Nexus Marketplace announced the deployment of an enhanced two-factor authentication (2FA) system in mid-March 2026, responding to a wave of credential-stuffing attacks that targeted multiple darknet platforms throughout January and February. The new system adds a time-limited PGP-encrypted challenge to the existing TOTP layer, creating a dual verification requirement that significantly raises the bar for unauthorized account access.
Credential-stuffing attacks — where attackers use automated tools to try username/password combinations leaked from other breaches — have become the most common form of account compromise across all types of online platforms. For darknet markets, the stakes are particularly high: a compromised account can expose shipping addresses, order history, and wallet balances.
Technical Implementation
The new authentication flow works as follows: after standard username/password entry, users receive a time-limited (5-minute) challenge encrypted with their PGP public key stored on the platform. Decrypting this challenge and entering the revealed code proves possession of the private key — something a credential-stuffer does not have. This combines something you know (password) with something you have (PGP private key).
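The server side of the challenge step described above, as an added example that is not the platform's own code. The `ChallengeStore` class and the `encrypt` hook (a stand-in for PGP encryption to the user's stored public key) are assumptions, as are the single-use handling and the constant-time comparison; only the 5-minute lifetime comes from the announcement.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds; the 5-minute window given in the article


class ChallengeStore:
    """Pending login challenges, kept in memory (hypothetical class)."""

    def __init__(self, encrypt, clock=time.monotonic):
        # encrypt(username, plaintext) -> ciphertext is an assumed hook for
        # PGP encryption to the public key stored on the user's profile.
        self._encrypt = encrypt
        self._clock = clock
        self._pending = {}  # username -> (code, expiry time)

    def issue(self, username):
        """Store a fresh random code and return only its ciphertext."""
        code = secrets.token_hex(8)
        self._pending[username] = (code, self._clock() + CHALLENGE_TTL)
        return self._encrypt(username, code.encode())

    def verify(self, username, submitted):
        """Single-use check: the challenge is consumed on every attempt."""
        code, expiry = self._pending.pop(username, (None, 0.0))
        if code is None or self._clock() > expiry:
            return False
        return hmac.compare_digest(code.encode(), submitted.encode())


def demo():
    """Constructed run with a fake clock; the ENC: tag is not encryption."""
    now = [0.0]
    store = ChallengeStore(lambda user, pt: b"ENC:" + pt, lambda: now[0])
    decrypt = lambda ct: ct[4:].decode()  # stands in for the key holder
    results = []
    code = decrypt(store.issue("alice"))
    results.append(store.verify("alice", code))      # correct code
    results.append(store.verify("alice", code))      # replayed code
    code = decrypt(store.issue("alice"))
    now[0] += CHALLENGE_TTL + 1
    results.append(store.verify("alice", code))      # expired code
    store.issue("alice")
    results.append(store.verify("alice", "0" * 16))  # password only, guess
    return results


if __name__ == "__main__":
    print(demo())
```

Because the plaintext code never leaves the server except as ciphertext, a login that holds only a reused password fails at `verify`, and consuming the challenge on every attempt denies repeated guesses against one code.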
Security researchers who analyzed the implementation described it as a significant improvement over TOTP alone, noting that the PGP component eliminates SMS-based and app-based 2FA weaknesses (SIM-swapping, compromised authenticator apps) simultaneously.
Users are advised to ensure their PGP public key is up to date on their profile and that their private key backup is stored securely offline. The rollout is being phased, with all accounts required to complete the new 2FA setup by April 15, 2026.