MirrorsMarkets — frequently asked questions

A mirror is one of the v3 hidden-service onion endpoints an operator publishes for the same marketplace. The marketplace is a single back-end; the mirrors are alternate entry points. All mirrors for one marketplace share the back-end — same account, same balance, same orders.

Denial-of-service pressure against a single onion is cheap to mount. Running several concurrent mirrors limits the blast radius: when one is being flooded, traffic moves to the others by users typing a different onion. There is no client-side update, no DNS, no fallback timer.

Every mirror onion published here comes from the operator’s detached-PGP-signed announcement on Dread. We import the operator’s public key, verify the signature on every announcement, and copy the verified mirrors into the directory. Mirrors surfaced outside Dread are not authoritative.

Rotations are not scheduled. They are pressure-driven — when a mirror takes sustained DDoS the operator may retire it, when the pool drops below the operator’s target the pool is topped up. Expect rough cadence of every few weeks per marketplace, with peaks during DDoS waves.

A mirror is an alternate onion endpoint for the same marketplace back-end, published by the operator. A phishing clone is a separate onion running a copy of the marketplace’s front-end, intercepting credentials and deposits. The mechanical distinction is the PGP signature: real mirrors are in signed posts, clones are surfaced in unsigned channels.

Yes, but re-verify it every session. Mirrors get retired and an old bookmark may point at a dead onion or, in worst cases, at one that’s been claimed by a phisher running a similar vanity prefix. Five seconds of verification against the signed list is the cheapest insurance.

The operator is most likely mid-rotation or under unusually heavy pressure. Wait an hour, then check the operator’s Dread account for an updated signed post. Do not accept mirrors surfaced in Telegram, Reddit, email or chat groups during outages — those channels are systematically abused by phishers.

Import the operator’s PGP public key from the operator’s Dread profile or from a previously-verified source. Open the signed mirror post in your PGP client, paste the signed message in. The client validates whether the signature matches the imported key. A valid signature is the strong-verification source for the mirrors in the post.