Nexus Website — Phishing Safety Guide

Why Are Phishing Attacks So Common on Darknet Markets?

The Nexus Website documents phishing as the most prevalent attack vector targeting darknet marketplace users. Unlike traditional web phishing, darknet market phishing exploits the difficulty of verifying .onion addresses — 56-character strings that look identical to casual inspection unless compared character by character.

Phishing operators invest significant resources into replicating the visual interface of legitimate markets. A convincing fake mirror captures credentials and cryptocurrency deposit addresses. The victim deposits funds to the attacker's wallet without realising they were never on the legitimate platform.

Documented Phishing Vectors

  • Forum posts — Fake mirror links posted in darknet forums and Reddit, often by newly created accounts
  • Counterfeit information sites — Sites mimicking legitimate information pages like this one, with substituted .onion addresses
  • Social media — Twitter/X accounts impersonating official market accounts
  • Search engine results — Phishing sites that appear in Tor Browser's DuckDuckGo results for market search queries
  • Exit node injection — Malicious Tor exit nodes modifying HTTP content (only relevant for clearnet sites)
  • Referral spam — Messages on encrypted messenger platforms advertising "exclusive access" links

How to Verify Nexus Verified Addresses Are Legitimate

Method 1: PGP Signature Verification

The most reliable verification method is PGP signature verification. The Nexus platform publishes new mirror addresses in a PGP-signed text file. This signed file can only be verified against the platform's known public key — a file cryptographically signed with a different key will fail verification.

  • Import the Nexus PGP public key from the connect page
  • Download the signed address file from a trusted source
  • Run: gpg --verify nexus-mirrors.txt.asc
  • A "Good signature" result confirms authenticity
  • A "Bad signature" result means the file was modified or signed with a different key — do not use the addresses

Method 2: Character-by-Character Comparison

  • Open the official address from this site's verified links page
  • Compare every character of the .onion address before entering credentials
  • v3 .onion addresses are 56 characters — a single character difference means a different site
  • Pay particular attention to characters that look similar: l/I, 0/O, rn/m

Method 3: Bookmark Verified Addresses

The simplest operational practice is to bookmark verified addresses in Tor Browser immediately after verifying them through PGP. Never navigate to darknet market addresses by typing or searching — always use your bookmarked, verified address.

Signs You May Be on a Phishing Site

  • The login page accepts any password without error — phishing sites harvest all credentials
  • The site loads significantly faster than usual — legitimate markets have Tor overhead
  • Deposit addresses cannot be verified by the platform's own address verification feature
  • The .onion address in your browser bar does not match the verified list exactly
  • The site prompts for unusual verification steps not present on the legitimate platform
  • HTTPS certificate errors — legitimate .onion sites use HTTPS; errors signal potential MITM

Browser Security Settings to Prevent Phishing Exploitation

Tor Browser Settings

  • Set security level to Safest — disables JavaScript on all non-HTTPS sites
  • Enable HTTPS-Only Mode — prevents connecting to onion sites over HTTP where HTTPS is available
  • Do not install any browser extensions — they change your browser fingerprint and may introduce tracking
  • Do not maximise the browser window — window size is a fingerprinting vector
  • Do not enable WebGL, WebRTC, or Canvas — these are fingerprinting APIs
  • Check about:config and confirm media.peerconnection.enabled is set to false

Account Security Practices

  • Use a unique, randomly generated password for each marketplace account
  • Enable 2FA with a TOTP app — never SMS-based 2FA
  • Store the 2FA backup codes in an encrypted offline location
  • Do not log in from any device that has been used for personal or work activity
  • If you suspect your credentials were phished, immediately move any escrow funds to a fresh account and report to the market's moderator team

Official verified Nexus onion addresses with character-by-character display are available on the official access links page. Always use this source as your verification reference.

How Can You Tell a Real Market From a Phishing Site?

What should I do if I entered credentials on a suspected phishing site?
Immediately stop all activity. Do not deposit any cryptocurrency to any address provided by the phishing site. Contact the legitimate marketplace's moderator team via a verified address to report the compromise. Create a new account with a completely different username and password. If funds were deposited to a phishing address, they cannot be recovered — there is no dispute mechanism for phishing victims.
Can phishing sites harvest my PGP private key?
A phishing site cannot access your PGP private key unless you paste it into a form field. Legitimate marketplaces only require your public key. Never paste private key material into any web interface under any circumstances. Your private key should never leave your local machine.
Why does the Nexus platform use Nexus Verified address publications?
Nexus Verified address publications — signed files containing current mirror addresses — allow users to cryptographically confirm that the address list was issued by the legitimate platform operators. This creates a verification path that phishing operators cannot replicate without access to the platform's private PGP key.