Updated April 2026

PGP link verification for darknet markets

How to verify that a .onion address is real — not a phishing clone — using PGP cryptographic signatures.

[Diagram: PGP verification process, showing the public key import and signature checking workflow]

Why this matters more than anything else

Phishing is how most people lose money on darknet markets. Not law enforcement, not exit scams — phishing. Someone finds a market link on a random clearnet site, pastes it into Tor Browser, logs in, and enters their credentials into a perfect copy of the real site. The attacker now has their username, password, and any cryptocurrency sent to the fake deposit address.

PGP verification eliminates this problem. It works on a simple principle: the market operators publish their .onion addresses inside a message signed with their private PGP key. If you verify that signature against their known public key and the math checks out, the addresses are authentic. An attacker would need to steal the market's private key to forge this — and if they had the private key, they'd have access to the entire market.

This is not trust-based security. You are not trusting our site, or any site. You are verifying a cryptographic signature that is either mathematically valid or it isn't. There's no middle ground.

What you need before starting

PGP verification requires a PGP tool and two pieces of information from the market:

A PGP tool. On Windows, install Kleopatra (part of Gpg4win — download from gpg4win.org). On macOS, install GPG Suite from gpgtools.org. On Linux, gpg is already installed on most distributions.
The market's public PGP key. This is a block of text starting with -----BEGIN PGP PUBLIC KEY BLOCK-----. Markets publish this on their login page, their Dread profile, or both. You should have obtained this key from a source you verified before you needed it — not while you're actively worried about a phishing link.
The signed mirror message. A PGP-signed message containing the market's official .onion addresses. On our site, these appear in the "Signed Mirrors" block on each market page. The message starts with -----BEGIN PGP SIGNED MESSAGE-----.

Step-by-step verification

The process is the same regardless of your operating system. The interface differs between GUI tools (Kleopatra, GPG Suite) and the command line, but the underlying operation is identical: import the public key, verify the signed message, read the result.

1. Import the market's public key. Copy the entire public key block (including the BEGIN and END lines). In Kleopatra, go to Tools > Import and paste it. In GPG Suite, open GPG Keychain and click Import. On the command line, save the key to a file and run gpg --import market-key.asc. After import, note the key fingerprint: a 40-character hexadecimal string that uniquely identifies this key.

2. Confirm the fingerprint. Compare the fingerprint shown by your PGP tool with the fingerprint published by the market on at least one other source (Dread profile, login page, a different verified directory). If the fingerprints match, you have the right key. If they don't, someone may have given you a fake key; do not proceed until you find the correct one.

3. Copy the signed message. Copy the entire PGP-signed message containing the market's .onion links. Include everything from -----BEGIN PGP SIGNED MESSAGE----- through -----END PGP SIGNATURE-----. Even a single character missing or altered will cause the verification to fail.

4. Verify the signature. In Kleopatra, go to Decrypt/Verify and paste the signed message. In GPG Suite, use the Services menu or GPG Keychain's verify function. On the command line, save the signed message to a file and run gpg --verify signed-mirrors.txt.

5. Read the result. You are looking for one of two outcomes.

   Good result:

   gpg: Signature made 2026-04-28 using RSA key ID ABCDEF12
   gpg: Good signature from "MarketName Admin"

   Bad result:

   gpg: BAD signature from "MarketName Admin"

If you see BAD signature, stop. The addresses in that message have been tampered with. Do not use them. Do not connect to them. Find the original signed message from a different, trusted source and try again.

What "Good signature" actually proves

A valid PGP signature proves exactly one thing: the message was created by someone who holds the private key corresponding to the public key you imported. Nothing more.

It does not prove that the person behind that key is trustworthy, honest, or running a legitimate operation. It proves authorship. If you imported the key from the market's official login page and a signed message verifies against that key, the addresses in the message are the same addresses the market operators are using. Whether you trust those operators is a separate decision.

This distinction matters. PGP verification protects you against phishing — someone impersonating the market. It does not protect you against the market itself behaving badly (exit scams, selective scamming, etc.). Those are different problems.

Handling key conflicts and multiple keys

Sometimes you'll encounter multiple PGP keys claiming to be from the same market. This happens when a market rotates its PGP key (a normal security practice), or when a phishing site publishes a fake key.

The defense is the fingerprint. If you verified the market's fingerprint from multiple independent sources when you first imported the key, a new key with a different fingerprint should not automatically be trusted. Some markets sign their new key with the old key to create a chain of trust — if you verify that the new key is signed by the old key, and you trust the old key, the new key is legitimate.

If a market simply publishes a new key without cross-signing it from the old one, and you can't verify the new fingerprint through independent channels, treat those addresses as unverified until you can confirm them through a separate trusted source.

Common mistakes in PGP verification

Copying only part of the signed message. The signature covers every character between the BEGIN and END markers. If you miss a line or add a trailing space, the verification fails even if the message is legitimate. Use "Select All" when copying.
Getting the key from the same site that gave you the link. If you found a market link on a suspicious clearnet site, the public key on that same site may also be fake. Import keys from the market's login page (accessed through a link you already trust) or from the market's Dread profile, not from the same site that prompted you to verify in the first place.
Skipping fingerprint confirmation. Importing a key and verifying a signature against it is useless if the key itself is fake. An attacker can create a PGP key with any name they want, sign a message containing phishing addresses, and publish both the fake key and the fake signed message. Without fingerprint cross-referencing, you'd see "Good signature" and believe the addresses are real.
Ignoring key expiration warnings. If your PGP tool says the key has expired, the signature may still verify as "Good" but the key should be treated with caution. Check whether the market has published a new key.

Command-line reference

For users comfortable with the terminal, here are the raw commands. These work on Linux, macOS (with GPG Suite installed), and Windows (through Gpg4win's command prompt).

Import a public key

# Save the public key block to a file first, then import it:
gpg --import market-publickey.asc

# Check the fingerprint after import and compare it with an independently
# published copy. Matching on the name alone proves nothing: anyone can
# create a key with any name they like.
gpg --fingerprint "MarketName"

Verify a signed message

# Save the signed message to a file first (complete, from BEGIN to END):
gpg --verify signed-mirrors.txt

# Expected output for valid signatures:
# gpg: Good signature from "MarketName Admin"

# Expected output for invalid signatures:
# gpg: BAD signature from "MarketName Admin"

Check key details

# View all imported keys:
gpg --list-keys

# View a specific key with fingerprint:
gpg --fingerprint "MarketName"

# Delete a key you no longer trust:
gpg --delete-keys "MarketName"
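The step-by-step procedure above ends with reading "Good signature" by eye, and the common-mistakes list warns that a good signature from the wrong key, or from an expired key, is easy to miss. The POSIX shell script below is an added example, not code from this page or from any market: it runs gpg with --status-fd so the result is machine-readable, classifies the outcome, and only accepts a signature that was made by a fingerprint you pinned ahead of time. The pinned fingerprint, the key name and the file name are constructed placeholders, as are the sample status lines used to exercise the classifier; replace the fingerprint with the one you confirmed through independent sources.

```shell
#!/bin/sh
# Added example: verify a signed mirror message against a PINNED fingerprint,
# reading gpg's machine-readable status lines instead of eyeballing the text.
# EXPECTED_FPR is a constructed placeholder, not any real market's key.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# classify_status EXPECTED_FPR  <  "[GNUPG:] ..." lines from gpg --status-fd
# Prints exactly one verdict word:
#   GOOD              signature valid AND made by the pinned key
#   GOOD_WRONG_KEY    signature valid, but from some other key (same name is not enough)
#   GOOD_EXPIRED_KEY  signature valid, signing key has expired (look for a new key)
#   BAD               signature does not match the text (tampered or incomplete copy)
#   NO_PUBKEY         signing key is not in your keyring (import and confirm it first)
#   ERROR             gpg could not check the signature for another reason
#   NO_SIGNATURE      nothing verifiable was found in the input
classify_status() {
  expected=$(upper "$1")
  verdict="NO_SIGNATURE"
  signing_fpr=""
  primary_fpr=""
  while IFS=' ' read -r prefix keyword rest; do
    [ "$prefix" = "[GNUPG:]" ] || continue
    case "$keyword" in
      GOODSIG)   verdict="GOOD" ;;
      EXPKEYSIG) verdict="GOOD_EXPIRED_KEY" ;;
      BADSIG)    verdict="BAD" ;;
      NO_PUBKEY) verdict="NO_PUBKEY" ;;
      ERRSIG)    if [ "$verdict" = "NO_SIGNATURE" ]; then verdict="ERROR"; fi ;;
      VALIDSIG)
        # First field: fingerprint of the key that made the signature (may be a
        # subkey). Last field: fingerprint of the primary key, which is what
        # "gpg --fingerprint" shows and what you cross-checked elsewhere.
        signing_fpr=$(upper "${rest%% *}")
        primary_fpr=$(upper "${rest##* }") ;;
    esac
  done
  case "$verdict" in
    GOOD|GOOD_EXPIRED_KEY)
      # A mathematically good signature from an unpinned key is the phishing
      # case this page warns about: downgrade it rather than accept it.
      if [ "$signing_fpr" != "$expected" ] && [ "$primary_fpr" != "$expected" ]; then
        verdict="GOOD_WRONG_KEY"
      fi ;;
  esac
  printf '%s\n' "$verdict"
}

# verify_mirrors FILE: run gpg on a saved signed message and classify it.
# Returns success only for the GOOD verdict. --batch suppresses prompts;
# --status-fd 1 puts the status lines on stdout for classify_status to read.
verify_mirrors() {
  result=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | classify_status "$EXPECTED_FPR")
  printf 'verdict: %s\n' "$result"
  [ "$result" = "GOOD" ]
}

# Usage: sh verify-mirrors.sh signed-mirrors.txt   (file name is a constructed example)
if [ "$#" -gt 0 ]; then
  verify_mirrors "$1" && echo "addresses in $1 are authentic for the pinned key"
fi
```

The point of the downgrade to GOOD_WRONG_KEY is that gpg itself will happily print "Good signature" for a freshly generated key with the same display name; only the fingerprint comparison turns that into a rejection, which is exactly the fingerprint confirmation step the procedure above asks for.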

After verification

Once you see "Good signature" and you've confirmed the key fingerprint through at least one independent source, the .onion addresses inside that signed message are authentic. Copy them, open Tor Browser, and paste one into the address bar.

Bookmark the verified address inside Tor Browser — this prevents you from needing to re-verify every time. If a market rotates its addresses, repeat this verification process with the new signed message before using the new links.

For verified .onion links to all active markets with PGP-signed mirror blocks, see the market directory. Each market page includes the full signed message for independent verification.

PGP verification questions

Only if the attacker has the market's private key. Creating a valid PGP signature requires the private key. A fake key with the same display name can be created trivially, which is why you must verify the key fingerprint from multiple independent sources, not just the key name.

The most reliable source is the market's own login page (accessed through a link you've already verified). Secondary sources include the market's official Dread profile and established verified directories. Never use a key published only on a single unverified clearnet site.

An expired key means the key owner intended for it to stop being used after a certain date. The signature itself is still mathematically valid, but the key may have been compromised since its intended expiration. Check whether the market has published a new key and, ideally, cross-signed the new key with the old one.

You haven't imported the market's public key yet, or you imported a different key than the one that signed the message. Run gpg --list-keys to see which keys you have. If the market's key isn't listed, import it first, then verify again.

No method is as reliable as PGP verification. Some people compare links across multiple directories, which reduces risk but does not eliminate it: if a phishing link propagates across multiple sites, cross-referencing won't catch it. PGP verification is the only approach that gives you mathematical certainty of authorship.