Background
A new wave of phishing attacks targeting the Wethenorth Darknet user base was identified in April 2026, this time primarily distributed through Telegram channels impersonating legitimate WTN community groups. The attacks were more sophisticated than previous campaigns, using Telegram bots to push fake mirror URLs with plausible-looking justifications.
Details and Context
The phishing messages typically claimed the 'official' address had changed due to a law enforcement action and urged users to access the market via a new link. These social engineering tactics exploited users' fear of marketplace disruption. The genuine platform does not make address announcements via Telegram, and all legitimate mirror changes are announced via PGP-signed messages.
Community Response and Implications
The community issued an updated verification guide emphasizing that no legitimate WTN communication ever uses Telegram for address announcements. The only valid verification method remains a PGP-signed announcement verifiable against the market's known public key. All Telegram-sourced addresses should be treated as hostile until independently verified.