This is the February 2026 security bulletin from the Nexus platform security team. The bulletin covers threat intelligence gathered since the January bulletin, new platform hardening measures implemented in response to observed threats, and recommended user actions. Security bulletins are published monthly and PGP-signed by the platform's official key. Users should verify the signature before acting on any advisory content.
Threat Intelligence: Active Phishing Campaigns
The security team has identified two active phishing campaigns targeting Nexus users this month. The first involves a network of .onion sites with addresses constructed to visually resemble the first 8 characters of the three official Nexus mirror addresses. These sites serve a login form identical to the authentic platform. The user-facing indicator of compromise is subtle: the page loads slightly faster than the real platform (no Tor rendezvous overhead because the fake site has lighter infrastructure), and the onion certificate shown in Tor Browser's address bar -- if examined carefully -- does not match the official addresses.
The second campaign is operating through a Dread forum account impersonating a known community member, posting "updated mirror lists" that include the phishing addresses alongside legitimate ones. The inclusion of legitimate addresses is deliberate: it creates plausibility and makes users less likely to question the complete list. Any mirror address sourced from any channel other than the official PGP-signed announcement on the Enter Marketplace page should be treated as potentially compromised.
Platform Hardening Measures Implemented in February
In response to the identified threats, the following hardening measures have been deployed. The freshness beacon -- a PGP-signed timestamp embedded in the authentic site's HTTP response headers -- has been upgraded to include a hash of the current valid .onion addresses. Users with the technical capability to read HTTP headers can now programmatically verify that the site they are on is serving the correct address hash, which provides a machine-verifiable integrity check without requiring manual PGP verification on every visit. The community blacklist of confirmed phishing .onion addresses has been updated with 11 new entries from February, bringing the cumulative total to 54 confirmed phishing sites tracked since October 2025.
Recommended User Actions This Month
Immediately: delete any .onion bookmarks, retrieve the current mirror list fresh from the Enter Marketplace page, and verify the PGP signature on the mirror announcement before using any address. This month: review your PGP key configuration -- ensure your private key is stored offline, your key's expiration date has not passed, and your account's registered public key is current. If your PGP key has expired or you are uncertain of its status, generate a new keypair and update your account before the expanded PGP verification requirements affect your access. For step-by-step PGP setup, see the enhanced PGP verification guide. For the complete anti-phishing workflow, see money protection and the OPSEC guide.