Anti-Phishing Guide — Don't Get Fooled

Phishing sites targeting darknet market users cost the community millions of dollars and dozens of arrests annually. This guide gives you everything you need to distinguish legitimate sites from fraudulent impostors.

What Is Darknet Market Phishing?

Phishing in the darknet context refers to fraudulent .onion websites that are designed to look identical to legitimate darknet marketplaces. When users log in, their credentials are stolen. When users deposit cryptocurrency, it disappears into the attacker's wallet.

These sites are prolifically distributed through clearnet search engine results (Google, Bing, DuckDuckGo), Reddit posts, Telegram channels, Discord servers, and even some darknet forums. Because .onion addresses are long and opaque, users often cannot tell they've entered the wrong one.

How Phishing Sites Work

1. Attackers create a pixel-perfect clone

Modern phishing kits can download a target site's HTML and CSS, making clones visually indistinguishable. The only difference is the .onion address — and often just one or two characters differ from the real address.

2. They distribute the fake link widely

Fake links are seeded across Reddit communities, Telegram groups, YouTube video descriptions, clearnet "darknet link list" websites, and through spam messages. Some attackers pay for SEO to rank their phishing pages above legitimate resources.

3. Victim logs in — credentials stolen

The phishing site accepts the login attempt and stores your username and password. It may show an error page to buy time, or simply redirect you elsewhere while the attacker accesses your real account.

4. Deposits are hijacked

Some advanced phishing sites replace the deposit wallet address with the attacker's address. Any crypto you send disappears immediately and irreversibly.

How to Verify a Legitimate WeTheNorth Link

The only reliable method for verifying darknet market links is PGP signature verification. Here is the process:

  1. Download the market's PGP public key — available on our /access page. Import it into GPG or Kleopatra.
  2. Obtain the signed link announcement — legitimate market admins sign all official link updates with their PGP private key. A signed message looks like a standard PGP message block.
  3. Verify the signature — run gpg --verify announcement.txt or use Kleopatra's verification interface. A valid signature means the message came from someone holding the corresponding private key.
  4. Extract the link from the verified message — only use links from successfully verified signed messages.

If the signature is invalid or you receive an error, do not use the link. Discard it and seek a fresh verified link from a trusted source.
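The verification step above, as an added example (not code from this site): gpg reports a valid signature for any key present in the keyring, so the check below also requires the signer's fingerprint to equal one you pinned earlier, and it takes links only from the signed text. The status lines are what `gpg --status-fd 1 --verify announcement.txt` would emit; the fingerprints, address and helper names are constructed placeholders.

```python
import re

# Status keywords GnuPG emits on --status-fd when a signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
ONION_V3 = re.compile(r"\b[a-z2-7]{56}\.onion\b")

def signed_by_pinned_key(status: str, pinned_fpr: str) -> bool:
    """True only if every VALIDSIG line names the pinned primary-key fingerprint."""
    pinned = pinned_fpr.replace(" ", "").upper()
    signers = []
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False  # fail closed on any bad, expired or unknown-key result
        if fields[1] == "VALIDSIG":
            signers.append(fields[-1].upper())  # last field: primary key fingerprint
    return bool(signers) and all(fpr == pinned for fpr in signers)

def verified_links(status: str, signed_text: str, pinned_fpr: str) -> list:
    """Return .onion links only from text covered by a signature from the pinned key.

    signed_text must be the text gpg reports as signed (e.g. the output of
    `gpg --decrypt`), not the raw file: lines outside the signed block are
    unauthenticated.
    """
    if not signed_by_pinned_key(status, pinned_fpr):
        return []
    return ONION_V3.findall(signed_text)

# Constructed sample data: placeholder fingerprints and address, not real values.
PINNED = "A" * 40
OTHER = "B" * 40
TEXT = "Current mirror: " + "a" * 55 + "d.onion\n"

def status_for(fpr: str, keyword: str = "VALIDSIG") -> str:
    """Build constructed status output for one signature result."""
    if keyword != "VALIDSIG":
        return f"[GNUPG:] {keyword} {fpr[-16:]} Constructed User\n"
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed User\n"
            f"[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 22 10 01 {fpr}\n")

if __name__ == "__main__":
    print(verified_links(status_for(PINNED), TEXT, PINNED))            # pinned signer
    print(verified_links(status_for(OTHER), TEXT, PINNED))             # other key in keyring
    print(verified_links(status_for(PINNED, "BADSIG"), TEXT, PINNED))  # altered message
```

The second case is the one a plain "Good signature" line hides: a look-alike key that was imported by mistake verifies cleanly, and only the fingerprint comparison rejects it.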

Recognising Phishing Sites — Red Flags

  • One character off in the URL: Phishing .onion addresses often differ from the real one by a single character — a lowercase L instead of an uppercase I, or a 0 instead of an O. Count and compare every character.
  • Link came from a search engine: Legitimate darknet market addresses are never reliably found through Google, Bing, or DuckDuckGo. If you found it through a search engine, treat it as suspect.
  • No PGP verification available: If a site or link source cannot provide a PGP-signed link from the market's official key, do not use it.
  • SSL-style lock indicators: Some sophisticated phishing .onion sites claim to have "valid SSL certificates" — meaningless on the Tor network. Don't be reassured by these claims.
  • Unusually fast login: Phishing sites sometimes log you in instantly without the normal processing delay, having simply accepted your credentials without actually authenticating.
  • Deposit address changes unexpectedly: If a deposit wallet address differs from what you expected or changes between sessions without explanation, do not send any funds.
  • Sent from someone on Telegram, Discord, or Reddit: Unsolicited links in chat platforms are almost always phishing. Moderators and admins of legitimate communities do not send personal DMs with links.
  • Requesting extra verification steps: Some phishing sites ask you to "verify your account" by entering your seed phrase, private key, or other sensitive information. Legitimate markets never ask for this.

Safe Practices — The Complete Anti-Phishing Checklist

Use Bookmarks Only

After verifying a link once, bookmark it in Tor Browser. For every subsequent session, use only that bookmark. Never type or search for the address again.

Verify PGP Every Time

Before adding a new link to your bookmarks, always verify the PGP signature. This is the only way to be certain the link is genuine.

Ignore All DMs & Social Links

Never click darknet market links received through Telegram, Discord, Reddit DMs, email, or any social media. These are the #1 phishing vector.

Check the Full Onion Address

V3 onion addresses are 56 characters. Before logging in, compare the full address character by character against your bookmarked verified link.

Unique Credentials

Even if you do visit a phishing site, unique credentials mean the attacker only gains access to one account — not your entire digital life. Use a different password everywhere.

Never Search on Clearnet

Searching "WeTheNorth link" on Google will return phishing sites. Darknet markets do not have legitimate clearnet search presence — any result is suspect.
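The character-by-character comparison from the checklist and the red-flag list, as an added example (not code from this site). It goes slightly beyond the text by also checking the v3 address structure: a 56-character base32 encoding of public key, 2-byte checksum and version byte. A well-formed address can still be a phishing address, so the final decision is exact equality with the verified bookmark. The sample key and function names are constructed for illustration.

```python
import base64
import hashlib

def onion_v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte service key as base32(pubkey || checksum || version)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def is_wellformed_v3(host: str) -> bool:
    """Structural check only: length, alphabet, version byte and checksum."""
    host = host.strip().lower()
    label = host[:-6] if host.endswith(".onion") else ""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())  # alphabet is a-z and 2-7 only
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected

def diff_positions(candidate: str, trusted: str) -> list:
    """Zero-based positions where the candidate differs from the verified address."""
    a, b = candidate.strip().lower(), trusted.strip().lower()
    return [i for i in range(max(len(a), len(b))) if a[i:i + 1] != b[i:i + 1]]

def matches_bookmark(candidate: str, trusted: str) -> bool:
    """A well-formed address is still untrusted unless it equals the verified one."""
    return is_wellformed_v3(candidate) and not diff_positions(candidate, trusted)

# Constructed sample: an address derived from a dummy key, not a real service.
TRUSTED = onion_v3_address(bytes(range(32)))
LOOKALIKE = TRUSTED[:10] + ("b" if TRUSTED[10] != "b" else "c") + TRUSTED[11:]

if __name__ == "__main__":
    print(is_wellformed_v3(TRUSTED), matches_bookmark(TRUSTED, TRUSTED))
    print(diff_positions(LOOKALIKE, TRUSTED), matches_bookmark(LOOKALIKE, TRUSTED))
    print(is_wellformed_v3("0" + TRUSTED[1:]))  # "0" is outside the base32 alphabet
```

Because the alphabet contains only a-z and 2-7, an address containing 0, 1, 8 or 9 is malformed outright; look-alike addresses that stay inside the alphabet are caught only by the position-by-position comparison.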

What to Do If You Suspect You Were Phished

  1. Immediately close Tor Browser — do not interact further with the suspected phishing site
  2. If you entered credentials: assume they are compromised. If the same password is used elsewhere (it shouldn't be), change it on all platforms immediately
  3. If you made a deposit: the funds are likely unrecoverable. Note the wallet address for potential reporting
  4. Return to this page and use only the PGP-verified link from our /access page
  5. Report the phishing .onion address to the WeTheNorth community forum so other users are warned
  6. Generate fresh PGP keys — if your old keys were exposed, generate a new pair and update your profile

Tip: Make the GPG verification workflow a habit. Once you've done it a few times, it takes under 60 seconds and eliminates all phishing risk from the link verification angle.

Get PGP-Verified WeTheNorth Links

Our access page is the safest starting point — PGP-signed links, verification instructions, and a step-by-step entry guide all in one place.
