He Taught Police How to Trace Crypto Flows — Yet Used PGP and Monero to Sell Drugs! A Top NTU Student Became the World’s Biggest Dark Web Drug Lord, Only to Fall Because of Bitcoin.

GM,

Today’s article has a long title because the story is just too fascinating. Last week, the U.S. Department of Justice announced the results of “Operation Raptor,” the largest dark web takedown in history. Among the arrests, Taiwanese suspect Lin Rui-Xiang, who operated the “Incognito Market,” was considered the crown jewel.

At first, I thought this was just an ordinary criminal case, but after digging deeper, I realized that Lin Rui-Xiang was truly a big name in the dark web world. Before his arrest, Incognito Market had already become the world’s largest drug marketplace on the dark web, seen as the successor to the infamous Silk Road. The platform’s cumulative transaction volume exceeded NT$3 billion, and its number of active users far surpassed other platforms.

To piece together the full story, I not only read through the U.S. Department of Justice indictment but also scoured every trace of Lin Rui-Xiang I could find online — forum posts, on-chain records, GitHub accounts, and social media updates. Honestly, if he hadn’t gone down the criminal path, I probably would have invited him onto the Blocktrend Podcast to talk about Monero’s privacy technology and the challenges of tracking its money flows — he even described himself as a hardcore Monero fan on his personal accounts.

While Taiwanese media have focused mainly on Lin Rui-Xiang’s family background, I want to focus on a different angle: How did Incognito Market rise to become the world’s largest dark web marketplace? How did Lin use PGP and Monero to win user trust, only to ultimately fall because of Bitcoin?

This is extortion!

On March 5, 2024, a user on a dark web forum raised an alarm: when they tried to withdraw Bitcoin (BTC) and Monero (XMR) from Incognito Market, the site showed the withdrawal as successful, but the funds never arrived. The user tested it again with another account and found that deposits were working fine — but still no withdrawals.

The news spread quickly. The operator of Incognito Market, known by the handle “Pharoah,” came forward to explain: the system was undergoing an upgrade to handle increasing traffic and would soon support Ethereum and introduce stablecoin payments. Pharoah tried to calm the community with data, claiming there were 154 transactions currently in the queue — only 3% of the platform’s total withdrawals over the past 24 hours — and announced that a major interface overhaul was coming for the platform’s third anniversary.

Founded in October 2020, Incognito Market branded itself as the “Amazon of the dark web,” focusing on user experience and privacy, and it was picky about its customers, refusing to do business with beginners. Users had to access the marketplace through the Tor network. Investigative journalist Eileen Ormsby, who specializes in tracking dark web crime, attempted to register and documented the process: users had to pass several tests on dark web jargon and security knowledge just to reach the registration page. Eileen’s takeaway: “It’s been a long time since a dark web marketplace put this much effort into the user experience.”

[Image: Eileen praises Incognito Market’s user experience]

To ensure user privacy, Incognito Market emphasized two key security tools: PGP encrypted communication and Monero (XMR) payments. The former is the same encryption technology [1] used by the private email service Proton Mail: without the private key, it is practically impossible to decrypt a message. Monero is known for its privacy features: a block explorer shows that a transaction happened, but not who sent it, who received it, or how much changed hands. For law enforcement, hitting a Monero wall often means hitting a dead end; it is even harder to trace than Bitcoin that has been through a coin mixer.

In April 2022, Incognito Market suddenly saw a massive influx of users. The reason? At that time, the world’s largest dark web marketplace, Hydra, was shut down by U.S. and German authorities, and a wave of users fled to other platforms.

Fast forward to the critical point in March 2024. Although Pharoah, the market’s operator, claimed the missing withdrawals were just due to system upgrades, dark web users weren’t naive. They knew these platforms typically ended one of two ways: either an exit scam or a law enforcement takedown — and Pharoah was likely preparing to vanish.

Soon after, another user posted a bombshell: Pharoah had privately tried to bribe them to delete negative posts about Incognito Market. This user stepped up to warn everyone: stop depositing funds.

Realizing the secret was out, Pharoah dropped all pretenses and openly extorted the platform’s entire user base. He issued an announcement claiming he held records of 550,000 orders, 860,000 crypto transactions, and even the full content of private messages. If you’d ever bought drugs, opened a vendor store, or negotiated a deal on the platform, you were now at risk of being exposed — unless you paid the ransom.

Pharoah even updated a live list on the platform showing who had paid, stoking panic. Sellers who paid the ransom got a green checkmark, ensuring their names wouldn’t be made public. Buyers could also proactively pay to keep their identities hidden. Ransom demands ranged from $100 to $20,000, depending on how frequently the user had transacted on Incognito Market.

[Image: Pharoah extorts users]

To prove he truly had the communication records and transaction data, Pharoah deliberately published a list of unpaid users. This was a classic case of “black eats black.” Many, upon seeing their details exposed, panicked and rushed to pay the ransom, only then realizing that the PGP-encrypted messages and Monero payments Incognito Market had touted were useless against the one party they had never treated as an adversary: the platform itself.

PGP and Monero Cracked?

PGP, which stands for “Pretty Good Privacy,” is a widely used end-to-end encryption system. The email service I personally use, Proton Mail, relies on PGP encryption, which is based on public-key cryptography: each user has a key pair. The public key can be handed out freely, much like a mailing address, while the private key must be kept secret, like a password. (Strictly speaking, PGP encrypts the message body with a one-time symmetric session key and uses the recipient’s public key only to wrap that session key, but the trust model is the same: only the holder of the private key can unwrap it.)

For example, let’s say buyer Alice wants to purchase drugs from seller Bob. They would communicate through PGP-encrypted messages on the platform:

  • Alice visits Bob’s profile page to retrieve his public key.
  • Alice encrypts a message using the public key: “I want 3 grams of heroin, ship to P.O. Box in Zhongzheng District, Taipei, recipient code: GHOST.”
  • Once encrypted with the public key, the message turns into a string of unreadable cipher text that only Bob’s private key can decrypt.
  • Bob can then respond using the same encryption method. This allows both parties to safely negotiate the deal.

Under normal circumstances, even if the platform intercepts the message, without the private key it sees only indecipherable cipher text. But here’s the catch: the PGP encryption was a built-in feature of Incognito Market, performed on the platform’s side. The plaintext a user typed into the site reached the server before any encryption happened, and Pharoah simply kept a copy at that point. The messages that left the server were genuinely encrypted, so nothing looked wrong to the users, but Pharoah had already read every one of them in plain text.

In the cybersecurity world, many experts warn: if an encryption feature is not transparent and its code is not open source, it can easily become a façade that tricks users into trusting it. The practical rule is simpler still: encryption only protects you from the platform if it runs somewhere the platform cannot see, that is, on your own machine with your own PGP client (GnuPG, for example), so that the site only ever receives cipher text. Any “encrypt this for me” box built into the site has the plaintext by definition, whatever it displays afterwards. But on a dark web marketplace there is no audit and no open-source transparency, and with few options available, many users simply trusted the tools the platform provided, even when those tools were empty promises of security.
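The Go program below is an added illustration of that distinction, written for this article; it is not Incognito Market’s code and not any real PGP implementation. It models a hypothetical platform with two message paths: an “auto-encrypt” box where the server encrypts on the buyer’s behalf, and a relay that only ever receives cipher text the buyer produced locally. Real PGP encrypts the message with a one-time session key and wraps only that key with the recipient’s public key; the example applies RSA-OAEP to the message directly to stay short, which does not change the point. The vendor name “bob”, the two order texts and the log fields are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Platform models a marketplace message relay. Constructed illustration for
// the article, not Incognito Market's code.
type Platform struct {
	vendorKeys   map[string]*rsa.PublicKey // public keys shown on vendor profile pages
	plaintextLog map[string]bool           // what a dishonest operator keeps once plaintext touches the server
	ciphertexts  [][]byte                  // what an honest relay stores: opaque blobs only
}

// AutoEncryptSend is the site's "encrypt for me" box: the buyer submits plaintext
// and the server encrypts it with the vendor's key. The server holds the
// plaintext first, so keeping a copy is a one-line choice for the operator.
func (p *Platform) AutoEncryptSend(vendor, msg string) ([]byte, error) {
	pub, ok := p.vendorKeys[vendor]
	if !ok {
		return nil, fmt.Errorf("unknown vendor %q", vendor)
	}
	p.plaintextLog[msg] = true // the operator's secret copy
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(msg), nil)
	if err != nil {
		return nil, err
	}
	p.ciphertexts = append(p.ciphertexts, ct)
	return ct, nil
}

// RelayCiphertext is the safe flow: the buyer encrypted on their own machine and
// pasted cipher text. The server can store and forward it, nothing more.
func (p *Platform) RelayCiphertext(ct []byte) { p.ciphertexts = append(p.ciphertexts, ct) }

// ClientEncrypt runs on the buyer's own machine (GnuPG in practice). Real PGP
// wraps a symmetric session key; plain RSA-OAEP is used here to keep it short.
func ClientEncrypt(pub *rsa.PublicKey, msg string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(msg), nil)
}

// VendorDecrypt runs on the vendor's machine, the only place the private key lives.
func VendorDecrypt(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	return string(pt), err
}

// Outcome records who could read what after both flows ran.
type Outcome struct {
	AutoEncryptLeaked   bool // operator could read the order sent through the site's box
	ClientEncryptLeaked bool // operator could read the order encrypted client-side
	VendorReadBoth      bool // vendor decrypted both orders correctly
}

// RunScenario sends two constructed orders, one per flow, through one platform.
func RunScenario() (Outcome, error) {
	var out Outcome
	bobPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	platform := &Platform{
		vendorKeys:   map[string]*rsa.PublicKey{"bob": &bobPriv.PublicKey},
		plaintextLog: map[string]bool{},
	}
	orderA := "order A: 3g, PO box, code GHOST" // typed into the auto-encrypt box
	orderB := "order B: 5g, PO box, code GHOST" // encrypted locally, cipher text pasted

	ctA, err := platform.AutoEncryptSend("bob", orderA)
	if err != nil {
		return out, err
	}
	ctB, err := ClientEncrypt(&bobPriv.PublicKey, orderB)
	if err != nil {
		return out, err
	}
	platform.RelayCiphertext(ctB)

	ptA, errA := VendorDecrypt(bobPriv, ctA)
	ptB, errB := VendorDecrypt(bobPriv, ctB)
	out.VendorReadBoth = errA == nil && errB == nil && ptA == orderA && ptB == orderB
	out.AutoEncryptLeaked = platform.plaintextLog[orderA]
	out.ClientEncryptLeaked = platform.plaintextLog[orderB]
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // {AutoEncryptLeaked:true ClientEncryptLeaked:false VendorReadBoth:true}
}
```

Run it with go run: the printed Outcome shows the operator reading order A (sent through the auto-encrypt box) but not order B, while the vendor decrypts both. Nothing about the key strength differs between the two flows; the only difference is where the plaintext existed.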

While Incognito Market accepted Bitcoin and the privacy coin Monero, in reality it operated like a third-party escrow service, similar to Alipay. When a buyer made a payment, the funds were first sent to a platform-controlled account. Only after the seller shipped the goods and the buyer confirmed receipt could the seller withdraw the money. The platform even provided complaint and dispute resolution services; it was, in effect, a structured e-commerce operation.

But ultimately, all transactions passed through the centralized hub of Incognito Market. Monero’s privacy hides a payment from outside observers of the blockchain, not from the party you pay, and the platform was that party for every order. No matter how private Monero was on-chain, or how decentralized Bitcoin was, once the funds entered the platform’s wallet, Pharoah knew exactly who paid how much, for what, and where it was being shipped. Whether or not cryptocurrency was used made little difference in the end.

Although Incognito Market emphasized its user experience, a quick glance at its homepage would reveal that its “good” design was only relative to other dark web marketplaces — it was nowhere near comparable to the e-commerce platforms we’re familiar with. No matter how much it focused on design aesthetics or user flow, at the end of the day, it was still just a drug trafficking platform. Most users didn’t truly trust Incognito Market; they simply had no other choice — engaging in drug transactions inherently came with the risk of black-on-black betrayal.

According to documents released by the U.S. Department of Justice, the FBI had been monitoring Incognito Market since as early as 2021. They repeatedly posed as buyers to conduct undercover purchases and gather evidence. It wasn’t until March 2024, when they discovered Pharoah was preparing to flee, that they decided to close in and make arrests.

Pharoah Captured

During these undercover operations, the FBI identified a set of Bitcoin wallets frequently used by Pharoah. Monero, by design, is highly private and very hard to trace. Bitcoin is the opposite: every transaction is public and links the coins it spends to the addresses it pays, which is exactly what blockchain analytics firms follow. TRM Labs found that Pharoah habitually moved Bitcoin through a coin mixer [2] to muddy the trail, then sent the funds to centralized exchanges to convert them into Monero for withdrawal, a textbook money-laundering pattern.

[Image: Bitcoin passed through a mixer before being moved into a centralized exchange]

The turning point came when the FBI managed to “break through” the mixer. To this day, no one outside knows exactly how they pulled it off, but they successfully traced a portion of Pharoah’s Bitcoin through the mixer and into an account at a centralized exchange. The account’s registration details showed it belonged to a Taiwanese national named Ruei-Hsiang Lin.

But that alone wasn’t enough to identify Pharoah with confidence; after all, straw accounts opened in someone else’s name are common on the black market. The FBI needed more evidence to definitively confirm who Pharoah was.

By tracking the inflows and outflows of the “Ruei-Hsiang Lin” exchange account, the FBI continued following the Bitcoin trail and soon uncovered multiple wallet addresses that overlapped with Pharoah’s past activities. Among these, one Bitcoin transaction stood out: it had paid for proxy servers and for domains rented from the domain registrar Namecheap, which became a critical clue in the investigation.

No matter how covert a website is, it ultimately needs servers and domain names. While many infrastructure providers support crypto payments, they typically only accept the less-anonymous BTC. This turned out to be Pharoah’s fatal flaw.

The FBI followed the BTC flows to these web services and examined the registration information, only to discover that the registrant was, once again, “Ruei-Hsiang Lin.” They then issued requests to the hosting providers and obtained access to the servers. What they found inside was striking: complete records of every transaction, buyer-seller message logs, and even details of the goods traded and the amounts paid. Another server held an even more valuable trove: a list of BTC and XMR wallet addresses, complete with account annotations.

Tracing these wallets led the FBI to yet another centralized exchange, and once again, the registered identity was “Ruei-Hsiang Lin.” To confirm that these servers were indeed the core infrastructure of Incognito Market, the FBI briefly shut down the system for testing — and sure enough, the website immediately went offline. With all the evidence lining up, Pharoah’s true identity became unmistakably clear.
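The Bitcoin side of the investigation described above can be approximated in code. The Go program below is an added example written for this article, not TRM Labs’ or the FBI’s tooling, and it runs on a constructed seven-transaction graph rather than real chain data. It shows the two techniques the story turns on: following funds forward from a known market wallet (and how one mixer round turns a single trail into several candidates), and the multi-input co-spend heuristic that groups addresses spent together, which is how a withdrawal from the KYC’d exchange account lands in the same cluster as a market wallet that paid the registrar. Address names such as market_hot_1, xchg_deposit_7 and namecheap_pay, and the function names, are labels chosen for the example.

```go
package main

import "fmt"

// Tx is a simplified Bitcoin transaction: inputs are spent addresses, outputs are
// funded addresses. Amounts are omitted; the address graph is all that is needed.
type Tx struct {
	ID      string
	Inputs  []string
	Outputs []string
}

// looksLikeMix is a crude stand-in for CoinJoin detection; real tools do better.
func looksLikeMix(tx Tx) bool { return len(tx.Inputs) >= 3 && len(tx.Outputs) >= 3 }

// FollowFunds walks forward from seed, recording the hop at which each address is
// first funded. A mixer round fans out to all of its outputs, so past the mixer the
// result is a set of candidates, not one trail.
func FollowFunds(txs []Tx, seed string, maxHops int) map[string]int {
	reached := map[string]int{seed: 0}
	for hop := 1; hop <= maxHops; hop++ {
		for _, tx := range txs {
			for _, in := range tx.Inputs {
				if h, ok := reached[in]; !ok || h != hop-1 {
					continue // only a transaction spending last hop's addresses advances the trail
				}
				for _, out := range tx.Outputs {
					if _, seen := reached[out]; !seen {
						reached[out] = hop
					}
				}
				break
			}
		}
	}
	return reached
}

// CoSpendClusters applies the multi-input heuristic with union-find: addresses spent
// together in one transaction are assumed to share an owner. Mixer-like transactions
// are skipped, since merging their inputs is exactly the false positive a CoinJoin
// exists to create. Every address, spent or not, ends up in some cluster.
func CoSpendClusters(txs []Tx) map[string]string {
	parent := map[string]string{}
	find := func(a string) string {
		if _, ok := parent[a]; !ok {
			parent[a] = a
		}
		for parent[a] != a {
			a = parent[a]
		}
		return a
	}
	for _, tx := range txs {
		for _, out := range tx.Outputs {
			find(out)
		}
		for i, in := range tx.Inputs {
			if r := find(in); i > 0 && !looksLikeMix(tx) {
				parent[r] = find(tx.Inputs[0])
			}
		}
	}
	clusters := map[string]string{}
	for a := range parent {
		clusters[a] = find(a)
	}
	return clusters
}

// Constructed sample graph: market_hot_* are marketplace wallets known from undercover
// buys, xchg_* belong to one KYC'd exchange account, namecheap_pay is the registrar.
var sampleTxs = []Tx{
	{"t0", []string{"market_hot_1"}, []string{"market_hot_2"}},
	{"t1", []string{"market_hot_1"}, []string{"mixer_in_a"}},
	{"t2", []string{"mixer_in_a", "mixer_in_b", "mixer_in_c"}, []string{"mix_out_1", "mix_out_2", "mix_out_3"}},
	{"t3", []string{"mix_out_2"}, []string{"xchg_deposit_7"}},
	{"t4", []string{"mix_out_1"}, []string{"cafe_tips"}},
	{"t5", []string{"xchg_withdraw_9"}, []string{"personal_1"}},
	{"t6", []string{"personal_1", "market_hot_2"}, []string{"namecheap_pay", "personal_2"}},
}

type Finding struct {
	MixerCandidates int  // mixer outputs that could carry the market's coins
	ExchangeReached bool // the trail from the market wallet reaches the KYC'd deposit address
	SharedOwner     bool // the account's withdrawal address was co-spent with a market wallet
	RegistrarPaid   bool // and that shared cluster paid the registrar
}

func Investigate(txs []Tx) Finding {
	var f Finding
	reached := FollowFunds(txs, "market_hot_1", 4)
	clusters := CoSpendClusters(txs)
	_, f.ExchangeReached = reached["xchg_deposit_7"]
	f.SharedOwner = clusters["personal_1"] == clusters["market_hot_2"]
	for _, tx := range txs {
		for _, out := range tx.Outputs {
			if _, ok := reached[out]; ok && looksLikeMix(tx) {
				f.MixerCandidates++
			}
			if out == "namecheap_pay" && len(tx.Inputs) > 0 && clusters[tx.Inputs[0]] == clusters["market_hot_2"] {
				f.RegistrarPaid = true
			}
		}
	}
	return f
}

func main() { fmt.Printf("%+v\n", Investigate(sampleTxs)) }
```

The part past the mixer is the honest part: FollowFunds reports all three mixer outputs as candidates, and nothing in this code resolves which one was Pharoah’s; that link is the step the DOJ documents do not explain. What the code does show is that once any one candidate is confirmed off-chain (here, an exchange deposit with a name on file), the co-spend clustering on the far side does the rest, and that the same heuristic must be switched off for mixer-like transactions or it would wrongly merge every mixer participant into one owner.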

In May 2024, Ruei-Hsiang Lin was arrested during a layover in New York. He’s only 25 this year, but he may end up spending the rest of his life in a U.S. federal prison.

Overconfidence

To me, the most puzzling part of this case isn’t the technical flaws — it’s the initial motive. Why did Ruei-Hsiang Lin, in March 2024, decide to halt withdrawals and extort all his users, effectively destroying the underground empire he had built with his own hands?

I found posts on social media suggesting that around that time, he had been hit by a hacker attack, losing a batch of NFTs, including two Bored Apes. He also shared a screenshot showing a single-day loss of $250,000 on his Binance account and complained about Monero’s price crashing after being delisted from Binance. I don’t know if these losses left him short on funds and tempted him to “rob the robbers” to make the money back. Maybe he had already been planning his exit and just chose that moment to strike. But either way, the outcome was the same — no matter how much money he had, now there’s nowhere left to spend it.

Ruei-Hsiang Lin was clearly very confident in his own technical abilities. That’s what allowed him to play the role of “crypto flow expert Lin Ruei-Hsiang” by day, and transform into “Pharoah, king of the dark web market” by night. And he truly convinced both sides — law enforcement believed they could learn the latest crypto-tracing techniques from him, while the drug lords believed his platform could guarantee their privacy. Yet in the end, he fell because of a rookie mistake: registering domains under his real name.

Lin’s story reminds me of two other hyper-confident “Sams” — Sam Bankman-Fried (SBF) and Sam Altman. SBF thought it was fine that FTX was short by 20% — after all, he believed, “we’ll make it back eventually.” So even though the money hadn’t materialized, he kept pretending everything was fine on the outside, until a liquidity crunch exposed the truth.

Sam Altman launched the groundbreaking ChatGPT and the eye-scanning crypto project WorldCoin [3]. I almost bought a plane ticket to get my iris scanned, until I later saw the wave of controversies surrounding Altman and WorldCoin, which made me pull back. What these figures share is a tendency to not really see people as people. Though each of them is a genius and at the forefront of cutting-edge technology, in their eyes, humans often look like nothing more than cold, faceless numbers.

The former is now sitting in a U.S. prison. As for the latter — well, even though I try to resist his influence, this very article … I still couldn’t help but use ChatGPT to revise it 😂.

P.S. This is the 694th article. Blocktrend plans to launch a lifetime membership subscription with the 700th article, while also adjusting the subscription rates to $10 per month or $100 per year. The new rates will only affect new subscribers or those who cancel and resubscribe — the prices for existing subscribers will remain unchanged.

When Blocktrend moved to Substack five years ago, many readers linked their credit cards and have been paying to support the publication ever since. Since most credit cards have a five-year expiration, this period marks a peak time for renewals. To those who choose to unsubscribe, I sincerely thank you for your past support; to those willing to update their card and journey through the next five years together, I will cherish it even more. You can click here to check your current subscription status.


[1] Proton Mail Crosses into Bitcoin: Defending Freedom of Speech and Moving Toward Financial Freedom

[2] Tornado Cash: Hackers’ Favorite Mixer and an Everyday Person’s Privacy Tool

[3] Worldcoin Coming to Taiwan: Is Scanning Your Eye’s Iris Worth It?
