Community researchers and the platform's own security monitoring identified an active coordinated campaign in mid-September 2025 deploying over 14 phishing mirror sites targeting Torzon Market users. This represents one of the larger coordinated phishing operations documented against the platform.
The Campaign
The phishing operation used onion addresses visually similar to legitimate Torzon addresses, differing by 1-3 characters in positions that are difficult to notice without careful comparison. The sites replicated the platform's login interface with high fidelity — a common approach that is more effective than crude recreations.
How the Campaign Was Identified
Researchers identified the campaign through a combination of: community reports of suspicious login experiences, blockchain analysis showing deposits being redirected to attacker wallets, and pattern analysis of newly-registered .onion addresses containing the string 'torzon'.
Response
A new PGP-signed canary update was published within 24 hours of the campaign being confirmed, including the complete list of identified phishing addresses. Community platforms updated their link verification pages accordingly.
Protective Measures
This incident reinforces the critical importance of PGP-verified link sources. The three verified Torzon addresses listed on this site have been confirmed against the signed canary document. See our Anti-Phishing Guide for complete verification procedures.