Dark Web Digest – January 2026 Edition

January 2026 is in the books and honestly, what a month. Law enforcement had themselves a field day. We saw guilty pleas from major darknet marketplace operators, a record prison sentence, a $400 million government forfeiture, and one of the biggest data breaches to ever hit the cybercrime community itself. If you thought the feds were going to slow down in the new year, think again.

Here is your full rundown of everything that went down on the dark web this January.

BreachForums Got Breached and the Irony Is Beautiful

Let’s kick things off with the most ironic story of the month. On January 9th, BreachForums, one of the most well-known hacking forums on the internet, got a taste of its own medicine. Somebody going by the name “James” dumped the forum’s entire user database online for anyone to grab. We’re talking about 324,000 user accounts exposed, including usernames, email addresses, password hashes, and roughly 70,000 public IP addresses.

For context, BreachForums has been THE place where hackers trade stolen data, sell credentials, and offer all sorts of cybercrime services for years. It popped up in 2022 as a replacement for RaidForums after law enforcement shut that one down. Since then, BreachForums has been seized, relaunched, seized again, and relaunched again so many times it’s hard to keep track.

The leaked database was published on a website named after the ShinyHunters extortion gang, though a ShinyHunters representative told BleepingComputer they weren’t affiliated with the site. Along with the database, “James” also dropped the forum’s PGP private key and published a weird, rambling manifesto calling out specific people in the cybercrime world by name.

The current BreachForums admin, who goes by “N/A,” tried to play it cool. They posted a message claiming the leaked data was old and came from a backup that was briefly stored in an unsecured folder during a site restoration back in August 2025. They said it was only downloaded once. Make of that what you will.

Cybersecurity firm Resecurity analyzed the dump and confirmed many of the records are authentic and can be cross-referenced with other intelligence sources. For law enforcement agencies around the world, this is basically a Christmas gift that arrived two weeks late. Have I Been Pwned added the breach to their database on January 10th.

The whole thing has made trust issues on the dark web even worse. A lot of people in that scene already suspected BreachForums was a honeypot run by law enforcement, and this incident does absolutely nothing to put those fears to rest. Whether you’re a researcher or just someone following this world, the takeaway is clear: anonymity on the dark web is way more fragile than most people assume.

Google Killed Its Dark Web Monitoring Tool

On January 15th, Google officially stopped scanning the dark web for your personal data. Their free “Dark Web Report” feature, which monitored breach dumps and dark web marketplaces for your email address, phone number, or Social Security number, went dark for good.

Google first launched this tool back in March 2023, initially only for Google One subscribers. By July 2024, they had rolled it out to everyone with a Google account. But apparently it wasn’t doing enough to actually help people. In an email sent to users in mid-December, Google said feedback showed the tool “didn’t provide helpful next steps.” So instead of fixing it, they just pulled the plug.

The scanning stopped on January 15th and the entire tool gets removed on February 16th, 2026, at which point all your monitoring data gets permanently deleted. If you had a monitoring profile set up and want to remove it early, you can do that through your Google account settings.

Google’s advice? Use their other security tools instead. Things like Security Checkups, Passkeys, two-step verification, and their “Results about you” feature that helps you find and remove personal info from Google Search results. That’s nice and all, but losing a dedicated dark web scanner still stings. BleepingComputer covered the shutdown in detail if you want the full story.

For anyone who was relying on this service, there are alternatives out there. Have I Been Pwned still does a solid job of alerting you when your email shows up in data breaches. But for a company the size of Google to just walk away from dark web monitoring entirely? It feels like a step backward.

Under Armour’s 72 Million Customer Records Hit the Dark Web

Sportswear giant Under Armour had a really rough January. Back in November 2025, the Everest ransomware group claimed they’d broken into Under Armour’s systems and grabbed 343 gigabytes of data. They posted the company on their leak site and gave them a deadline to pay up. Under Armour apparently didn’t bite.

So in January 2026, Everest followed through on their threat and dumped the stolen data. According to Have I Been Pwned, the dataset contains 72.7 million unique email addresses along with names, dates of birth, genders, geographic locations, and purchase histories. That’s a massive amount of personal information floating around the dark web now. The data quickly spread across multiple hacker forums and leak sites after the initial dump.

Under Armour has been playing things close to the chest. They confirmed they were investigating but said they found “no evidence” that passwords, payment systems, or their main UA.com site were affected. Not exactly reassuring when your name, birthday, and shopping habits are sitting in a database that any script kiddie can download.

