Operation RapTor: the collapse of the largest darknet empire in history

The US Department of Justice reported on the largest operation in history to shut down the darknet marketplace: 270 people around the world were detained and arrested, $200 million, about two tons of drugs, and 180 firearms were seized. GetBlock AML Research reveals details of the complex operation, which was conducted simultaneously on four continents in the strictest secrecy and conspiracy.

Criminals evolve

The times when darknet marketplaces resembled websites from the early 2000s are long gone. This can be understood by examining the activities of Incognito Market. It was the key object of investigation in the RapTor operation. The marketplace appeared in 2020 and immediately began to actively attract customers. On the surface, Incognito Market is not much different from Amazon or other popular trading platforms: the marketplace has a modern design, an elaborate advertising system, user pages, a responsive support service, a seller rating system, and product reviews.

Incognito Market home page

Sellers on Incognito Market trade mostly in narcotics, prescription medical drugs, and their counterfeits. To become a seller on the platform, one had to pay a special registration fee, as well as pay a 5% tax on each sale. Marketplace administrators spent their earnings on the support and development of the platform: paying for servers and paying employees. All financial transactions were conducted in cryptocurrency, mainly Monero (XMR) and bitcoin (BTC) were used.

Incognito Market product catalog

For a long time, Incognito Market users managed to hide financial flows precisely due to the anonymity of Monero, which qualitatively hides the recipients and senders of cryptocurrency, as well as the amounts of transfers.

Double agent

During the RapTor operation, it became known that Incognito Market was run by Rui-Siang Lin, a 23-year-old Taiwanese citizen who hid under the alias “Pharaoh.” The operatives found that Lin was the owner of the platform, as he personally managed the staff, paid the salaries of the employees, and received all the profits from the marketplace.

Rui-Siang Lin was not a dark horse, he previously worked for Taiwan’s Ministry of Foreign Affairs, where he trained law enforcement officers on how to track illegal transactions involving cryptocurrencies and digital assets. That is, he helped law enforcement officers identify Incognito Market analog platforms.

Rui-Siang Lin, owner and administrator of Incognito Market

Lin was apprehended in May 2024 at John F. Kennedy Airport in New York, the US. After his arrest, he pleaded guilty to all charges (conspiracy to distribute narcotics, money laundering, and conspiracy to sell counterfeit and mislabeled pharmaceuticals).

Controlled collapse

A few months before Lin and other actors were arrested, Incognito Market began to have users leave en masse. This was because the platform disabled BTC support. There were also unknown people posing as Incognito Market administrators and blackmailing users. Unknown people threatened to hand over user data to law enforcement agencies and demanded cryptocurrency rewards from them.

After these incidents, the number of illegal Incognito Market cryptocurrency transactions and their volume decreased significantly. This played into the hands of law enforcement agencies, which found it easier to monitor the activities of the darknet marketplace.

From SilkRoad to the present day

The closure of Incognito Market was the biggest victory for law enforcement against the illegal sale of drugs on the darknet in more than a decade. In 2013, SilkRoad suffered a similar fate. But since then, the activities of darknet marketplaces have changed. Criminals have learned their lessons and have made a number of changes to protect themselves.

For example, during SilkRoad’s infancy, platform users used mostly BTC, Tor browsers, and rudimentary reputation systems. Now, drug traffickers use Monero, as the technology of this cryptocurrency provides high privacy. Distribution of illicit goods now takes place mainly in encrypted messengers such as Telegram and Signal. Criminals have started using virtual private networks (VPNs) and other technologies en masse to cover their tracks.

One of the major changes that has made it more difficult to combat illegal drug manufacturing and distribution has been the segmentation of activities. Incognito Market sellers had a complex hierarchical structure: each employee was dedicated to his or her own process and had no physical contact with others who were involved in the manufacture and distribution of drugs.

On-chain investigation

Chain analysis allowed law enforcers to identify wallets used by Incognito Market and marketplace sellers. The cryptocurrency was passed through mixers (Tornado Cash and others) before sending funds to the marketplace or the seller.

Incognito Market cryptocurrency laundering scheme. Data: TRM Labs

Once Incognito Market’s operating wallets were discovered, uncovering the marketplace’s overall financial scheme was easy. Within a few months, how the profits generated were laundered and withdrawn into cash were uncovered. Mostly centralized (CEX) and peer-to-peer (P2P) exchanges were used for this purpose.