What Is a Darknet Phishing Attack?

Phishing on the darknet involves attackers creating convincing imitations of legitimate marketplaces — including exact copies of the interface, branding, and even a similar-looking .onion address. When users log in on the fake site, their credentials are captured. When users make deposits, their cryptocurrency is stolen rather than reaching the real market.

The scale of darknet phishing is significant. Multiple security researchers have documented hundreds of fake .onion sites impersonating major darknet markets at any given time. These sites are distributed through:

  • Fake "official mirror" lists on clearnet forums and search results
  • Compromised posts on darknet forums by hijacked accounts
  • SEO-poisoned search results on clearnet search engines
  • Social engineering via messaging platforms
  • Malware that modifies browser bookmarks or stored URLs

How to Identify a Phishing Site

1. The .onion Address Is Different

V3 .onion addresses are 56 characters long and cryptographically derived from the server's key pair. A phishing site cannot have the same .onion address as the real market — it will always be a different, similar-looking string.

Common tricks phishers use:

  • Using addresses that start and end with the same characters as the real address
  • Using addresses with visually similar characters (0 vs O, 1 vs l, etc.)
  • Using addresses that contain the market name (e.g., "wethenorth" somewhere in the 56-char string)

Defense: Do not rely on visual inspection alone. Always copy-paste the expected address and compare character by character, or use PGP verification (see below).
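As an added example (not code from the original page), the sketch below checks that a v3 address is structurally valid (56 base32 characters, embedded checksum, version byte) and then compares a candidate against an already verified address position by position. The keys and addresses are constructed sample values and the function names are illustrative.

```python
import base64
import hashlib

def onion_v3_label(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a 56-char v3 label (no '.onion')."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()

def normalize(addr: str) -> str:
    return addr.strip().lower().removesuffix(".onion")

def is_wellformed_v3(addr: str) -> bool:
    """True if addr is 56 base32 chars with a valid embedded checksum and version."""
    label = normalize(addr)
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # character outside a-z / 2-7
        return False
    # Re-deriving the label from the decoded key checks checksum and version at once.
    return onion_v3_label(raw[:32]) == label

def compare_to_verified(candidate: str, verified: str):
    """Exact comparison; returns (match, list of positions that differ)."""
    a, b = normalize(candidate), normalize(verified)
    diffs = [i for i in range(max(len(a), len(b))) if a[i:i + 1] != b[i:i + 1]]
    return a == b, diffs

# Constructed sample keys (not real services): the lookalike shares the first
# 5 key bytes, so its address starts with the same 8 characters.
VERIFIED = onion_v3_label(bytes(range(32)))
LOOKALIKE = onion_v3_label(bytes(range(5)) + b"\xaa" * 27)

if __name__ == "__main__":
    for name, addr in (("verified", VERIFIED), ("lookalike", LOOKALIKE)):
        print(name, addr, "well-formed:", is_wellformed_v3(addr))
    print(compare_to_verified(LOOKALIKE, VERIFIED))
```

A lookalike address is itself well formed, so the structural check only catches typos and corrupted strings. Only the exact comparison against the verified address exposes a lookalike.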

2. Missing or Invalid SSL Certificate (Clearnet Sites)

If you encounter any site claiming to be WeTheNorth Market on a clearnet (non-.onion) domain, it is 100% fraudulent. The real WeTheNorth Market is only accessible via its v3 .onion address.

3. Suspicious Login Behavior

Phishing sites often:

  • Accept any username/password combination (they record it but log you in anyway)
  • Show a deposit address immediately after login that differs from your established address
  • Lack proper 2FA verification (or present a fake 2FA prompt that accepts any code)
  • Have slight differences in page layout, fonts, or color that look "almost right"

4. The Site Loaded Unusually Fast

Legitimate .onion sites load slowly due to Tor routing. A site that loads suspiciously fast may be a clearnet-hosted phishing proxy that makes the connection appear to be an onion service while actually routing through clearnet infrastructure where your IP is visible.

PGP Verification: The Gold Standard

The only fully reliable method to verify the WeTheNorth URL is PGP signature verification. Here's how to do it:

  1. Obtain the market's PGP public key from our Access page (which you've separately verified against multiple trusted sources)
  2. Import the key into GnuPG: gpg --import wtn_pubkey.asc
  3. Locate the latest PGP-signed URL announcement from the market's official channel (Dread forum, for example)
  4. Save it to a file and verify: gpg --verify announcement.txt
  5. Confirm the key fingerprint matches the imported key
  6. Only use the .onion address extracted from a successfully verified message

Trust Chain for URL Verification

The verification chain should be: (1) Obtain the market's PGP key from a trusted, established source. (2) Verify the key fingerprint against multiple independent sources. (3) Use that key to verify signed URL announcements. (4) Only navigate to a URL that has been verified through this chain. Never skip steps.
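The verification steps and trust chain above can be enforced mechanically. The following added example (not code from the original page) parses GnuPG's machine-readable status output, accepts an announcement only if it carries one good signature from a pinned fingerprint, and reads addresses only from the text that gpg reports as signed. The fingerprint, status lines and address are constructed placeholders, and the function names are illustrative.

```python
import re
import subprocess

ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signed_by_pinned_key(status_text: str, pinned_fpr: str) -> bool:
    """True only if gpg reported exactly one good signature, made by the pinned key."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good, signers = 0, []
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue  # human-readable log line, not machine status
        if f[1] in REJECT:
            return False
        if f[1] == "GOODSIG":
            good += 1
        elif f[1] == "VALIDSIG" and len(f) >= 3:
            # Last VALIDSIG field is the primary key; the first may be a signing subkey.
            signers.append((f[11] if len(f) > 11 else f[2]).upper())
    return good == 1 and signers == [pinned]

def onions_if_verified(status_text: str, signed_text: str, pinned_fpr: str) -> list:
    """Addresses found in the signed text, or [] if the signature check fails."""
    if not signed_by_pinned_key(status_text, pinned_fpr):
        return []
    return ONION_RE.findall(signed_text)

def verify_announcement(path: str, pinned_fpr: str) -> list:
    """Run gpg on a clearsigned file; stdout holds only the text the signature covers."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return []
    return onions_if_verified(proc.stderr, proc.stdout, pinned_fpr)

# Constructed sample data (placeholder fingerprint and address, not real values).
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
FPR = PINNED.replace(" ", "")
SAMPLE_ONION = "a" * 55 + "d.onion"
SAMPLE_TEXT = f"Current address: http://{SAMPLE_ONION}/\n"
SAMPLE_STATUS = (
    "gpg: Signature made (constructed log line)\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer\n"
    f"[GNUPG:] VALIDSIG {FPR} 2024-01-01 1704067200 0 4 0 22 10 01 {FPR}\n"
)
```

Reading the address from gpg's output rather than from the raw file matters because text placed outside the signed block of a clearsigned message is not covered by the signature.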

Common Phishing Attack Vectors

Social Engineering

Attackers may pose as market staff, trusted vendors, or fellow users to share "updated mirror links." They may claim the original address is down and offer a "working" alternative. Legitimate market staff will never send you URLs through private messages — they communicate through signed public announcements.

Forum Account Hijacking

Established darknet forum accounts with high reputation are valuable targets. Attackers compromise these accounts and post phishing links under the guise of trusted members. Always verify URLs independently regardless of the source's reputation.

Search Engine Manipulation

Do not use clearnet search engines to find darknet market URLs. Phishers actively optimize fake sites and subdomain mirrors to appear in search results for terms like "WeTheNorth link" or "WeTheNorth onion address."

Browser Extensions and Malware

Malicious browser extensions or malware can silently replace darknet market URLs with phishing alternatives in your bookmarks or clipboard. Use Tails OS (which starts fresh each session) or maintain strict device hygiene on dedicated hardware.

What to Do If You've Been Phished

  1. Do not send any cryptocurrency — If you realize you're on a phishing site before depositing, do not proceed.
  2. Change all credentials immediately — If you entered credentials, assume they are compromised. Change passwords for all accounts that used similar credentials.
  3. Revoke PGP keys if compromised — If you entered private key information, revoke your PGP key immediately.
  4. Consider your identity compromised — If you entered any personally identifiable information, assume that identity on the darknet is burned. Create a completely new identity for any future activity.
  5. Scan for malware — Run a malware scan, or preferably reinstall your operating system or format your Tails USB and recreate it from scratch.

Quick Anti-Phishing Checklist

  • ☐ I always verify the .onion URL via PGP before visiting
  • ☐ I only get .onion links from PGP-verified announcements
  • ☐ I never click .onion links from forums, search engines, or DMs
  • ☐ I keep JavaScript disabled (Tor Browser security level: Safest)
  • ☐ I never use a clearnet browser to visit .onion sites
  • ☐ I check the .onion address character by character against the verified address
  • ☐ I do not store market URLs in clearnet browser bookmarks
  • ☐ My market account has unique credentials and 2FA enabled

Additional Resources