The Phishing Threat Landscape
Darknet market phishing operates differently from clearnet phishing. Fake .onion mirrors targeting TorZon users are distributed through Reddit, Telegram channels claiming to be market communities, and clearnet 'mirror list' websites that rank in search results for queries like 'TorZon onion link'. The fake sites are visually identical to the real TorZon interface — difference is only in the .onion address and the behavior of deposit wallets.
The Standard Attack Vector
A user searching for TorZon access finds a clearnet mirror list site. The site displays several .onion addresses labelled as 'verified', none of which are. The user opens one, creates an account or logs in, deposits XMR or BTC to fund their account — and the funds go directly to the attacker's wallet. No error messages appear. The phishing site may function as a pass-through to the real market for a period to appear legitimate.
How to Verify Genuine TorZon Links
The only reliable verification method is PGP. TorZon publishes a signed statement of current onion addresses using its official PGP key. Before trusting any onion address, download the signed statement from a source you trust independently, verify the signature with GnuPG against TorZon's published public key, then use only the addresses from the verified statement. Bookmark the address only after PGP verification. See our dedicated anti-phishing guide for the step-by-step verification protocol.