PROTOCOL: MANDATORY DOC ID: SEC-01

Security & OpSec Guide

The decentralized web operates without the safeguards of the clearnet. Mistakes here are permanent. This comprehensive guide outlines the operational security (OpSec) protocols required to interact with the Nexus Onion Link ecosystem safely. Failure to adhere to these standards compromises anonymity and financial assets.

ZERO TRUST ARCHITECTURE

Assume every link is a phishing attempt until verified. Assume every device is compromised until hardened. Trust only mathematical proof (PGP Signatures).

01. Identity Isolation

Compartmentalization

Your Tor identity must be completely separate from your "real life" (clearnet) identity. Never mix the two.

  • Never use a username you have used on Reddit, Instagram, or Discord.
  • Never use a password derived from personal information (birthdays, pets).
  • Use a fresh, random identity for every market account.

Data Leakage Prevention

Metadata often reveals more than the message itself. Stripping metadata is crucial before uploading images or files.

  • Never upload photos taken with a smartphone without scrubbing EXIF data.
  • Use tools like MAT2 to clean metadata from support tickets or disputes.

02. PGP Protocol (The Golden Rule)

Client-Side Encryption Only

"If you don't encrypt, you don't care." This is the mantra of the darknet. You must NEVER trust a website to encrypt data for you.

The "Auto-Encrypt" checkbox found on many market checkout pages is a convenience feature, not a security feature. If the server is compromised or seized, that data is readable by the adversary.

RULE: Always encrypt sensitive data (addresses, tracking numbers) on your own device using software like Kleopatra, Gpg4win, or GPG Suite BEFORE pasting the result into the browser.

// Example of Safe Data Submission
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA2Kx... [ENCRYPTED BLOCK] ...
... [UNREADABLE BY SERVER] ...
... [UNREADABLE BY ISP] ...
=yO/s
-----END PGP MESSAGE-----
// This text block is safe to paste.

03. Phishing Defense

Man-in-the-Middle (MitM) Attacks

Phishing sites on Tor are sophisticated. They act as a proxy between you and the real site. When you log in, they steal your credentials. When you deposit, they swap the deposit address with their own.

The ONLY way to detect this is by verifying the site's PGP signature.

Red Flags

  • Links found on Reddit, YouTube, or Clearweb Wikis.
  • Sites asking for your Mnemonic/Seed Phrase during login.
  • "Disable 2FA" requests upon login.

How to Verify an Onion Link

  1. Import the Market's public PGP key into your keychain (Kleopatra/GPG).
  2. Visit the onion link. Look for a message signed by the market (usually found at /verify or on the login page).
  3. Copy the signed message block entirely.
  4. Paste it into your PGP software and select "Decrypt/Verify".
  5. SUCCESS: If the signature is valid, verify that the onion address mentioned inside the signed message matches the one in your browser URL bar.
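Steps 3 to 5 above can be automated so that the address comparison is never done by eye. The script below is an added example, not part of this guide or any market's own tooling: it assumes the local gpg binary does the signature check (gpg's machine-readable --status-fd lines GOODSIG and VALIDSIG are real output; the market name, key fingerprint and onion address in the sample are constructed placeholders), then confirms the key is the one you imported in step 1 and that the host in your URL bar is one the signed message actually names.

```python
import re
import subprocess
from urllib.parse import urlparse

# v3 onion services: 56 base32 characters followed by ".onion"
ONION_RE = re.compile(r"\b([a-z2-7]{56}\.onion)\b")
# Constructed sample input (not a real market, key or address).
EXAMPLE_ONION = "a" * 56 + ".onion"
EXAMPLE_FPR = "ABCDEF1234567890ABCDEF1234567890ABCDEF12"
EXAMPLE_SIGNED = "Official mirror as of today: http://" + EXAMPLE_ONION + "/\n"
EXAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1234567890ABCDEF Example Market <example@" + EXAMPLE_ONION + ">\n"
    "[GNUPG:] VALIDSIG " + EXAMPLE_FPR + " 2024-01-01 1704067200 0 4 0 1 10 00 " + EXAMPLE_FPR + "\n"
)

def onion_addresses_in(text):
    return set(ONION_RE.findall(text.lower()))

def parse_gpg_status(status_output):
    """Parse gpg --status-fd lines; good only with GOODSIG + VALIDSIG and no bad-signature line."""
    good, fingerprint = False, None
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, None
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG" and len(parts) > 2:
            fingerprint = parts[2].upper()
    return (good and fingerprint is not None), fingerprint

def check_onion_link(signed_text, status_output, browser_url, trusted_fpr):
    """Step 5: accept only a good signature by the imported key naming the URL bar host."""
    good, fpr = parse_gpg_status(status_output)
    if not good:
        return False, "signature did not verify"
    if fpr != trusted_fpr.upper():
        return False, "signed by a different key: " + fpr
    host = (urlparse(browser_url).hostname or "").lower()
    if host not in onion_addresses_in(signed_text):
        return False, host + " is not listed in the signed message"
    return True, host + " matches the signed message"

def run_gpg_verify(path):
    # Status lines go to stdout via --status-fd 1; feed them to check_onion_link.
    return subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True).stdout
```

Save the copied block to a file, call run_gpg_verify on it, and pass the result together with the block text, your current URL and the fingerprint you imported to check_onion_link.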

04. Browser Hardening

Security Level

Set the Tor Browser security slider to Safer or Safest. These levels disable the JavaScript JIT and some font and math-symbol rendering features that have been used in exploits.

Disable JavaScript

Where possible, disable JavaScript entirely. Nexus Market interfaces often work without JS to reduce attack surface.

No Resizing

Do not maximize the Tor Browser window. Keep it at default size to prevent window-size fingerprinting.

05. Financial Hygiene

The Chain of Custody

  Exchange (Coinbase/Binance) [KYC LINKED]
    -> Private Wallet (Monero GUI / Cake) [BUFFER ZONE]
    -> Market (Nexus Wallet) [DESTINATION]

Direct Transfers are Fatal

NEVER send funds directly from a KYC exchange to a darknet market. Exchanges use Chainalysis tools to flag these transactions, leading to immediate account bans and reports to authorities.

Monero over Bitcoin

Bitcoin (BTC) is a public ledger; every transaction is traceable forever. Monero (XMR) is opaque by default. Always convert BTC to XMR before interacting with hidden services.