Operational reference: how phishing operators impersonate Anubis and Nexus, and the verification habit that catches them. Verify before you paste; a working onion is not the same as a legitimate one.
Phishing operators clone the visual layout of a darknet-market login page, register a near-identical v3 onion (typically one or two characters different from the legitimate address), and harvest credentials from users who arrive via mistyped links or third-party Telegram pins. The clones are pixel-perfect; the only durable defence is to copy directly from a verified directory like this one.
The directory does not republish active phishing addresses verbatim — doing so would amplify their reach by giving them a high-PageRank inbound link. Instead, the editorial advice is: (1) always copy from a verified directory like this one or from the operator’s announcement, (2) never retype an onion by hand, (3) if anything looks off, close the tab.
| Market | Verified primary | Uptime | |
|---|---|---|---|
| Anubis Market | anubisq6kqiq5ttmrrnj3pyxssmnaxurl76flaegbtzbcwtes3vomiid.onion | 99.42% | |
| Nexus Market | nexusncagw2vnag3ycv62occuouhfgkp6htx7alhnzl5xwgtzi2mfbid.onion | 99.81% |