemented the reputation of dark web markets as high-risk places, where even admins couldn't be trusted.
How Common Are Exit Scams In The Cryptocurrency World?
As we’ve shown, exit scams are pretty commonplace in the underground world of the dark web or darknet. But what about mainstream crypto sites and projects? How common are they and are there other types of scams you should look out for?
Unfortunately, exit scams aren't just limited to the dark web. They also pop up in the mainstream cryptocurrency space, especially during market booms when there’s a flood of new investors and projects.
In the world of legitimate crypto projects, exit scams usually involve Initial Coin Offerings (ICOs) or new token launches where founders suddenly vanish after raising funds, leaving investors high and dry. This happened with the Pincoin and iFan projects in 2018, where founders allegedly walked away with around $660 million in investor money.
Besides exit scams, there are other shady schemes to watch out for. At Plasbit, we want you to be aware of these and not fall prey to them, so we’ve compiled a list of the top three most common crypto scams below.
Rug Pulls
Rug pulls are probably the most common type of crypto scam, especially with the rise of decentralized finance (DeFi) projects.
The scam involves a team of so-called “developers” creating a flashy new token and building up hype around it, often through promises of big returns or exclusive features. They market the token aggressively on social media, with influencers or even in communities like Telegram and Discord. The goal is to get as many people as possible to invest, which drives up the token’s price and liquidity.
In a legitimate project, liquidity pools are there to support trading, letting people buy and sell tokens freely. But in a rug pull, once the developers feel they’ve pumped the price high enough, they “pull the rug” by withdrawing all the liquidity from the pool. Without liquidity, the token becomes untradeable, leaving investors stuck with worthless tokens that they can’t sell. Meanwhile, the developers disappear with the funds, often leaving no trace.
The risk is especially high with new or anonymous projects, where developers have little accountability. To avoid getting caught in a rug pull check if the project has a public team with a history, if the code is audited, and whether there’s a locked liquidity pool. Rug pulls often prey on the “fear of missing out” (FOMO) that’s rampant in crypto, so staying level-headed and cautious is key.
Phishing Scams
Phishing scams usually work by setting up fake wallet sites or apps that look almost identical to legitimate ones. These fake platforms prompt you to enter private keys or recovery phrases, and once you do, they’re able to access your funds instantly. It’s like handing over your bank card to a stranger who looks trustworthy.
Scammers are sneaky about ways to get you onto these fake sites too. They might send phishing emails that look like they’re from a reputable wallet service or exchange, with a link that takes you to a replica site. Sometimes, they even run ads on legitimate search engines with fake links that look like the real deal. There are also cases of fake wallet apps in app stores, which are tough to spot unless you know exactly what the official app looks like.
To stay safe, always go directly to the official website of a wallet provider rather than clicking on links in emails, ads, or using the app store. It’s also a good habit to double-check the URL for slight misspellings or odd characters, which are subtle signs of a phishing site. Remember, no legitimate wallet or exchange will ever ask for your private key or recovery phrase out of the blue – those are just for you to use.
Pump-and-Dump Schemes
Here’s how pump-and-dump schemes work. A group of people, often organized in private chat rooms or social media, will pick a low-value or obscure coin. They start spreading hype about it, saying things like it's about to "explode" or that some big development is going to make it "the next big thing." They’ll do whatever they can to generate excitement, including posting fake news or making exaggerated claims.
As more people buy into the hype, the price of the coin skyrockets. The people who started the pump are only interested in getting the price high enough so they can cash out for a massive profit. So, at the peak of the frenzy, they sell off all their holdings. This sudden sell-off causes the price to crash, leaving everyone who bought in at the high point with heavy losses.
New or inexperienced investors often get caught up in these schemes, thinking they’re getting in on a great opportunity. Pump-and-dumps are hard to spot until they’re already in motion, and by the time people realize what’s happening, it’s usually too late to get out without a loss.
To avoid falling for them, be cautious of any coin that seems to be skyrocketing out of nowhere, especially if there’s a lot of hype but no solid news or development behind it. Real growth usually comes with actual improvements, partnerships, or other concrete reasons, not just hype.
Scams like the ones detailed above are fairly common, so it always pays to do your research before investing. Check for transparency, look at the development team’s history, and be cautious with any project promising guaranteed returns. In crypto, if it sounds too good to be true, then it probably is.
Staying Safe in the World of Crypto
The Incognito Market exit scam and other dark web cons serve as a stark reminder of the risks that come with shady online dealings and unchecked crypto projects.
Lin’s dramatic scheme, from locking users out of their funds to outright extortion, highlights how far bad actors are willing to go to turn a profit. They don’t really care who they hurt in the process.
The world of cryptocurrency is full of opportunities but also rife with pitfalls like exit scams, rug pulls, and phishing schemes. As crypto and blockchain tech evolves, so do the tactics of those trying to exploit it. So, whether you’re dabbling in new tokens or simply moving funds online, a little caution goes a long way.
At PlasBit, we’re strong believers in transparency and security. That’s why we help you to understand the risks, stay informed, and use trusted platforms. So, take the Incognito Market exit scam story as a lesson to always do your research, double-check, and remember – if a deal seems too good to be true, there’s a good chance it is.
