Nexus Handbook · signed 0A9D · v2026.17

Getting started

Five steps from a fresh tool stack to a verified Nexus Market login. The drill takes about twenty minutes the first time and under sixty seconds every time after.

Most accounts that get compromised on Tor are compromised in the first session. The user opens a tab, sees a familiar UI, and submits credentials before doing the verification. This page is the antidote. Run through it once carefully, then commit it to muscle memory.

1. Install Tor Browser

Pull Tor Browser directly from torproject.org. Do not accept it from a mirror, a re-uploader, or a software bundle that wraps it. The Tor Project signs every release. Verify the installer signature against the published key before running the binary.

# on Linux, after downloading tor-browser-linux64-X.X_ALL.tar.xz
$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
$ gpg --verify tor-browser-linux64-X.X_ALL.tar.xz.asc tor-browser-linux64-X.X_ALL.tar.xz

If the signature does not verify, do not extract the archive. Stop and report through the security channel on a verified mirror. A bad Tor Browser binary is a complete game over before you even begin.

2. Install GnuPG and import the master key

GnuPG is the standard tool for PGP signature verification. On Linux and macOS it is available through the package manager. On Windows use Gpg4win. Once installed, fetch the Nexus master key from this handbook or from any active mirror under /pgp.key.

# import master key
$ gpg --import nexus-master.asc
# confirm fingerprint matches the published value
$ gpg --fingerprint 0x7F2A0A9D
  expected: 7F2A 9C41 66B8 E1D5 4832 19A4 88F3 BD2C 1E5A 0F77 ... 0A9D

Cross-check the fingerprint against at least one independent source. The key is also signed by three witnesses whose own keys are listed on each mirror. Do not trust this handbook alone for the master key import.

3. Configure Tor Browser security

Open Tor Browser. Click the shield icon next to the address bar and slide the security level to Safest. This disables JavaScript by default, blocks remote font loading, and forces media to click-to-play. The Nexus login page renders fully under Safest, no exceptions.

Do not install browser extensions. Do not change the window size. Do not enable plugins. Tor Browser fingerprinting is a real deanonymisation vector, and any deviation from the default profile narrows the anonymity set you are hiding inside.

Tip: Resist the urge to tweak Tor Browser to make it feel like your daily browser. The boring default is the secure default. Customisation is what gets users identified across sessions.

4. Pull a mirror, verify the signature, log in

From the Mirror Roster, hit the Copy control on Mirror 1. Paste into the Tor Browser URL bar. Press Enter. Wait for the login page to render fully.

On the login page, find the signed timestamp block. It looks like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Nexus Market mirror 01 timestamp
Generated: 2026-04-25T00:00:00Z
Window: 24 hours
Signed by master 0x7F2A0A9D

-----BEGIN PGP SIGNATURE-----
... base64 signature block ...
-----END PGP SIGNATURE-----

Copy the entire block from BEGIN to END markers. Save into a local file, run gpg --verify timestamp.asc, and read the output.

$ gpg --verify timestamp.asc
  expected: Good signature from "Nexus Market <0x7F2A0A9D>"

If GPG returns Good signature with the matching fingerprint, you are on a real mirror. Submit credentials. If GPG returns anything else, including BAD signature, abandon the session immediately. Close the tab. Re-pull the onion from the handbook. Do not retry.
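Added example (not part of the handbook): steps 1 and 4 both hinge on reading gpg --verify output, where the name after "Good signature from" is only the user ID stored in whichever key made the signature. This Python code parses the machine-readable output of gpg --status-fd 1 --verify, accepts only the pinned full fingerprint, and then checks the signed Generated/Window fields. The fingerprint and the status lines are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed placeholder, not a real key. Pin the full fingerprint you cross-checked.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Any of these status keywords means the signature must be rejected.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample: output of `gpg --status-fd 1 --verify file.asc` for the pinned key.
GOOD_STATUS = """
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-04-25 1777075200 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Constructed sample: a different key carrying the same user ID also yields GOODSIG.
LOOKALIKE_STATUS = """
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Signer
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2026-04-25 1777075200 0 4 0 1 10 01 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""


def signer_is_pinned(status_text, pinned_fpr=PINNED_FPR):
    """True only for exactly one VALIDSIG whose primary-key fingerprint is the pinned one."""
    primaries = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FATAL:
            return False
        if parts[1] == "VALIDSIG":
            # Last field is the primary key; the first fingerprint may be a subkey.
            primaries.append(parts[-1].upper())
    return primaries == [pinned_fpr.replace(" ", "").upper()]


def within_window(signed_body, now):
    """Check 'Generated:' and 'Window: N hours' against now (UTC). Pass the text
    gpg wrote with --output, not the raw page: only that text is covered by the signature."""
    gen = re.search(r"^Generated:\s*(\S+)\s*$", signed_body, re.M)
    win = re.search(r"^Window:\s*(\d+)\s*hours\s*$", signed_body, re.M)
    if not gen or not win:
        return False
    try:
        start = datetime.strptime(gen.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    return start <= now < start + timedelta(hours=int(win.group(1)))
```

Both checks fail closed: a missing VALIDSIG line, a second signature, or an unparsable timestamp all return False.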

5. Log in with offline-stored credentials

Use a password generated specifically for Nexus, not reused from any other account, stored in an offline manager like KeePassXC. The password manager itself runs locally, never in a browser tab. The vault file lives on encrypted local storage, ideally on a partition that is unmounted between sessions.

Generate a fresh PGP key for your Nexus identity, separate from any clearnet correspondence. Reusing a PGP key across markets is the single most reliable deanonymisation vector observed in the wild, more reliable than payment correlation, more reliable than browser fingerprinting. One key, one identity, one market.

Hard rule: Never run a Nexus session with a password manager that syncs to the cloud, never log in from a browser that has password autofill enabled, never paste credentials from a clearnet device into a Tor session.

Recap

Tor Browser: Pulled from torproject.org. Signature verified. Security on Safest.
GnuPG: Master key imported. Fingerprint cross-checked against witnesses.
Mirror: Copied from this handbook. Never retyped.
Verification: GPG returns GOOD signature, fingerprint ends 0A9D.
Credentials: Unique password, offline vault, fresh PGP key.

Once the drill is muscle memory, every login is a thirty-second routine. Skip a step exactly once and you will not skip it again.
