How to spot a fake Nexus Market mirror
A fake mirror will look identical to the real one down to the pixel. It has to, or nobody would type their password. The tells are almost never visual. This is the checklist that catches them.
Verify the address against a signed announcement
Every real Nexus Market rotation is published as a PGP-signed message using the same key that has signed every rotation before. Read the signed announcement, verify it with the public key you already have, and only then paste the address into Tor Browser. The PGP verification guide walks through it.
Fake mirrors match the first 8 to 12 letters of a real address because generating a matching prefix takes hours of GPU work. Matching all 56 characters takes centuries. Compare the whole string, letter by letter, against the signed version.
Check the captcha image address
Nexus Market prints the current onion address inside the login captcha image itself. When you solve the captcha, glance at the small text at the bottom of the picture. It should match what you have in the address bar. Different addresses mean the mirror is fake.
Some phishing operators paint their fake address into their own captcha to pass this check. The counter is that the captcha address must also match the address in the last signed announcement, not just the address you happen to be on.
Confirm the anti-DDoS queue actually holds you
The real Nexus login has an anti-DDoS wait page in front of it. It says something like "you are number N in the queue" and holds you for anywhere from ten seconds to a minute. Fake mirrors almost never bother building a queue because it is complicated. If a mirror sends you straight to the login without a wait, that is a red flag.
Some phishers now put in a fake countdown that clears in one second every single time. A real queue behaves like a queue: variable wait, sometimes fast, sometimes slow.
Bookmark the current signed address, not a random link
The most common way buyers get phished is by clicking an old bookmark. You bookmarked a mirror in April, it went stale in June, someone hijacked the address in July, and you are still clicking your old bookmark in September. Every session, glance at the address bar and compare against the current signed announcement. Two seconds. Habit that saves accounts.
Do not trust search results
Someone types "nexus market mirror" into a search engine, clicks the top result, that page is not the market. It is either a directory (some legit, most not) or a phishing landing page dressed up as one. Fresh directory-looking pages ranking well for "nexus market" queries are almost always affiliate operations that route to phishing.
Reliable sources are the ones that have been publishing the same primary onion the market itself signs, for months. Not new directories with polished branding.
Site behaviour tells
- Real markets rotate their captcha image on every load. Fake ones serve the same image ten times in a row.
- Real markets show fresh balance, prices and order counts after login. Fake ones show static numbers because they only expected to catch your password.
- If you get past the login and the vendor list is from months ago or one of your open orders is missing, log out immediately and re-verify the address.
What to do when you are unsure
Close the tab. Open a fresh Tor Browser window (New Identity from the menu). Go to a source you already trust for the current signed address. Verify the signature. Copy the address from there, paste into a new tab. If the site looks like the one you closed, you were fine. If it looks slightly different, you just dodged a phishing page.
Nobody has ever regretted checking one extra time. Plenty of people have regretted skipping it once.