One address, one source. This directory syncs against DrugHub's PGP-signed announcement on Dread — the only authoritative mirror source. The copy button loads from _links.json, never hardcoded. Phishing sites look identical to the real marketplace. Verify before you enter.
Loading…
Paste inside Tor Browser only. .onion addresses do not resolve through Chrome, Safari, or Firefox — Tor is required. For a zero-trace session use Tails OS or Whonix.
Status pulled from the Dread thread and manual verification. Tor latency varies by circuit — if a node responds slowly, rebuild the circuit before assuming it is down.
| Node | Address (anchor chars) | Status | Uptime 30d | DDoS protection | Verified |
|---|---|---|---|---|---|
| Primary | drughu…lnad |
Online | END GAME | Apr 23, 2026 |
DrugHub operates one active node at a time. When additional mirrors come online, this table updates within 48 hours of the signed Dread announcement. Retired mirrors are removed once they stop resolving consistently. Historical addresses are kept in the Dread thread for reference — this table shows only the currently live set.
Phishing operators most commonly introduce lookalike characters at the start and end of an address, assuming users skim the middle. These positions are the minimum viable check — full comparison is better.
DrugHub · Verified Address · April 2026
drughub75eoe5pqwy4e5swpjpwz77vikb5t2qxzsslfr3s6kqok5lnad.onion
Trusting this directory is one confidence layer. Cross-checking against the PGP-signed Dread announcement is a second, independent layer. Both together are more reliable than either alone. Do this process once when setting up, and repeat whenever an address changes.
Find the official DrugHub thread on Dread. Locate the pinned admin post containing a PGP public key block (it begins with -----BEGIN PGP PUBLIC KEY BLOCK-----). Copy the full block and import it into GnuPG with gpg --import drughub-admin.asc. You only need to do this once. If the admin ever rotates their key, the rotation announcement will be signed by the previous key — so the chain of trust is verifiable.
Open the DrugHub subreddit on Dread. Look for posts from the verified admin account that include a -----BEGIN PGP SIGNED MESSAGE----- block. Only these posts carry PGP signatures — regular posts from the same account do not. Copy the entire block from header through to the closing -----END PGP SIGNATURE-----. A partial copy fails verification even if one character is missing.
Paste the PGP block into a plain text file — announcement.txt works. Run gpg --verify announcement.txt. GnuPG should output Good signature from DrugHub Admin alongside the key fingerprint. If the output says bad signature, expired key, or no public key found — stop entirely. That announcement was modified after signing, or it was faked. Any links inside it should be discarded. EFF's Surveillance Self-Defense has a beginner-level PGP guide if this is your first time.
Once the signature is verified, copy the .onion address from the announcement. Compare it character by character against the address shown above. At minimum, check the first 6 and the last 4 characters. If both this directory and the signed announcement agree, you have two independent confirmations. If they differ, trust the PGP-verified announcement over this page and flag the discrepancy via Element or a Dread message. Always paste the address — never type it. One wrong character in 56 is almost certain when typed manually.
Phishing clones reproduce the visual design exactly. These technical signals cannot be faked without control of the actual .onion private key. Each one requires only seconds to check.
DDoS gate shows a Cloudflare challenge or Google reCAPTCHA widget
Text-based CAPTCHA with deliberately warped characters — no Cloudflare, no Google widgets on the real .onion
Login form asks for a username and password
Login is PGP challenge-response — the site sends an encrypted message you must decrypt. There is no password field anywhere
Address contains lookalike substitutions: digit 0 in place of letter o, digit 1 in place of lowercase l
Address matches the PGP-signed announcement character-for-character. The first 6 are drughu, the last 4 are lnad
No PGP fingerprint shown at the bottom of the entry screen
PGP fingerprint visible below the DDoS gate — write it down on first visit, compare every subsequent visit. A mismatch is not a glitch
Deposit function asks you to send XMR to a hardcoded wallet address before placing an order
Walletless system — no deposit wallet exists. Each order generates a fresh 2-of-3 multisig invoice. The market never holds your funds
Focused on links, rotation, and verification. For questions about the marketplace itself, see the main FAQ on the overview page. For the full access walkthrough, see the eight-step guide.
DrugHub mirrors exist to counter DDoS attacks. Darknet marketplaces face constant denial-of-service pressure from competitors, automated scanning scripts, and probing routines. When the primary node is under attack, mirrors hosted on separate infrastructure stay accessible. Every mirror is an independent server running the same codebase — they share the same multisig backend and the same user database. If one mirror becomes unreachable, switch to the next; your account, open orders, and message queue are all unaffected. The END GAME anti-DDoS system reduces how often mirrors need to fail over, but the redundancy exists precisely for the attacks it cannot absorb. The 98.4% uptime figure reflects the combined availability of the primary node and the END GAME layer.
Cross-reference with DrugHub's PGP-signed announcement on Dread. The admin account there publishes link updates signed with a known key — import that key into GnuPG, run gpg --verify on the signed message, and confirm you get Good signature. Only trust links that appear inside a successfully verified announcement. Additionally, compare the first 6 characters (drughu) and last 4 (lnad) of any candidate address against a known-good source. Phishing operators most commonly introduce lookalike substitutions in those positions because they assume users only skim the middle. The EFF Surveillance Self-Defense guide has a clear PGP beginner walkthrough.
