The Scale of the Phishing Problem
Darknet marketplace phishing is a massive industry. Operators create near-identical clones of popular marketplaces, deploy them at lookalike .onion addresses, and drive traffic through fake forum posts, compromised link aggregator sites, Telegram channels, and even paid clearnet advertising. Victims log in, unknowingly hand over their credentials to attackers, and lose any cryptocurrency held in their account.
Unlike most cybercrime where chargebacks and fraud protection exist, cryptocurrency transactions are irreversible. There is no "contact customer support" option when your funds are stolen via phishing — the loss is permanent and unrecoverable.
The Nexus marketplace has been specifically targeted by phishing operators. Sites with near-identical designs and URLs differing by one character have been documented in circulation. Never trust any address you haven't personally verified through cryptographic means.
How Phishing Sites Work
Lookalike Addresses: Tor v3 addresses are 56 characters long. Attackers create addresses where one or several characters are different from the legitimate address. The difference may be a single letter, a number substitution, or a character swap. Human eyes cannot reliably spot these differences in a 56-character alphanumeric string without careful character-by-character comparison.
Legitimate-Looking Design: Sophisticated phishing operations invest significant effort in cloning the target site's visual design. The page looks identical to the real marketplace. The login form functions normally. The difference: your credentials go to the attacker's database instead of authenticating you to the real platform.
Social Engineering Distribution: Attackers distribute phishing links through: forum accounts with long post history (purchased or compromised), "helpful" posts in darknet-related forums claiming to share "working mirrors," Telegram groups claiming to be official channels, and clearnet sites claiming to aggregate current .onion links.
The Only Safe Verification Method: PGP
The only reliable method to verify an onion address is to authenticate it against a PGP-signed announcement from the platform's confirmed public key. No other method provides cryptographic certainty.
The process:
- Import the platform's verified public key (see our Enter Marketplace page for the Nexus public key)
- Verify the fingerprint matches the published fingerprint
- Obtain a recent, PGP-signed announcement from a verifiable source (official forum thread, signed release post)
- Verify the signature: gpg --verify announcement.txt
- Output must read "Good signature from [Platform Name]"
- The address listed in the verified announcement is the legitimate address
Any address that cannot be authenticated through this process should be treated as potentially fake.
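As an added example (not code from this page or from any platform), the signature step can be tied to the fingerprint checked in the second step by reading gpg's machine-readable status rather than the "Good signature from" text, which only repeats the user ID on whichever key made the signature. PINNED_FPR, IMPOSTOR_FPR and both sample status outputs are constructed placeholders.

```python
import subprocess

# Placeholder fingerprint (constructed); use the one verified against the
# platform's published fingerprint.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signed_by_pinned_key(status_text: str, pinned_fpr: str) -> bool:
    """True only if gpg reports a valid signature whose primary-key
    fingerprint (last field of VALIDSIG) equals pinned_fpr."""
    want = pinned_fpr.replace(" ", "").upper()
    valid = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False
        if parts[1] == "VALIDSIG" and parts[-1].upper() == want:
            valid = True
    return valid

def verify_file(path: str, pinned_fpr: str) -> bool:
    """Run gpg on a signed announcement and apply the check above."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return signed_by_pinned_key(proc.stdout, pinned_fpr)

# Constructed status output in the shape gpg writes to --status-fd.
SAMPLE_GENUINE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Platform\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR
    + " 2024-01-01 1704067200 0 4 0 22 10 01 " + PINNED_FPR + "\n"
)
# Same user ID, different key: gpg still prints "Good signature from ...".
IMPOSTOR_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_IMPOSTOR = SAMPLE_GENUINE.replace(PINNED_FPR, IMPOSTOR_FPR)

if __name__ == "__main__":
    print("genuine :", signed_by_pinned_key(SAMPLE_GENUINE, PINNED_FPR))
    print("impostor:", signed_by_pinned_key(SAMPLE_IMPOSTOR, PINNED_FPR))
```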
Phishing Red Flags
- Address from a forum post by a new or low-reputation account — Attackers create accounts specifically to distribute phishing links
- Site requesting login when you already have a session — Phishing sites sometimes interrupt an active session with a fake re-authentication prompt
- Login page looks slightly different — Different font rendering, slightly different spacing, different captcha style
- Urgent messaging — "The real site is down! Use this emergency mirror!" is a classic phishing vector
- Site found through a search engine — Legitimate darknet markets do not appear in Google, Bing, or DuckDuckGo results. Any result claiming to be a marketplace link is either a clearnet guide site (like this one) or a phishing site
- Links in Telegram groups — The vast majority of "official" darknet market Telegram channels are fake and used to distribute phishing links
- Links embedded in DMs/PMs — Never click unsolicited links even from users you know on darknet forums (accounts can be compromised)
- Site that asks for 2FA code immediately after password — Some phishing sites perform real-time relay attacks, capturing your 2FA code before it expires
Safe Browsing Practices
Bookmark Verified Addresses: Once you've verified an address through PGP, bookmark it immediately in Tor Browser. Always navigate to the marketplace from this bookmark, never from fresh links. Tor Browser bookmarks persist between sessions by default (unlike Tails, where you must save them in Persistent Storage).
Character-by-Character Verification: Before entering any credentials, compare the address bar URL character by character against your verified bookmarked address. On Tor Browser, click the address bar to see the full URL. Count characters, compare groups, look especially for l/1/I and 0/O substitutions.
Verify Regularly: Legitimate marketplace addresses occasionally change (new mirrors, updated v3 addresses). Re-verify your bookmarks against fresh PGP-signed announcements every few weeks, especially after extended time away from the platform.
Never Search for Marketplace Links: Search engines do not index .onion addresses (they require Tor and are not crawled). If a search engine returns a URL claiming to be a marketplace link, it is either a clearnet informational page (like this one) or a phishing site. Never use search engine results as a source of marketplace addresses.
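An added example, not part of the original page, for the character-by-character check described above: it compares a candidate address with the verified bookmark and reports the positions that differ, and it also checks the v3 format (56 characters from a-z and 2-7, version byte, checksum). The sample keys are constructed, and the lookalike shows that a well-formed address can still be the wrong one.

```python
import base64
import hashlib

def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a v3 onion hostname (builds the samples)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def is_wellformed_v3(addr: str) -> bool:
    """True if addr is 56 base32 chars + '.onion', version 3, checksum valid."""
    host = addr.strip().lower()
    if not host.endswith(".onion") or len(host) != 62:
        return False
    try:
        raw = base64.b32decode(host[:56].upper())
    except ValueError:  # characters outside a-z / 2-7, such as 0, 1, 8, 9
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected

def diff_positions(candidate: str, bookmark: str) -> list:
    """1-based positions where candidate differs from the verified bookmark."""
    a, b = candidate.strip().lower(), bookmark.strip().lower()
    diffs = [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        diffs.append(min(len(a), len(b)) + 1)
    return diffs

# Constructed sample keys (arbitrary bytes, not real services).
BOOKMARK = onion_v3_from_pubkey(bytes(range(32)))
# A different key: well-formed address, but not the bookmarked one.
LOOKALIKE = onion_v3_from_pubkey(bytes(range(31)) + b"\x1e")
# A digit that the base32 alphabet never contains.
MANGLED = "1" + BOOKMARK[1:]

if __name__ == "__main__":
    for name, addr in [("bookmark", BOOKMARK), ("lookalike", LOOKALIKE),
                       ("mangled", MANGLED)]:
        print(name, is_wellformed_v3(addr), diff_positions(addr, BOOKMARK))
```

Only an empty result from diff_positions means the address matches the bookmark; a passing format check rules out typos and impossible characters, not a different valid address.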
If You Think You've Been Phished
If you have entered credentials on a site that may be a phishing site:
- Do not deposit any cryptocurrency to the account — If your credentials are captured, any funds you deposit can be stolen immediately
- Change your password on the real marketplace immediately — Navigate to the verified real address and change your password before the attacker does
- Generate new 2FA codes — Reset your 2FA application if the site uses 2FA
- Assume your username is now associated with the phishing operation — Consider creating a new account on the real marketplace
- Report the phishing site — Post details (address, characteristics) in the legitimate marketplace's forum to warn other users
Protecting Your Cryptocurrency
Beyond phishing, protect your cryptocurrency by keeping minimal balances in marketplace accounts. Only deposit what you need for an immediate transaction. Withdraw cryptocurrency to your personal wallet after transaction completion. An attacker who compromises your marketplace account can only steal the balance held at that moment.
Use multi-signature escrow whenever available (the Nexus marketplace supports this for XMR) — multi-sig escrow means the platform never has unilateral control of your funds, limiting loss potential if the platform itself is compromised or performs an exit scam.