All verified Nexus Market mirrors

Mirror onions, ordered

Pick any one. They’re interchangeable from your point of view, the marketplace itself is a single instance behind whichever onion you reach.

Last verified: 17 June 2026

• 01. nexusb2l73qzjn4slhyfxa3jvpolw7fomiz5sgyyefnsdhikaqgborqd.onion
• 02. nexusabcdrwy7632jfmkfu3f6u7usyw2xn2mcfiljunz6zsj4p5vioqd.onion
• 03. nexuspokkxp4ayqqec3c3lkekwhnjdqur5bqiocemx4t6sy3werqihad.onion

Leaked private Nexus onions

Two additional Nexus onions have surfaced in chat channels and aren’t part of the operator’s public mirror rotation. The operator originally handed these out to specific groups: vendors, staff, a closed beta. They were never posted to Dread under the operator’s PGP key, and they were never meant to circulate. They leaked anyway.

• 01. nexusncagw2vnag3ycv62occuouhfgkp6htx7alhnzl5xwgtzi2mfbid.onion
• 02. nexusr4ivg23525pvw53h3av7b7xcamxqguprosazaoray33qgrar2qd.onion

Why Nexus runs more than one mirror

A single hidden service is cheap to denial-of-service against. There’s no real cost for an attacker to keep one onion saturated; the only effective defence is to spread the load across several active addresses at once. Nexus keeps three running. Pressure on any one of them moves users to the others by the simple expedient of pasting a different string into Tor Browser. No client config, no DNS to repoint, no waiting for failover.

The trade-off is operational: the operator has to keep three hidden-service descriptors registered, three Tor instances healthy, and three subdomains worth of monitoring up. That’s why most markets with bespoke UI codebases (Crown is the obvious example) run fewer mirrors, the cost of spinning up additional instances is higher when the codebase isn’t templated. Nexus uses the templated stack, so three is what the operator chose.

How Nexus mirrors are added and retired

Mirror rotations on Nexus aren’t scheduled, they’re pressure-driven. When an address takes sustained DDoS the operator may retire it and bring up a replacement. When the pool drops below the operator’s target of three, a new onion gets added. Cadence is roughly every few weeks, sometimes faster during active attack waves.

Every change shows up on the operator’s Dread account as a detached-PGP-signed post. The signature is the strong-verification source, import the operator’s public key once, and you can validate every future announcement against it. Anything that doesn’t carry a valid signature isn’t authoritative regardless of where it’s posted.

What about old Nexus links that don’t load?

If a Nexus link you have was working a month ago and stopped, it’s most likely been retired in a rotation. The operator doesn’t announce retirements individually for short-lived rotations, just pull the current set from this page (or from the Dread post) and use one of those. Don’t hunt around in chat channels for “the new Nexus link”, that’s how people end up on phishing clones.

Verification mechanics, in detail

A onion address is self-authenticating: the 56-character string IS the ed25519 public key of the hidden service, base32-encoded. The Tor client derives the public key from the string and validates the descriptor against it. There’s no DNS, no certificate authority, no separate name-to-key binding to attack at the protocol layer.

What that leaves is the human-layer attack: convincing you to type the wrong string. Vanity-prefix matches are the standard trick, a phisher generates a vanity key whose first eight to twelve characters match a known marketplace onion (e.g. starting with “nexus”) and randomises the rest, hoping you stop comparing after the prefix. The only defence is reading all 56 characters. It’s tedious; do it anyway.