Anti-Phishing & Scam Protection

Phishing is the primary attack vector against darknet market users. Thousands of users lose funds every year to sophisticated clone sites that mimic legitimate markets. This guide gives you the knowledge to identify and avoid them every time.

Threat Landscape

How Phishing Works on Darknet Markets

Darknet market phishing operates differently from clearnet phishing. Attackers cannot redirect via DNS hijacking (Tor handles DNS internally), so instead they rely on near-identical clone sites hosted on look-alike onion addresses. A phishing site differs from the legitimate market by as little as one character in the 56-character v3 onion address.

Once you enter your credentials on a phishing site, the attacker has immediate access to your account, your wallet balance, and your pending orders. Because cryptocurrency transactions are irreversible, there is no recourse once funds are stolen. The phishing site may also harvest your PGP private key if you use the market's built-in message decryption feature.

The most common distribution vectors for phishing links: Reddit threads claiming "official" links, Telegram groups advertising market access, forum posts with fake "updated" mirror lists, Google search results (the real market cannot appear here), and private messages from unknown users claiming to be market staff.

⚠ Immediate Red Flags
  • Link received via DM, Telegram, or Reddit
  • Link found via Google/Bing/DuckDuckGo search
  • URL is not 56 characters before .onion
  • Site asks for your PGP private key
  • Site asks for your seed phrase or wallet key
  • Design looks slightly wrong or outdated
  • "Staff" contact you offering help outside the market
  • Prices or listings seem unusually good
Phishing Attack Frequency
Via Social Media Links47%
Via Forum Posts31%
Via Private Messages15%
Via Search Engines7%
Protection Methods

How to Verify Legitimate Market Links

01
Use Only Trusted Sources for Links
The only reliable sources for a legitimate onion address are: the market's official PGP-signed canary document, well-established darknet-focused research sites, and direct community consensus from long-standing forum members. Our Enter Marketplace page maintains a current verified link list cross-referenced against the PGP-signed mirror list. Do not use links from: Reddit, Twitter/X, Telegram, Discord, Instagram, YouTube comments, private messages from strangers, or any Google search result — the real market cannot appear in search results.
02
Verify the PGP Signature
Import the market's official admin PGP public key (available on our Enter Marketplace page) into GPG or Kleopatra. Download the latest PGP-signed mirror list from the official canary publication. Run gpg --verify against the signature. If the verification fails — the document has been tampered with and any links it contains should be considered hostile. PGP signature verification is the gold standard for link authentication and takes less than 60 seconds once you have GPG set up.
03
Character-by-Character Address Comparison
A v3 Tor onion address is exactly 56 characters long (base32 alphabet: a–z, 2–7) followed by ".onion". Phishing addresses exploit visual similarity between characters — common substitutions include: l (L) and 1 (one), 0 (zero) and o (letter o), rn and m, 6 and b. Compare your address to the verified list using a monospace font. The most reliable method: paste both addresses into a text comparison tool and verify they produce zero differences. Never abbreviate this check — the entire 56 characters must match.
04
Bookmark After First Verified Use
After successfully verifying and accessing the legitimate market, create a Tor Browser bookmark immediately. Label it clearly with the verification date. For your next session, use this bookmark as your starting point — but re-verify the address before logging in, as malware on your device can potentially modify bookmark targets. The safest practice: keep the verified onion address stored in an encrypted offline note and manually paste it for every new session.
05
Check the Login Page Carefully
Before entering any credentials, inspect the login page: Does it match the expected visual design exactly? Are there any unusual prompts, extra fields, or requests for information the market wouldn't need (email address, phone, recovery codes)? Does the 2FA/CAPTCHA behave correctly? Phishing sites often have subtle differences — slightly different fonts, missing elements, or broken functionality. If anything feels wrong, close the tab and re-verify your address before attempting to log in again.
06
Enable Login Phrase / Anti-Phishing Code
Many legitimate darknet markets including Torzon support a personal anti-phishing code or login phrase feature. This displays a custom phrase you choose during account setup whenever you access the login page — a phishing clone cannot display this phrase because it requires access to your account data. If your login page does not show your configured phrase, you are on a phishing site. Enable this feature immediately after account creation — it is one of the most effective anti-phishing mechanisms available.
Threat Types

Types of Scams to Know

Phishing Clone Sites
Near-identical copies of legitimate markets hosted on look-alike .onion addresses. Capture login credentials and wallet balances. Most dangerous and most common scam type. Prevention: PGP signature verification and character-by-character address comparison.
Exit Scams
Legitimate market operators steal all escrowed user funds and disappear. Usually preceded by signs: slow withdrawal processing, sudden 2FA issues, communication delays. Prevention: avoid keeping large balances on-market; use multisig escrow where available; monitor canary publications.
Vendor Scams (Selective Exit)
Individual vendors who request FE (Finalize Early) then disappear after receiving payment. More common than market-wide exit scams. Prevention: never FE with unestablished vendors; use escrow for all transactions regardless of vendor reputation claims.
Impersonation Scams
Scammers impersonate market staff or well-known vendors in private messages, offering special deals, "account recovery," or "bonus credits" in exchange for direct payment. Legitimate market staff will never contact you first via DM. Never send funds based on unsolicited contact.
Fake Escrow Services
Third-party "escrow" services offered outside the market platform, typically promising lower fees. Always use the market's native escrow system — external escrow is a guaranteed scam. No legitimate market transaction requires you to leave the market interface to complete payment.
Tracking Number Fraud
Vendors provide fake or stolen tracking numbers to make an order appear shipped and pressure buyers to FE before the dispute window closes. Verify tracking on the official carrier website. If a package is delivered to a different address, open a dispute immediately with screenshots as evidence.
Resources

Security Resources & Verification Tools

🔐
Gpg4win / Kleopatra (Windows PGP)
gpg4win.org
🔑
GNU Privacy Guard (GPG)
gnupg.org
🧅
Tor Project — Official Tor Browser
torproject.org
🛡️
Tails OS — Amnesic Operating System
tails.boum.org
View Verified Torzon Links →