Nexus Market Bureau est. 2026
Case

The February 2026 phishing wave, three domains burned in six days

A case study on a specific phishing wave that hit Nexus, how it was spotted, how it was neutralised.

By Editor · 16 July 2026 · 7 min

In late February 2026, three lookalike clearnet domains were registered targeting Nexus Market. Each hosted a copy of the login page. Within six days all three had been burned by community reports and cross-verification against the signed rotation. This case study walks through what happened.

Domain profile

All three were on the same TLD family. Registration timestamps were within 48 hours of each other, suggesting a single operator or coordinated ring. Two used cheap hosting on well-known free tiers. One paid for slightly better hosting. All three used Cloudflare in front of the origin, standard operational pattern for short-lived phishing infrastructure.

None of the three domains were on .onion. That fact alone would have caught the majority of readers, because Nexus is a Tor storefront and every real address ends in .onion. But the domains showed up in some search results, and readers who clicked without thinking landed on the clone.

Login pages

Pixel-perfect copies of the Nexus login form, complete with the DDoS wait counter animation. Two of the three even had a scraped copy of the current Nexus captcha image embedded (stale, but present). The third had no captcha, just went straight to a credential form.

None of the three could produce a signed rotation announcement. This was the fatal gap.

Community detection

A reader forwarded one of the URLs to the pinned Dread thread with a screenshot. Another reader recognised the pattern and pointed out that the address was clearnet, not onion. The thread propagated. Within 36 hours, community verification against the current signed rotation had identified all three domains as clones.

Bureau response

Editors verified the reports against the operator PGP key. All three claimed addresses failed verification. The Bureau published a short advisory in the security section within four hours of the third confirmation, listing the three domains and the reader defence steps.

Timeline resolution

Cloudflare received abuse reports on all three domains, from multiple reporters. Two were nullrouted within 48 hours of the first report. The third took slightly longer because the abuse mechanism was slower for that particular hosting stack. All three were unreachable within six days of first detection.

Lessons for readers

The captcha URL check would have caught all three on the first session (URL bar showed a clearnet domain, captcha embedded either nothing or a stale onion). The PGP verification against signed rotation would have caught all three at the address-listing stage. Both defences worked as designed. Neither is optional.

Lessons for the Bureau

The domain squat pattern seems to be increasing in frequency, so the Bureau updated the phishing defence report to emphasise the never-clearnet-search rule more prominently.