Anti-Phishing Guide — How to Avoid Fake Darknet Markets

Currently Active Threat

Multiple phishing sites impersonating WeTheNorth are indexed by search engines and distributed via forums. They look identical to the real market. Never use a URL from a search engine result, advertisement, or unverified forum post. Always verify against PGP-signed announcements.

How Phishing Works

The Anatomy of a Darknet Phishing Attack

Darknet market phishing follows a consistent playbook. Attackers create a pixel-perfect visual clone of the target marketplace. The login page looks identical — same logo, same layout, same colors. The only difference is the onion address, which is controlled by the attacker.

When a user enters their credentials, the phishing site captures the username and password. Sometimes it forwards the login to the real market to avoid detection, while extracting credentials in the background. The attacker then logs into the real market using the stolen credentials and drains any cryptocurrency balance.

More sophisticated attacks also capture the user's PGP passphrase if they use integrated PGP decryption on the phishing site, allowing the attacker to decrypt any encrypted messages in the account — including shipping addresses for pending orders.

Protection Methods

How to Verify a Legitimate Market URL

01

Never Use Search Engine Results

Search engines index phishing sites. Never search "WeTheNorth onion link" or any similar query and click a result. Search engines cannot verify .onion address authenticity. Phishers specifically optimise for these searches.

02

Verify URL Length — V3 Onion Addresses Are 56 Characters

Modern darknet markets use v3 onion addresses, which are exactly 56 characters long before the .onion suffix. If the address is shorter (v2 addresses were 16 characters), it is outdated or fraudulent. Count the characters carefully.

03

Verify the PGP Signature

All legitimate market link announcements are PGP-signed by the administrator's key. Import the admin public key (from our Enter page) into GnuPG and verify the signature of any announcement before trusting a new URL. If the signature does not verify, do not proceed.

04

Use Dark.fail as a Secondary Reference

Dark.fail (accessible on both clearnet and Tor) maintains a curated list of verified onion addresses, cross-referenced and PGP-verified. Use it as a secondary source — not a primary one — and always verify PGP signatures yourself.

05

Bookmark the Verified Address

Once you have verified the correct onion address through PGP signature verification, bookmark it in your Tor Browser. Never delete the bookmark. Always use the bookmark to navigate — never retype or paste from an unverified source.

06

Enable 2FA and Check Your Balance Immediately

After logging in, always check your account balance and order history immediately. If anything looks wrong — missing funds, unfamiliar orders, account details changed — you may have been phished. Change your password and 2FA immediately if you suspect compromise.

07

Never Decrypt PGP on an Untrusted Site

Some phishing sites include a fake PGP decryption widget. Never decrypt anything on a marketplace's website — always decrypt locally using GnuPG on your own machine. No legitimate market requires you to paste your PGP passphrase or private key into a website field.

Verified Access

Access the Real WeTheNorth Market Safely

Use the verified WeTheNorth URL from our Enter page, PGP-verified and maintained by this mirror.

View Verified Onion Link → Read Full OPSEC Guide →

Anti-Phishing Tools

Resources for Staying Safe

Dark.fail

Curated list of verified onion addresses with PGP confirmation. Accessible on Tor and clearnet.

Visit Dark.fail →

GnuPG

Free, open-source PGP implementation. Use for signature verification of market announcements.

Download GnuPG →

Dread Forum

The Tor-based Reddit equivalent for darknet communities. Cross-reference link announcements here, accessible via Tor only.

Get Tor Link →