On March 10th, several days after Incognito Market was assumed to be shut down or no longer be processing transactions, the site posted a message to its homepage that reads as follows:

”Expecting to hear the last of us yet? We got one final little nasty suprise for y’all. We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our “auto-encrypt” functionality. And by the way, your messages and transaction IDs were never actually deleted after the “expiry”…”

”SURPRISE SURPRISE !!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up. We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes… YES, THIS IS AN EXTORTION !!! As for the buyers, we’ll be opening up a whitelist portal for them to remove their records as well in a few weeks.”

”Thank you all for doing business with Incognito Market”

Exit scams are not uncommon on dark web markets, but this one is particularly large and openly threatening compared to most. Incognito Market requires the loading of cryptocurrency to a site-based wallet, which can then be used for in-house transactions only. All cryptocurrency on the site was seized from user’s wallets, estimated to be anywhere from $10 million to $75 million. After seizing the cryptocurrency wallets of all of the marketplace’s users, the site now openly explains that it will publish transactions and chat logs of users who refuse to pay an extortion fee. The fee ranges from $100 to $20,000, a volume based 5 tier buyer/seller classification.

Incognito Market also now has a Payment Status tab, which states ”you can see which vendors care about their customers below.” and lists the some of the market’s largest sellers. Sellers which have allegedly paid the extortion fee to not have their transaction records released are displayed in green, while those who have not yet paid are displayed in red.

Additionally, in a few weeks the site claims it will have a “whitelist portal” which would allow buyers to wipe their transactions and re-encrypt chat records.

Whoever is behind the website must be extremely, extremely confident in their anonymity, already working with government agencies, or both, because a bounty on this person is likely worth millions.

  • SubstantialNothingness [none/use name]@hexbear.net
    cake
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    8 months ago

    Yes, I think we might be missing each other a little bit again, perhaps due to different ideas about how the auto-encryption is operating.

    The correct public and private keys will always be used if the communication is going to work. Auto-PGP would still be using public and private keys for the buyer and the vendor.

    The way I understand it, auto-encryption is a one-sided mechanic: It’s something that the buyer ticks on/off.

    If so then it is designed to interface fine with people using manual PGP, such as vendors.

    If such a system generates the proper keys for the buyer and handles encryption/decryption automatically so that everything always appears to them as plaintext on the frontend (because the system maintains their keys), then it would still be able to serve the vendor a traditional UX that requires manually handling the keys. In this case, the experience of the vendor would be identical regardless of whether the buyer is using auto-encryption or not.

    This would only expose one side of the conversation to the server admins, of course: The messages sent from the vendor to the buyer (because the system only has the buyer’s private key).

    I do not know if this is the way it was actually implemented. However there is discussion on Dread right now that leads me to believe that auto-encryption works somewhat similarly to what I have just described (at least from the vendor’s perspective).

    edit: Looking back, I might have introduced some confusion with this line:

    to identify whether a specific buyer was using their own PGP key or the auto-encryption feature

    It would have been more clear for me to say:

    to identify whether a specific buyer was using their own manually-generated PGP keys or using PGP keys generated for them through the auto-encryption feature.