Phishing is the single largest cause of buyer account loss on WeTheNorth and every serious Tor storefront. This reading walks through the defence workflow in the order the defences run.

Layer one: bookmark hygiene

The first defence is having a trusted source for the mirror addresses in the first place. Bookmark the mirror reference page inside Tor Browser. Never type an onion address from memory. Never click a link to WeTheNorth from a search engine result, chat message, forum banner or directory you have not vetted.

Layer two: PGP verification, once per rotation

When the operator publishes a signed rotation, verify it against the operator public key you have on your keyring. If the signature is good, the address inside is real. If not, the rotation is fake and the address is worthless.

Layer three: captcha URL match, every session

Every session, before typing the password, compare the small text at the bottom of the login captcha image against your URL bar. Match wins. Mismatch means phishing clone.

Common phishing patterns

Domain squats. Clones on clearnet domains that look close to a WeTheNorth address. Defence: never search WeTheNorth on clearnet.

Prefix-collision onions. Onion addresses matching the first 4-8 characters. Defence: full letter-for-letter comparison of all 56 characters.

Stale-address hijacks. A retired address gets registered by a phisher shortly after the operator retires it. Defence: keep bookmarks against the current signed rotation, not against addresses you memorised.

What phishing clones cannot fake

They cannot fake a valid signed rotation. They cannot fake the captcha URL match. Any one defence layer, run correctly, catches the median attempt.