How to tell a real Tor market from a phishing clone: onion fingerprint verification, page-header check, PGP-signed mirror list, common phishing patterns and how to avoid them.
Most money lost on Tor markets is lost to phishing, not exit scams and not seizures. Somebody clones the market UI, ranks for the market name on Google, and intercepts your password and your deposit address. The good news is this is the easiest attack to defend against, you just have to do the checks.
1. Compare the v3 onion you typed against the address printed in the page header. Markets on this shortlist reprint the canonical onion on every page so you can verify the address bar matches.
2. Compare the onion against a PGP-signed mirror announcement on Dread. If the address you have is not on the signed list, it is not the real market, regardless of how convincing the UI looks.
3. Look for the captcha that bakes the onion into the image. Several markets on this list do this exactly because phishers cannot easily fake an image-embedded onion that matches your address bar.
The Google trap: search the market name, click the first result, land on a clearnet domain that looks identical to the market. The cloned login works, the cloned captcha works, your password ends up in their database. Never reach a market through search.
The forum link: Telegram and Reddit groups publish "official" links daily. None of them are official. Verify against a PGP-signed source.
The email "support": no Tor market emails its users. Any email claiming to be from the market is fake.
The character swap: a v3 onion is 56 characters. A phisher generates a vanity address with the same first eight characters and the rest random, hoping you do not verify the full string. Always verify all 56.
Change passwords on the real market immediately. Move any balance off the compromised account. If the phisher captured a PGP-encrypted message that includes your shipping address, that address is burned, switch to a drop or a different one.
Back to the guides hub or the top picks.