This isn’t even Under Armour’s first rodeo. Back in 2018, they had a breach that exposed 150 million MyFitnessPal accounts. Two breaches affecting tens of millions of customers does not look good. Class action lawsuits have already been filed in federal courts in Maryland and Texas, with customers alleging negligence and failure to safeguard personal information. Malwarebytes published a detailed breakdown of the whole situation.

The Everest ransomware group, for those not familiar, is a Russian-speaking operation that’s been active since late 2020. They’ve got a hybrid model going where they use ransomware, sell initial access to other hackers, and even run an insider recruitment program where they pay company employees for access to corporate networks. They’ve claimed hits on McDonald’s India, Chrysler, Asus, and a bunch of other big names. These guys aren’t messing around.

Empire Market Co-Creator Pleaded Guilty to $430 Million Drug Conspiracy

Raheim Hamilton, a 30-year-old from Suffolk, Virginia, pleaded guilty on January 26th to federal drug conspiracy charges for his role in running Empire Market, one of the biggest dark web marketplaces of its time. This was a long time coming.

Empire Market operated from 2018 to 2020 and handled over 4 million transactions worth more than $430 million. The site sold everything from drugs and stolen credentials to counterfeit currency and hacking tools. But drug sales were the main event, accounting for nearly $375 million of total revenue. At its peak in August 2020, the marketplace had about 1.68 million registered users, 360,000 buyers, and over 5,000 vendors.

Hamilton ran Empire Market together with Thomas Pavey, a 40-year-old from Florida. The site was basically built as an AlphaBay clone after authorities shut that marketplace down in 2017. It operated exclusively on the Tor network, required all transactions in cryptocurrency, and the operators actively encouraged users to run their coins through mixing and tumbling services to hide the money trail.

Pavey already pleaded guilty to similar charges back in January 2025, so Hamilton’s plea this month closes the book on both operators. As part of his deal, Hamilton agreed to forfeit about 1,230 Bitcoin, 24.4 Ether, and three properties in Virginia. Pavey’s forfeiture includes roughly 1,584 Bitcoin, two boxes of 25-ounce gold bars, three cars, and two Florida properties. BleepingComputer has the full details on the case.

Hamilton faces a mandatory minimum of 10 years in prison and a maximum of life. Sentencing is set for June 17th, 2026. The investigation involved the FBI, U.S. Postal Inspection Service, and Homeland Security Investigations. Authorities had made undercover purchases on the site between 2019 and 2020, buying heroin, meth, and other drugs.

Empire Market famously went dark in August 2020 without warning, and a lot of users at the time suspected it was either a DDoS attack or an exit scam. Now we know the full picture.

Kingdom Market Operator Alan Bill Pleaded Guilty

January was apparently “guilty plea month” because we got another big one. Alan Bill, a 33-year-old Slovakian national, pleaded guilty on January 28th to conspiracy to distribute controlled substances for his role in operating Kingdom Market.

Kingdom Market ran from March 2021 through December 2023 and was a full-service darknet marketplace selling narcotics (including fentanyl and meth), cybercrime tools, fake government IDs, stolen personal info, and more. It supported transactions in Bitcoin, Litecoin, Monero, and Zcash. At the time of its seizure, the marketplace hosted about 42,000 listings with several hundred sellers and tens of thousands of customer accounts.

German authorities, specifically the Federal Criminal Police Office (BKA), seized Kingdom Market’s domains and infrastructure in December 2023. Bill, who operated under the aliases “Vend0r” and “KingdomOfficial,” was arrested that same month at Newark Liberty International Airport. Customs inspectors found two phones, a laptop, a thumb drive, and a cryptocurrency hardware wallet on him.

The investigation kicked off when federal agents started making undercover purchases from Kingdom Market around July 2022. They bought meth, fentanyl, and even a fraudulent U.S. passport that was shipped to Missouri. As part of his plea deal, Bill agreed to forfeit five different types of cryptocurrency from a wallet, plus the Kingdommarket.live and Kingdommarket.so domains. Sentencing is scheduled for May 5th. He faces between 5 and 40 years in prison. The U.S. Attorney’s Office published the full announcement.

Incognito Market Boss Got 30 Years in Prison

This one sent shockwaves through the darknet community. On January 30th, Rui-Siang Lin, the 24-year-old Taiwanese founder of Incognito Market, was sentenced to 30 years in a U.S. federal prison. The judge, Colleen McMahon, described it as “the most serious drug crime I have ever been confronted with in 27.5 years.” That tells you everything you need to know about the scale of this operation.

