Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”

For the second time in only four months, all is not well on the ALPHV (aka BlackCat) ransomware gang’s dark web site. Gone are the lists of compromised victims. In their place, a veritable garden of law enforcement badges has sprouted beneath the ominous message “THIS WEBSITE HAS BEEN SEIZED.”

So far, so FBI, but all is not what it seems.

ALPHV is arguably the second most dangerous ransomware group in the world. It sells Ransomware-as-a-Service (RaaS) to criminal affiliates who pay for its ransomware with a share of the ransoms they extract.

When a task force of international law enforcement agencies score a hit on a target this big, they tend to make a bit of a song and dance about it. At a minimum, there are announcements. Last time the FBI disrupted ALPHV with an unscheduled home page redecoration in December, the law enforcement agency was very happy to tell everyone.

When the UK’s National Crime Agency (NCA) took a slice out of the LockBit gang last month it didn’t just tell everyone in a press release, it celebrated with a week-long fiesta of premium-grade trolling on LockBit’s own website.

They have every reason to celebrate their success, but this takedown—if that’s what it really is—has been greeted with nothing but silence from law enforcement.

In fact, ransomware experts have weighed in with an alternative explanation: ALPHV has recycled the takedown banner provided by law enforcement in December, and staged a fake takedown to cover its tracks while it runs off with its affiliates’ money.

The story starts on February 21, 2024, when an ALPHV affiliate attacked Change Healthcare, one of the largest healthcare technology companies in the USA. The attack has caused enormous disruption and been described by the American Hospital Association (AHA) President and CEO Rick Pollack as “the most significant and consequential incident of its kind against the US health care system in history.”

On March 3, a user on the RAMP dark web forum claimed they were the affiliate behind the Change Healthcare attack. They alleged that two days earlier Change Healthcare had paid ALPHV $22 million—backing up their claim with a link to a Bitcoin wallet that shows a 350 bitcoin transfer on March 1—and that ALPHV then suspended their account.

VX Underground reported that a day later, other ALPHV affiliates were also locked out of their accounts, while ALPHV issued an “ambiguous” message seemingly pointing the finger at the FBI for…something, before putting the source code to its ransomware up for sale for $5 million.

The final act in this entirely unconvincing drama was the appearance of a “THIS WEBSITE HAS BEEN SEIZED” banner on the ALPHV dark web site. Not only was the banner identical to the one used by law enforcement in December, it appeared to have been lazily copied from the compromised site.

The giveaway, spotted by ransomware researcher Fabian Wosar, was the URL of the takedown image, which was being kept in a directory called THIS WEBSITE HAS BEEN SEIZED_files.

“An image URL like this is what Firefox and the Tor Browser create when you use the ‘Save page as’ function to save a copy of a website to disk,” he pointed out.

Of course, it’s not impossible that law enforcement would do this, but it’s a far cry from the no-stone-left-unturned effort of the recent LockBit takedown. Unconvinced, Wosar took to X (formerly Twitter) to say he’d reached out to contacts at Europol and the NCA, and they declined “any sort of involvement”.

It’s the second reminder in under a month, following revelations that the LockBit gang didn’t delete its victims’ stolen data when they were paid a ransom, that you just can’t trust criminals.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.