Phishing is one of the most prevalent threats on the darknet. Malicious actors create convincing copies of legitimate marketplaces to steal login credentials, cryptocurrency, and shipping addresses. This guide teaches you to identify and avoid them.
⚠ Critical Reminder: The only verified source for Nexus Onion links is the enter page on this domain — signed with the official PGP key. Never use .onion links from Reddit, Telegram, forum posts, or other third-party sources. Every link must be PGP-verified.
Darknet phishing is the creation of a fake, lookalike version of a legitimate marketplace's .onion site. These clones are designed to be visually identical to the real platform — same logo, same layout, same page structure. The goal is to capture your login credentials, or worse, to intercept your cryptocurrency deposit addresses with addresses controlled by the attacker.
Because .onion v3 addresses are 56 characters of random-looking text, users cannot reliably memorise them or spot small differences at a glance. This makes darknet phishing particularly effective compared to clearnet phishing, where a domain like "paypa1.com" vs "paypal.com" is more immediately suspicious.
Documented cases of marketplace phishing include: fake Silk Road mirrors (2012-2013), DarkMarket clones (2019), and numerous fake AlphaBay links circulating after its takedown and re-launch. In each case, thousands of dollars worth of cryptocurrency was stolen from unsuspecting users.
Before entering any credentials, compare the full .onion URL in your Tor Browser address bar character-by-character against the verified URL from this page's access page. Even a single character difference indicates a different site. Bookmark verified addresses from a known-good source — do not rely on memory.
The strongest verification method. Any legitimate announcement from a marketplace, including link updates, must be signed with the market's official PGP key. The process:
gpg --import market_key.ascgpg --verify message.txt.ascTor Browser does not show traditional SSL certificates for .onion sites, but watch for unusual security warnings or certificate prompts that you haven't seen on previous visits. These can indicate a MITM (man-in-the-middle) setup.
On any marketplace, always verify that the deposit address shown in your account was generated by the platform — not replaced by an attacker's address. On phishing sites, all deposit addresses belong to the attacker. If the address looks different from previous deposits or doesn't match the pattern, do not send funds.
Legitimate darknet marketplaces function fully with JavaScript disabled (Tor Browser "Safest" setting). If a site requires JavaScript to function, displays blank pages with JS disabled, or prompts you to enable JS, treat it as highly suspicious.
For any clearnet sites claiming to list darknet resources, verify HTTPS certificates. A site without HTTPS claiming to list verified .onion links is itself suspicious and may serve malicious content.
Attacker creates a clone of the marketplace with a slightly different .onion address. Distributes links via forums, Reddit, and Telegram claiming they are "updated mirrors." Users who bookmark these links unknowingly return to the fake site on future visits.
Malware on a user's system monitors the clipboard. When a cryptocurrency address is copied, it is silently replaced with the attacker's address. Always verify the first and last 6 characters of an address after pasting — ideally on a malware-free system.
Malicious Tor exit nodes intercept clearnet traffic and inject malicious redirects or content. This affects clearnet browsing through Tor — not .onion sites, which never leave the Tor network. Always use .onion addresses rather than clearnet proxies for marketplace access.
Fake "admin" accounts on forums and Telegram channels post updates claiming the market has moved to a new address, or offer "support" requiring you to share credentials. Legitimate market admins never ask for passwords or private keys. All communications use PGP-signed messages.
Fake clearnet sites (like "nexus1onion.net" vs "nexus1onion.com") list phishing .onion addresses to intercept users searching for the legitimate resource. Always verify you are on the exact domain in your address bar.
Subreddits, paste sites, and forum posts claiming to maintain "updated link lists" frequently serve phishing addresses mixed with legitimate ones. Community-maintained lists have no verification mechanism. Use only PGP-verified official sources.
Ready to access the marketplace? Use only the verified links on our secure access page.
View Verified Links — PGP Confirmed →