Security & Verification — questions & answers

Security topic hub. Onion verification, PGP workflow, phishing avoidance, definitions of the protocols underneath.

Security on Tor markets is mostly about avoiding phishing. The biggest share of money lost on darknet markets goes to fake lookalike sites, not exit scams and not seizures. The good news is phishing's the easiest failure mode to defend against — every check is mechanical and takes under a minute. The bad news is almost nobody runs the checks consistently. This topic hub collects the practical workflow: how to verify a mirror announcement, how to verify an onion fingerprint, how to spot a clone before you submit credentials, what to do if you fell for one.

The strong-verification source for any operator-published endpoint is a detached-PGP-signed announcement on the operator's Dread account. Import the operator's public key once, verify signatures forever after. An endpoint surfaced anywhere else — Telegram, Reddit, Twitter, email, chat groups — is not authoritative, regardless of how convincing the channel looks. None of the operators we cover use those channels for endpoint announcements. The two-step is: read the signed announcement, then verify the captcha-embedded fingerprint or page-banner fingerprint on the loaded site against the address you typed. Full 56-character match, no shortcuts.

v3 onion addresses are self-authenticating, in the sense that the 56-character string IS the ed25519 public key of the hidden service, base32-encoded. A Tor client that resolves a v3 address derives the public key from the string and validates the descriptor it gets back. No DNS, no certificate authority, no separate name-to-key binding to attack at the protocol level. The remaining attack surface is at the human layer: typing the wrong address, clicking through to a clone, trusting an unsigned post. All of those are mitigated by mechanical verification against the signed list.

PGP, beyond verifying mirror announcements, is what encrypts shipping addresses to vendors. Every vendor publishes a public key on their profile page. Import it, encrypt the shipping address against that key, paste the encrypted block into the order notes. The operator never sees the plaintext — only the vendor can decrypt it. A vendor who refuses PGP for 'convenience' is choosing not to do business with privacy-conscious buyers, and the right response is to find a different vendor.

5 answered questions

Security & VerificationWhich Tor markets have a French interface?WeTheNorth (WTN) is the bilingual English/French Tor marketplace tracked here. Canadian focus, domestic shipping by default, native French m…Read answer →Security & VerificationHow do I verify a Tor market onion address is genuine?Step-by-step: compare the 56-character v3 fingerprint against a PGP-signed announcement on Dread, check the page banner, never trust partial…Read answer →Security & VerificationHow do I avoid Tor market phishing sites?Most money lost on Tor markets is lost to phishing clones, not exit scams. Concrete checks before logging in: signed announcements, page ban…Read answer →Security & VerificationWhat is a v3 onion address?A v3 .onion address is a 56-character ed25519 public-key identifier for a Tor hidden service. Structure, why partial matches are dangerous, …Read answer →Security & VerificationWhat is PGP and how is it used on Tor markets?PGP / GnuPG on hidden-service commerce: encrypting your shipping address, signing messages, verifying operator mirror announcements. Beginne…Read answer →