Knowledge Base & Technical FAQ

Access to the .onion network requires the Tor Browser (The Onion Router). This specialized browser routes traffic through multiple encrypted nodes, obscuring the user's IP address and allowing connection to hidden services. Standard browsers (Chrome, Firefox, Safari) cannot resolve .onion Top Level Domains (TLDs).

High latency or temporary downtime is often caused by Distributed Denial of Service (DDoS) attacks targeting the Tor network infrastructure. To mitigate this, administrators frequently rotate mirrors and implement proof-of-work captchas. Users are advised to keep a list of verified mirrors signed by the administration's PGP key.

The underlying database of the marketplace is decentralized from the frontend mirrors. If a specific .onion link is down, the backend data (accounts, wallets, orders) remains intact. Users simply need to switch to an alternative verified mirror to restore connectivity to their session.

PGP (Pretty Good Privacy) is an encryption standard used to secure communications. In "Passwordless" architectures, the server encrypts a unique login challenge with the user's public key. The user must decrypt this message with their private key to prove identity. This eliminates the risk of password interception or database leaks exposing credentials.

Two-Factor Authentication (2FA) in this context refers to PGP-based 2FA. Even if an attacker intercepts a session cookie, they cannot access sensitive account functions without decrypting a fresh challenge string. This strictly binds the session to the holder of the PGP private key.

A warrant canary is a regularly updated message, signed by the administrator's PGP key, confirming that the infrastructure has not been compromised or seized by law enforcement. If a canary is outdated or has an invalid signature, users are advised to treat the platform as compromised.

Research indicates the use of anti-phishing codes. Upon login, the site displays a secret code or phrase previously set by the user. If this code is missing or incorrect, the user is on a phishing site. Furthermore, users should always verify the site's PGP signature against a trusted public key.

Monero (XMR) is the standard for privacy. It utilizes Ring Signatures, Ring Confidential Transactions (RingCT), and Stealth Addresses to completely obfuscate the sender, receiver, and transaction amount. Unlike Bitcoin, which has a transparent public ledger traceable by chain analysis, XMR provides default fungibility and privacy.

The Escrow system acts as a neutral third party. Funds are locked in a multisig or holding wallet until the terms of the order are met. The funds are only released to the vendor once the buyer confirms receipt, or returned to the buyer if a dispute is resolved in their favor.

To prevent funds from being locked indefinitely, an Auto-Finalize timer is implemented. If a buyer does not dispute an order or extend the timer within a set period (typically 7 to 14 days after marking as shipped), the escrowed funds are automatically released to the vendor.

A vendor bond is a substantial security deposit (paid in XMR) held by the marketplace. This capital requirement serves to deter low-effort scammers and ensures that vendors have a financial stake in maintaining their reputation and account standing.

Aggressive captchas serve as a rate-limiting filter. They prevent automated botnets from scraping market data or launching application-layer DDoS attacks. While inconvenient, they are necessary for maintaining the stability of the hidden service.

Upon account creation, the system generates a unique mnemonic seed phrase. Since PGP keys are the primary method of access, this mnemonic is the only fallback mechanism to recover an account if keys are lost. It is processed locally and typically not stored in plaintext on the server.

Cryptocurrency networks operate on probability. To prevent "double-spending" attacks, the market waits for a specific number of blocks (confirmations) to be added to the blockchain. For Monero, 10 confirmations (approx. 20 minutes) are typically required before funds are considered finalized and credited to a wallet.