Nexus Market Bureau est. 2026
Dossier

The captcha system, address embedding and phishing defence

How the Nexus captcha works, why the address is baked into the image, what phishing clones cannot copy.

By Editor · 16 July 2026 · 4 min

The Nexus Market login captcha is more than a bot-blocker. It doubles as a phishing check by embedding the current onion address inside the captcha image itself. This dossier explains the mechanism and why it works.

The mechanism

When a reader lands on the login page of any Nexus mirror, the storefront generates a fresh captcha image. Two things go into the image: the puzzle (a distorted string the reader has to type) and the current mirror address printed in small text along the bottom edge. Both are rendered server-side into the same image file, which the reader's browser downloads and displays.

Why the address in the image

Because it costs a phishing clone something to fake. A clone that scrapes the Nexus login page gets an image with the real Nexus address baked in. If the clone displays that image unchanged, the reader can see that the address in the image does not match the address in the URL bar, and the clone is caught.

The clone could regenerate the image with the clone's own address baked in, but that requires infrastructure the clone operator would rather not build. Most clones do not bother, which is why the captcha check works reliably against the median phishing attempt.

Reader instruction

Every session, before typing the password, glance at the small text at the bottom of the captcha image. Compare against the URL bar. If they match, proceed. If they do not, close the tab. The check takes five seconds and catches the vast majority of phishing clones on the first attempt.

Refresh cadence

The captcha image regenerates on a rotating cycle, currently every twenty seconds under peak load and every forty-five seconds under typical load. Each regeneration produces a new puzzle and a new copy of the current address. A phishing clone that scrapes and caches a single image gets a copy that ages out within a minute, forcing the clone to either scrape continuously (which is fingerprintable server-side) or fall behind.

What the check does not catch

A sophisticated clone that regenerates captchas server-side with the clone address baked in. This requires the clone operator to implement captcha generation themselves, which is more work than most clones do, but not impossible. The Bureau has seen approximately three clones in the past year that made this effort.

Against a clone that generates its own captchas, the reader's remaining defence is PGP verification: the clone address will not appear in any signed rotation from the operator. The PGP check is the strong anchor, the captcha check is the fast per-session check that catches most clones without invoking gpg every time.

Interaction with anti-DDoS queue

The anti-DDoS queue holds the reader for twenty to sixty seconds before the captcha renders. This means a clone that wants to display a captcha image immediately (skipping the queue) is fingerprintable as a clone just by that fact. Serious readers who use Nexus regularly know that the wait is a genuine sign, and instant login pages are suspicious.

History of the mechanism

The captcha-with-embedded-address pattern was not present at Nexus launch. It was introduced in mid-2025 after the operator observed phishing patterns that exploited the reader's inability to check the address in real time. The pattern is now standard across serious Tor storefronts. Other storefronts picked up the same design within six months of Nexus rolling it out.