// THREAT INTELLIGENCE: PHISHING

ANTI-PHISHING GUIDE: DON'T GET CAUGHT

Phishing sites impersonating darknet markets are responsible for millions of dollars in stolen funds every year. This guide teaches you how to identify, avoid, and report phishing attempts targeting marketplace users.

CRITICAL THREAT:

Phishing is the number one cause of fund loss for darknet market users. A phishing site can steal your login credentials, drain your wallet, or capture your shipping address. No legitimate user ever needs to re-enter credentials on a site they don't recognize. When in doubt: stop, verify, then proceed.

HOW DARKNET PHISHING WORKS

Phishing sites targeting darknet marketplace users are sophisticated, high-effort operations. Unlike simple link-spamming, professional phishing campaigns for darknet markets involve:

  • Complete visual clones of legitimate marketplace interfaces, pixel-for-pixel identical to the real site
  • .onion addresses that are visually similar to the real address (using Unicode homoglyphs — characters that look identical to ASCII but are different bytes)
  • Distribution via forum posts, Dread, Reddit, Telegram, and even paid Google/Bing ads targeting surface-web searchers
  • Functioning login forms that capture credentials before forwarding to the real site (credential harvesting)
  • Fake deposit addresses that steal your cryptocurrency deposits

The economic incentive is enormous: a single day's traffic to a major market phishing site can yield thousands of stolen credentials and hundreds of thousands in crypto theft.

PHISHING_ANATOMY.sh
# Typical phishing attack flow:
[ATTACKER] Creates pixel-perfect clone
[ATTACKER] Generates similar .onion URL
[ATTACKER] Posts link in forums/clearnet
[VICTIM] Clicks link, lands on clone
[VICTIM] Enters credentials
[ATTACKER] Captures login + 2FA
[ATTACKER] Drains wallet immediately

VERIFICATION // PROTOCOL

HOW TO VERIFY A NEXUS LINK

01

OBTAIN LINKS FROM VERIFIED SOURCES ONLY

Use only links from PGP-signed official sources — such as this page (nexus1onion.info/login) — or from within the official platform itself. Never trust links posted in forums, Telegram, Reddit, or search engine results without independent verification.

02

VERIFY VIA PGP SIGNATURE

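The official mirror list is published with a PGP signature from the platform's master key. Import the public key, then run gpg --verify mirrors.txt.sig to confirm that the link list is authentic. A good signature only proves the list was signed by the key you imported, so check that key's fingerprint against a source you obtained independently. If GPG reports any error, treat the list as not genuine.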

03

CHARACTER-BY-CHARACTER URL COMPARISON

Compare the .onion URL character by character against the verified source. Phishing URLs exploit visual similarity: rn vs m, I (capital i) vs l (lowercase L), 0 vs O. Copy from the verified source and paste directly; never type .onion addresses manually.

04

CHECK VISUAL INDICATORS ON THE SITE

Compare the site's visual appearance against known screenshots. Look for: missing features, slightly different layout, different color shades, incorrect fonts, placeholder text, or broken images. Legitimate sites rarely have cosmetic defects.

05

BOOKMARK VERIFIED LINKS

Once verified via PGP, bookmark the URL in your Tor Browser. Access it via bookmark thereafter — never search for it or click links. Tor Browser's bookmarks are session-persistent if you've enabled that setting.

COMMON PHISHING TECHNIQUES TO RECOGNIZE

VISUAL

URL Homoglyphs

Attackers register .onion addresses using Unicode characters that visually appear identical to ASCII characters in the real URL. The human eye cannot tell them apart; only automated comparison or hex analysis reveals the difference.
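
The character-by-character comparison from step 03 and the automated comparison this section calls for, as an added example that is not part of the original guide. It assumes the Tor v3 address encoding (base32 of public key, checksum and version byte), which the guide does not describe; the function names and the sample addresses are constructed for illustration.

```python
import base64
import hashlib
import unicodedata

BASE32 = set("abcdefghijklmnopqrstuvwxyz234567")

def encode_v3(pubkey: bytes) -> str:
    """v3 onion name = base32(pubkey || checksum || version) + '.onion'."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def well_formed_v3(host: str) -> bool:
    """True if host is a syntactically valid v3 name. Says nothing about who runs it."""
    label = host[:-6] if host.endswith(".onion") else ""
    if len(label) != 56 or not set(label) <= BASE32:
        return False
    return encode_v3(base64.b32decode(label.upper())[:32]) == host

def compare_onion(verified: str, candidate: str) -> dict:
    """Code-point comparison of a candidate link against the verified address."""
    foreign = [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
               for i, c in enumerate(candidate) if not c.isascii()]
    diffs = [i for i, (a, b) in enumerate(zip(verified, candidate)) if a != b]
    if not diffs and len(verified) != len(candidate):
        diffs = [min(len(verified), len(candidate))]
    return {
        "match": candidate == verified,   # the only result that means "same address"
        "well_formed": well_formed_v3(candidate),
        "non_ascii": foreign,             # homoglyphs show up here with their Unicode names
        "first_diff": diffs[0] if diffs else None,
    }

# Constructed sample data: the key bytes below are not a real service key.
VERIFIED = encode_v3(bytes(range(32)))
HOMOGLYPH = VERIFIED.replace("a", "\u0430", 1)        # Cyrillic 'a' lookalike for Latin 'a'
LOOKALIKE = encode_v3(bytes(range(16)) + bytes(16))   # valid name, same leading characters

if __name__ == "__main__":
    for name, cand in [("verified", VERIFIED), ("homoglyph", HOMOGLYPH),
                       ("lookalike", LOOKALIKE)]:
        print(name, compare_onion(VERIFIED, cand))
```

The lookalike case is well-formed and pure ASCII yet still fails the match, which is why only an exact match against the PGP-verified address counts.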

SOCIAL

Forum Link Injection

Compromised or fake accounts on Dread, Reddit, and other forums post phishing links as "official" or "updated" URLs. Even accounts with significant post history can be compromised.

TECHNICAL

SEO Poisoning

Clearnet websites (like this one, if compromised) could theoretically serve phishing links. Always cross-reference multiple trusted sources. SEO manipulation pushes phishing sites up in search results.

TECHNICAL

Session Hijacking

More sophisticated attacks inject JavaScript into the page to steal session cookies. Using Tor Browser with JavaScript disabled ("Safest" level) mitigates this attack vector entirely.

TECHNICAL

Credential Forwarding

Advanced phishing sites capture your credentials and immediately forward you to the real site — you experience a "brief login error" and then successfully log in. Meanwhile your credentials and any 2FA tokens are harvested.

SOCIAL

Fake "Official" Mirrors

Sites claiming to be "official" or "admin-operated" mirrors posted in forums. Legitimate platforms do not publish mirrors this way — always verify via PGP-signed official sources.

IMMEDIATE RED FLAGS

  • Site loaded unusually fast (may not be .onion traffic)
  • Login page looks slightly different than expected
  • You were asked to re-login when you shouldn't need to
  • The URL was obtained from a forum post or search engine
  • Missing features or sections compared to your last visit
  • "Security upgrade" prompts asking for personal info
  • Deposit address changed after you already noted it
  • CAPTCHA on login you don't recognize
  • Page source contains links to clearnet domains
  • Browser shows JavaScript warnings
  • You used a URL you typed rather than copy-pasted
  • The site is accessible without Tor (big warning sign)

If you suspect phishing: Immediately close all browser windows. Do NOT enter any more credentials. Change your marketplace password from a verified clean device. Check your cryptocurrency wallets for unauthorized transactions. Report the phishing URL to Dread or relevant community forums.
