Anti-Phishing & Scam Protection

Phishing attacks, exit scams, and fake market clones are the primary causes of financial loss for darknet market users. This guide covers every major attack vector and how to defend against each.

The Phishing Threat Landscape

Darknet market phishing has evolved into a highly sophisticated operation. Criminal groups operate dozens of fake market clones simultaneously, distributing phishing links through social media, forums, and private messages. The fake sites are often pixel-perfect copies of the legitimate market — distinguishable only by the onion address.

When a user logs into a phishing site, their credentials are captured immediately. The attacker then logs into the real market, drains the wallet, and the victim receives an "incorrect password" error. The entire attack takes under 60 seconds.

Primary Attack Vector

Phishing is responsible for an estimated 70%+ of all user-reported financial losses on darknet markets. The attack is technically simple but psychologically effective — users are in a hurry, trust familiar-looking interfaces, and rarely verify addresses character by character.

How to Identify Phishing Sites

The Onion Address — Your Primary Defence

Every V3 .onion address is exactly 56 characters long, consisting of lowercase letters and numbers. A phishing clone will differ from the legitimate address in at least one character — but it may be a letter that looks visually similar (l/1, 0/o, rn/m).

  • Copy the onion address from this page or from a PGP-signed canary
  • Compare character by character before entering credentials
  • Paste both addresses into a text editor side by side if needed
  • Pay special attention to: l (lowercase L) vs 1 (one), 0 (zero) vs o, rn vs m
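
The address check above, as an added example that is not part of the original page. It goes beyond the 56-character comparison: per the Tor v3 onion service specification, an address is the base32 encoding (alphabet a-z and 2-7) of a 32-byte public key, a 2-byte checksum and a version byte, so a mistyped address fails structurally before it is even compared. The function names and sample addresses are constructed for illustration.

```python
import base64
import hashlib

def _host(address):
    """Lower-case the address and drop a trailing '.onion'."""
    host = address.strip().lower()
    return host[:-6] if host.endswith(".onion") else host

def encode_v3_onion(pubkey):
    """Build a v3 address from a 32-byte key (used here only to make sample data)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def parse_v3_onion(address):
    """Return the 32-byte public key of a well-formed v3 address, else raise ValueError."""
    host = _host(address)
    if len(host) != 56:
        raise ValueError("expected 56 characters, got %d" % len(host))
    try:
        raw = base64.b32decode(host.upper())  # base32 alphabet: a-z and 2-7 only
    except ValueError as exc:
        raise ValueError("not base32 (%s)" % exc)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        raise ValueError("version byte is not 3")
    if checksum != hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]:
        raise ValueError("checksum mismatch")
    return pubkey

def check_against_trusted(candidate, trusted):
    """Return a list of findings; an empty list means well-formed and identical."""
    findings = []
    try:
        parse_v3_onion(candidate)
    except ValueError as exc:
        findings.append("malformed: %s" % exc)
    a, b = _host(candidate), _host(trusted)
    if len(a) != len(b):
        findings.append("length %d != %d" % (len(a), len(b)))
    findings += ["pos %d: %r != %r" % (i, x, y)
                 for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return findings

# Constructed sample data: the key is a placeholder byte pattern, not a real service.
TRUSTED = encode_v3_onion(bytes(range(32)))
LOOKALIKE = "1" + TRUSTED[1:]  # '1' is outside the base32 alphabet
ONE_CHAR_OFF = TRUSTED[:52] + ("a" if TRUSTED[52] != "a" else "b") + TRUSTED[53:]

if __name__ == "__main__":
    for name in ("TRUSTED", "LOOKALIKE", "ONE_CHAR_OFF"):
        print(name, check_against_trusted(globals()[name], TRUSTED))
```

A clone's own address passes the structural check, because its operator generated it as a valid address. Only the position-by-position comparison against the trusted copy catches it.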

PGP Signature Verification

The Torzon admin team signs all official mirror announcements with a PGP private key. Any site or post claiming to be Torzon without a valid admin PGP signature must be treated as suspicious.

  • Import the Torzon admin public key into your GPG keyring
  • Verify the signature on any mirror announcement before using the link
  • A valid signature proves the message was created by someone with access to the admin private key — it is cryptographically unforgeable

Visual Indicators (Not Sufficient Alone)

  • Phishing sites often have small visual differences — slight colour shifts, missing elements, different fonts
  • The HTTPS padlock in Tor Browser does not indicate a legitimate site; it only confirms an encrypted connection
  • Do not rely on visual inspection alone — always verify the address

High-Risk Distribution Channels

Phishing links are distributed through the following channels with extremely high frequency. Treat all links from these sources as potentially hostile:

Social Media & Forums

  • Reddit — r/darknet, r/onions, and related subreddits are heavily targeted. Upvoted posts can still be phishing
  • Dread — The darknet Reddit equivalent. Phishing links are regularly planted in posts and comments
  • Twitter/X — Accounts impersonating market admins regularly post phishing links

Messaging Platforms

  • Telegram — "Official" Torzon channels are frequently impersonated
  • Discord — Invites to "darknet communities" often lead to phishing distribution
  • Private messages — Unsolicited link offers from strangers are almost universally phishing

Search Engines

  • Phishing sites sometimes appear in search results above legitimate resources
  • Never search for a darknet market name and click the first result
  • Use your bookmarked, verified URL exclusively

Exit Scams — Market-Level Theft

An exit scam occurs when a market operator suddenly disappears with all user and vendor funds held in deposit wallets. This is distinct from phishing — the legitimate market itself becomes the attack vector.

Warning Signs Before an Exit Scam

  • Unusual withdrawal limits suddenly imposed without explanation
  • Extended withdrawal processing times with vague status messages
  • Admin communication becomes sparse or promotional rather than substantive
  • Unusual spike in staff "finalise early" pressure on buyers
  • Suspicious regulatory announcements or "maintenance" periods

How to Minimise Exit Scam Risk

  • Never maintain a large balance in a market wallet — deposit only what you intend to spend immediately
  • Withdraw immediately after a transaction completes — do not leave funds sitting
  • Diversify across markets — never depend on a single market for all activity
  • Prefer markets with multisig escrow — 2-of-3 multisig prevents unilateral fund seizure by admins
  • Follow market reputation on trusted community boards — sudden negative shifts are early indicators

Vendor-Level Scams

Selective Scam (Partial Exit)

A vendor selectively scams new or low-reputation buyers while maintaining good standing with regular customers. They continue to operate normally to avoid market action while stealing from targets of opportunity.

Protection Strategies

  • Only purchase from vendors with 50+ reviews and a long operational history
  • Read recent negative reviews carefully — patterns of selective non-delivery are a strong signal
  • Use escrow for all transactions — never finalize early (FE) with a new vendor
  • FE should only ever be used with vendors you have extensive positive transaction history with
  • When a vendor offers significant unsolicited discounts for FE, treat this as a red flag

What to Do If Scammed

  • Open a dispute immediately — do not contact the vendor first for resolution
  • Document all communications, order details, and tracking information
  • Submit a detailed dispute to market staff with all available evidence
  • Post an honest review — this protects other buyers from the same vendor
  • Funds held in escrow are recoverable through the dispute process; FE funds generally are not

Security Checklist Before Every Session

  • ✅ Using Tor Browser at Safest security level
  • ✅ Market URL verified against PGP-signed canary or this site
  • ✅ Full 56-character onion address matches verified address
  • ✅ Accessing via bookmarked URL — not a link from any message or post
  • ✅ Wallet balance is minimal — only funds needed for immediate use
  • ✅ 2FA is enabled and functional
  • ✅ PGP key verified for any vendor you are communicating with
  • ✅ Using Monero (XMR) acquired from a KYC-free source