May 31, 2024
How OSINT Helps Unmask Dark Web Actors Like Incognito Market’s Mastermind
Steve Adams
Product Marketing Manager
Earlier this month, a Taiwanese national, 23-year-old Rui-Siang Lin, was arrested on suspicion of owning and running one of the dark web’s most successful drug marketplaces. He now faces charges for drug trafficking, money laundering, and misbranding prescription medication that could result in a life sentence if convicted.
Lin is the alleged mastermind behind Incognito Market, a massive illegal narcotics e-commerce platform on the dark web that allowed anonymous users to buy and sell heroin, cocaine, oxycodone, methamphetamines, prescription drugs, and other controlled substances. Based on reports, since inception, Incognito Market facilitated over $100 million in sales across 557,000 orders linked to 862,000 cryptocurrency transaction IDs. However, the marketplace's operations came crashing down in March 2024 when the administrator, operating under the aliases "Pharoah" and "Faro," attempted to extort all vendors and customers in a brazen ransomware-style shakedown, threatening to release their transaction histories.
Despite technical measures to remain anonymous and conceal his real-world identity, a multi-agency investigation involving the FBI, Homeland Security, DEA, FDA, and NYPD identified Lin as the suspected architect of Incognito Market. On May 18, 204 Lin was apprehended when he entered the U.S. at JFK airport.
Leveraging Public Data for Internet Investigations
While the official details of the investigation remain confidential, publicly available information is readily available on Lin in support of the case. Often, individuals running dark web platforms rely on encryption, anonymizing technologies, and cryptocurrency to cloak their involvement with illicit drug distribution networks. However, public data is commonly accessible and extremely useful once a real-world identity is confirmed.
Methodically piecing together breadcrumbs of information found throughout an investigation, which might involve internet, human, and classified intelligence, investigators can chip away at the layers of obfuscation surrounding criminals to determine their true identities. In Lin's case, once his identity was determined, accounts across social media and web pages, including X, LinkedIn, GitHub, and Medium, among others, provided insights into his life, including his current role as an Information Technology Specialist for the Taiwanese Ministry of Foreign Affairs in Saint Lucia.
Lin is not the only dark web actor with a large digital footprint on the surface web. By researching similar dark web actors, it is clear that no matter how stealthily these individuals attempted to operate, investigators can often reveal digital clues that unmask their identities. A combination of data points can usually be pieced together to build successful cases against criminals.
Unmasking Dark Web Identities with OSINT
To ascertain a real-world identity and make an arrest, investigators first need to link that dark web alias to a person. While many dark web users seek to remain anonymous, skilled investigators can leverage analytical techniques to uncover identities behind their darknet aliases. A common approach involves searching for related accounts and digital footprints that may pre-date an individual's criminal activities. By researching usernames across various online platforms like gaming forums and social media, common usernames can unearth links pointing to dark web personas and personal details inadvertently left behind. Additionally, linguistic analysis of writing styles, word choices, and other idiosyncrasies present in dark and surface web posts can support assertions that they were authored by the same individual. Combining these OSINT methods with traditional investigative procedures has helped law enforcement attribute dark web actors to their offline identities in many cases.
The Power of Automated OSINT Platforms
Discovering digital clues can be complex, requiring extensive resources and knowledge of advanced OSINT techniques. Fusing consumer records, public records, social media, web articles, dark web breach data, and many other public and commercial data sources, automated solutions like Skopenow harness identity resolution algorithms to connect those data points to real names.
While underground sites like Incognito Market depend on encryption and other technologies to evade detection, dark web actors are not impervious to user error, which can enable OSINT professionals to strip away anonymity and build strong cases against them. By leveraging automated OSINT platforms, government, and law enforcement teams can enhance their internet investigations while scaling operational capacity.
Join over 1,500 organizations, including numerous large government and law enforcement agencies, that rely on Skopenow's platform to automatically collect and process relevant publicly available information and make better decisions. Learn more and schedule a personalized demo today at www.skopenow.com/try.