How to Verify .onion Links

Last updated: July 2026

Phishing is the number one threat to darknet market users. Attackers create pixel-perfect copies of market login pages on similar-looking .onion URLs. When you enter your credentials, they steal your username, password, and any deposited funds.


Why You Must Verify Every Link

  • Phishing sites look identical to real markets but steal your login details.
  • Fake mirrors can redirect you to scam sites even if you have the correct URL.
  • PGP verification is the only way to confirm you are on the authentic marketplace.

How to Verify a .onion Link Using PGP

  1. Find the official PGP-signed mirror list from a trusted source (e.g., Dread, the market's official forum).
  2. Import the market's public PGP key if you don't already have it.
  3. Verify the signature of the mirror list using gpg --verify.
  4. Check the fingerprint — ensure it matches the market's known fingerprint.
  5. Only use URLs that pass verification.

Example command:

gpg --verify mirror-list.sig mirror-list.txt

If the signature is valid, you will see "Good signature" and the fingerprint of the signing key.


Common Red Flags

  • Unverified links shared on forums or chat rooms.
  • Links that differ by one or two characters from the official URL.
  • Pages that ask for your private key or 2FA code on the login page.
  • Markets that do not provide a PGP-signed mirror list.
Never rely on unverified links from random sources. Always verify with PGP before entering any credentials.