Nexus Market Bureau est. 2026
Dossier

The onion address, structural dossier

What a v3 onion address actually is, how it is constructed, why the prefix does not matter cryptographically.

By Editor · 16 July 2026 · 5 min

Every current Nexus Market mirror address is a v3 Tor onion address. This dossier explains what such an address actually is, how it is derived, and why some parts of it matter cryptographically while others (like the prefix) do not.

Structure

A v3 onion address is a 56-character string ending in .onion, made up of a subset of the base32 alphabet (lowercase a to z and digits 2 to 7). The whole address encodes three things: the hidden service's public key (32 bytes), a checksum (2 bytes), and a version byte (1 byte). Together these encode into the 56 characters you see.

The public key

The 32-byte Ed25519 public key of the hidden service. This is the cryptographic identity of the service. Anyone who reaches this address is proving to the network that they want to talk to whoever holds the corresponding private key, and only the holder of that private key can respond as the service.

The checksum

A 2-byte truncation of a SHA-3 hash over the public key concatenated with the version byte. Its purpose is typo detection: if a reader mistypes an address, the checksum will not match, and Tor Browser refuses to route the request. This catches most typos before they become clicks.

The version byte

Currently version 3. Version 2 addresses (older, 16-character format) have been deprecated for years and are no longer supported. Anything that looks like a v2 address in 2026 is either a museum piece or a scam.

The prefix

The first few characters of the address (like nexus...) are what most readers use as a visual sanity check. Cryptographically they carry no weight: they are just the first few base32 characters of the public key encoding. But because generating an address with a specific prefix requires brute-forcing until a matching Ed25519 keypair happens to produce that prefix, longer prefixes are more expensive.

A four-character prefix like nexu takes seconds on a laptop. A six-character prefix like nexusa takes hours. A twelve-character prefix would take years of GPU time. This is why phishing clones can match the first few characters but not the whole address.

Why full address comparison matters

A phishing address that matches the first eight characters of a real Nexus address looks like the real address at a glance. The reader who eyeballs only the beginning of the string will not spot the difference. Every character of the 56-character body has to match for the address to be the real one.

The reader defence here is copy-paste, not typing. Copy from a source you trust. Paste. Never type.

Why v3 replaced v2

v2 addresses were 16 characters and derived from an 80-bit truncated hash of a 1024-bit RSA public key. This was strong enough for years but became increasingly weak as computing power grew. v3 addresses are derived from a 256-bit Ed25519 key, which is significantly stronger and resistant to attacks that were becoming feasible against v2.

The switch happened in 2020-2021. Every serious hidden service migrated. Any surviving v2 addresses in 2026 are either shells or scams.

How Nexus mirrors relate

Each Nexus mirror address is a distinct v3 onion address, meaning each mirror has its own Ed25519 key. The addresses do not share cryptographic identity, they share a backend. When a reader reaches any mirror, they end up at the same storefront because the storefront is configured to answer on all three onion addresses, not because the addresses are cryptographically related.

This has an implication for the operator: rotating a mirror means generating a new Ed25519 keypair and adding it to the storefront's configured onion set. It does not mean touching the operator's PGP signing key, which is a separate thing entirely.