Incognito Admin Arrest and SuperMarket Wallet Drain: Darknet Marketplaces Plunge into Uncertainty
2024-5-24 19:31:39 Author: cyble.com(查看原文) 阅读量:8 收藏

Unraveling the seedy underbelly of the darknet marketplaces 

Executive Summary 

The arrest of Riu-Siang Lin, the former administrator of the closed Incognito marketplace, by the US authorities on 18th May is causing a domino effect in the underground illegal communities, leading to an alleged exit plan on the SuperMarket. On Dreads, the co-administrator of the Supermarket announced to the community on May 21, 2024, that the wallets had been emptied and that the only person who would have had access to them was “FatherBear”, the other administrator of the marketplace.  

Incognito Dark Web Drugs Market Boss Collared in New York

On May 18, 2024, Homeland Security Investigations (HSI) New York, in coordination with law enforcement partners, arrested Rui-Siang Lin at John F. Kennedy International Airport in connection with his operation and ownership of Incognito Market. On 20 May, the defendant was arraigned in Manhattan Federal Court. 

The 23-year-old Taiwanese administrator is charged with 4 counts, including engaging in a continuing criminal enterprise, narcotics conspiracy, money laundering, and conspiracy to distribute adulterated and misbranded drugs, which carry a minimum of 5 years and a maximum of 20 years in prison.  

The indictment alleges the illegal sale of more than $100 million in illicit narcotics and misbranded prescription drugs, including heroin, cocaine, LSD, MDMA, oxycodone, methamphetamines, ketamine, and alprazolam. In addition, in November 2023, an undercover law enforcement officer received several tablets purporting to be oxycodone purchased on the Incognito Market. Tests on these tablets revealed that they were not authentic oxycodone at all but were, in fact, fentanyl pills. 

According to the indictment, between 2022 and 2023, law enforcement agents executed search warrants to gain access to three servers used to operate the marketplace and containing marketplace data. One of the servers searched by the agents was the so-called “bank”, a database containing all cryptocurrency transactions. This allowed US law enforcement to trace cryptocurrency transfers to a digital wallet linked to Lin, leading to his identification and arrest. 

Figure 1. MommaBear initial post on Dread

Figure 1. MommaBear initial post on Dread 

On May 21, after online media wrote about Rui-Siang’s arrest and rumors spread throughout the darknet community, ‘MommaBear’, one of the administrators of the SuperMarket darknet marketplace, posted on Dread that the Cold Storage Escrow and Joint Pocket wallets had been emptied. Based on the same post, ‘MommaBear’ indicated that the only other person who had access to the wallets was the second administrator, ‘FatherBear’, who ‘MommaBear’ has confidence was not compromised and was responsible for draining all the wallets in an alleged exit plan due to the arrest of the Incognito Marketplace administrator. 

‘MommaBear’ has announced that all server access keys have been changed to prevent further unauthorized transactions. In addition, all onion links for accessing the site have been removed and orders are being paused to protect remaining assets and prevent further losses. The administrator has promised to keep users updated as more information becomes available and efforts continue to recover the lost funds. 

Figure 2. Second post of 22MommaBear22

Figure 2. “MommaBear” Second post 

Later, on May 22, ‘MommaBear’ returned with another post, indicating that the restoration process was ongoing and that he had not abandoned the community. However, there’s no mention of how they’re going to get their money back from ‘FatherBear’.  

Decoding Incognito Exit Scam

Figure 3. Incognito Market preview

Figure 3. Incognito Market preview 

Incognito Market was a globally available online narcotics bazaar active through Tor web since October 2020, when it was created by Lin. The marketplace was closed in March 2024 when Rui-Siang Lin, under his online pseudonym “Pharoah” or “Faro,” allegedly committed an exit scam. Further, in an attempt to extort the members, the admin threatened to leak private messages, transaction information, and order details of vendors and buyers unless they paid a fee ranging from 100 to 20 thousand dollars. 

At that time, the project administration threatened to publish a complete dump of 557,000 orders and 862,000 hashes of cryptocurrency transactions by the end of May. For the marketplace users, the situation had begun to get grim. They understood that the administrators had already committed an exit scam, as they could not withdraw their money.  

Figure 4. 22Pharoa22 latest post on Incognito

Figure 4. “Pharoa” latest post on Incognito 

A particular vendor sold each listing on Incognito Market. To become an Incognito Market vendor, people were required to register with the site and pay an admission fee. In exchange for listing and selling narcotics as a vendor on Incognito Market, each vendor paid 5% of the purchase price of every narcotic sold.  

Incognito Market had its own “bank,” which allowed its users to deposit cryptocurrency on the site into their accounts. After a narcotics transaction was completed, cryptocurrency from the buyer’s account was transferred to the seller’s account, less the 5% fee that Incognito collected. 

Who is Rui-Siang Lin aka Pharoah? 

Rui-Siang Lin is a 23-year-old developer who describes himself on LinkedIn as a “crypto enthusiast and developer” from Taiwan. He claims to be an employee of Taiwan’s Ministry of Foreign Affairs, working as a “diplomatic specialist” in the technical section of the Taiwanese embassy in St Lucia. Previous jobs include a three-year internship at Cathay Financial Holding as a “Backend and Blockchain R&D” since November 2019. The former Incognito Market administrator claims to have graduated from National Taiwan University in June 2023. On May 18, the latest post on LinkedIn was related to the celebration of obtaining the Chainalysis Reactor Certification (CRC).  

Figure 5

Figure 5. LinkedIn account of “Pharao, Experience section. 