Nothing — and this is intentional. Open orders are tied to multisig addresses on the Monero blockchain, not to a specific server or session. The 2-of-3 multisig escrow address is a chain-native construct that exists independently of any web server. If the mirror you were using drops while a payment is in-flight, the Monero transaction confirms on-chain regardless of server state. Switch to any working mirror, log in with your PGP key, and your order status, escrow details, and message history will all be accessible. The walletless architecture was specifically designed so no single server failure — planned or unplanned — can affect fund security. See the Monero documentation on multisig for the cryptographic background.
Yes, but the variation comes from Tor circuit routing more than mirror quality. Tor routes your connection through three relays, and the exit relay's physical proximity to the mirror's server affects latency in ways that change with every new circuit. If a mirror feels slow, close the tab and reopen it — you may get a different exit relay with better routing to the same server. A rough working rule: if a page does not start loading within 30 seconds, rebuild the circuit. If it still does not respond after 90 seconds on a fresh circuit, the mirror is likely unreachable rather than just slow. Keeping two working mirrors bookmarked inside Tor Browser lets you switch without a search.
There is no fixed schedule. Mirror addresses change when a node faces sustained attack that the END GAME layer cannot absorb, or when the team proactively rotates infrastructure for operational security reasons. Each rotation is announced on Dread with a PGP signature — unsigned rotation announcements should be treated as suspicious regardless of how they're formatted. Historically, rotations have happened every few weeks during high-traffic periods and much less frequently during quieter stretches. Saving two working addresses inside Tor Browser's bookmark manager gives you a 24–48 hour buffer when a rotation happens, which is usually enough time to verify a fresh address from the signed Dread announcement.
Yes. Phishing clones download the full HTML, CSS, image assets, and JavaScript from the real site and re-serve them from a different .onion address with a modified payment flow. Visual similarity is therefore useless as a verification signal — the design being correct tells you nothing about whether the address is correct. The reliable checks are: the exact .onion address (compare every character, at minimum first 6 and last 4), the CAPTCHA type (real DrugHub uses its own text CAPTCHA with no Cloudflare challenge), the login mechanism (no password field — PGP challenge only), and the PGP fingerprint on the gate screen. Phishing operators cannot reproduce the PGP fingerprint without control of the admin private key. Also see the five-tell comparison table above.
PGP (Pretty Good Privacy) lets someone publish a message alongside a cryptographic signature derived from their private key. Anyone who holds the corresponding public key can verify two things: that the message was written by the holder of that private key, and that the message was not modified after signing. DrugHub admins sign their mirror announcements with a publicly available key that has been in use since the marketplace launched in August 2023. If you import that key into GnuPG and successfully verify a signed announcement with it, the links inside can be trusted as genuinely from DrugHub. If verification fails — bad signature, wrong key, or key mismatch — the announcement was either tampered with in transit or was faked from the start. The VeraCrypt documentation explains how to store your keyring in an encrypted container for an extra layer of protection.
Check the DrugHub thread on Dread first — it is where new links appear when infrastructure changes, and it is accessible through Tor Browser on its own .onion address. If both Dread and all DrugHub mirrors are unreachable simultaneously, wait 24–48 hours. A complete simultaneous outage of both platforms is rare and almost always resolves within a day. Do not search for new links through Google, DuckDuckGo, or other clearnet search engines — the results will be overwhelmingly phishing pages ranked by engagement. Do not trust links from Telegram channels, Reddit posts, or unverified forum threads unless they include a PGP signature you have personally verified against the known admin key. Patience is safer than using an unverified address.
Quantity is not a signal of trustworthiness — it is often the opposite. Sites that list twenty or thirty DrugHub addresses typically scrape outdated aggregators and include dead links, rotated-out mirrors, and active phishing addresses without any verification step. A long list of unverified addresses creates more risk than it resolves: if nine out of ten are dead, users assume the tenth is correct simply because it loads. This directory publishes only the address confirmed in DrugHub's most recent PGP-signed Dread announcement, verified against the admin key. One verified link is more useful than thirty unverified ones. When DrugHub publishes additional mirrors, this table will add them — with the same verification standard applied each time.
None of these organizations have any stake in this directory. Read the documentation for anything you use — understanding a tool is not optional when account security depends on it.
The combination of Tor Browser and Tails OS is the baseline stack. Tails boots from a USB drive, routes all traffic through Tor, and leaves no trace on the host machine after shutdown. Sessions are amnesic by design. If you cannot run Tails, Whonix — two VMs with a gateway VM handling all Tor routing — provides equivalent protection on a permanent machine.
GnuPG handles all PGP operations: key generation, signing, verification, encryption, and decryption. Kleopatra on Windows and GPG Suite on macOS are graphical frontends for the same library. VeraCrypt encrypts containers — a reliable home for your PGP private key and Monero wallet seed phrase. An encrypted air-gapped container mounted only when needed is the practical minimum for secure key storage.
Mullvad VPN accepts cash and Monero, requires no email, and does not log connections. It is useful when ISP-level visibility of Tor usage creates risk — connect to Mullvad before starting Tor (VPN → Tor, not the reverse). For clearnet research before sessions, Startpage proxies search results without logging queries or IP addresses.
EFF Surveillance Self-Defense is the most complete public guide for personal operational security — it covers threat modeling, device hardening, communication tools, and PGP in plain language. Amnesty Tech publishes annual digital security reports whose threat models transfer directly to anyone using anonymized platforms. Access Now runs a 24/7 digital security helpline.