Background
The Wethenorth Darknet community issued a high-priority warning in December 2025 following identification of at least seven fraudulent mirror sites impersonating the genuine platform. The phishing campaign was reported as unusually sophisticated, with attackers using .onion addresses that differed from the genuine address by only one or two characters.
Details and Context
Community members on Dread documented credential theft reports from users who had followed links from clearnet sources including fake forum posts, Telegram channels, and search engine results. The stolen credentials were reportedly used to drain any XMR or BTC balances held in market wallets.
Community Response and Implications
The community response included: immediate PGP-signed announcement of the verified address, a guide on character-by-character address verification, and warnings against any address obtained from clearnet sources. The genuine market issued a signed statement confirming the legitimate address and urging users to verify via the market's PGP key.