Security and Tor Browser hardening

A short checklist that handles ninety percent of the realistic threats: phishing, JavaScript exploits, wallet correlation, and account compromise.

Tor Browser configuration

1. Download Tor Browser only from torproject.org. Verify the GPG signature on the bundle before running it.
2. Set the security slider to Safest. JavaScript will be disabled globally, which is correct for darknet markets.
3. Do not install browser extensions. Every extension widens the fingerprint surface and most are useless inside Tor Browser anyway.
4. Do not maximize the browser window. The default size is part of the anti-fingerprinting story.
5. Do not log into clearnet accounts inside the same Tor Browser session as your market activity.

Mirror verification

The mirror list on this page is the signed manifest, but you should not trust this page blindly. Pull the manifest from the rotator endpoint jcyjjcu4oocqkgxyq4d6mmbuuha5db7iz3zifhf2cm6n6m5mvogxwqyd.onion/manifest.txt.asc and verify the signature locally with the operator key. If the signature does not validate, do not use the mirrors.

Pattern for cli verification:

• curl --socks5-hostname 127.0.0.1:9050 http://<rotator>/manifest.txt.asc -o manifest.asc
• gpg --import operator-key.asc
• gpg --verify manifest.asc: expect a Good signature line from the operator fingerprint

Wallet hygiene

• Monero is the default. Generate the wallet offline if possible, or in a fresh Tails session.
• Never deposit directly from a clearnet exchange that has your ID. Use at least one intermediate hop.
• Bitcoin is supported but treat each deposit address as single-use. The market rotates them per order anyway.
• Withdraw before you log out for the last time of a session, not when the wallet sits idle.

Account hygiene

• Pick a fresh username with no overlap with any clearnet handle. No homonyms, no clever variations.
• Generate a fresh PGP keypair for the account. Do not reuse the key you use for anything else.
• Enable PGP 2FA in account settings as soon as you can. Login then requires decrypting a challenge.
• Write down the mnemonic / recovery in a place that is not on the same device as your wallet.

Threat model notes

Three failure modes account for almost all losses on this market and the others like it. Phishing clones, where a fake mirror collects credentials. Wallet correlation, where Bitcoin addresses get linked back to a clearnet identity via chain analysis. And device compromise, where malware on the host machine snoops on the Tor Browser session. The Safest slider handles the second category. Manifest verification handles the first. A clean machine, ideally Tails on a removable USB, handles the third.

What this page is not

Not a legal advice page. Not an opsec manual for high-risk vendors, which is its own discipline. Not a guarantee that a given mirror will not be seized tomorrow morning, which is also a thing that has happened to other markets. Treat the recommendations as a baseline, not a finished defense.