How to Verify Onion Links and Avoid Scams
Last updated: 2026-06-27
Tor is useful for privacy and research, but it also attracts phishing, impersonation, and “mirror” scams. This guide shows **how to verify onion links** and **how to spot common traps**. It is written for legitimate research and safety.
The golden rule
- **Assume every onion link is untrusted** until you verify it from multiple independent sources.
Quick checklist (60 seconds)
Before you click deeply or log in:
- Confirm the onion address matches **at least 2 independent references**.
- Look for impersonation signs (copycat branding, urgent deposit prompts, fake “support” chats).
- If it claims to be “official”, require proof (signed announcement, consistent PGP identity trail).
- Never reuse passwords; never share personal details.
- If anything feels off, leave and search again.
Step-by-step verification
Step 1 — Get the link from multiple sources
Best practice:
- Compare the onion address across **2–3 independent sources** (directory pages, trusted communities, archived references).
- If only one source mentions it, treat it as high risk.
Step 2 — Check for typo traps
- Onion addresses are long; one character difference can be a completely different site.
- Avoid manually typing when possible.
- Watch for look-alike branding (same logo/layout, different address).
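Steps 1 and 2 can be partly automated. The following is an added example, not part of the original guide: it checks that a pasted address is a structurally valid v3 onion address (56 base32 characters, version byte and checksum as defined in Tor's rend-spec-v3) and then compares the addresses listed by several references. The function names, the source names and the sample addresses are assumptions constructed for illustration.

```python
import base64
import hashlib
from collections import Counter

VERSION = b"\x03"  # version byte of v3 onion services

def _checksum(pubkey):
    # Tor rend-spec-v3: first 2 bytes of SHA3-256(".onion checksum" | pubkey | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def normalize(addr):
    """Lower-case; strip scheme, path and the .onion suffix, leaving the 56-char label."""
    host = addr.strip().lower().split("://")[-1].split("/")[0]
    return host[:-6] if host.endswith(".onion") else host

def is_valid_v3(addr):
    """True only for 56 base32 chars carrying the right version byte and checksum."""
    label = normalize(addr)
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())  # rejects 0, 1, 8, 9 and non-ASCII look-alikes
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == _checksum(pubkey)

def cross_check(sources, minimum=2):
    """sources maps a reference name to the address it lists.
    Returns (agreed label or None, names of sources that are malformed or disagree)."""
    valid = {name: normalize(a) for name, a in sources.items() if is_valid_v3(a)}
    if not valid:
        return None, sorted(sources)
    top, count = Counter(valid.values()).most_common(1)[0]
    outliers = sorted(n for n in sources if valid.get(n) != top)
    return (top if count >= minimum else None), outliers

def make_sample(pubkey):
    """Constructed test data: a well-formed address for arbitrary 32 bytes, not a real service."""
    return base64.b32encode(pubkey + _checksum(pubkey) + VERSION).decode().lower() + ".onion"

if __name__ == "__main__":
    good = make_sample(bytes(range(32)))
    refs = {"directory_a": good, "forum_b": "http://" + good + "/", "paste_c": make_sample(bytes(32))}
    print(is_valid_v3(good), is_valid_v3("0" + good[1:]))
    print(cross_check(refs))
```

A passing checksum only shows the string is well-formed and was not mistyped; a phishing site has its own perfectly valid address, which is why the comparison across independent sources still decides whether to trust it.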
Step 3 — Identify impersonation & phishing patterns
Common patterns:
- Immediate login prompt with no context.
- “Your account is locked—deposit to unlock” style messages.
- “Official mirror” banners everywhere, but no verifiable proof.
- Forced redirects, popups, or suspicious scripts.
Step 4 — Validate identity (when available)
A trustworthy service often provides:
- A published PGP key with a consistent fingerprint.
- Signed announcements (address changes, maintenance notices).
- A stable history of references (not “brand new” with aggressive claims).
Note: Not all legitimate projects publish PGP proofs, but scams almost never provide a consistent identity trail.
Step 5 — Reduce exposure (OPSEC basics)
Even when a link looks legitimate:
- Use unique credentials (password manager recommended).
- Do not reuse usernames tied to your real identity.
- Avoid sharing personal details (name, address, phone, workplace).
- Keep browsing sessions separated (research vs personal).
Step 6 — Treat “mirrors” carefully
“Mirror” is one of the most abused words on Tor. Safe approach:
- Require a signed announcement from a known identity trail.
- Compare mirror lists across independent sources.
- If a mirror asks for “verification deposits” or pushes urgency, assume scam.
Red flags (high confidence scam signals)
If you see any of these, leave:
- “Send funds first to verify” or “security deposit required”.
- Time pressure tactics (“only 10 minutes”, “last chance”, “act now”).
- Support that immediately pushes you to another platform.
- Address-change claims without signed proof.
- Pages that mimic a known service but have small differences (spelling, icons, layout spacing).
Common scam types on Tor
1) Phishing mirrors
Cloned websites designed to steal credentials or funds.
2) Impersonation pages
A fake page pretending to be a popular service or directory.
3) “Exit scam” messaging
Fake announcements claiming a project is “moving” to a new address to hijack traffic.
4) Fake support & escrow
“Support agents” pushing you into unsafe steps.
What to do if you were exposed
If you typed credentials or interacted with a suspicious site:
- Change passwords immediately (starting with reused passwords).
- Enable 2FA where possible (for services that support it).
- Move funds only if you are sure your wallet/security is compromised.
- Document the onion address and what happened.
- Report it so others can avoid it.
Reporting & cleanup
Help keep the directory safe:
- Report phishing/scams with:
  - Exact onion address
  - Date/time (with timezone)
  - What you observed (screenshots if safe)
  - Any impersonated brand name