Nexus Market Bureau est. 2026
Report

Phishing defence, the reader-side workflow that works

What actually protects a Nexus Market user against phishing clones, in the order those defences run.

By Editor · 16 July 2026 · 9 min

Phishing is the single largest historical cause of buyer account loss on Nexus Market and every other serious Tor storefront. Not exchange failures, not exit scams, not law enforcement seizures. Phishing. This report walks through the defence workflow that actually protects buyers, in the order those defences run.

Layer one: bookmark hygiene

The first line of defence is not verifying anything about the address you are about to visit, it is having a trusted source for that address in the first place. Bookmark the mirror reference page inside Tor Browser. Never type an onion from memory. Never click a link to a Nexus mirror from a search-engine result, a chat message, a forum banner, or a directory site you have not personally vetted. If the address does not come from either your own bookmark or a signed rotation announcement you verified yourself, treat it as untrusted.

Most reader account loss traces back to this step failing. The reader trusted a link from somewhere, and the link went to a phishing clone. Everything else downstream (captcha, credentials, deposit) followed.

Layer two: PGP verification per rotation

When the operator publishes a signed rotation, verify it. Once per rotation, not once per session. This is what turns a set of addresses on a page into a set of addresses you can trust. See the report on PGP verification workflow for the step-by-step.

Verifying once per rotation catches the class of clones that try to publish a fake rotation. They cannot sign under the operator key, so the fake rotation will fail your PGP check, and the addresses inside are worthless.

Layer three: captcha URL match per session

Every session, before typing the password, read the small text at the bottom of the login captcha image. Compare it against your URL bar. Match wins. Mismatch means phishing clone.

This defence exists because bookmark rot is real. A bookmark you saved months ago may point at an address that has since been rotated out. If a phishing clone happens to notice the retirement, they can spin up a clone on a lookalike domain and hope you click the stale bookmark. The captcha check catches this pattern on the first attempt.

Real-world clone patterns

Bureau observation across the past year of clone attempts against Nexus:

Domain squats. Clones on clearnet domains that look close to a Nexus address (like nexus-market-onion.xyz). These target readers who search for Nexus in a clearnet search engine. Defence: never search for Nexus on clearnet, ever. Nexus is a Tor storefront, it does not have a clearnet presence.

Prefix-collision onions. Onion addresses that match the first 4-8 characters of a real Nexus address. These target readers who eyeball only the beginning of the string. Defence: full letter-for-letter comparison of the entire 56 characters.

Stale-address hijacks. A rotated-out real address gets registered by a phishing clone shortly after the operator retires it, and the clone serves a login page on the address. Some readers with stale bookmarks land on it. Defence: keep bookmarks against the current signed rotation, not against addresses you memorised.

Search-engine sponsored results. A clone runs paid search ads for Nexus-related queries. Defence: same as domain squats, never search for Nexus on clearnet.

What phishing clones do after credential capture

They wait. The clone captures your username, password and any mnemonic seed you type in a panic. It does not immediately steal your account, because the clone infrastructure needs your login credentials to actually work on the real Nexus login. So the clone stores them, and at some point the operator (or their downstream buyer of stolen credentials) logs into your real account through the real storefront, and drains what is drainable.

The drain window is usually within 24-48 hours of capture. If you realise you were phished, immediately log into the real Nexus, change your password, and withdraw any wallet balance to a fresh address you control.

What phishing clones cannot do

They cannot fake a signed rotation. They cannot fake the captcha URL match against the real address. They cannot compromise the operator PGP key. Any single one of the three defence layers, run correctly, catches the median phishing attempt.