Nexus security practices and threat model 2026
Everything you need to access Nexus market without leaving traces: PGP key setup, TOTP 2FA, Tor Browser hardening, Tails OS, and a realistic threat model. No vague advice — only steps that work in practice.
Understanding your actual threat model
Before running through tools and settings, you need to know who is actually trying to observe you and what they can see. Most opsec failures come from solving the wrong problem.
"Security without a threat model is just security theater. Picking your tools before understanding your adversaries is like taking medication before knowing the diagnosis."
Threats Tor protects against
- Your ISP seeing which .onion you visit
- Network-level traffic analysis by a passive observer
- IP address disclosure to the destination server
- DNS leaks revealing your activity to the resolver
Threats Tor does NOT protect against
- JavaScript fingerprinting from inside the browser
- Weak or reused passwords on the marketplace itself
- Physical access to your device or RAM imaging
- Operational slips: reused username, screenshots with metadata
Most people accessing Nexus market face a medium threat model: curious ISPs, opportunistic snoopers, and phishing operators, but not targeted law enforcement with court orders. The guidance below is calibrated for that reality, with notes on where to upgrade if your risk is higher. The Electronic Frontier Foundation publishes detailed threat modeling guides if you want a deeper framework.
Setting up Tor Browser correctly
The default Tor Browser configuration is a reasonable starting point but not optimal for marketplace access. Work through these steps before you open the Nexus link for the first time. Learn more at the official Tor Project documentation.
Download from the official source only
Go to torproject.org/download. Avoid mirrors, app stores, and any third-party hosts. The installer is signed — verify the GPG signature before running it. A tampered build can silently leak your IP address on every connection.
Set the security level to Safest
Click the shield icon in the toolbar. Select Safest. This disables JavaScript on all sites, prevents WebGL fingerprinting, and removes most browser APIs that leak hardware details. Nexus market operates with JavaScript disabled — the site is designed for this security level.
Don't resize the browser window
Tor Browser opens at a standard size to make all users look identical to sites. Resizing creates a unique screen fingerprint. Keep it at the default size. If you need more screen space, use a second monitor rather than enlarging the Tor window.
Use a new circuit for each marketplace session
Before opening any .onion link, click the onion icon → New Tor Circuit for This Site. This rotates the three-hop relay path. Do this again after any session you want isolated from the previous one.
Use the DuckDuckGo onion at https://duckduckgogg42ts4qkbmhehbe.onion/ for any research you do within the same session — this keeps all traffic within the Tor network, no clearnet exposure.
Keep Tor Browser updated automatically
Old Tor Browser versions have known browser vulnerabilities. Enable automatic updates in Preferences → General. Each major Firefox ESR release that Tor Browser is based on patches exploitable bugs. A 6-month-old Tor Browser binary is a meaningful risk.
PGP key generation and Nexus verification
PGP (Pretty Good Privacy) is end-to-end encryption built on public-key cryptography. Nexus uses it in two ways: passwordless login (your private key proves identity) and encrypted messaging with vendors. GnuPG is the standard open-source implementation.
Generate your key pair
Open a terminal (or Kleopatra on Windows). Run the interactive key generation. Use Ed25519 for the primary key — faster and more secure than RSA-2048:
```sh
gpg --expert --full-generate-key
# When prompted:
#   (9) ECC and ECC
#   (1) Curve 25519
#   Key does not expire: enter 0
#   Real name: any alias, NOT your real name
#   Email: a ProtonMail address or any throwaway
#   Passphrase: minimum 24 characters, stored in KeePassXC
```
Export your public key for Nexus
Your public key is what you upload to your Nexus profile. It is safe to share — it cannot be used to decrypt your messages.
```sh
# List your keys to get the key ID
gpg --list-keys
# Export the public key as ASCII armor
gpg --armor --export YOUR_KEY_ID_OR_EMAIL > nexus_pubkey.asc
# Print it for copy-paste
cat nexus_pubkey.asc
```
Copy the entire block from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- and paste it into your Nexus account settings.
Verify the Nexus admin PGP key on Dread
Any announcement about Nexus mirrors or downtime on Dread should be signed by the official admin key. Download the Nexus admin public key from their verified Dread profile. Import it and verify each announcement signature:
```sh
# Import the Nexus admin public key (get it from their Dread profile)
gpg --import nexus_admin_key.asc
# Save the signed announcement to a file, then verify
# (this form is for a detached signature; for a clearsigned message,
#  run gpg --verify on that single file instead)
gpg --verify announcement.txt.asc announcement.txt
# Good output shows:
#   gpg: Good signature from "Nexus Admin <...>"
#   gpg: WARNING: This key is not certified with a trusted signature
#   (this warning is normal: you have not personally signed their key)
```
The key fingerprint shown in the verification output should match the fingerprint listed in their original Dread introduction post. If fingerprints differ, the announcement is forged.
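The line `Good signature from "Nexus Admin <...>"` only proves that *some* key with that name signed the file; anyone can generate a key carrying that name. What makes the check meaningful is comparing the full fingerprint against the one pinned from the original introduction post. The following is an added example, not part of this guide or any project's code: it parses the machine-readable status lines that `gpg --status-fd 1 --verify` emits and accepts a signature only when it is good and the signing key's fingerprint equals the pinned one. The pinned fingerprint and both status outputs are constructed sample values.

```python
"""Accept a signed announcement only if the signature is good AND the key matches a pinned fingerprint."""
import hmac
import re
import subprocess
from typing import Optional

# Pinned fingerprint copied from the key's original introduction post (constructed sample value).
PINNED_FINGERPRINT = "ABCD EF01 2345 6789 ABCD  EF01 2345 6789 ABCD EF01"

STATUS_PREFIX = "[GNUPG:] "


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and upper-case so copy-pasted fingerprints compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_from_status(status_output: str) -> Optional[str]:
    """Return the signing key's fingerprint from the VALIDSIG status line, or None if absent."""
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if len(fields) > 1 and fields[0] == "VALIDSIG":
            return fields[1]
    return None


def signature_is_good(status_output: str) -> bool:
    """GOODSIG means the signature verifies; it says nothing about WHOSE key signed."""
    return any(line.startswith(STATUS_PREFIX + "GOODSIG ")
               for line in status_output.splitlines())


def announcement_is_authentic(status_output: str, pinned_fpr: str = PINNED_FINGERPRINT) -> bool:
    """True only for a good signature made by the pinned key."""
    fpr = fingerprint_from_status(status_output)
    if fpr is None or not signature_is_good(status_output):
        return False
    return hmac.compare_digest(normalize_fpr(fpr), normalize_fpr(pinned_fpr))


def verify_with_gpg(sig_path: str, data_path: str) -> str:
    """Run gpg and return its status-fd output (needs gpg installed; not exercised by the sample run)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


# Constructed status output shaped like gpg's for a good signature by the pinned key.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED ABCDEF0123456789ABCDEF0123456789ABCDEF01 0
[GNUPG:] GOODSIG 23456789ABCDEF01 Nexus Admin <admin@example.invalid>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2026-01-15 1768435200 0 4 0 22 8 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output for a look-alike key: same name, valid signature, different fingerprint.
SAMPLE_FORGED = """[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Nexus Admin <admin@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-01-15 1768435200 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print("pinned key:", announcement_is_authentic(SAMPLE_GOOD))      # True
    print("look-alike key:", announcement_is_authentic(SAMPLE_FORGED))  # False
```

Both sample outputs contain a `GOODSIG` line with the same human-readable name, which is exactly why the "Good signature from" text alone is not a sufficient check; only the fingerprint comparison separates them.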
Keep your private key offline
Export your private key to an encrypted USB drive and remove it from the machine you use daily. If an adversary gets your private key file and knows the passphrase, they can impersonate you on Nexus and decrypt any messages sent to you.
```sh
gpg --armor --export-secret-keys YOUR_KEY_ID > nexus_privatekey.asc
# Store this file on an encrypted offline drive (VeraCrypt container)
# Never email it, cloud-sync it, or leave it on a frequently used machine
```
Two-factor authentication on Nexus
Nexus supports TOTP-based 2FA in addition to PGP login. Enable both. With 2FA active, a stolen password alone cannot open your account, and with PGP login enabled the password matters even less.
Install an authenticator app on a separate device
Use Signal Note-to-Self for scratch storage, but for the TOTP app itself, install Aegis (Android, open source) or Raivo OTP (iOS). Avoid Google Authenticator — it has no backup encryption. Never install your 2FA app on the same device you browse Nexus from.
Scan the QR code inside Nexus account settings
Log in to Nexus via the verified mirror. Navigate to Account → Security → Two-Factor Authentication. Scan the displayed QR code with your authenticator app. Confirm with the first generated code before saving.
Enable PGP login in parallel
With 2FA active, also enable passwordless PGP login in the same security settings. Login challenges are then signed with your private key: there is no password to phish, and a captured response cannot be replayed against a fresh challenge. Combined with 2FA, account takeover requires physical access to both your private key file and your TOTP device at the same time.
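What the authenticator app actually does after scanning the QR code is worth seeing once, because it explains the rest of this section: the QR encodes an `otpauth://` URI whose base32 `secret` is a key shared with the server, and each six-digit code is an HMAC over the current 30-second counter (RFC 6238). The following is an added example, not part of this guide or of any marketplace's code. It parses the URI, generates codes, and shows how a verifier tolerates small clock drift with a narrow step window. The URI and secret are constructed sample values (the RFC 6238 reference key), not anything from a real account.

```python
"""TOTP (RFC 6238) generation and verification, including otpauth:// URI parsing."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample URI: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Nexus:alias?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Nexus&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Extract the parameters an authenticator app needs from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    secret_b32 = q["secret"][0].strip().replace(" ", "").upper()
    # QR-code secrets are usually unpadded base32; restore padding for the decoder.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": parsed.path.lstrip("/"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to the number of periods since the Unix epoch."""
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock drift).

    Every extra step widens the guessing window for an attacker, so keep it small.
    Constant-time comparison avoids leaking how many digits matched.
    """
    counter = at // period
    for step in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            return True
    return False


def current_code(uri: str = SAMPLE_URI) -> str:
    """The code an authenticator app would display right now for the scanned URI."""
    p = parse_otpauth(uri)
    return totp(p["secret"], int(time.time()), p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    # RFC 6238 vector: at t=59 the 8-digit SHA1 code is 94287082, so the 6-digit code is 287082.
    print(totp(params["secret"], 59))
    print("accepted two seconds later:", verify_totp(params["secret"], "287082", at=61))
    print("rejected ninety seconds later:", verify_totp(params["secret"], "287082", at=150))
    print("code right now:", current_code())
```

The first six-digit code the page tells you to confirm before saving is exactly this computation on the server's side; if the app's clock is more than one step off, confirmation fails, which is why the app and the phone's time source matter more than the app's brand.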
Password management and privacy tools
The rest of your security posture: unique passwords, secure local storage, and supplementary tools that close the gaps Tor alone cannot address.
KeePassXC password manager
Store every marketplace credential in KeePassXC. It is open source, runs entirely offline, and stores the encrypted database in a local file you control. Generate a unique 24+ character password per site. The database is unlocked with one master passphrase only you know.
→ keepassxc.org
Mullvad VPN as a pre-Tor layer
Running VPN → Tor hides from your ISP even the fact that you use Tor. Mullvad is recommended because it accepts cash payments, requires no email for signup, and has a verified no-logs policy confirmed by independent audits. Buy months in cash, not with a credit card.
→ mullvad.net
GnuPG for message encryption
When messaging vendors on Nexus, encrypt your address and personal details with the vendor's public key before sending. Even if Nexus's messaging system is compromised, the ciphertext reveals nothing. GnuPG is the tool — see the PGP section above for setup steps.
→ gnupg.org
SearXNG for private search
Research vendors and products without Google logging your queries. SearXNG is a self-hostable metasearch engine that aggregates results without tracking. A public instance accessible via Tor keeps even the search engine from seeing your IP.
→ searx.github.io
I2P as a Tor alternative
The I2P network is a different anonymity network with a distinct threat profile. Some Nexus users run I2P and Tor simultaneously for redundancy. I2P is harder to set up but has a different resistance profile against timing attacks. Worth understanding even if you don't switch networks.
→ geti2p.net
Operating system security: Tails and Whonix
If your threat model includes a compromised host OS or physical seizure, a security-focused operating system eliminates the entire software layer below the browser. Both options run entirely in RAM — no persistent trace on the machine.
Tails OS — live amnesic system
Tails boots from a USB stick. Every session starts fresh from the same state — no cookies, no browser history, no residual files unless you explicitly save them to the Persistent Storage. All network traffic is forced through Tor automatically. Shutdown destroys all session data from RAM within seconds.
Install KeePassXC and store your credentials in Tails Persistent Storage, which is encrypted. Your PGP private key can also live there. After each session, the computer retains nothing your adversary can find without the Persistent Storage passphrase.
Endorsed by Amnesty International for journalists in high-risk environments.
Whonix — dual-VM architecture
Whonix runs as two virtual machines: a Gateway VM that handles all Tor traffic, and a Workstation VM where you browse. Even if the workstation is completely compromised by malware, it cannot determine your real IP — all traffic must pass through the gateway, which only speaks Tor.
Best combined with Qubes OS, which provides hardware-level compartmentalization between VMs. The Qubes + Whonix combination is what EFF recommends for the highest-risk users — activists, investigative journalists, and researchers in authoritarian environments.
"The advantage of Tails over a standard Tor Browser setup is not just technical — it's behavioral. Because sessions leave no trace, there is nothing to discover even under physical search. The amnesic property holds regardless of how the session went."
Security checklist before your first Nexus session
Use this table before each session. Priority levels indicate how much protection each step provides relative to the effort it takes.
| Action | Status check | Priority | Notes |
|---|---|---|---|
| Tor Browser updated to latest stable | Check Help → About | CRITICAL | Old builds have known CVEs |
| Security level set to Safest | Shield icon → Safest | CRITICAL | Disables JS fingerprinting |
| .onion link verified against PGP-signed source | See Mirrors page | CRITICAL | One wrong char = phishing |
| PGP key uploaded to Nexus profile | Account → Keys | HIGH | Required for encrypted messages |
| 2FA TOTP active on account | Account → Security | HIGH | Blocks credential replay attacks |
| Unique password in KeePassXC | 24+ chars, not reused | HIGH | Breach at other site won't cascade |
| Tor Browser window at default size | Not resized | MEDIUM | Screen size is a fingerprint |
| VPN active before opening Tor | VPN connected | MEDIUM | Hides Tor usage from ISP |
| New Tor circuit requested for this session | Onion → New Circuit | MEDIUM | Separates sessions by relay path |
| Running Tails or Whonix (advanced) | Optional | ADVANCED | Eliminates host OS risks entirely |
| PGP private key stored offline | Encrypted USB | ADVANCED | Key theft requires physical access |
| Vendor communications PGP-encrypted | Per-message | ADVANCED | Protects message contents if platform breached |
Ready to access Nexus market?
All four verified .onion addresses are on the Mirrors page, updated against PGP-signed admin announcements. Set up Tor Browser correctly first — the steps above take about 20 minutes to complete once.