Security researchers monitoring darknet marketplace infrastructure identified and publicly documented 14 fraudulent phishing sites during Q3 2025, all of which were designed to impersonate the WeTheNorth marketplace with near-perfect visual fidelity.
The phishing sites were distributed through multiple vectors: fake 'official mirror list' posts in darknet forum communities, Pastebin entries indexed by clearnet search engines, compromised social media accounts impersonating marketplace staff, and malicious redirects embedded in sites targeting darknet users with other content.
Analysis of the phishing infrastructure revealed that at least seven of the 14 sites were operated by the same actor or group, sharing server infrastructure and JavaScript credential-capture code. The captured credentials were being used within minutes of capture to access victims' real accounts and drain cryptocurrency balances.
The fake mirror URLs differed from the genuine onion address by as few as one character — typically a character substitution in the middle of the 56-character address that is nearly impossible to detect without careful character-by-character comparison. Attackers chose substitutions between visually similar characters where possible.
Users are strongly advised to access the marketplace only through a bookmark created from a PGP-verified link. The marketplace administration team has published an updated PGP-signed link announcement that users can verify against the official public key. Our access page contains the verified link and PGP key for verification.
The incident reinforces a fundamental principle: no darknet marketplace link found in a search engine result, unsolicited forum post, or unverified source should ever be trusted without PGP verification.