FAQ

Three v3 onion mirrors listed on the Mirror Roster. All three carry the same PGP signature with fingerprint ending in 0A9D. The roster is republished daily.

Hit Copy on the mirror card, open Tor Browser pulled directly from torproject.org, paste into the URL bar, set the security slider to Safest, then load the page. Verify the PGP timestamp before submitting credentials.

Try Mirror 2, then Mirror 3. Tor congestion is routine, single-mirror outages happen weekly. If all three fail past 30 minutes, reload the Mirror Roster. Never search for replacement URLs on the clearnet.

No. Nexus Market does not run a clearnet frontend. Clearnet domains claiming to be Nexus are phishing operators. Use the handbook, verify the PGP signature, then enter credentials only on the v3 onion.

Yes. The mirror addresses rarely change and the bookmark will work across sessions. Even with a bookmark, run the PGP verification flow on every login. The bookmark proves the address has not changed, not that the page is fresh.

RSA 4096, key ID 0x7F2A0A9D, full fingerprint 7F2A 9C41 66B8 E1D5 4832 19A4 88F3 BD2C 1E5A 0F77 ... 0A9D. The public key is published on each mirror under /pgp.key and cross-signed by three independent witnesses.

Import the master key once. On the mirror login page, copy the signed timestamp block between BEGIN and END markers, save into a local file, run gpg --verify timestamp.asc. A clean Good signature with the matching fingerprint is the only clearance to log in. See Getting Started step 4 for the full flow.

No, that is the trust web warning. If the message reads Good signature followed by WARNING: This key is not certified with a trusted signature, the signature itself is cryptographically valid. After confirming the fingerprint matches, sign the key locally to silence the warning on future runs.

The master key has not rotated since the platform opened in late 2023. Subkeys for support, vendor desk, and other functions rotate quarterly, signed by the master and witnessed independently. A future master rotation would be announced 30 days in advance and signed by the outgoing key.

Bitcoin transactions are public and indexed by chain analysis vendors in real time. Monero ring signatures, stealth addresses, and ringCT hide sender, recipient, and amount. For a market whose entire purpose is privacy, only one of those defaults makes sense.

For legacy balances only. Accounts created before the 2024 currency rotation can still hold and withdraw BTC. New deposits route to XMR on signup. The platform does not encourage ongoing BTC use.

Feather Wallet for desktop, the Monero CLI for hardened sessions, hardware wallet support through Trezor and Ledger for cold storage. Avoid web wallets entirely. Avoid any tool that asks for a seed phrase in a form field.

Each order creates a 2-of-3 Monero multisig contract. Buyer, vendor, and platform each hold one key. Two of the three must sign to release funds. The buyer signs on receipt of goods. The vendor signs on dispatch confirmation. The platform signs only in dispute resolution. No single party drains the contract alone.

Apply through the in-market vendor portal after a buyer account in good standing exists. The application requires a PGP key, a vendor handle, a category list, a description, and an upfront bond denominated in XMR. The bond is held in multisig, refunded after probation closes cleanly, forfeit on the first confirmed scam complaint.

The bond is a commitment device. It signals that the vendor expects to operate long enough to recover the deposit, which selects against single-shot scammers. The amount tracks category risk, higher for goods that draw more disputes.

Yes. Signed feedback exports from Empire, Dream, AlphaBay, and other markets that issued cryptographic signatures shorten the probation window. They never waive it entirely.

Inside the order ticket, after the listed delivery window has lapsed and after at least one good-faith message to the vendor has gone unanswered for 48 hours. Premature disputes are dismissed without prejudice. The order ticket is the only legitimate dispute channel.

Photos timestamped against shipping deadlines, tracking screenshots, signed message logs from the in-market system, and PGP-signed buyer statements. Anonymous external claims and clearnet screenshots are ignored. The dispute panel only acts on evidence that exists inside the order context.

No. Rulings are written, signed, and attached to the vendor profile permanently. The only recourse is appeal to a fresh panel within 14 days. Even on appeal the original ruling stays on the profile, only the appeal outcome is added.

Encrypted onion email only. Addresses for general support, vendor desk, dispute panel, and security disclosure are published on each active mirror under /contact. Nexus does not run a clearnet support inbox, a Telegram bot, a Discord server, or any other clearnet messaging surface.

Report it to the security channel with the URL and any messages received. The more reports we collect, the faster the impersonation network gets burned. Do not engage with the phishing site, do not enter test credentials, just report and move on.

Yes, paid in XMR after the fix is deployed. Verbal NDA, no contracts. Reports go to the security channel encrypted under the security subkey, with a working callback handle for follow-up.