How to access a Tor market safely in 2026
The whole flow, from a blank machine to a working market account. Twelve minutes for a first-time setup, two minutes for every visit after.
Install Tor Browser from the real source
Download only from torproject.org or its onion at 2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion. Any other download page is either a mirror you cannot verify or a booby-trapped copy. The Tor Project explains signature verification on the download page and it is worth doing once.
Set the security level to Safer or Safest
Click the shield icon next to the address bar and move the slider up. Safer disables JavaScript on plain HTTP sites. Safest disables it everywhere. Every market on this directory works fine on Safest because their logins use plain HTML forms.
Never resize the browser window
Tor Browser opens at a fixed size on purpose so every user looks the same to a fingerprinting site. If you resize, you become unique across pages. If you accidentally maximize, close and reopen the window.
Paste a verified onion address, do not click one
Copy the primary onion from a market page on this directory or from a source you already trust. Paste into Tor Browser. Do not follow a Tor link from a search result, a random forum comment or a Telegram screenshot. That is where every phishing operation lives.
Wait through the anti-DDoS queue
The first screen every market shows is a queue with a rolling counter. Wait. This is what proves your Tor circuit is real. Queue times swing between ten seconds on a quiet day and a couple of minutes during a spike. If the queue clears instantly on every attempt, that mirror is fake.
Read the captcha before you type
Every real market prints the current onion address inside the login captcha image. While you look at the puzzle, glance at the small text along the bottom. Compare it to the URL in your address bar. If they differ, close the tab. You are on a phishing clone.
Register with a fresh username
Do not reuse a username from another market or forum. Pick a passphrase you can remember without writing down. Save the recovery details offline on paper or an encrypted USB. Never in a cloud password manager.
Set up PGP before the first order
Paste your PGP public key into the profile section. Enable PGP-based 2FA in settings. This is what protects the account when your password leaks. Also learn to encrypt shipping addresses against a vendor's key so the market operator never sees plaintext.
Deposit small first
Send a small amount, watch it confirm, place a small order. Learn the flow with an amount you would not mind losing. Full-scale orders come after you trust both the market and the vendor.
What to skip
- Browser extensions on Tor Browser (they break the fingerprint model)
- VPN plus Tor when you do not know exactly what that stack does to your latency and DNS
- Downloads that require executing anything outside Tor Browser
- Any market or mirror URL somebody DMed you