Security
The threat model that drives every recommendation in this handbook, plus the OpSec habits that prevent the attacks we actually see in support tickets.
# The realistic threat list
Ordered by frequency observed in the operator log over the past twelve months. Most account losses on Tor are not exotic; they are the same few mistakes repeated, and the six below cover almost every ticket we see.
| # | Threat | What it looks like | Mitigation |
|---|---|---|---|
| 1 | Phishing clones | Pixel-perfect copies of the login screen, served from clearnet domains or recycled onions. | Verify the PGP-signed timestamp block on every session before entering anything. |
| 2 | Credential reuse | A password leaked from any unrelated breach is tried against vendor and buyer accounts. | Unique, manager-generated passwords in an offline vault, never reused. |
| 3 | PGP key reuse | Reusing a PGP key across markets ties identities together. | One key per identity, never linked to a clearnet handle. |
| 4 | Wallet seed compromise | Browser wallets, copy-paste accidents, screenshots of seed phrases. | Hardware wallet or air-gapped CLI wallet. |
| 5 | Tor Browser fingerprinting | Custom resolutions, font lists and plugins re-identify users. | Default Tor Browser at the Safest level, no extensions. |
| 6 | Social engineering | Telegram, Discord and Reddit DMs. The market does not run on those. | Treat anything claiming to be Nexus on clearnet messaging as impersonation. |
# Phishing in detail
Phishing is the dominant threat in absolute volume. Operators behind these campaigns spin up a clearnet domain with a name close to nexusmarket using a different TLD, hyphenation, or character substitution. They scrape onion mirror lists from public gateways and either serve a pixel-perfect login clone or proxy the real login while logging credentials in the middle. Within hours the domain ranks for low-volume search queries that stale gateways do not bother to defend.
The defence is signature verification. Every real Nexus login page ships a signed timestamp block. Every fake either omits the block, signs with the wrong key, or replays a stale block whose freshness window has expired. GnuPG catches the first two on its own: a missing block has nothing to verify, and a wrong key shows up either as "No public key" or as a good signature from a fingerprint that is not the master key's. The third is different. A replayed block carries a genuine signature, so GnuPG reports it as good; only reading the timestamp inside the signed text and rejecting anything outside the window catches it. The only way to lose to phishing is to skip either half of that check, which is exactly why the handbook hammers on verification in every chapter.
# Credential hygiene
Every account, on every market, deserves a unique password. The cost is one click in your password manager. The cost of reusing a password is the cumulative breach surface of every other account you ever created with that password. Treat the two costs accordingly.
Use an offline password manager. KeePassXC is the standard recommendation: the vault file lives on local encrypted storage and never leaves the device. Avoid any password manager that syncs to the cloud. The convenience is real, but so is the attack surface: a synced vault is a copy of every credential you own sitting on someone else's server, and hosted vaults have been stolen in bulk in real breaches.
Generate passwords with the manager, not by hand. A 24-character random string from KeePassXC drawn from the full printable ASCII set carries about 157 bits of entropy (24 × log2 94), far more than any passphrase you compose yourself. Save the passphrases for your master vault key and your PGP key, where memorability matters.
# PGP key handling
Generate a fresh key for each identity. Your Nexus key is not your clearnet email key, not your forum key, not your prior-market key. Tying any of those together turns a single mistake into total exposure across every surface.
```
# generate a new key for the Nexus identity
$ gpg --full-generate-key
Key type:   RSA and RSA
Key size:   4096
Validity:   2y   (renew before expiry)
Real name:  Nexus identity handle (no clearnet name)
Email:      [email protected]  (no real email)
Passphrase: long, stored in the vault
```
Export the public key for your vendor or buyer profile. Keep the private key in an encrypted vault and never on a host that touches the clearnet. For high-value vendor accounts, run all PGP operations from Tails or Whonix: on Tails nothing survives shutdown unless you deliberately enable Persistent Storage, and on Whonix the keyring stays inside an isolated Workstation VM rather than on the daily-use host.
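The "one key per identity" rule carried through in practice, as an added example (not the handbook's or the market's own tooling): each identity gets its own GNUPGHOME so the wrong key can never be selected by accident, and the key is generated unattended with the same parameters as the interactive session above. The one-directory-per-handle layout, the `batch_params` / `identity_home` names and the placeholder handle and address in the demo are assumptions of this example, not anything the page defines; it assumes GnuPG 2.1 or later on PATH.

```python
"""One isolated GnuPG keyring per identity, plus unattended key generation.

Added example for this handbook, not its own tooling. Assumes GnuPG 2.1 or
later on PATH. The directory layout (one GNUPGHOME under a root directory per
handle), the function names and the placeholder handle/address in the demo
are all this example's own choices.
"""
import os
import stat
import subprocess
import tempfile
from pathlib import Path


def batch_params(handle: str, email: str, expire: str = "2y") -> str:
    """Parameter file for `gpg --batch --generate-key`, mirroring the
    interactive answers in the handbook: RSA 4096 signing primary, RSA 4096
    encryption subkey, two-year expiry. There is deliberately no Passphrase
    line: gpg asks for it through the agent's pinentry, so this script never
    writes the passphrase to disk."""
    if len(handle) < 5:
        raise ValueError("gpg requires Name-Real to be at least 5 characters")
    return (
        f"%echo generating key for {handle}\n"
        "Key-Type: RSA\n"
        "Key-Length: 4096\n"
        "Key-Usage: sign\n"
        "Subkey-Type: RSA\n"
        "Subkey-Length: 4096\n"
        "Subkey-Usage: encrypt\n"
        f"Name-Real: {handle}\n"
        f"Name-Email: {email}\n"
        f"Expire-Date: {expire}\n"
        "%commit\n"
        "%echo done\n"
    )


def identity_home(root, handle: str) -> Path:
    """Create (or reuse) a GNUPGHOME dedicated to one identity, mode 0700."""
    home = Path(root) / handle
    home.mkdir(parents=True, exist_ok=True)
    home.chmod(stat.S_IRWXU)
    return home


def home_is_private(home) -> bool:
    """True when no group/other bits are set; gpg warns about 'unsafe
    permissions' on the home directory otherwise."""
    return (Path(home).stat().st_mode & 0o077) == 0


def generate_identity_key(handle: str, email: str, root, gpg: str = "gpg"):
    """Generate the key inside the identity's own keyring and return
    (home, armored_public_key). Prompts for the passphrase via pinentry."""
    home = identity_home(root, handle)
    env = {**os.environ, "GNUPGHOME": str(home)}
    subprocess.run([gpg, "--batch", "--generate-key"],
                   input=batch_params(handle, email).encode(), env=env, check=True)
    exported = subprocess.run([gpg, "--armor", "--export", email],
                              env=env, check=True, capture_output=True)
    return home, exported.stdout.decode()


if __name__ == "__main__":
    # Demo only: show the parameter file and the private home directory
    # without running gpg (generate_identity_key does the real thing and
    # will prompt for a passphrase). Handle and address are placeholders.
    root = tempfile.mkdtemp(prefix="keys-")
    home = identity_home(root, "vendor-handle")
    print(batch_params("vendor-handle", "vendor-handle@nowhere.invalid"))
    print("GNUPGHOME:", home, "private:", home_is_private(home))
```

Point every gpg invocation for that identity at its directory (`GNUPGHOME=~/.keys/<handle> gpg ...`) and the handle's key is the only one gpg can see, which is what makes cross-identity signing mistakes impossible rather than merely unlikely.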
# Wallet hygiene
Monero is the default settlement currency. Use Feather Wallet for desktop or the Monero CLI for hardened sessions. Hardware wallets, Trezor and Ledger, support XMR through the official CLI and are recommended for any non-trivial balance.
Avoid web wallets entirely. Avoid browser-extension wallets. Avoid any tool that asks for your seed phrase in a form field. The seed phrase is the wallet: anyone who reads it controls the funds. Monero seeds are 25 words; treat those words as the one password to a safe that has no other lock.
Generate a fresh wallet for Nexus, separate from any other Monero wallet you operate. Mixing balances across identities defeats the privacy XMR gives you even though the chain itself stays private. On chain, ring signatures obscure the sender and stealth addresses the recipient, so the ledger reveals no link. But if you withdraw from a KYC exchange into the same wallet whose address you hand to Nexus, the link exists in the exchange's records and in your own, and that is enough to deanonymise you on subpoena.
# Browser hygiene
Tor Browser default profile, security level on Safest, no extensions, no theme changes, no plugin tweaks. Every customisation narrows the anonymity set you are hiding inside. Tor Browser fingerprinting is real, and the work Tor Browser does to give every user the same fingerprint only holds if users leave the defaults alone.
Do not log in to clearnet accounts from the same Tor Browser session. Do not paste from a clearnet clipboard into a Tor session, or vice versa. Treat the Tor session as an isolated environment that should never share state with anything outside it.
# Tails and Whonix
For high-stakes sessions, particularly vendor sessions that touch shipping addresses or vendor key material, run from Tails or Whonix instead of a regular OS Tor Browser install. Tails is a live OS that boots from USB and, unless you enable Persistent Storage, forgets everything on shutdown. Whonix splits the job across two VMs: a Gateway that runs Tor, and a Workstation that runs Tor Browser and has no network route except through the Gateway, so a compromised Workstation still never learns the host IP.
Both are free, both are well documented, both have been audited by independent researchers. Either is a meaningful upgrade over a standard Tor Browser install on a daily-use machine.
# What to do when something feels off
Three signals always warrant abandoning a session immediately:
- The PGP signature on the login page returns BAD, fails to verify, or verifies against any key other than the master key.
- The timestamp inside the signed block is older than 36 hours, even when the signature itself verifies.
- The login flow asks for any new piece of information, particularly a seed phrase, a recovery question, or a confirmation code from a clearnet email.
None of those are normal Nexus behaviour. Close the tab. Wipe the clipboard. Re-pull the onion from this handbook. Report through the security channel on a verified mirror.
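The two checks from the phishing chapter and from the first two signals above, as an added example (not the handbook's own tooling): the signature is checked against the master key's fingerprint using GnuPG's machine-readable status lines, and the timestamp inside the signed text is checked against the 36-hour window separately, because a replayed block still verifies as good. The block layout (a `Timestamp: <ISO-8601 UTC>` line inside a standard clearsigned message), the 10-minute clock-skew allowance, the function names and the constructed sample block with its placeholder signature are assumptions of this example, not anything the page specifies.

```python
"""Check a signed login-page timestamp block: signature first, then freshness.

Added example for this handbook, not its own tooling. Assumptions: the block
is a standard PGP clearsigned message whose signed text carries a line
'Timestamp: YYYY-MM-DDTHH:MM:SSZ'; the master key fingerprint comes from a
verified copy of the handbook; the window is the 36 hours the page states;
the 10-minute skew allowance and the sample block below are this example's.
"""
import re
import shutil
import subprocess
from datetime import datetime, timedelta, timezone

FRESHNESS_WINDOW = timedelta(hours=36)
CLOCK_SKEW = timedelta(minutes=10)   # further in the future than this is also a reject
TS_RE = re.compile(r"^Timestamp:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s*$", re.MULTILINE)

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def signed_text(clearsigned: str) -> str:
    """Return the text the signature covers: after the 'Hash:' header lines
    and their blank line, up to the signature armor."""
    head = clearsigned.find(BEGIN_MSG)
    sig = clearsigned.find(BEGIN_SIG)
    if head < 0 or sig < 0 or sig < head:
        raise ValueError("not a clearsigned block")
    _, sep, text = clearsigned[head:sig].partition("\n\n")
    if not sep:
        raise ValueError("clearsigned block has no body")
    return text


def parse_timestamp(text: str) -> datetime:
    """Find the Timestamp line and return it as an aware UTC datetime."""
    m = TS_RE.search(text)
    if not m:
        raise ValueError("no Timestamp line in signed text")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_fresh(ts: datetime, now: datetime,
             window: timedelta = FRESHNESS_WINDOW, skew: timedelta = CLOCK_SKEW) -> bool:
    """Fresh means not older than the window and not further ahead than the skew."""
    age = now - ts
    return -skew <= age <= window


def freshness_check(clearsigned: str, now: datetime):
    """Second half of the check; returns (fresh?, timestamp). Run it only
    after the signature verdict is GOOD, since GnuPG cannot see staleness."""
    ts = parse_timestamp(signed_text(clearsigned))
    return is_fresh(ts, now), ts


def gpg_verdict(clearsigned: str, master_fpr: str, gpg: str = "gpg") -> str:
    """Run `gpg --verify` on the block and reduce its --status-fd lines to one
    of GOOD, WRONG_KEY, BAD, NO_PUBKEY or ERROR. A good signature from any key
    other than the master key is WRONG_KEY, not GOOD."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify"],
                          input=clearsigned.encode(), capture_output=True)
    want = master_fpr.replace(" ", "").upper()
    verdict = "ERROR"
    for line in proc.stdout.decode(errors="replace").splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] == "BADSIG":
            return "BAD"
        if fields[1] == "NO_PUBKEY":
            return "NO_PUBKEY"
        if fields[1] == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; the last field is
            # the primary key fingerprint, which is what the handbook publishes.
            verdict = "GOOD" if want in (fields[2].upper(), fields[-1].upper()) else "WRONG_KEY"
    return verdict


def check_login_page(clearsigned: str, master_fpr: str, now: datetime = None, gpg: str = "gpg"):
    """Both halves in the right order. Returns ('OK', timestamp) or ('ABANDON', reason)."""
    if now is None:
        now = datetime.now(timezone.utc)
    verdict = gpg_verdict(clearsigned, master_fpr, gpg)
    if verdict != "GOOD":
        return "ABANDON", f"signature verdict {verdict}"
    fresh, ts = freshness_check(clearsigned, now)
    if not fresh:
        return "ABANDON", f"timestamp {ts.isoformat()} outside the {FRESHNESS_WINDOW} window"
    return "OK", ts.isoformat()


# Constructed sample block for the demo and tests. The signature armor is a
# placeholder, not a real signature, so gpg will reject it.
SAMPLE_BLOCK = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Nexus login page
Timestamp: 2024-05-01T12:00:00Z
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER+NOT+A+REAL+SIGNATURE
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    now = parse_timestamp("Timestamp: 2024-05-01T20:00:00Z")
    fresh, ts = freshness_check(SAMPLE_BLOCK, now)
    print("timestamp", ts.isoformat(), "fresh" if fresh else "STALE")
    if shutil.which("gpg"):
        # Placeholder fingerprint: the real one comes from a verified handbook copy.
        print("gpg verdict on the placeholder block:",
              gpg_verdict(SAMPLE_BLOCK, "0000000000000000000000000000000000000000"))
```

The order matters: `gpg_verdict` runs first because the freshness check only means something once the timestamp is known to be the one Nexus signed, and `gpg_verdict` treats a valid signature from a non-master fingerprint as a rejection rather than trusting whatever key happens to be in the keyring.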