DarknetDir DarknetDirVerified Tor Markets
Home Guides Avoid fake Tor market mirrors, 2026 checklist

Avoid fake Tor market mirrors, 2026 checklist

A phishing clone looks pixel-identical to the real login. It has to. The tells are almost never visual. This is the checklist that catches them anyway.

Compare the whole address, not the beginning

Every fake Nexus URL starts with the letters nexus. Every fake TorZon URL starts with torzon. Generating a matching prefix that long takes a few hours of GPU work. Matching all 56 characters would take centuries, which is why you compare the full string letter by letter against a source you trust.

Read the captcha

The captcha image on a real market login carries the current onion address in its bottom line. That image is generated on the operator's server and cannot be faked without the operator private key. If the address inside the picture does not match your URL bar, close the tab.

Confirm the anti-DDoS queue

Serious markets sit behind a wait page. It shows a rolling position counter and takes between ten seconds and two minutes to clear. Phishing operators skip it because building one is expensive. Mirrors that go straight to the login with no queue are almost always fake. Mirrors that show an obviously fake countdown clearing in exactly one second every time are also fake.

Verify PGP rotations

Every serious market signs its mirror rotations with the same private key. Verify the signature once per rotation and you can trust any URL that came out of the signed announcement. The workflow lives on the PGP verification guide.

Bookmarks go stale

The other common way to get phished is by clicking an old bookmark. You saved a URL in March. It rotated in May. Someone bought the retired address in July and put a clone behind it. You are still clicking your March bookmark in September. Every session, glance at the address bar and verify against the current signed rotation. Two seconds. Habit that saves accounts.

Search results are dangerous

Fresh directories ranking well for market queries are almost always affiliate operations routing clicks to phishing. Reliable directories are the ones that have been publishing the same primary onion the market itself signs, for months. This one is one of them. Trusted forum announcements on Dread are another.

When in doubt

Close the tab. Open Tor Browser New Identity. Go to a source you already trust for the current URL. Verify the PGP signature. Copy the URL from there. Paste into a fresh tab. If it looks like what you closed a minute ago, you were fine. If it looks slightly different, you just dodged a phishing page. Nobody has ever regretted checking one extra time.

← All guides