In a LinkedIn post in April 2024, Lin shared some pictures from a “cybercrime and cryptocurrency training” at the Saint Lucia Police Academy. In another post, he promoted his new healthcare project called ‘Face2ID’, which uses contactless biometric scanning to create unique and secure patient identifiers, improving the accuracy and security of patient data management. 

Figure 6 1

Figure 6. LinkedIn account of “Pharao” 

Lin’s GitHub account describes him as a “backend and blockchain engineer, Monero enthusiast.” This GitHub account has approximately 44 publicly available software coding projects. His preferred programming language is JavaScript, followed by HTML and TypeScript. He has contributed 1,741 times on the platform, and his main projects are related to blockchains, cryptocurrency, and network security.  

Figure 7

Figure 7. Github account of “Pharao” 

Programming projects include running cryptocurrency servers and web applications such as PoW Shield, a tool to mitigate DDoS attacks; Monero Merchant, a software tool that allows online merchants to accept XMR as payment; and Koa-typescript-framework, a webframe software program used as a foundation for web applications. 

On other platforms, such as OpenSea, Lin sells NFTs with basketball players, and his collections appear to be up to 37 NFTs. In October 2021, the defendant also gave a YouTube interview explaining how his anti-DDoS tool “PoW Shield” worked for Pentester Academy TV, demonstrating his technical skills. 

On the X platform, formerly known as Twitter, where he has been active since March 2022, most of Lin’s posts are about cryptocurrencies. He also posted about the training he did for the Saint Lucia Police, but this time, he covered his face with an emoji. In an interesting post, he appeared to be proud of the newly elected president in Taiwan, suggesting that he likes the current regime, which is opposing China’s pressure. He also posted an analysis from Cloudflare showing that his DDoS solutions passed a stress test from China-based IPs. 

SuperMarket overview 

The marketplace has been active since July 1, 2023, and has been among the top five infamous marketplaces providing shopping for illicit goods in the darkweb, offering more than 16 categories of narcotics and over 1000 products. Compared to other marketplaces, it offered innovative and a much more user-friendly interface. Among these features one could find Direct Pay, implying buyers could use their wallets instead of those provided by the marketplace.  

Based on a public analysis made by researchers on January 9, 2024, the marketplace had 2,144 users, 237 sellers, 1,102 products, and 1,565 total orders. 

Figure 8

Figure 8. The main page of SuperMarket 

Conclusion  

Investigation of crypto transactions that led to the arrest of Riu-Siang Lin shows that threat actors and criminals in the underground forums cannot operate alone and without leaving any traces when switching to real life. “Pharao” created the Incognito marketplace when he was just a student, probably trying to make more money. However, after a few years of success in the Darkweb by operating the marketplace, he allegedly also obtained an important job for the Taiwan Ministry of Foreign Affairs, which probably offered him an opportunity to move away from his shady business and erase all traces to be able to continue the normal life.  

This hypothesis may sound explainable considering the exit scheme happening in March 2024 with Incognito Marketplace. Therefore, after a month, he began to post images with training provided to some law enforcement agents in order to appear clean on a basic OSINT check or if any traces from Darkweb could lead to him. However, the gambler’s fallacy to conduct an exit scam and extort the loyal members of Incognito may have caused his downfall. 

In addition to the US authorities’ investigation, we can assume that after the exit plan, some of his former associates will talk about his accounts and other useful information that the authorities can trace. 

On the other hand, based on his illicit background and willingness to make money, Riu-Siang Lin could have been a well-placed insider for Chinese intelligence in the Taiwanese embassy, and why not a first point of access in the Taiwanese MFA network for APT espionage operations. Even if one of his posts suggests an affinity with the current regime, HUMINT recruitment operations are only sometimes straightforward. 

Regarding the announcement of the SuperMarket co-administrator in relation to the wallets emptied by the other administrator, this has happened in the past in other cases of the “domino effect” that occurs when law enforcement makes arrests in the underground community. There are more hypotheses to follow, but the most reasonable one is that there could be some relationship in terms of crypto accounts shared between ‘FatherBear’ and ‘Pharao’, which could lead to other traces. In this case, ‘FatherBear’ will keep a low profile for a while with all the money and then probably resurface with a different identity.  

However, depending on how much Riu-Sian Lin knows about other accounts that could expose the criminal’s identity, we will see in the next period of time in the other law enforcement takedown and arrest operations. In the case of SuperMarket, users will likely migrate to other illegal communities due to a lack of trust in the platform. It also depends on what action the remaining administrator ‘MommaBear’ will take. 

References  

https://www.justice.gov/opa/media/1352576/dl
https://www.dhs.gov/hsi/news/2024/05/22/incognito-market-owner-arrested-operating-one-largest-online-narcotics-marketplaces
https://twitter.com/DarkWebInformer/status/1792905407968453089/photo/1
https://x.com/DarkWebInformer/status/1793360349149983134 
https://github.com/RuiSiang  
https://github.com/RuiSiang/PoW-Shield  
https://opensea.io/ruisiang 
https://www.youtube.com/watch?v=zeNKUDR7_Jc  
https://x.com/ruisiang_tw  
https://medium.com/@DarkWebInformer/supermarket-a-darknet-marketplace-focused-on-usability-and-security-7f0f2b256441  

Related


文章来源: https://cyble.com/blog/incognito-admin-arrest-and-supermarket-wallet-drain-darknet-marketplaces-plunge-into-uncertainty/
如有侵权请联系:admin#unsafe.sh