Torzon Safety Rules: How Not to Get Phished

Phishing is the #1 way darknet users lose funds and compromise their safety. Learn to recognize attacks, verify addresses, and operate securely.

Critical: Never access Torzon through any URL found via Google, Bing, Telegram, or social media. Only use verified addresses from trusted sources such as our verified links page.

What Is Darknet Phishing?

Phishing on the darknet follows the same fundamental principle as on the clearnet — attackers create convincing copies of legitimate services to steal your login credentials and, ultimately, your money. However, the darknet environment creates unique attack vectors that clearnet users rarely encounter.

Fake Mirror Sites

Attackers register onion addresses that look visually identical to the real Torzon market. They copy the entire front-end design and replicate login pages pixel-for-pixel. When you enter your credentials, they are captured and your account is immediately compromised.

How they spread: Via Reddit, Dread posts from low-reputation accounts, Telegram channels, Discord, YouTube comments, and surface web "darknet directory" sites.

Exit Scams

A vendor — or even an entire market — accumulates significant funds in escrow or wallet balances, then disappears with the money without fulfilling orders.

Warning signs: Unexplained delays in withdrawals, market "maintenance" extending for days, vendors suddenly going "FE only" (Finalize Early, meaning funds are released before the order arrives), and unusually large deposit bonuses designed to attract large balances.

Typosquatting

Onion addresses are 56-character strings. Attackers generate addresses that share several characters with the legitimate address, hoping users copy-paste carelessly or do not verify character by character. Modern vanity address generators can create addresses sharing 8-12 characters with a target.

Clipboard Hijacking

Malware that monitors and modifies clipboard contents. When you copy a cryptocurrency address or onion link, the malware silently replaces it with the attacker's address.

Defense: Always verify the pasted address matches what you intended to copy. For cryptocurrency, check the first 6 and last 6 characters at minimum.

How to Verify Onion Addresses

Character-by-Character Verification

The only reliable way to confirm you have the correct onion address is to compare it character by character against a trusted source.

  1. Obtain the address from a trusted source — this page, the Dread forum via its own verified onion address, or directly from the official Torzon PGP-signed announcement.
  2. Do not trust any address found via: Google/search engines, Reddit clearnet, Telegram, Discord, social media, YouTube, or any site not using PGP-signed announcements.
  3. Segment the address: Break the 56-character string into groups of 4 or 8 characters for easier comparison.
  4. Compare each segment against your trusted reference. Do not rush this step.
  5. After pasting into Tor Browser: Read the address in the URL bar again before logging in.
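
The segment-and-compare steps above can be scripted. This is an added example, not part of the original guide: the function names are the example's own, the sample addresses are constructed from arbitrary bytes, and the structural check uses the v3 onion address layout (32-byte key, 2-byte checksum, version byte 3) from the Tor specification.

```python
import base64
import hashlib
from itertools import zip_longest

def host_of(addr):
    """Lower-case the address and drop an optional .onion suffix."""
    host = addr.strip().lower()
    return host[:-6] if host.endswith(".onion") else host

def checksum(pubkey, version=b"\x03"):
    """v3 checksum: first 2 bytes of SHA3-256(".onion checksum" | pubkey | version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def is_wellformed_v3(addr):
    """Structural check only: 56 base32 chars, version byte 3, checksum matches."""
    host = host_of(addr)
    if len(host) != 56:
        return False
    try:
        raw = base64.b32decode(host.upper())  # 56 chars -> 35 bytes
    except ValueError:
        return False
    return len(raw) == 35 and raw[34:] == b"\x03" and raw[32:34] == checksum(raw[:32])

def sample_address(seed):
    """Constructed sample: encodes 32 arbitrary bytes, not a real service."""
    pubkey = hashlib.sha256(seed).digest()
    body = base64.b32encode(pubkey + checksum(pubkey) + b"\x03").decode().lower()
    return body + ".onion"

def differing_groups(candidate, trusted, size=4):
    """Return (group_index, trusted_group, candidate_group) for every mismatch."""
    def groups(s):
        return [s[i:i + size] for i in range(0, len(s), size)]
    pairs = zip_longest(groups(host_of(trusted)), groups(host_of(candidate)), fillvalue="")
    return [(i, t, c) for i, (t, c) in enumerate(pairs) if t != c]

def matches_trusted(candidate, trusted):
    """True only for a well-formed address identical to the trusted reference."""
    return is_wellformed_v3(candidate) and not differing_groups(candidate, trusted)

if __name__ == "__main__":
    trusted, lookalike = sample_address(b"trusted"), sample_address(b"lookalike")
    for i, t, c in differing_groups(lookalike, trusted):
        print(f"group {i:2d}: trusted={t} candidate={c}")
    print("match:", matches_trusted(lookalike, trusted))
```

The checksum only catches damaged or mistyped addresses. A phishing address is itself a well-formed onion address, so the comparison against the trusted reference is the check that matters.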

PGP Verification

The most secure way to verify an onion address is through a PGP-signed message from the market's known public key.

  1. Obtain the market's official PGP public key from a trusted source (Dread, the market's own canary).
  2. Import the key into GPG: gpg --import torzon_public_key.asc
  3. Verify the signed address announcement: gpg --verify announcement.txt.sig announcement.txt
  4. A "Good signature" result from the known key fingerprint confirms authenticity. A bad signature or unknown key is a red flag.
  5. Cross-reference the key fingerprint with multiple independent sources.

PGP key warning: Attackers can create PGP keys with identical display names. Always verify the full key fingerprint (40 hex characters), not just the name. A key named "Torzon Official" means nothing — only the fingerprint matters.
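
One way to enforce the fingerprint rule mechanically is to read gpg's machine-readable status output instead of the human-readable "Good signature" text. This is an added example, not part of the original guide: the function names are the example's own, and the fingerprints and status lines are constructed samples laid out in GnuPG's documented --status-fd format.

```python
import subprocess

HEX = set("0123456789ABCDEF")

def normalize_fpr(fpr):
    """Strip spaces, upper-case, and insist on a full 40-hex-character fingerprint."""
    fpr = fpr.replace(" ", "").upper()
    if len(fpr) != 40 or not set(fpr) <= HEX:
        raise ValueError("expected a full 40-hex-character fingerprint")
    return fpr

def check_status(status_text, pinned_fpr):
    """True only if gpg reported GOODSIG and VALIDSIG names the pinned primary key."""
    pinned = normalize_fpr(pinned_fpr)
    seen = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            seen.setdefault(parts[1], parts[2:])
    fields = seen.get("VALIDSIG")
    if "GOODSIG" not in seen or not fields:
        return False
    # Field 0 is the signing (sub)key; the 10th field, when present, is the primary key.
    primary = fields[9] if len(fields) > 9 else fields[0]
    return primary.upper() == pinned

def verify_announcement(sig_path, file_path, pinned_fpr):
    """Run gpg --verify and apply check_status to its machine-readable status output."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and check_status(proc.stdout, pinned_fpr)

# Constructed sample data: the fingerprints and status lines below are made up.
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Torzon Official\n"
    f"[GNUPG:] VALIDSIG {PINNED} 2024-01-01 1704067200 0 4 0 1 10 00 {PINNED}\n"
)
# Same display name, different key: must be rejected.
LOOKALIKE_STATUS = SAMPLE_STATUS.replace(PINNED, OTHER)
```

A 16-character key ID is rejected by normalize_fpr on purpose, since only the full fingerprint is accepted as a pin.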

The 5 Rules of Safe Darknet Browsing

01 Verify Before You Log In

Never log in to any market without first confirming the onion address matches your trusted reference. Check the address bar in Tor Browser against your bookmarked/verified address every single time.

Rule: Bookmark verified addresses. Use your bookmarks exclusively. Never follow links from messages, forums, or search results to log in.

02 Use PGP for Everything

Encrypt all communications with vendors using PGP. This protects your delivery address from interception and verifies you are communicating with the legitimate vendor. Never send a delivery address unencrypted.

Rule: If a vendor refuses to use PGP or claims it is unnecessary, do not order from them.

03 Use Multisig or Escrow — Never FE

Finalizing Early (FE) means releasing funds to the vendor before you receive your order. Legitimate, established vendors rarely require FE. FE requests from new vendors are a strong indicator of a scam.

Rule: Never FE for a new vendor regardless of their explanation.

04 Minimize Your Wallet Balance

Never keep more cryptocurrency in a market wallet than you need for an immediate purchase. Markets can exit scam at any time. Deposit, transact, and withdraw. Funds in a market wallet are at risk at all times.

Rule: Keep market wallet balances minimal. Your real holdings should be in your own wallet.

05 Separate Your Identities

Your darknet identity must be completely separate from your clearnet identity. Use a unique username not used anywhere else. Use a unique, randomly generated password. Never access markets from your regular browser.

Rule: Compartmentalization is the foundation of OPSEC. One slip can unravel everything. See our full OPSEC guide.

How Fake Support Scams Work

One of the most sophisticated phishing vectors on the darknet is the fake support scam. Here is how it typically unfolds:

  1. You post a problem publicly on a forum like Dread about a disputed order or login issue.
  2. The attacker contacts you privately, posing as a market support representative or admin.
  3. They create urgency: "Your account has been flagged," "Your funds are at risk," "You need to verify your identity."
  4. They send you a link to what looks like the official market, but is a phishing clone — and ask you to log in.
  5. Once you do, they have your credentials and immediately log in on the real site to drain your balance.

How to Recognize Fake Support

  • Real market admins do not contact you first via private message about account issues. Open a support ticket through the verified market interface.
  • Any link sent in a message should be treated as potentially malicious. Always navigate to the market yourself using your bookmarked address.
  • Pressure tactics and urgency are red flags. Legitimate processes do not require you to act in minutes.
  • Requests for your password or 2FA code outside of the official login page are always scams.
  • Check the Dread handle of anyone claiming to be official staff against known verified admin accounts.

Password and Account Security

Password Best Practices

  • Use a unique, randomly generated password for each darknet account. KeePassXC is recommended for offline password management.
  • Minimum length: 20+ characters with uppercase, lowercase, numbers, and symbols.
  • Never reuse passwords across any sites, clearnet or darknet.
  • Do not use dictionary words, personal information, or predictable patterns.

Two-Factor Authentication (2FA)

  • Enable 2FA on any market that offers it. PGP-based 2FA is preferred over TOTP for darknet markets.
  • Store your 2FA backup codes and PGP keys in an encrypted, offline location.
  • Generate a new PGP keypair specifically for each market.

PIN / Withdrawal Passwords

  • Set a strong withdrawal PIN that is different from your login password. This is your last line of defense if login credentials are compromised.
  • Some markets allow you to whitelist specific withdrawal addresses. Use this feature if available.

What to Do If You Think You Have Been Phished

  1. Act immediately. Time is critical — every second counts if an attacker has your credentials.
  2. Log in to the real market immediately using your verified bookmarked address and change your password and 2FA.
  3. Withdraw any remaining balance to an external wallet you control.
  4. If you entered credentials on a suspected phishing site, assume your account is compromised. Do not wait to "see what happens."
  5. Review your recent orders — dispute any orders the attacker may have placed or cancelled.
  6. Contact market support through the verified market interface only to report the compromise.
  7. Assess broader exposure: Did you reuse this password elsewhere? Change all instances. Was your PGP key compromised? Revoke it and generate a new keypair.
  8. Document what happened and report it to the community on Dread to protect others.

Cryptocurrency cannot be reversed. Once funds leave a market wallet to an attacker's address, they are unrecoverable. Speed of response determines whether any balance is saved.

How to Report Phishing to Community Forums

Reporting phishing attempts protects the wider darknet community.

On Dread (darknet forum — onion access only)

  • Post in the relevant market subdread (e.g., d/Torzon) with the phishing onion address and how you encountered it.
  • Moderators and admins can pin warnings and update community resources.
  • Include: the fake onion address, the source where you found it, and any PGP keys the phisher presented.
  • Note: Dread is accessible via Tor Browser only.

External Resources

  • EFF Surveillance Self-Defense (ssd.eff.org) — Comprehensive digital security guides including threat modeling and safe communications.
  • Tor Project (torproject.org) — Official Tor Browser downloads and documentation. Always download Tor Browser from the official site only.
  • Dread Forum — The primary community forum for darknet market discussion. Accessible via Tor only.

Frequently Asked Questions

How do I know if an onion link I found online is real or a phishing site?

You cannot determine whether an onion link is real solely from its appearance. The only reliable methods are: (1) Compare the full 56-character address character-by-character against a trusted, long-standing community source. (2) Verify a PGP-signed announcement from the market using the market's known public key and confirmed fingerprint. (3) Cross-reference against multiple independent community sources. Any address found via search engines, social media, or messages from unknown parties should be treated as potentially fake until verified.

Is using a VPN with Tor enough to stay safe from phishing?

A VPN and Tor protect your network-level anonymity and IP address — they do not protect you from phishing. Phishing attacks target your credentials and behavior, not your IP address. A phishing site will capture your username and password regardless of whether you are using a VPN, Tor, or both. You need both technical anonymity tools AND behavioral vigilance about verifying addresses.

What is PGP and why do I need it on darknet markets?

PGP (Pretty Good Privacy) is an encryption system that uses a public/private key pair. On darknet markets it: (1) Encrypts your delivery address so only the vendor can read it. (2) Verifies communications are genuinely from the claimed party. (3) Allows you to verify PGP-signed market announcements. Using PGP is a fundamental operational security requirement for safe darknet market use.