Lin operated under the alias “Pharaoh” and ran Incognito Market from its launch in October 2020 until it collapsed in March 2024. Over that time, the marketplace facilitated more than $105 million in drug sales through over 640,000 transactions. The site had more than 400,000 buyer accounts and 1,800 vendors selling cocaine, meth, heroin, MDMA, ketamine, LSD, and counterfeit prescription medications. Some of those fake pills turned out to be fentanyl disguised as oxycodone. Prosecutors linked the marketplace to at least one death, a 27-year-old man from Arkansas who overdosed on pills he bought from the site.

The platform had its own internal payment system called “Incognito Bank” where users deposited Bitcoin or Monero. Lin took a 5% cut on every single transaction and personally pocketed over $6 million.

Here’s where the story gets wild. Before his arrest, Lin was living in Saint Lucia, working for Taiwan’s Ministry of Foreign Affairs, and he actually ran a four-day training session for local police on “cybercrime and cryptocurrency.” He even bragged about it on Facebook. All while secretly running one of the world’s biggest drug marketplaces. You really cannot make this stuff up.

Then in March 2024, Lin pulled an exit scam. He shut down Incognito Market without warning, stole at least $1 million in user deposits, and tried to extort vendors by threatening to publish their transaction histories unless they paid fees ranging from $100 to $20,000. He literally posted “YES, THIS IS AN EXTORTION!!!” on the site.

He was eventually arrested at JFK Airport in New York and pleaded guilty in December 2024 to narcotics conspiracy, money laundering, and selling adulterated medication. On top of the 30-year sentence, the court ordered him to forfeit over $105 million. Bitdefender published a great writeup covering the whole case timeline.

This is the second-harshest sentence ever handed down for running a darknet marketplace. Only Ross Ulbricht, the Silk Road founder, got a tougher sentence (life in prison), though he was later pardoned by President Trump in January 2025.

The U.S. Government Seized $400 Million From Helix Crypto Mixer

Closing out the month with another massive enforcement action. On January 29th, the U.S. Department of Justice announced that a federal court had finalized the forfeiture of over $400 million in assets tied to Helix, one of the most widely used cryptocurrency mixing services on the dark web during its heyday.

For those unfamiliar, a crypto mixer (or tumbler) is a service that blends cryptocurrency from multiple users and routes it through a series of transactions to hide where the money came from and where it’s going. Drug dealers and other criminals loved these services because they made Bitcoin transactions much harder to trace. Helix was one of the most popular ones, processing at least 354,468 Bitcoin (worth roughly $300 million at the time) between 2014 and 2017.

Helix was operated by Larry Dean Harmon, who also built Grams, a search engine designed specifically for darknet marketplaces. The genius move here was that Helix had an API that let darknet markets like AlphaBay integrate the mixer directly into their Bitcoin withdrawal systems. That made laundering essentially seamless for drug vendors.

Harmon pleaded guilty to conspiracy to commit money laundering back in August 2021 and was sentenced in November 2024 to 36 months in prison plus supervised release. The $400 million forfeiture, which includes cryptocurrency, real estate, and bank accounts, represents the final legal chapter of this case. A federal judge signed the final forfeiture order on January 21st, officially handing legal ownership of all those assets to the U.S. government.

This case is particularly significant given the ongoing debate about crypto mixers and privacy tools. The DOJ has been cracking down hard on these services. Tornado Cash developer Roman Storm was convicted on money laundering charges last year. And while the Trump administration’s DOJ actually disbanded its dedicated National Cryptocurrency Enforcement Team in 2025, they made it clear that cases involving drug trafficking and terrorism are still fair game. The Helix forfeiture proves they meant it.

What Does All of This Mean Going Forward?

If January 2026 is any indication of what the rest of the year looks like, dark web operators should be seriously nervous. Three separate darknet marketplace cases reached guilty pleas or sentencing in a single month. A $400 million forfeiture was finalized. And the biggest English-language cybercrime forum had its entire user database leaked, potentially giving law enforcement a roadmap to thousands of cybercriminals.

The message from authorities is loud and clear: Tor, encryption, and cryptocurrency are not enough to keep you hidden forever. Blockchain analysis has become incredibly sophisticated, undercover operations are ongoing on every major marketplace, and the international cooperation between agencies is stronger than ever.

For regular internet users, the takeaways are more practical. If you had an Under Armour account, your data is likely out there now. Go check Have I Been Pwned and change your passwords. With Google dropping its dark web monitoring, you’ll need to stay more vigilant about checking for compromised accounts on your own. Use unique passwords for every service, turn on two-factor authentication everywhere you can, and keep an eye on your financial accounts for anything suspicious.

We’ll be back next month with another digest. If January was this wild, February should be interesting. Stay safe out there.

I'm Chester Li, a cybersecurity and cryptography specialist based in Beijing, China with over a decade of experience. I focus on securing digital infrastructures and protecting sensitive information worldwide.
