Rui‑Siang Lin indictment, exactly how he was caught

Checked on January 25, 2026

Executive summary

Rui‑Siang Lin, the accused operator of the dark‑web Incognito Market, was identified and arrested after a multi‑agency probe that combined traditional investigative work with cryptocurrency tracing and a series of operational mistakes by the market’s administrator, including a key email and exchange records that tied the alias “Pharoah” to Lin. He was taken into custody while transiting through JFK Airport and later pled guilty in federal court [1] [2] [3]. Public filings and reporting show investigators exploited both technical traces in crypto flows and human errors in Lin’s operational security to build the case that led to his detention and guilty plea [4] [5].

1. The arrest at JFK — how and when law enforcement moved

U.S. authorities arrested Lin as he transited John F. Kennedy International Airport on May 18, presenting him in Manhattan federal court days later, a move confirmed in Department of Justice and FBI statements that framed the arrest as the culmination of a long HSI/FBI investigation into Incognito Market [1] [3].

2. The trail from dark‑web nickname to a real person — the critical links

According to unsealed court materials and press releases, investigators ultimately linked the administrator account “Pharoah” to Lin by piecing together multiple leads: internal marketplace files and operational evidence, a hand‑drawn marketplace workflow diagram that originated from Lin’s personal email, and cryptocurrency exchange Know‑Your‑Customer (KYC) records that investigators compelled to identify account holders. The confluence of those elements produced the identification law enforcement used to charge him [2] [5] [4].

3. Cryptocurrency forensics and the “bank” for dealers

Reporting and DOJ statements say Incognito operators instituted a 5% commission and maintained internal escrow‑style ledgers. FBI and HSI agents used blockchain analytics and compelled exchange cooperation to follow funds, which investigators allege showed Lin received millions in proceeds. The exchange KYC was a decisive link from on‑chain addresses to a real name [6] [4] [7].

4. Operational mistakes and the “simple” piece of evidence

Several outlets and the indictment emphasize that a seemingly mundane mistake, a diagram of how the marketplace would operate emailed from Lin’s personal account, served as a blunt identifying artifact against him. It was a human‑error counterpoint to sophisticated blockchain tracing, and the two together “put the final nail in the coffin,” according to cybersecurity reporting [5] [4].

5. Marketplace behavior that drew attention — closure, extortion and exit drama

Incognito’s abrupt March closure and alleged extortion of vendors and customers triggered additional scrutiny and complaints that, in combination with undercover purchases and seized server data, fed investigative leads; unsealed filings cite site screenshots, splash pages, and internal communications used as evidence of operator control [8] [2].

6. Prosecution, plea and open questions left in public reporting

Lin later pleaded guilty to narcotics conspiracy, money laundering, and conspiracy to sell adulterated and misbranded medication, per the U.S. Attorney’s Office. Those pleas and subsequent reporting outline the charges and potential penalties, but publicly available press materials summarize some forensic details, such as the exact technical methods used to map every crypto movement or the full content of discovery, rather than disclosing them exhaustively [2] [9].

7. Competing narratives and reporting caveats

While U.S. authorities emphasize a combination of blockchain tracing and a hand‑drawn diagram tied to Lin’s email as the decisive proof, third‑party explainers and blog posts differ in emphasis: some foreground the forced KYC from a single exchange, others spotlight human error. The public record available through press releases and news stories does not release every investigatory detail, so some aspects of the chain of custody and forensic methodology remain described only at a high level in those sources [4] [5] [6].
