What the Incognito Market Sentencing Reveals About Dark Web Drug Trafficking

5 February 2026 at 01:22


The 30-year prison sentence handed to Rui-Siang Lin, the operator of the infamous Incognito Market, is more than just another darknet takedown story. Lin, who ran Incognito Market under the alias “Pharaoh,” oversaw one of the largest online narcotics operations in history, generating more than $105 million in illegal drug sales worldwide before its collapse in March 2024. Platforms like Incognito Market are not clever experiments in decentralization. They are industrial-scale criminal enterprises, and their architects will be treated as such.

How Incognito Market Became a Global Narcotics Hub

Launched in October 2020, Incognito Market was designed to look and feel like a legitimate e-commerce platform, only its products were heroin, cocaine, methamphetamine, MDMA, LSD, ketamine, and counterfeit prescription drugs. Accessible through the Tor browser, the dark web marketplace allowed anyone with basic technical knowledge to buy illegal narcotics from around the globe. At its peak, Incognito Market supported over 400,000 buyer accounts, more than 1,800 vendors, and facilitated 640,000 drug transactions. Over 1,000 kilograms of cocaine, 1,000 kilograms of methamphetamine, and fentanyl-laced pills were likely sold, the authorities said. This was not a fringe operation—it was a global supply chain built on code, crypto, and calculated harm.

“Pharaoh” and the Business of Digital Drug Trafficking

Operating as “Pharaoh,” Lin exercised total control over Incognito Market. Vendors paid an entry fee and a 5% commission on every sale, creating a steady revenue stream that funded servers, staff, and Lin’s personal profit—more than $6 million by prosecutors’ estimates. The marketplace ran with a professional polish, from branding, customer service, and vendor ratings to its own internal financial system, the Incognito Bank, which allowed users to deposit cryptocurrency and transact anonymously. The system was designed to remove trust from human relationships and replace it with platform-controlled infrastructure. This was not chaos. It was corporate-style crime.

Fentanyl, Fake Oxycodone, and Real Deaths

In January 2022, Lin explicitly allowed opiate sales on Incognito Market, a decision that proved deadly. Listings advertised “authentic” oxycodone, but laboratory tests later revealed fentanyl instead. In September 2022, a 27-year-old man from Arkansas died after consuming pills purchased through the platform. This is where the myth of victimless cybercrime collapsed. Incognito Market did not just move drugs—it amplified the opioid crisis and directly contributed to loss of life. U.S. Attorney Jay Clayton stated that Lin’s actions caused misery for more than 470,000 users and their families, a figure that shows the human cost behind the transactions.

Exit Scam, Extortion, and the Final Collapse

When Incognito Market shut down in March 2024, Lin didn’t disappear quietly. He stole at least $1 million in user deposits and attempted to extort buyers and vendors, threatening to expose their identities and crypto addresses. His message was blunt: “YES, THIS IS AN EXTORTION!!!” It was a fittingly brazen end to an operation built on manipulation and fear. Judge Colleen McMahon called Incognito Market the most serious drug case she had seen in nearly three decades, labeling Lin a “drug kingpin.” The message from law enforcement is unmistakable: dark web platforms, cryptocurrency, and blockchain are not shields against justice.

The rise of Moltbook suggests viral AI prompts may be the next big security threat

3 February 2026 at 07:00

On November 2, 1988, graduate student Robert Morris released a self-replicating program into the early Internet. Within 24 hours, the Morris worm had infected roughly 10 percent of all connected computers, crashing systems at Harvard, Stanford, NASA, and Lawrence Livermore National Laboratory. The worm exploited security flaws in Unix systems that administrators knew existed but had not bothered to patch.

Morris did not intend to cause damage. He wanted to measure the size of the Internet. But a coding error caused the worm to replicate far faster than expected, and by the time he tried to send instructions for removing it, the network was too clogged to deliver the message.

History may soon repeat itself on a new kind of platform: networks of AI agents carrying out instructions from prompts and sharing them with other AI agents, which could spread the instructions further.


SlowMist Flags Potential Security Risk at HitBTC Exchange


A newly disclosed security warning has drawn attention to potential risks at the HitBTC Exchange after blockchain security firm SlowMist reported identifying a potentially critical vulnerability on the platform.

SlowMist revealed the issue in a public post on X (formerly Twitter), after efforts to contact HitBTC through direct messages reportedly went unanswered. According to the blockchain security firm, responsible disclosure protocols were followed before the public warning, but the absence of acknowledgment left researchers with limited options to ensure user safety.

In its official statement, SlowMist wrote, “We have identified a potential critical vulnerability and reached out via DM in advance under responsible disclosure, but have not yet received a response. Please contact us promptly to coordinate next steps.”

Although no technical details were released to prevent misuse, SlowMist stressed that the vulnerability could pose serious risks to both user funds and sensitive data held on the HitBTC Exchange.

HitBTC Exchange and Ongoing Cryptocurrency Security Concerns

Founded in 2013, HitBTC Exchange is one of the oldest cryptocurrency trading platforms still in operation. Registered in the British Virgin Islands, the exchange offers access to more than 250 cryptocurrencies and over 800 trading pairs. Recent figures show that HitBTC processed more than $110 million in trading volume within 24 hours.

Despite its long-standing presence, the platform has faced criticism in recent years related to transparency, customer support responsiveness, and communication practices. The current incident has intensified those concerns, especially since similar situations have occurred elsewhere in the cryptocurrency sector.

The warning involving HitBTC marks at least the third instance in recent weeks where SlowMist publicly disclosed vulnerability concerns after failing to establish contact with an exchange. In December, the firm issued comparable notices to Seychelles-registered Azbit and Turkey-based ICRYPEX Global, both of which reportedly did not respond despite managing daily trading activity.

Data Shows Rising Impact of Cryptocurrency Attacks

The unfolding situation reflects broader security trends affecting the cryptocurrency ecosystem. According to SlowMist’s 2025 annual security report, approximately 200 blockchain-related security incidents occurred during the year, resulting in estimated losses of $2.935 billion. While the number of incidents declined compared to 2024, the total financial impact increased by 46%, indicating more targeted and high-impact attacks.

Exchange-related incidents numbered only 12 in 2025 but accounted for losses totaling $1.809 billion. In contrast, decentralized finance (DeFi) protocols experienced 126 incidents, leading to $649 million in losses. Supporting this data, blockchain security firm CertiK reported that $117.8 million was lost to cryptocurrency exploits in December 2025 alone.

SlowMist continues to play an important role in monitoring and mitigating these threats. During 2025, the firm helped freeze or recover approximately $19.29 million in stolen assets using its threat intelligence network and MistTrack analysis platform. Across 18 major incidents, around $387 million of $1.957 billion in stolen funds was recovered, representing a recovery rate of 13.2%.

Shai-Hulud Supply Chain Attack Drained $8.5 Million from Trust Wallet Users

31 December 2025 at 15:15


Trust Wallet users had $8.5 million in crypto assets stolen in a cyberattack linked to the second wave of the Shai-Hulud npm supply chain attack. In a lengthy analysis of the attack, Trust Wallet said attackers used the Shai-Hulud attack to access Trust Wallet’s browser extension source code and Chrome Web Store API key. “Using that access, they were able to prepare a tampered version of the extension with a backdoor designed to collect users’ sensitive wallet data [and] releasing the malicious version to the Chrome Web Store using the leaked (CWS) API key,” the crypto wallet company said. So far Trust Wallet has identified 2,520 wallet addresses affected by the incident and drained by the attackers, totaling approximately $8.5 million in assets. The company said it “has decided to voluntarily reimburse the affected users.” News of the successful attack comes amid reports that threat actors are actively preparing for a third wave of Shai-Hulud attacks.

Trust Wallet Shai-Hulud Attack Detailed

Trust Wallet said “an unauthorized and malicious version” of its Browser Extension (version 2.68) was published to the Chrome Web Store on December 24, “outside of our standard release process (without mandatory review). This version contained malicious code that, when loaded, allowed the attacker to access sensitive wallet data and execute transactions without authorization.”

The $8.5 million in assets were associated with 17 wallet addresses controlled by the attacker, but Trust Wallet said the attacker addresses “also drained wallet addresses NOT associated with Trust Wallet and this incident. We are actively tracking other wallet addresses that may have been impacted and will release updated numbers once we have confirmation.”

The incident affects only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period of December 24-26. It does not affect mobile app users, users of other Browser Extension versions, or Browser Extension v2.68 users who opened and logged in after December 26 at 11:00 UTC. “If you have received an app push via the Trust Wallet mobile app or you see a security incident banner on your Trust Wallet Browser Extension, you may still be using the compromised wallets,” the company said.

Browser Extension v2.68 users who logged into their wallets during the affected period were advised to transfer their funds from any at-risk wallets to a newly created wallet following the company’s instructions and to submit reimbursement claims at https://be-support.trustwallet.com.

White Hat Researchers Limited Damage with DDoS Attacks

The dramatic Trust Wallet attack was met by an equally dramatic response from white hat security researchers, who launched DDoS attacks on the attacker to limit damage, as detailed in the company’s update.

Trust Wallet’s Developer GitHub secrets were exposed in the November second-wave attack, which gave the attacker access to the browser extension source code and the API key, allowing builds to be uploaded directly without Trust Wallet's internal approval and manual review. The attacker registered the domain metrics-trustwallet.com “with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” the company said.

The attacker prepared and uploaded a tampered version of the browser extension using the codebase of an earlier version that they had accessed through the exposed developer GitHub secrets. The attacker published version 2.68 on the Chrome Web Store for review using the leaked CWS key, “and the malicious version was released automatically upon passing Chrome Web Store review approval,” Trust Wallet said.

On December 25, the first wallet-draining activity was publicly reported, when 0xAkinator and ZachXBT flagged the issues and identified the attacker's wallet addresses, and partner Hashdit and internal systems “notified us with multiple suspicious alerts.” “White-hat researchers initiated DDoS attacks in an attempt to temporarily disable the attacker's malicious domain, api.metrics-trustwallet.com, helping to minimize further victims,” Trust Wallet said. The company rolled back to a verified clean version (2.67, released as 2.69) and issued urgent upgrade instructions.

New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer

3 December 2025 at 16:56


Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said.

The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said.

After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination. “A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said.

At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis.

“Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count.

The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).
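The masquerading described above (a bot renamed to systemd-logind, a miner dropped as /tmp/.dbus-daemon, and no on-disk miner config) leaves one thing it cannot hide on a live Linux host: /proc/<pid>/exe still points at the binary actually mapped into the process. The following host check is an added example, not Cyble's code or tooling; it compares each process's visible name with its real executable path and runs here against constructed sample records. The "expected" daemon paths, the sample pids and the /tmp location of the bot binary are assumptions.

```python
"""Flag Linux processes masquerading as system daemons (added example).

Per process it checks: the name `ps` shows (/proc/<pid>/comm) against the
real binary (/proc/<pid>/exe), whether that binary runs from a temp
directory, and whether it was deleted after launch. Daemon names come from
the Cyble write-up; the expected paths assume a Debian-style layout.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Where the genuine daemons live on a typical Debian/Ubuntu host (assumed).
EXPECTED_EXE = {
    "systemd-logind": {"/usr/lib/systemd/systemd-logind",
                       "/lib/systemd/systemd-logind"},
    "dbus-daemon": {"/usr/bin/dbus-daemon"},
}
# A real daemon never executes from these world-writable locations.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm: the name prctl(PR_SET_NAME) can rewrite
    exe: str   # readlink of /proc/<pid>/exe: the binary actually mapped


def classify(p: Proc) -> list[str]:
    """Return indicator labels for one process; an empty list means clean."""
    hits: list[str] = []
    name = p.comm.lstrip(".")  # the miner runs as ".dbus-daemon"
    if p.exe.endswith(" (deleted)"):
        hits.append("exe-deleted")  # binary unlinked after exec
    if p.exe.startswith(SUSPICIOUS_DIRS):
        hits.append("exe-in-tmp")
    if name in EXPECTED_EXE and p.exe not in EXPECTED_EXE[name]:
        hits.append("name-path-mismatch")  # borrowed daemon name
    return hits


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> indicators for every process that raised at least one."""
    report: dict[int, list[str]] = {}
    for p in procs:
        hits = classify(p)
        if hits:
            report[p.pid] = hits
    return report


def read_procfs() -> list[Proc]:
    """Collect live process records from /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel thread, permission denied, or process exited
        procs.append(Proc(int(entry), comm, exe))
    return procs


# Constructed sample: one clean logind, one renamed bot, one hidden miner.
SAMPLE = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "systemd-logind", "/usr/lib/systemd/systemd-logind"),
    Proc(4711, "systemd-logind", "/tmp/Mddos.x86_64 (deleted)"),
    Proc(4720, ".dbus-daemon", "/tmp/.dbus-daemon"),
]

if __name__ == "__main__":
    live = read_procfs() if os.path.isdir("/proc") else SAMPLE
    for pid, hits in scan(live).items():
        print(pid, ", ".join(hits))
```

Run as root on a Linux host to read every process's exe link; unprivileged runs silently skip processes owned by other users.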

Cryptocurrency Mixing Service, Millions in Bitcoin Seized by Law Enforcement

1 December 2025 at 14:38


European law enforcement agencies have taken down an illegal cryptocurrency mixing service that they say has been used to facilitate cybercrime and money laundering. The operation to take down the cryptocurrency mixing service ‘Cryptomixer’ was conducted between November 24 and 28 and was announced today by Europol, which assisted Swiss and German law enforcement agencies in the action. The operation resulted in the seizure of three servers in Switzerland, 12 terabytes of data, €25 million in Bitcoin, and the cryptomixer[.]io domain. Law enforcement placed a seizure banner on the website after the takeover. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges,” Europol said. “This allows ‘cleaned’ cryptocurrency to be exchanged for other cryptocurrencies or for FIAT currency through cash machines or bank accounts.”

Cryptocurrency Mixing ‘A Service to Obfuscate the Origin of Criminal Funds’

Europol called Cryptomixer “A service to obfuscate the origin of criminal funds.” “Cryptomixer was a hybrid mixing service accessible via both the clear web and the dark web,” the European law enforcement agency stated. “It facilitated the obfuscation of criminal funds for ransomware groups, underground economy forums and dark web markets. Its software blocked the traceability of funds on the blockchain, making it the platform of choice for cybercriminals seeking to launder illegal proceeds from a variety of criminal activities, such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.” Since its launch in 2016, Europol says that more than €1.3 billion in Bitcoin were mixed through the service. Deposited funds from users were pooled “for a long and randomised period” before they were redistributed to their destination addresses. “As many digital currencies provide a public ledger of all transactions, mixing services make it difficult to trace specific coins, thus concealing the origin of cryptocurrency,” the agency said.

Action Follows ChipMixer Takedown in 2023

Europol was also involved in the multi-national takedown of the crypto mixing service “ChipMixer” in 2023, an operation that involved four European countries and the U.S. ChipMixer was considered the largest mixing service of its time, and was suspected to have facilitated the laundering of 152,000 Bitcoins, worth an estimated €2.73 billion at the time. The joint law enforcement operations in both cases were part of EMPACT, the European Multidisciplinary Platform Against Criminal Threats, which aims to address the most important threats posed by organized and international crime affecting the EU.

U.S. Sentences Samourai Wallet Founders for $237M Crypto Money Laundering Scheme

21 November 2025 at 02:57


The U.S. Justice Department has announced the sentencing of Samourai Wallet’s two co-founders for their role in knowingly transmitting more than $237 million in criminal proceeds through the cryptocurrency-mixing platform. Authorities say the platform’s design enabled users to mask the origin of funds tied to drug trafficking, darknet marketplaces, cyber intrusions, fraud schemes, sanctioned jurisdictions, murder-for-hire operations, and child exploitation sites. Nicolas Roos, Attorney for the United States acting under 28 U.S.C. § 515, said the outcomes “send a clear message that laundering known criminal proceeds—regardless of whether the funds are in fiat or cryptocurrency—will face serious consequences.”

Five- and Four-Year Prison Terms

U.S. District Judge Denise L. Cote sentenced CEO Keonne Rodriguez to five years in prison on August 6, 2025, and CTO William Lonergan Hill to four years on November 19, 2025. Both were convicted of participating in a conspiracy to operate an unlicensed money-transmitting business that knowingly processed criminal proceeds. In addition to prison time, each will serve three years of supervised release and pay a $250,000 fine. They have jointly forfeited more than $6.3 million, representing the fees Samourai earned through the illicit transactions.

How Samourai Wallet Enabled Large-Scale Laundering

According to court documents, Rodriguez and Hill began building Samourai Wallet in 2015 with features designed to hide transaction origins. Two core services—Whirlpool and Ricochet—played a central role:
  • Whirlpool mixed Bitcoin among batches of users, obscuring transaction histories and preventing investigators and exchanges from tracing the original source.
  • Ricochet added intentional “hops” between sending and receiving addresses, complicating blockchain analysis and further distancing funds from their origins.
Between Ricochet’s launch in 2017 and Whirlpool’s expansion in 2019, more than 80,000 Bitcoin—valued at over $2 billion at the time—moved through Samourai’s infrastructure. Prosecutors emphasized that the volume of transactions showed how deeply the platform was embedded in criminal financial flows.

Promotion to Criminal Users

Evidence presented in court showed that both co-founders actively encouraged use of Samourai Wallet on darknet forums, encrypted channels, and social media. Hill allegedly promoted Whirlpool on Dread, a marketplace forum, positioning it as a superior method to “clean dirty BTC.” Rodriguez, in a separate 2020 exchange, urged hackers involved in a major social media breach to route their stolen funds through Samourai. In private WhatsApp messages, Rodriguez reportedly described mixing as “money laundering for bitcoin.” Samourai’s own internal marketing material classified its target users as “Dark/Grey Market participants.”

Global Investigation and International Support

The investigation involved multiple international partners, including Europol, the Portuguese Judicial Police, and the Department of Justice’s Office of International Affairs. Hill was arrested in Portugal and extradited in July 2024. Rodriguez was taken into custody in the United States. The FBI, IRS-Criminal Investigation, and several European agencies contributed to evidence collection, digital forensics, and cross-border coordination.