Operation RapTor: The Largest Darknet Takedown in History

This week, the U.S. Department of Justice announced the results of Operation RapTor—an unprecedented international crackdown on darknet narcotics trafficking. Led by the Joint Criminal Opioid and Darknet Enforcement (JCODE) team and supported by global law enforcement partners, including Europol, across four continents, the operation resulted in the arrest of 270 individuals involved in darknet drug sales, the seizure of more than $200 million in cash and cryptocurrency, two metric tons of drugs, 144 kilograms of fentanyl, and over 180 firearms.

Described by Attorney General Pam Bondi as a historic blow to the digital drug trade, the operation targeted individuals in the United States, Austria, Brazil, France, Germany, the Netherlands, South Korea, Spain, Switzerland, and the United Kingdom. It marks the most significant JCODE operation to date, building on years of enforcement actions and marketplace takedowns, including Kingdom Market, Tor2Door, Bohemia, and Nemesis.

The Rise and Fall of Incognito Market

One of the most high-profile targets of Operation RapTor—the largest coordinated global crackdown on darknet drug trafficking to date—was Incognito Market, a dark web narcotics marketplace that operated with remarkable scale, anonymity, and apparent impunity. According to TRM Labs, Incognito launched in October 2020 and remained active until March 2024. In that time, it facilitated more than USD 100 million in drug sales, including hundreds of kilograms of cocaine and methamphetamine, alongside heroin, LSD, MDMA, oxycodone, ketamine, and misbranded prescription drugs.

Designed to resemble a legitimate e-commerce platform, Incognito offered a slick user experience with branding, advertising, and customer support. Upon visiting the site via the Tor browser, users were greeted by a graphic interface and prompted to log in with a unique username and password. Inside, buyers could browse thousands of drug listings, many accompanied by reviews and ratings. The platform also featured prescription drug listings falsely marketed as authentic, and some products were outright scams—counterfeit pills advertised as legitimate pharmaceuticals.

Vendors on Incognito paid a registration fee and a 5% commission on every sale. That revenue went to fund the site’s operations, including servers and what the DOJ described as “employee” salaries. All transactions were conducted in cryptocurrency—primarily Bitcoin and Monero—allowing customers and vendors to move funds without using traditional financial rails. Monero’s privacy features in particular obscured sender, receiver, and transaction amounts, posing challenges to investigators tracing flows.

At the center of this sprawling, crypto-powered operation was Rui-Siang Lin, a 23-year-old Taiwanese national who went by the pseudonym “Pharaoh.” According to both TRM Labs and DOJ records, Lin personally oversaw the marketplace’s operations—monitoring vendor activity, managing staff, handling disputes, and reaping the profits. In an extraordinary twist, Lin had previously worked for Taiwan’s Ministry of Foreign Affairs, where he trained law enforcement officials on the very blockchain analytics techniques used to take down platforms like his own.

Lin’s undoing came in May 2024, when he was arrested while transiting through New York’s JFK Airport. He later pleaded guilty to narcotics conspiracy, money laundering, and conspiracy to sell adulterated and misbranded medications in the Southern District of New York.

According to court records and the TRM Labs investigation, the end of Incognito was foreshadowed by chaos. In early 2024, vendors began reporting issues with BTC withdrawals—an ominous sign of what would become a classic darknet "exit scam." In March, a message appeared on Incognito threatening to leak vendor identities and private messages to law enforcement unless paid in cryptocurrency. Though the platform’s administrator later claimed the extortion threat was a “joke,” the damage had been done. Vendor activity dropped off, and law enforcement efforts intensified.

The downfall of Incognito—and its administrator’s ironic expertise in blockchain forensics—underscores the central tension of modern darknet enforcement: even as criminals lean into privacy coins and encrypted infrastructure, their operations inevitably leave a digital footprint. With the right partnerships, tools, and pressure at key chokepoints—such as when crypto is converted into fiat—law enforcement can still follow the money, identify key actors, and dismantle networks once thought untouchable. Incognito Market’s rise and fall is a case study in the evolving arms race between decentralized crime and global digital forensics.

Crypto’s Role and Law Enforcement’s Leverage

Incognito, like other modern darknet platforms, operated entirely on cryptocurrency—primarily Bitcoin and Monero. Buyers and sellers used wallets controlled either directly or through third-party mixers and exchanges. While Monero obscures transaction details, Bitcoin’s traceable blockchain provided law enforcement with critical leads, particularly at the point of off-ramp—when vendors converted crypto into fiat or moved assets through centralized exchanges.

As described by IRS Criminal Investigation Chief Guy Ficco, investigators “cracked the code of so-called ‘safe spaces’” by targeting these friction points.

One particularly revealing moment came in February 2024, when Incognito users reported that BTC withdrawals were disabled—likely part of a deliberate “exit scam.” Lin, or others acting on his behalf, threatened to leak vendor identities to law enforcement unless paid. That extortion threat, combined with increased tracing and investigative pressure, led many users to flee the platform, dramatically reducing deposits and facilitating law enforcement’s final takedown.

From Silk Road to RapTor: The Evolution of Darknet Markets

While this week’s takedown recalls the 2013 shutdown of Silk Road, the evolution of darknet commerce is stark. Silk Road popularized the use of Bitcoin, anonymizing technologies like Tor, and vendor reputation systems. But today’s markets are more fragmented, more resilient, and harder to track.

Vendors now favor Monero for its privacy features. They often sell across multiple markets or operate standalone storefronts via encrypted apps like Telegram and Signal. Operational security has increased, with mandatory PGP encryption, two-factor authentication, and more frequent use of VPNs and anonymization tools.

Perhaps most critically, today’s vendors divide responsibilities. In one example from the DOJ release, three individuals used monikers like “NuveoDelux” and “AllStateRx” to run a counterfeit Adderall ring. One handled pill pressing, another order logistics, and a third crypto wallets—indicating a more enterprise-like structure. Yet, their operations ultimately fell to the same vulnerability Silk Road faced: exposure during cash-out.

The Use of Blockchain Intelligence

Despite advanced obfuscation, blockchain intelligence remains a potent investigative tool. Law enforcement teams leveraged attribution, mixer analysis, and heuristic linking to associate vendor monikers with wallet activity. Once funds touched centralized exchanges—especially those with compliance programs—subpoenas or voluntary disclosures allowed agents to seize assets or identify account holders.

Customers from all over the world used global VASPs to send cryptocurrency to Incognito Market

In the Incognito case, crypto flows revealed how vendors laundered earnings. As DOJ noted, the conspiracy involved laundering darknet proceeds through exchanges and peer-to-peer brokers. TRM has identified structured withdrawals from the market to personal wallets and then to services with less stringent KYC.

Looking Ahead

Operation RapTor’s scale reflects a new era of international coordination. U.S. agencies like the FBI, DEA, IRS-CI, and HSI worked alongside Europol, the U.K.’s NCA, and law enforcement from over a dozen countries. At the same time, financial enforcers like OFAC sanctioned individuals running darknet markets—including Iranian national Behrouz Parsarad of Nemesis—demonstrating how financial tools are being brought into alignment with traditional law enforcement.

Yet the digital nature of these crimes ensures new threats will emerge. Just as Incognito built on the playbook of its predecessors, future markets will learn from RapTor. But with blockchain intelligence advancing and global partnerships strengthening, law enforcement is better positioned than ever to detect, disrupt, and dismantle these operations.
