Security Alert

How Not to Get Phished: Complete Anti-Phishing Guide

Critical Warning: Phishing sites targeting darknet market users are extremely common and sophisticated. They visually replicate legitimate market interfaces and steal credentials the instant they are entered. A phished account cannot be recovered. Prevention is the only defence.

This guide explains the techniques phishers use, how to identify fraudulent mirrors, and the specific practices that will protect your market account and wallet from theft.

Threat Analysis

How Darknet Market Phishing Works

01 Mirror Site Creation
Attackers create near-identical copies of TorZon's interface. These phishing mirrors are hosted at V3 .onion addresses that visually resemble legitimate addresses. They copy HTML, CSS, and images directly from the real site. The only difference is that credentials you enter are sent to the attacker, not the market.

02 Link Distribution
Phishing links spread through clearnet search results, fake Pastebin posts, compromised Reddit/forum accounts, spam emails, and fraudulent "link directories" on the clearnet. Some attackers pay for SEO to rank phishing pages above legitimate market information sites.

03 Credential Harvesting
When a victim enters their username and password on a phishing page, the credentials are immediately sent to the attacker. The victim may see a convincing "incorrect password" error, encouraging them to try again, which double-confirms the stolen credentials. The attacker can then immediately log in and drain the market wallet.

04 Advanced Techniques
Sophisticated phishing pages intercept logins in real time by acting as a proxy to the real site. This lets them bypass PGP 2FA by relaying the challenge to the victim and capturing their signed response. This is why verifying the onion address before entering ANY information is non-negotiable.

Protection Protocol

How to Verify a Genuine TorZon Link

1. Only Use Links from This Page

The verified TorZon onion addresses are published on our access page. These links are cross-referenced against PGP-signed official announcements. This is the only source you should trust for current verified links. Bookmark it now.

2. Verify with PGP Signature

The official TorZon PGP public key is published on our login page. Any legitimate TorZon announcement includes a valid signature from this key. To verify: import the key into GPG, then run gpg --verify announcement.txt.sig announcement.txt. If the signature is invalid or the key doesn't match, the announcement is fraudulent.

3. Inspect Every Character of the Onion Address

V3 .onion addresses are 56 characters long. Compare character by character. Phishers use visual substitutions: "l" (lowercase L) for "1" (one), "O" (capital O) for "0" (zero), or "rn" (r+n) for "m". Pay special attention to the first and last 8 characters, which are the most commonly altered in phishing attempts.

4. Never Follow Links from Unknown Sources

Never click .onion links posted in forums, chats, paste sites, or by strangers. Never search for TorZon onion links in clearnet search engines like Google, Bing, or DuckDuckGo — these index phishing pages. If you don't have the link bookmarked, come back to this verified page to retrieve it.

5. Enable PGP 2FA on Your Account

Even if your credentials are phished, PGP 2FA prevents the attacker from accessing your account without your private PGP key. The login challenge must be signed by your private key, which never leaves your device. It does not stop a real-time proxy page that relays the challenge to you (see Advanced Techniques), so verify the address first. This is TorZon's most important account security feature. Enable it immediately.

6. Check Page Behaviour

Red flags on a page you've reached: unusual CAPTCHA at login (real TorZon uses a simple text CAPTCHA, not image-based), any request for two passwords, wallet "recovery" prompts, unexpected "account verification" steps, requests for your seed phrase or private key. Legitimate markets never ask for seed phrases or private keys.

Phishing Red Flags Checklist

URL / Address Red Flags

  • Address length is not exactly 56 characters + .onion
  • Contains uppercase letters (valid onion addresses are all lowercase)
  • Visually similar characters substituted (0/O, 1/l, rn/m)
  • Address ends differently from your saved bookmark
  • Link came from a clearnet source (search, forum, paste)
  • HTTPS / SSL certificate prompts in Tor Browser (unusual)
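
Added example, not part of the original guide: a Python check for the address red flags listed above. It shows that a structural check catches wrong length, uppercase or 0/1 substitutions and altered characters, but not a well-formed lookalike, which only the exact comparison against a saved bookmark catches. It assumes the Tor v3 address layout (32-byte public key, 2-byte SHA3-256 checksum, version byte 3, lowercase base32); the function names and sample addresses are constructed for illustration.

```python
import base64
import hashlib

B32 = set("abcdefghijklmnopqrstuvwxyz234567")  # v3 onion alphabet: lowercase base32
SUFFIX = ".onion"

def _checksum(pubkey, version):
    # Checksum from the Tor v3 address format: first 2 bytes of SHA3-256.
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def make_onion(pubkey):
    """Build a well-formed address from 32 bytes (only for constructed samples)."""
    raw = pubkey + _checksum(pubkey, b"\x03") + b"\x03"
    return base64.b32encode(raw).decode().lower() + SUFFIX

def onion_problems(host):
    """Return a list of structural problems; an empty list means well-formed."""
    host = host.strip()
    if not host.endswith(SUFFIX):
        return ["does not end in .onion"]
    label = host[:-len(SUFFIX)].split(".")[-1]  # ignore any subdomain labels
    problems = []
    if len(label) != 56:
        problems.append("label is %d characters, expected 56" % len(label))
    bad = sorted(set(label) - B32)
    if bad:
        problems.append("characters outside a-z and 2-7: " + "".join(bad))
    if problems:
        return problems
    raw = base64.b32decode(label.upper())  # 32-byte key | 2-byte checksum | version
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        problems.append("version byte is not 3")
    if checksum != _checksum(pubkey, version):
        problems.append("checksum mismatch (mistyped or altered address)")
    return problems

def matches_bookmark(host, bookmark):
    """True only if well-formed AND identical to the saved address."""
    return not onion_problems(host) and host.strip() == bookmark.strip()

if __name__ == "__main__":
    saved = make_onion(bytes(range(32)))         # constructed sample, not a real site
    lookalike = make_onion(bytes(range(1, 33)))  # constructed: different key, valid form
    for candidate in (saved, lookalike, "0" + saved[1:], saved[1:]):
        print(candidate[:8] + "..." + candidate[-14:],
              onion_problems(candidate) or "well-formed",
              "MATCH" if matches_bookmark(candidate, saved) else "NO MATCH")
```
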

Page / Behaviour Red Flags

  • Login immediately fails and asks you to retry
  • Requests for wallet seed phrase or private key
  • Asks you to "verify your identity" with ID documents
  • Offers suspiciously good vendor deals on login page
  • Different CAPTCHA style than you remember
  • PGP 2FA challenge doesn't match your enrolled key
  • Images load from clearnet URLs (not the .onion)
  • Page design differs slightly from your last visit